62% of Security Incidents on eCommerce Retailers Originate from Bots, Including Account Takeover, DDoS and API Attacks

Imperva’s The State of Security Within eCommerce 2022 report indicated that bots were responsible for most security incidents, including automated account takeover attacks on eCommerce retailers.

According to the report, 40% of traffic on retail websites originated from bots programmed to perform automated actions, often with malicious intent. In line with this, 62% of attacks on retailers' websites originated from automated scripts, compared to 28% in other industries. These include Grinch bots hoarding high-demand items and bad bots repeatedly attacking retailers' websites, applications, and APIs.

Imperva found that attacks including account takeover, credit card fraud, web scraping, API abuse, Grinch bots, and DDoS were a significant challenge for eCommerce retailers, threatening online sales and customer satisfaction.

Bot traffic threatens eCommerce retailers

Although the majority of traffic to online retailers' sites and applications remained human, bot traffic increased significantly over the 12-month observation period.

While bad bot traffic remained relatively unchanged at 23.7%, good bots increased to 16.6%, bringing total automated traffic to 40.3%.

Surprisingly, the volume of malicious bot traffic on eCommerce retailers' websites was below the cross-industry average of 30.7%, but the bots were more sophisticated than average. Over 12 months, the share of advanced bad bots on retail websites rose from 23.4% to 31.1%, against a cross-industry average of 22.1%.

Although good bots are not malicious, the researchers warned that they still pose a risk by skewing analytics and distorting conversion rates. Likewise, a low volume of bad bot traffic does not mean lower risk, because sophisticated bots can achieve their goals with far fewer requests.

“They often choose ‘low and slow’ tactics, which enable them to carry out significant attacks using fewer requests and even delay requests, allowing them to not stand out from the normal traffic patterns and avoid triggering rate-based security detection thresholds,” the report stated.

According to the researchers, bot operators went to great lengths to cover their tracks with a range of evasion tactics. For example, they mimicked human behavior and routed requests through anonymity frameworks, such as anonymous proxies and Tor, to avoid identification.

During the observation period, the share of attacks coming through anonymized sources rose from 3.5% to 33% within a year. So while the volume of bad bot traffic on retail websites stayed flat in 2021, it was more damaging and harder to detect and block than the year before.

eCommerce retailers experience more account takeover attacks

Account takeover (ATO) attacks involve cybercriminals using stolen passwords and usernames to compromise online accounts. These attacks might also include creating fake accounts using stolen credentials.

According to Imperva’s State of Security report, ATO attacks disproportionately target eCommerce retailers. On retail sites, 22.6% of login attempts were malicious account takeover attempts, nearly twice the cross-industry average of 11.6%. Attackers used leaked credentials in 94.7% of credential-stuffing attacks against eCommerce retailers, compared to 69.6% in other industries. Sophisticated bots were also widely used: threat actors deployed advanced bad bots in 64.1% of ATO attacks.
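The two preceding sections make one detection point: a per-IP rate threshold catches a noisy credential-stuffing bot but not one that spreads leaked credentials across many proxy IPs and delays each request. The following is an added example, not code from Imperva or from the original article. It runs two detectors over constructed login events: the classic per-IP rate rule, and a behavioural rule that aggregates by client fingerprint (here the User-Agent string, which is an assumption made for the example; a real deployment would combine it with TLS and header-order signals) and looks for many distinct usernames with almost no successful logins. The log schema, thresholds and sample data are all constructed for illustration.

```python
"""Credential-stuffing detection: rate threshold vs. "low and slow" bots.

Added example, not part of the Imperva report or the article. Event schema,
thresholds and sample traffic are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int            # seconds since the start of the observation period
    ip: str
    username: str
    success: bool
    fingerprint: str   # assumed client fingerprint (User-Agent in this example)


def rate_threshold_alerts(events, window=60, max_attempts=20):
    """Flag IPs sending more than max_attempts login requests in any sliding
    window of `window` seconds: the rate-based rule low-and-slow bots evade."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e.ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > max_attempts:
                flagged.add(ip)
                break
    return flagged


def low_and_slow_alerts(events, window=3600, min_users=25, max_success_ratio=0.05):
    """Flag fingerprints that, within `window` seconds, try at least min_users
    distinct usernames and almost never succeed. Per-IP request rate is
    deliberately ignored, so spreading attempts over proxies and delaying them
    does not help the attacker. Returns {fingerprint: stats for the widest
    window that tripped the rule}."""
    by_fp = defaultdict(list)
    for e in events:
        by_fp[e.fingerprint].append(e)
    flagged = {}
    for fp, evs in by_fp.items():
        evs.sort(key=lambda e: e.ts)
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.username for e in win}
            successes = sum(e.success for e in win)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                stats = {"attempts": len(win), "users": len(users),
                         "ips": len({e.ip for e in win}), "successes": successes}
                if best is None or stats["attempts"] > best["attempts"]:
                    best = stats
        if best is not None:
            flagged[fp] = best
    return flagged


def build_sample_events():
    """Constructed sample traffic (not real data): shoppers, a fast bot and a
    low-and-slow bot using leaked credentials from 40 proxy IPs."""
    events = []
    for i in range(30):  # ordinary shoppers, a few from each of 4 browser builds
        ua = f"Mozilla/5.0 (shopper-build-{i % 4})"
        events.append(LoginEvent(i * 97, f"203.0.113.{i}", f"user{i}", True, ua))
        if i % 5 == 0:   # occasional mistyped password followed by success
            events.append(LoginEvent(i * 97 - 10, f"203.0.113.{i}", f"user{i}", False, ua))
    for i in range(50):  # fast bot: 50 usernames from one IP inside one minute
        events.append(LoginEvent(500 + i, "198.51.100.7", f"leak{i}", False,
                                 "python-requests/2.28"))
    for i in range(120):  # low and slow: 3 requests per IP, 30 s apart, 1 hit
        events.append(LoginEvent(i * 30, f"192.0.2.{i % 40}", f"leak{100 + i}",
                                 i == 57, "Mozilla/5.0 (headless-build-x)"))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    print("rate rule flags IPs:", sorted(rate_threshold_alerts(evs)))
    for fp, stats in low_and_slow_alerts(evs).items():
        print("behavioural rule flags fingerprint:", fp, stats)
```

On the constructed data the rate rule flags only the fast bot's IP; every proxy IP of the low-and-slow bot stays under the threshold. The behavioural rule flags both bots and none of the shoppers, because it keys on what a client is doing across the whole window rather than how fast one address is doing it. The fingerprint is the weak point of this rule: a User-Agent is trivial to spoof, which is why production bot defenses combine several signals and why the report stresses bot sophistication rather than raw volume.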

The end goal of account takeover attacks was to steal saved credit card information, gift card balances, loyalty points, and other customer benefits. According to the researchers, account takeover attacks intensify during the holiday season or other global events, such as the war in Ukraine.

Distributed denial of service (DDoS) attacks intensified across industries

Imperva threat research found that DDoS attacks in 2022 were larger and more intense across all industries. Such attacks originate from a botnet, a group of compromised Internet-connected devices controlled by a single threat actor.

According to Imperva, DDoS attacks were a persistent and critical threat for eCommerce retailers relying on application performance and availability for online business.

Imperva found that attacks exceeding 100 Gbps tripled, while those exceeding 500 Gbps increased by 287%. Repeat attacks were common: 55% of applications hit by application-layer DDoS attacks, and 80% of those hit by network-layer DDoS attacks, were attacked more than once.

Imperva stated that the downtime caused by a DDoS attack could lead to disruption, reputational damage, and revenue losses to eCommerce retailers.

API abuse is a growing problem

Application programming interfaces (APIs) are the “connective tissue” that lets applications share data and consume and provide digital services. APIs accounted for 42% of online traffic to eCommerce retailers’ websites.

Additionally, 12% of API traffic is directed to endpoints with access to sensitive personal data, such as credentials and identification numbers.

The report also noted that 3-5% of API traffic flows to shadow APIs, endpoints whose existence security teams are unaware of and which they therefore cannot protect. Exposed and shadow APIs were consequently an avenue for exfiltrating customer data and payment information.
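Finding shadow endpoints starts with comparing what the edge actually serves against what the team has documented. The following is an added example, not code from Imperva or the original article: it parses constructed access-log lines, collapses ID-like path segments so that individual records map to one route template, matches each template against a constructed inventory of documented endpoints (with a flag for those returning sensitive personal data), and reports the undocumented ones together with their share of traffic. The inventory, log lines and sensitivity flags are all assumptions made for the example.

```python
"""Shadow API discovery from access logs.

Added example; not code from Imperva or the article. The endpoint inventory,
log lines and 'sensitive' flags below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed inventory of documented endpoints, as a team might export from an
# OpenAPI spec: (method, path template) -> returns sensitive personal data?
DOCUMENTED = {
    ("GET", "/api/v1/products"): False,
    ("GET", "/api/v1/products/{id}"): False,
    ("POST", "/api/v1/cart/items"): False,
    ("GET", "/api/v1/users/{id}"): True,
    ("GET", "/api/v1/users/{id}/payment-methods"): True,
}

# Constructed access-log lines in common log format (not real traffic).
ACCESS_LOG = """\
203.0.113.5 - - [21/Nov/2022:10:00:01 +0000] "GET /api/v1/products HTTP/1.1" 200 5120
203.0.113.5 - - [21/Nov/2022:10:00:02 +0000] "GET /api/v1/products/1021 HTTP/1.1" 200 833
203.0.113.9 - - [21/Nov/2022:10:00:03 +0000] "POST /api/v1/cart/items HTTP/1.1" 201 94
203.0.113.9 - - [21/Nov/2022:10:00:04 +0000] "GET /api/v1/users/4471 HTTP/1.1" 200 612
198.51.100.7 - - [21/Nov/2022:10:00:05 +0000] "GET /api/v0/users/4471/export HTTP/1.1" 200 20480
198.51.100.7 - - [21/Nov/2022:10:00:06 +0000] "GET /api/v0/users/4472/export HTTP/1.1" 200 20313
198.51.100.7 - - [21/Nov/2022:10:00:07 +0000] "GET /api/v0/users/4473/export HTTP/1.1" 200 19977
203.0.113.12 - - [21/Nov/2022:10:00:08 +0000] "GET /api/v1/users/4471/payment-methods HTTP/1.1" 200 401
203.0.113.12 - - [21/Nov/2022:10:00:09 +0000] "GET /internal/debug/orders?id=77 HTTP/1.1" 200 1530
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+)')
NUMERIC_SEG = re.compile(r'^\d+$')
UUID_SEG = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', re.I)


def normalize_path(path):
    """Drop the query string and collapse numeric/UUID segments to {id}, so
    /api/v1/users/4471 and /api/v1/users/4472 become one template. This is a
    heuristic: opaque string IDs would need an extra rule."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if NUMERIC_SEG.match(s) or UUID_SEG.match(s) else s
                    for s in path.split("/"))


def template_matches(template, normalized):
    """A documented template matches when each segment is identical, or the
    template has a {param} placeholder where the log path has {id}."""
    t, n = template.split("/"), normalized.split("/")
    return len(t) == len(n) and all(
        ts == ns or (ts.startswith("{") and ns == "{id}") for ts, ns in zip(t, n))


def classify(log_text, inventory=DOCUMENTED):
    """Count requests per (method, template) and split them into documented,
    documented-and-sensitive, and shadow (undocumented) endpoints."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[(m["method"], normalize_path(m["path"]))] += 1
    report = {"documented": {}, "sensitive": {}, "shadow": {}}
    for (method, path), n in counts.items():
        match = next((tpl for (meth, tpl) in inventory
                      if meth == method and template_matches(tpl, path)), None)
        if match is None:
            report["shadow"][(method, path)] = n
        elif inventory[(method, match)]:
            report["sensitive"][(method, match)] = n
        else:
            report["documented"][(method, match)] = n
    return report


def shadow_share(report):
    """Fraction of all parsed requests that went to undocumented endpoints."""
    total = sum(sum(bucket.values()) for bucket in report.values())
    return sum(report["shadow"].values()) / total if total else 0.0


if __name__ == "__main__":
    rep = classify(ACCESS_LOG)
    for bucket, endpoints in rep.items():
        for (method, path), n in sorted(endpoints.items()):
            print(f"{bucket:10s} {n:3d}  {method} {path}")
    print(f"shadow share of traffic: {shadow_share(rep):.1%}")
```

In the constructed log, a deprecated `/api/v0/.../export` route and an `/internal/debug/...` route show up as shadow endpoints even though they are absent from the inventory, and the export route is being walked ID by ID from a single address, exactly the data-exfiltration pattern the report describes. Counting by normalized template rather than raw path is what makes the comparison tractable; on real traffic the normalization rules need tuning per application, and the inventory should come from the gateway's route table or the deployed spec rather than a hand-maintained list.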

Imperva found that API abuse increased by 35% between September and October 2021 before spiking again by another 22% in November, above the previous months’ elevated attack levels. These observations suggested that bots were more active during the peak holiday shopping season, and the situation would be no different in 2022.


Imperva advised eCommerce retailers to prepare for high traffic and DDoS attacks during the peak holiday season and to expect bots to target their marketing campaigns. Other recommendations include protecting website functionality, taking inventory of client-side JavaScript and third-party services, and staying ahead of scammers by warning customers about phishing attacks.
