Jakub Jirsák - stock.adobe.com

Automated threats biggest source of cyber risk for retailers

Threat actors targeting retailers during the coming holiday season are increasingly turning to automated forms of cyber attack, according to a report

From bots to distributed denial-of-service (DDoS) attacks, web scraping to application programming interface (API) abuse, and account takeover to credit card fraud, a range of increasingly automated cyber threats are set to present a serious challenge to the e-commerce sector as it heads into its busiest time of year.

Although such issues are a persistent threat for online retailers and their ilk, such attacks are always seen peaking during the holiday shopping season, and 2022 is set to be no exception, according to a report from data protection specialist ImpervaThe state of security within e-commerce 2022.

“The holiday shopping season is a critical period for the retail industry, and security threats could undermine retailers’ bottom line again in 2022,” said Lynn Marks, Imperva senior product manager.

“This industry faces a variety of security risks, the majority of which are automated and operate around the clock. Retailers need a unified approach to stop these persistent attacks, one that focuses on the protection of data and is equipped to mitigate attacks quickly without disrupting shoppers.”

In the past 12 months, Imperva reported that nearly 40% of traffic hitting the average ecommerce website was not generated by humans, but instead came from often-malicious bots running automated tasks. Nearly a quarter of traffic – 23.7% – was attributable to advanced bots using cutting-edge evasion techniques to mimic human behaviour and avoid detection.

Last year, bot-related attacks grew by 10% during October and another 34% in November, providing clear evidence that the actors behind such automated bot networks are keenly aware of the value of the holiday period to retailers. Indeed, one variety of automated bot has become known as a Grinch Bot – scooping up inventory that is in high-demand and hoarding it, making it harder for legitimate consumers to purchase gifts online.

Other malicious bots are engaged in account takeover (ATO) activities, with over 64% of ATO attacks using some kind of bot in 2021. The attackers behind these bots are generally using leaked customer details in credential stuffing attacks, and in an indication of the volume of their activity, Imperva found 22.6% of all login attempts on retail websites are malicious.

Imperva also saw rises in application programming interface (API) abuse – with traffic from an API now accounting for 41.6% of all traffic to online retailer sites or mobile apps. Of this, 12% of traffic is directed to to endpoints such as databases containing personal data, and up to 5% of API traffic is directed to so-called shadow or undocumented APIs, that security teams may not even know exist.

Vulnerable or exposed APIs present a growing threat to retailers as they can be used to exfiltrate customer data or payment information, and attacks that exploit APIs are also increasingly automated and conducted by botnets flooding the API with unwanted traffic as they seek vulnerable applications and insecure data.

Again, Imperva found that such attacks saw dramatic rises during the autumn of 2021 as attackers scale their efforts to mask their activities behind spikes in legitimate traffic between APIs and retail applications. There is no indication that 2022 will be any different.

Then, there is the long-established threat of DDoS attacks causing retailers to lose hours, or even days, of business when their websites or applications collapse under the weight of malicious traffic. Again, such attacks tend to be run through botnets – networks of compromised connected devices distributed globally and operated by a single entity.

DDoS attacks have been in the news in 2022 – many of them have been conducted by groups linked to Russia against countries or organisations aligned with Ukraine – with the number of incidents recorded at higher than 100GBps doubling, and those larger than 500GBps increasing by 27%, said Imperva.

The report also claimed that those targeted by attacks are often attacked again in short order – 55% of those hit by an application-layer DDoS and 80% of those hit by a network-layer DDoS experienced multiple attacks, often within 24 hours.

“A DDoS attack is a nonstop threat for retailers. The downtime caused by a DDoS attack can lead to site disruption, reputational damage and revenue loss. A DDoS is a critical threat to online retailers that rely on application performance and availability to enable digital storefronts,” said Imperva.

Read more on Network security management