Imperva study shows: Automated threats jeopardize Black Friday and holiday shopping.
Automated threats such as account takeovers, credit card fraud, web scraping, API abuse, Grinch bots and distributed denial of service (DDoS) attacks, among others, are putting online sales and customer satisfaction at risk. The ongoing spate of attacks on retailers’ websites, applications and application programming interfaces (API) throughout the calendar year is a constant business risk for the retail industry.
Automated adversaries: malicious bots and online fraud
In the past twelve months, nearly 40 percent of traffic to online store websites came from bots. These software applications often perform automated tasks with malicious intent. In the retail industry, the infamous Grinch bot is known for hoarding inventory during the holiday shopping season, grabbing the most coveted items and making it difficult for consumers to buy gifts online.
Nearly a quarter of all traffic to retailers’ websites is attributed to “bad bots,” malicious automated software that contributes to online fraud. The share of advanced bots on retail websites has risen to 31.1 percent. These are scripts that use the latest techniques to mimic human behavior and evade detection, and they pose a significant challenge to businesses that lack the right defenses. German online retailers are particularly at risk: bad bots account for 32 percent of total traffic in Germany, nine percent above the global average. A similar picture emerges for advanced bots, where Germany’s share of 44 percent is 13 percent above the global average.
Account takeover (ATO) is a type of online fraud in which cybercriminals attempt to take over online accounts using stolen usernames and passwords. In 2021, 64.1 percent of ATO attacks involved an advanced bad bot. Of all login attempts on retail websites, 22.6 percent were malicious, nearly twice the share seen on websites in other industries. Attackers used leaked credentials in 94.7 percent of credential-stuffing attacks targeting retailers, compared to 69.6 percent in other industries. Overall, the number of ATO attacks in EMEA increased 159 percent year-over-year.
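Credential stuffing has a recognizable shape in login telemetry: one source tries many distinct usernames in a short window with a low success rate, unlike a legitimate user retrying one account. The following is an added example, not code from the Imperva report; the log lines are constructed, and the window and threshold values are illustrative assumptions a defender would tune to their own traffic.

```python
"""Flag credential-stuffing sources in login logs and the accounts they got into.

Added example (not from the Imperva report). SAMPLE_LOG is constructed;
thresholds in detect_stuffing_sources() are assumptions to tune per site.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username result"
SAMPLE_LOG = """\
2021-11-26T10:00:01Z 203.0.113.7 alice FAIL
2021-11-26T10:00:02Z 203.0.113.7 bob FAIL
2021-11-26T10:00:02Z 203.0.113.7 carol FAIL
2021-11-26T10:00:03Z 203.0.113.7 dave FAIL
2021-11-26T10:00:03Z 203.0.113.7 erin FAIL
2021-11-26T10:00:04Z 203.0.113.7 frank OK
2021-11-26T10:00:10Z 198.51.100.2 alice FAIL
2021-11-26T10:00:15Z 198.51.100.2 alice FAIL
2021-11-26T10:00:20Z 198.51.100.2 alice OK
2021-11-26T10:05:00Z 192.0.2.9 grace OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_log(text):
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                                 ip, user, result == "OK"))
    return events


def detect_stuffing_sources(events, window=timedelta(minutes=5),
                            min_users=5, max_success_ratio=0.3):
    """Return {ip: stats} for sources that, within `window`, tried at least
    `min_users` distinct usernames with a success ratio <= max_success_ratio.
    One user failing repeatedly on one account does not meet min_users and
    is deliberately left alone (that is password guessing or a forgotten password,
    not stuffing)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            successes = sum(e.success for e in win)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                prev = flagged.get(ip)
                # Keep the widest qualifying window for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(win), "successes": successes}
    return flagged


def likely_takeovers(events, flagged):
    """Accounts where a flagged source logged in successfully: the ATO candidates
    that should be stepped-up (session revoke, password reset, MFA challenge)."""
    return {e.user for e in events if e.success and e.src_ip in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing_sources(evs)
    for ip, stats in hits.items():
        print(f"stuffing source {ip}: {stats}")
    print("accounts likely taken over:", sorted(likely_takeovers(evs, hits)))
```

In the sample, 203.0.113.7 cycles six usernames in three seconds and lands one, so it is flagged and `frank` is the takeover candidate; 198.51.100.2 only retries `alice`, so it stays under the distinct-user threshold.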
Attacks on APIs on the rise
An analysis by Imperva Threat Research shows that 41.6 percent of all traffic to online merchants’ websites and applications goes through an API. Of that API traffic, 12 percent reaches endpoints backed by stores of personal data, such as login credentials or identification numbers. Even more concerning, three to five percent of API traffic is directed to undocumented or shadow APIs: endpoints that security teams do not know exist or are no longer protecting.
Unprotected or vulnerable APIs pose a significant threat to retailers, as attackers can use the API as a way to exfiltrate customer data and payment information. API misuse often occurs through automated attacks in which a botnet floods the API with unwanted traffic, looking for vulnerable applications and unprotected data. In 2021, API attacks increased 35 percent between September and October and then increased another 22 percent in November, on top of increased attack numbers in previous months. This finding suggests that malicious actors are ramping up their efforts around the holiday shopping season, when more data is shared between APIs and applications that use e-commerce services.
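The shadow-API figures above come from comparing what actually receives traffic against what the security team has inventoried. The following is an added example, not code from the Imperva report: it normalizes request paths from an access log to OpenAPI-style templates and reports every method/path pair absent from a documented inventory, along with the share of traffic those undocumented endpoints receive. The inventory and log lines are constructed.

```python
"""Find undocumented ("shadow") API endpoints by diffing access logs against
an inventory of documented routes.

Added example (not from the Imperva report). DOCUMENTED_API and
SAMPLE_REQUESTS are constructed; in practice the inventory would be read
from the OpenAPI spec and the requests from the API gateway's access logs.
"""
import re
from collections import Counter

# Constructed inventory: the documented surface as OpenAPI-style templates.
DOCUMENTED_API = {
    ("GET", "/api/v2/products"),
    ("GET", "/api/v2/products/{id}"),
    ("POST", "/api/v2/cart/items"),
    ("POST", "/api/v2/auth/login"),
    ("GET", "/api/v2/orders/{id}"),
}

# Constructed access-log lines: "method path status"
SAMPLE_REQUESTS = """\
GET /api/v2/products 200
GET /api/v2/products/8812 200
GET /api/v2/products/8813 200
POST /api/v2/cart/items 201
POST /api/v2/auth/login 401
GET /api/v2/orders/10021 200
GET /api/v1/customers/10021 200
GET /api/v1/customers/10022 200
GET /api/v2/internal/export?format=csv 200
GET /api/v2/products/8814 200
"""

# Path segments that look like identifiers: decimal ids or UUIDs.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)


def normalize_path(path):
    """Drop the query string and collapse identifier segments to {id} so that
    concrete URLs match the documented templates."""
    parts = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in parts)


def find_shadow_endpoints(log_text, documented):
    """Return (Counter of undocumented (method, template) -> hits, total requests)."""
    total = 0
    shadow = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        total += 1
        key = (method.upper(), normalize_path(path))
        if key not in documented:
            shadow[key] += 1
    return shadow, total


def shadow_traffic_share(shadow, total):
    """Percentage of all requests that hit undocumented endpoints."""
    return round(100.0 * sum(shadow.values()) / total, 1) if total else 0.0


if __name__ == "__main__":
    shadow, total = find_shadow_endpoints(SAMPLE_REQUESTS, DOCUMENTED_API)
    for (method, template), hits in shadow.most_common():
        print(f"undocumented: {method} {template} ({hits} hits)")
    print(f"{shadow_traffic_share(shadow, total)}% of traffic hit shadow endpoints")
```

In the sample, a legacy `/api/v1/customers/{id}` route and an `/api/v2/internal/export` route are still answering requests without appearing in the inventory, which is exactly the class of endpoint that ends up unprotected. Normalizing identifiers first matters: without it every distinct product id would look like its own unknown endpoint and drown the real findings.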