Will Grinch bots steal Christmas with sophisticated attacks?

Retailers and online shoppers must also stay vigilant this festive season
A recent study by Imperva highlights the increasing sophistication of cybercriminals, who are expected to target and disrupt retailer websites this festive season.

As the festive season approaches, it is apparent that cybercriminals are gearing up for Black Friday and Christmas, a favourite time of year to prey on retailers and consumers alike. A recent research study by cybersecurity leader Imperva warns that attackers are preparing to disrupt retailer websites, corner the market on popular items, and steal shoppers' personal information.

The report found that automated attacks on application business logic, carried out by sophisticated bad bots, were the leading threat to online retailers. Retailers must brace themselves for these Grinch bots: sophisticated scalping bots designed to disrupt holiday sales events by buying up the most popular items in order to resell them at inflated prices.

Other significant risks include account takeover, distributed denial-of-service (DDoS) attacks, API abuse, and client-side attacks.

eCommerce is an easy target for malicious actors

The eCommerce industry remains a lucrative target for cybercriminals because of its vast network of API connections and third-party dependencies. Attackers are motivated to compromise user accounts for personal data and payment information, and a successful attack can lead to higher infrastructure and support costs, degraded online services, and customer churn. Although these security risks persist throughout the year, attacks often peak during the holiday shopping season, when online traffic is at its highest.

Karl Triebes, SVP and GM of Application Security at Imperva says, “The security risks that the retail industry faces are more sophisticated, automated, and harder to detect. The significant increase in bot sophistication over the past year should be a cause for concern. 

“This breed of automation is harder to stop and capable of abusing business logic, attacking APIs, and taking over user accounts. For vulnerable retailers, this has the potential to impact their bottom line and undermine end-of-year sales.”

Business logic attacks on eCommerce sites

The most common attack on retail sites in the past year was business logic abuse: exploiting the intended functionality and workflows of an application or API rather than a technical vulnerability in it. In retail, attackers exploit business logic to manipulate pricing or to gain access to restricted products.

Business logic attacks accounted for 42.6% of attacks on retail sites in the past year, up from 26% the year before. This increase correlates with the growing volume of traffic to retail sites from APIs, which accounted for 45.8% of traffic in the past year, up from 41.6% the year before. 

Most business logic attacks are automated and often target API connections. As reported in the 2023 Imperva Bad Bot Report, 17% of all attacks on APIs came from bad bots abusing business logic. Because these attacks are made up of an application's own legitimate requests rather than malformed input, there is no single attack pattern to monitor for: no universal rule can be applied, and the security of each application and API deployment has to be assessed against its own logic.
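The following example, added here and not taken from Imperva's report or any retailer's code, illustrates what "exploiting intended functionality" looks like in a checkout. The catalog, coupon, limits and the attacker's request are constructed for illustration; the vulnerable handler trusts the client-supplied price, quantity and coupon list, while the hardened version enforces every rule from server-side state.

```python
"""Added example: a retail checkout with a business-logic flaw beside its hardened form.
Catalog, coupons, limits and requests below are constructed for illustration only."""
from dataclasses import dataclass, field

# Constructed server-side catalog: price in pence, per-order limit, restricted flag.
CATALOG = {
    "console-x": {"price_pence": 49_999, "max_per_order": 1, "members_only": False},
    "sneaker-drop": {"price_pence": 18_000, "max_per_order": 2, "members_only": True},
    "socks": {"price_pence": 500, "max_per_order": 20, "members_only": False},
}
COUPONS = {"XMAS10": 1_000}  # flat discount in pence, meant to be applied once per order


@dataclass
class OrderResult:
    ok: bool
    total_pence: int = 0
    errors: list = field(default_factory=list)


def checkout_vulnerable(request: dict) -> OrderResult:
    """Business-logic flaw: every field is intended functionality, but the server
    re-uses whatever the client sent instead of its own records."""
    total = 0
    for line in request["lines"]:
        # (1) unit price taken from the request body instead of the catalog
        # (2) quantity is never range-checked, so a negative line acts as a credit
        total += line["unit_price_pence"] * line["qty"]
    for code in request.get("coupons", []):
        # (3) the same single-use coupon can be listed repeatedly
        total -= COUPONS.get(code, 0)
    return OrderResult(ok=True, total_pence=total)


def checkout_hardened(request: dict, is_member: bool) -> OrderResult:
    """Same flow, with price, limits, eligibility and coupon use enforced server-side."""
    errors, total, seen_coupons = [], 0, set()
    for line in request["lines"]:
        sku = line.get("sku")
        item = CATALOG.get(sku)
        qty = line.get("qty")
        if item is None:
            errors.append(f"unknown sku {sku}")
        elif not isinstance(qty, int) or qty < 1:
            errors.append(f"invalid quantity for {sku}")
        elif qty > item["max_per_order"]:
            errors.append(f"{sku} limited to {item['max_per_order']} per order")
        elif item["members_only"] and not is_member:
            errors.append(f"{sku} is restricted")
        else:
            total += item["price_pence"] * qty  # price comes from the catalog only
    for code in request.get("coupons", []):
        if code not in COUPONS or code in seen_coupons:
            errors.append(f"coupon {code} invalid or already applied")
            continue
        seen_coupons.add(code)
        total -= COUPONS[code]
    if errors:
        return OrderResult(ok=False, errors=errors)
    return OrderResult(ok=True, total_pence=max(total, 0))


# Constructed attacker request: client-set price on the console, a restricted SKU,
# a negative quantity used as a credit, and the single-use coupon stacked three times.
ATTACK_REQUEST = {
    "lines": [
        {"sku": "console-x", "qty": 5, "unit_price_pence": 1},
        {"sku": "sneaker-drop", "qty": 1, "unit_price_pence": 18_000},
        {"sku": "socks", "qty": -10, "unit_price_pence": 500},
    ],
    "coupons": ["XMAS10", "XMAS10", "XMAS10"],
}

# Constructed legitimate request for comparison.
LEGIT_REQUEST = {
    "lines": [{"sku": "console-x", "qty": 1}, {"sku": "socks", "qty": 2}],
    "coupons": ["XMAS10"],
}

if __name__ == "__main__":
    print(checkout_vulnerable(ATTACK_REQUEST))           # five consoles for 10005 pence
    print(checkout_hardened(ATTACK_REQUEST, is_member=False))  # rejected with five errors
    print(checkout_hardened(LEGIT_REQUEST, is_member=False))   # ok, 49999 pence
```

Nothing in the attacker's request is malformed, which is why a signature-based rule would not catch it; the defence is to make the server the only source of truth for price, quantity limits, eligibility and coupon state, and to do so on every path (web, API and mobile) that reaches the same order logic.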

Which kinds of attacks are causing havoc for retailers?
  • Sophisticated and dangerous bots, which make up more than 50% of automated traffic
  • Account takeover (ATO), which increased 66% on Black Friday 2022
  • Digital skimming, a silent but nefarious threat
  • Application-layer DDoS attacks on retailers
  • API attacks, as API connections are prime targets for exfiltrating data
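Account takeover at retail scale is usually preceded by automated credential stuffing: one source trying a list of leaked username/password pairs against the login endpoint. The detection below is an added example, not code or a rule from Imperva's report; the log line format, thresholds and the three constructed traffic profiles (a stuffing bot, a shared office address, and one person mistyping their own password) are assumptions for illustration.

```python
"""Added example: flagging credential stuffing, the automated precursor to account
takeover, from authentication logs. Line format, thresholds and traffic are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 20          # attempts from one source inside WINDOW before judging it
MIN_DISTINCT_USERS = 10    # a list of stolen credentials cycles through many accounts
MAX_SUCCESS_RATIO = 0.10   # stuffing lists mostly fail; real users mostly succeed


def parse_line(line: str) -> dict:
    """Parse 'ts=<iso8601>Z ip=<addr> user=<name> result=<ok|fail>' (assumed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    return fields


def detect_stuffing(lines) -> dict:
    """Return {ip: reason} for sources whose logins inside any WINDOW look like an
    automated credential list (many accounts, almost all failing) rather than a person."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user, succeeded) inside WINDOW
    flagged = {}
    for rec in sorted((parse_line(l) for l in lines), key=lambda r: r["ts"]):
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["user"], rec["result"] == "ok"))
        while q and rec["ts"] - q[0][0] > WINDOW:   # slide the window forward
            q.popleft()
        if len(q) < MIN_ATTEMPTS or rec["ip"] in flagged:
            continue
        users = {u for _, u, _ in q}
        ok_ratio = sum(1 for _, _, ok in q if ok) / len(q)
        if len(users) >= MIN_DISTINCT_USERS and ok_ratio <= MAX_SUCCESS_RATIO:
            flagged[rec["ip"]] = (f"{len(q)} attempts, {len(users)} users, "
                                  f"{ok_ratio:.0%} success in {WINDOW}")
    return flagged


def sample_log() -> list:
    """Constructed authentication events (not real traffic)."""
    base = datetime(2023, 11, 24, 0, 0, 0)
    lines = []
    # Stuffing bot: one source, a new account every 4 seconds, a single hit in 30.
    for i in range(30):
        result = "ok" if i == 17 else "fail"
        lines.append(f"ts={(base + timedelta(seconds=4 * i)).isoformat()}Z "
                     f"ip=198.51.100.7 user=user{i:02d}@example.com result={result}")
    # Shared office NAT: many accounts behind one address, but they know their passwords.
    for i in range(25):
        result = "fail" if i % 5 == 0 else "ok"
        lines.append(f"ts={(base + timedelta(seconds=7 * i)).isoformat()}Z "
                     f"ip=203.0.113.9 user=staff{i % 12}@example.com result={result}")
    # One person repeatedly mistyping their own password: many failures, one account.
    for i in range(22):
        lines.append(f"ts={(base + timedelta(seconds=3 * i)).isoformat()}Z "
                     f"ip=192.0.2.44 user=alice@example.com result=fail")
    return lines


if __name__ == "__main__":
    for ip, reason in detect_stuffing(sample_log()).items():
        print(ip, reason)   # only 198.51.100.7 is flagged
```

The combination of the three conditions matters: a failure count alone would flag the person retrying their own password, and a distinct-user count alone would flag the office address. Attackers also distribute stuffing across many proxy addresses, so in practice the same logic is run per account (one username seen from many sources) and per device fingerprint as well as per IP, and the result feeds a step-up challenge rather than a hard block.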

Staying safe this festive season

Experts expect the number of attacks on online retailers to increase during the 2023 holiday shopping season. Just as shoppers need to be mindful of the risks of online shopping, retailers must also stay vigilant.

To avoid cyber risks during the festive period, Imperva has advised that organisations should: 

  • Prepare for high-traffic volume and distributed denial-of-service (DDoS) attacks.
  • Prioritise client-side security, as well as the security of marketing and e-commerce campaigns, which are likely to be targeted by bots.
  • Protect critical paths and website functionalities from bots seeking to abuse business logic. 
  • Protect APIs and mobile apps. 
  • Encourage good account credential hygiene and safety. 
  • Stay ahead of scammers by monitoring for new threats and vulnerabilities.


For more insights into the world of Cyber - check out the latest edition of Cyber Magazine and be sure to follow us on LinkedIn & Twitter.