Automated attacks on application business logic, carried out by sophisticated bad bots, were the leading threat for online retailers, according to Imperva.
In addition, account takeover, DDoS, API abuse, and client-side attacks were significant risks.
The ecommerce industry remains a lucrative target for cybercriminal activity. Built on a vast network of API connections and third-party dependencies, online retailers are increasingly vulnerable to business logic abuse and client-side attacks. Motivated cybercriminals are also eager to compromise user accounts for personal data and payment information.
Security incidents spike amid shopping season
A successful security incident can lead to higher infrastructure and support costs, degraded online services, and, ultimately, customer churn. While these security risks are persistent throughout the calendar year, attacks often peak during the holiday shopping season.
“The security risks that the retail industry faces are more sophisticated, automated, and harder to detect,” says Karl Triebes, SVP and GM, Application Security, Imperva. “The significant increase in bot sophistication over the past year should be a cause for concern. This breed of automation is harder to stop and capable of abusing business logic, attacking APIs, and taking over user accounts. For vulnerable retailers, this has the potential to impact their bottom line and undermine end-of-year sales.”
The most common attack on retail sites in the past year was associated with business logic — an exploit of an application or API’s intended functionality and processes, rather than its technical vulnerabilities. In retail, attackers will try to exploit business logic to manipulate pricing or access restricted products.
In the past year, business logic attacks made up 42.6% of attacks on retail sites — up from 26% during the same period in the prior year. The rise in business logic attacks in the past 12 months correlates with the growing volume of traffic to retail sites that comes from APIs (45.8%, up from 41.6% last year).
The majority of attacks on business logic are automated and often focused on abusing API connections. 17% of all attacks on APIs came from bad bots abusing business logic. Attack patterns don’t exist to monitor for these exploitations, and it’s impossible to apply a generic rule and assume all application and API deployments are secure.
Dangerous bots make up more than 50% of automated traffic
For the first time, more than 50% of bad bot traffic on retail sites was associated with advanced bots, automation that is harder to detect and stop. This breed of sophisticated bot can evade basic defenses and carry out dangerous, disruptive attacks. In comparison to prior years, the sophistication of bots is hard to overlook.
In 2022, 31.1% of bots were classified as advanced and in 2021, just 23.4% of bots were classified as the same. Grinch bots — a breed of sophisticated scalping bots — often disrupt holiday sale events and product drops. They query online inventories and purchase the most sought-after items of the season for the purpose of reselling them at a significant markup.
Account takeover (ATO) is a type of attack where cybercriminals attempt to compromise online accounts by using stolen passwords and usernames. Before and during the 2022 holiday shopping season, Imperva recorded elevated levels of ATO events. Attacks rose 12% in October before peaking in December. While the risk is elevated during the holiday season, 15% of login requests, across all websites, are associated with ATO attempts, underscoring this persistent threat for ecommerce.
Attacks on online retailers will rise during the 2023 holiday shopping season
Almost 400 resources, on average, are loaded per retail site to the client-side. For comparison, that’s nearly double the volume that is loaded on other industries’ sites. Once compromised, attackers can use sophisticated automation to monitor mouse movements and keystrokes, steal cookies, or impersonate users which can result in a long-term, devastating data breach.
In 2023, attackers put an acute focus on application layer (Layer 7) DDoS, with the goal of disrupting or taking applications offline. One of the larger application layer (layer 7) attacks Imperva monitored was in November 2022, correlating with Black Friday and Cyber Monday. These attacks often come from vast networks of automated bots or compromised devices, known as botnets.
There are indicators that suggest the number of attacks on online retailers will rise during the 2023 holiday shopping season.
Since July, bad bot attacks on retail sites have increased 14% with most attacks occurring on US-based ecommerce sites, followed by sites in France. The rise of automated attacks are likely to continue through Black Friday and Cyber Monday. Grinch bots could again be involved in the disruption of holiday sales events and limited product launches.
Since September 1, the number of application layer DDoS attacks has been higher in comparison to the same time last year, underscoring the annual trend of cybercriminals increasing attacks at the beginning of the holiday shopping season.