Christmas Time, Bots Time

Imperva has published an annual analysis of cyber attacks in e-commerce. In Germany, automated attacks on the business logic of applications carried out by bots are the biggest threat to online retailers. Other threats include account takeovers, distributed denial-of-service (DDoS) attacks, API abuse and client-side attacks.

Black Friday and Cyber Monday

There are indications that the number of attacks on online retailers will increase during the 2023 holiday season. Since July, bot attacks on retail websites have increased by 14 per cent globally. The increase in automated attacks is likely to continue on Black Friday and Cyber Monday. Since 1 September, the number of DDoS attacks at the application level has increased compared to the same period last year, underlining the annual trend of cybercriminals stepping up their attacks at the start of the holiday season.

In particular, merchants with a large network of API connections and dependencies on third-party providers are increasingly vulnerable to the misuse of business logic. In addition, cybercriminals often target user accounts to gain access to personal data and payment information. A successful attack can lead to higher infrastructure and support costs, degradation of online services and ultimately loss of customers. Such attacks usually peak during the Christmas period, although the security risks exist all year round.

“The security risks that retailers face online are becoming increasingly sophisticated. They are mostly automated and difficult to detect,” says Stephan Dykgers from Imperva, which recently published an annual analysis of cyber attacks in e-commerce. “The significant increase in sophisticated bots last year should be a cause for concern. This type of automation is difficult to stop. For affected retailers, it has the potential to impact business and affect year-end sales.”

Increase in business logic attacks in e-commerce

The most common type of attack on retail websites last year was related to business logic – exploiting an application’s or API’s proprietary functions and processes rather than its technical vulnerabilities. Such attacks were particularly prevalent in Germany. Hackers use business logic to manipulate pricing or obtain limited products for sale.

Last year, attacks on business logic accounted for 74 per cent of attacks on German retail websites – compared to 71 per cent in the previous year. This makes Germany the global leader in such attacks.

Most attacks on business logic are automated and focus on the misuse of API connections. However, there are no attack patterns that help to monitor such attacks. Applying a general rule and assuming that all applications and API deployments are secure is hardly possible.

Automated attacks wreak havoc in retail

Sophisticated bots accounted for 42 per cent of automated data traffic in German commerce last year. Although this puts Germany below the global average for sophisticated bots, the number of malicious (bad) bots is slightly higher at 37.4 per cent (22.7 per cent globally). However, this automation is more difficult to recognise and stop. Such sophisticated bots can bypass basic defence measures and carry out dangerous attacks. The development of such bots can hardly be overlooked compared to previous years.

The number of account takeovers (ATO) increased significantly on Black Friday 2022. ATO is a type of attack in which cybercriminals attempt to compromise online accounts with stolen passwords and usernames. Before and during the 2022 holiday season, Imperva recorded an increased level of ATO events. The number of attacks increased in the fourth quarter and peaked in December.

Grinch bots and account takeovers

At Christmas time, so-called “grinch bots” – a type of sophisticated scalping bot – often disrupt sales and product redemptions. They scour online inventories and buy the most sought-after items of the season to resell them at a significant markup.

Application-layer DDoS attacks on retailers increased 5.5-fold in Germany in 2022. In 2023, attackers have focused heavily on DDoS attacks at the application layer (layer 7) with the aim of disrupting applications or taking them offline. One of the larger application layer (layer 7) attacks took place in November 2022 and correlated with Black Friday and Cyber Monday. These attacks often come from large networks of automated bots or compromised devices (botnets).”