Online retailers’ applications, APIs, and data are under attack from automated threats

SAN MATEO, CA — November 8, 2023 — Imperva, Inc., (@Imperva) the cybersecurity leader that protects critical applications, APIs, and data, anywhere at scale, releases a 12-month analysis of the cybersecurity threats targeting eCommerce websites and applications. Automated attacks on application business logic, carried out by sophisticated bad bots, were the leading threat for online retailers. In addition, account takeover, distributed denial-of-service (DDoS), API abuse, and client-side attacks were significant risks.

The eCommerce industry remains a lucrative target for cybercriminal activity. Built on a vast network of API connections and third-party dependencies, online retailers are increasingly vulnerable to business logic abuse and client-side attacks. Motivated cybercriminals are also eager to compromise user accounts for personal data and payment information. A successful security incident can lead to higher infrastructure and support costs, degraded online services, and, ultimately, customer churn. While these security risks are persistent throughout the calendar year, attacks often peak during the holiday shopping season. 

“The security risks that the retail industry faces are more sophisticated, automated, and harder to detect,” says Karl Triebes, SVP and GM, Application Security, Imperva. “The significant increase in bot sophistication over the past year should be a cause for concern. This breed of automation is harder to stop and capable of abusing business logic, attacking APIs, and taking over user accounts. For vulnerable retailers, this has the potential to impact their bottom line and undermine end-of-year sales.”

Globally, Business Logic Attacks on eCommerce Sites Increase by 2X

The most common attack on retail sites in the past year was associated with business logic — an exploit of an application or API’s intended functionality and processes, rather than its technical vulnerabilities. In retail, attackers will try to exploit business logic to manipulate pricing or access restricted products. 

In the past year, business logic attacks made up 42.6% of attacks on retail sites — up from 26% during the same period in the prior year. The rise in business logic attacks in the past 12 months correlates with the growing volume of traffic to retail sites that comes from APIs (45.8%, up from 41.6% last year). 

The majority of attacks on business logic are automated and often focused on abusing API connections. As reported in the 2023 Imperva Bad Bot Report, 17% of all attacks on APIs came from bad bots abusing business logic. Attack patterns don’t exist to monitor for these exploitations, and it’s impossible to apply a generic rule and assume all application and API deployments are secure. 

Sophisticated, Automated Attacks Create Havoc for Retailers

  • Sophisticated and dangerous bots make up more than 50% of automated traffic. For the first time, more than 50% of bad bot traffic on retail sites was associated with advanced bots, automation that is harder to detect and stop. This breed of sophisticated bot can evade basic defenses and carry out dangerous, disruptive attacks. In comparison to prior years, the sophistication of bots is hard to overlook. In 2022, 31.1% of bots were classified as advanced and in 2021, just 23.4% of bots were classified as the same. Grinch bots — a breed of sophisticated scalping bots — often disrupt holiday sale events and product drops. They query online inventories and purchase the most sought-after items of the season for the purpose of reselling them at a significant markup. 
  • Account takeover (ATO) increased 66% on Black Friday 2022. ATO is a type of attack where cybercriminals attempt to compromise online accounts by using stolen passwords and usernames. Before and during the 2022 holiday shopping season, Imperva recorded elevated levels of ATO events. Attacks rose 12% in October before peaking in December. While the risk is elevated during the holiday season, 15% of login requests, across all websites, are associated with ATO attempts, underscoring this persistent threat for eCommerce.
  • Digital skimming, a silent but nefarious threat. Magecart, formjacking, and other online skimming techniques are associated with client-side security threats. These attacks typically involve injecting malicious JavaScript into first-party code or the code of third-party services (the software supply chain) used on legitimate websites. Almost 400 resources, on average, are loaded per retail site to the client-side. For comparison, that’s nearly double the volume that is loaded on other industries’ sites. Once compromised, attackers can use sophisticated automation to monitor mouse movements and keystrokes, steal cookies, or impersonate users which can result in a long-term, devastating data breach.
  • Application layer DDoS attacks on retailers increased by 417%. In 2023, attackers put an acute focus on application layer (Layer 7) DDoS, with the goal of disrupting or taking applications offline. One of the larger application layer (layer 7) attacks Imperva monitored was in November 2022, correlating with Black Friday and Cyber Monday. These attacks often come from vast networks of automated bots or compromised devices, known as botnets.

As Holiday Shopping Transactions Grow, Security Risks Multiply

There are indicators that suggest the number of attacks on online retailers will rise during the 2023 holiday shopping season.

  • Since July, bad bot attacks on retail sites have increased 14% with most attacks occurring on US-based eCommerce sites, followed by sites in France. The rise of automated attacks are likely to continue through Black Friday and Cyber Monday. Grinch bots could again be involved in the disruption of holiday sales events and limited product launches. 
  • Since September 1, the number of application layer DDoS attacks has been higher in comparison to the same time last year, underscoring the annual trend of cybercriminals increasing attacks at the beginning of the holiday shopping season. 

Additional Information:

About Imperva:

Imperva is the cybersecurity leader that helps organizations protect critical applications, APIs, and data, anywhere, at scale, and with the highest ROI. With an integrated approach combining edge, application security, and data security, Imperva protects companies through all stages of their digital journey. Imperva Threat Research and our global intelligence community enable Imperva to stay ahead of the threat landscape and seamlessly integrate the latest security, privacy, and compliance expertise into our solutions.

© 2023 Imperva, Inc. All rights reserved. Imperva is a registered trademark of Imperva, Inc.