Bot Warning for Retailers Ahead of Busy Shopping Season

Retailers can expect a surge in bot-driven account takeovers (ATOs), DDoS attacks, card fraud and more as they prepare for the busiest shopping period of the year, a new report has warned.

Imperva’s State of Security Within eCommerce 2022 report was compiled from data drawn from the vendor’s engagements with clients in the sector.

It found that 40% of traffic on retailers’ websites over the past 12 months came from bots – automated software that’s often malicious in intent. Automated threats caused 62% of security incidents in the period.

Bot-related attacks on retail sites surged 10% in October and another 34% in November 2021, suggesting that bot operators will again increase their activity around the peak shopping period this year.

This includes ATO attacks, 64% of which were linked to bad bots last year, using techniques such as credential stuffing, where previously breached passwords and usernames are tried against different accounts across the web.

Another popular tactic is using bots to buy up in-demand inventory and then selling it on at a profit.

DDoS attacks are a perennial threat for retailers, who could lose millions during busy shopping periods if their websites and apps are taken offline.

Imperva revealed that the number of attacks greater than 100 Gbps doubled year-on-year in 2021, and attacks larger than 500 Gbps increased by 287%.

It added that organizations targeted by an attack are often hit again within 24 hours – 55% of sites targeted by an application-layer DDoS and 80% by a network-layer DDoS were attacked multiple times.

The report also highlighted the threat from exposed APIs, which could be used as a conduit for stolen payment data.

Once again, the holiday shopping period saw a spike in activity last year. In 2021, API attacks increased by 35% between September and October, and then increased another 22% month-on-month in November.

“The holiday shopping season is a critical period for the retail industry, and security threats could undermine retailers’ bottom line again in 2022,” said Lynn Marks, Imperva senior product manager.

“This industry faces a variety of security risks, the majority of which are automated and operate around the clock. Retailers need a unified approach to stop these persistent attacks, one that focuses on the protection of data and is equipped to mitigate attacks quickly without disrupting shoppers.”
