Automated Attack Trends Impacting E-Commerce

According to recent data, 91 percent of the U.S. population will be online shoppers by 2023, making e-commerce sites the preferred platforms for consumers. Unfortunately, cybercriminals are following this trend and are leveraging it to make money.

Bot-based attacks are on the rise, with a year-over-year growth of 106 percent percent in 2021, according to the PerimeterX 2022 Automated Fraud Benchmark Report. Retailers need to understand the different types of bot-based attacks in order to create a defense plan and be able to respond.

The report found the automated attacks that caused the most damage to e-commerce sites are as follows:

Credential Stuffing and Account Takeover

Credential stuffing and account takeover attacks involve attackers testing stolen user credentials on e-commerce sites and then taking over accounts. Once they have access to accounts, they can purchase goods, cash in loyalty points, sell the credentials on the dark web, or even take out lines of credit. Malicious log-in attempts out of total logins trended upwards during 2021, reaching a staggering 93.8 percent of all log-in attempts in August, which was an 8 percent increase on the 2020 peak.

Carding

Carding attacks occur when criminals test stolen credit cards on e-commerce sites to make purchases of goods and gift cards. The percentage of carding attacks out of total checkout attempts rose steadily throughout much of 2021, averaging 5.06 percent over the course of the year. Successful carding attacks cause financial losses for retailers as a result of refunds to customers and because products and gift cards are being shipped to cybercriminals.

Scalping

In scalping attacks criminals will use bots to purchase coveted goods, such as concert tickets or limited-edition fashion items, with the purpose of either putting the product out of stock or selling it online for a higher price. Looking specifically at online retailers that sold those high-demand products last year, scalping attacks were more than four times as prevalent than the industry average. Scalping bots comprised 40.13 percent of total checkout requests for hot products, while the percentage across all e-commerce segments was 8.32 percent.

Scraping

Scraping occurs when attackers use bots to crawl websites and capture pricing information and product details. Competitors will often use this to gain intelligence on other e-commerce sites and it can end up costing victims up to 14.7 percent of their annual website revenue. The threat is a significant problem for retailers today. It's estimated that in 2021, scraping bot activity remained between 23 percent to 26 percent of total traffic volume.

Disrupt the Web Attack Lifecycle

Considering the scale and potential costs of automated attacks, it's important that organizations disrupt the web attack lifecycle in order to protect users’ account and identity information everywhere along their digital journey.

Here are a few steps e-commerce retailers can take to prevent automated fraud:

• Assess your risks. Conduct an audit of malicious activity on your applications, including malicious log-in attempts, checkout attacks and overall bad bot traffic.
• Identify target pages. Make key product pages harder to scrape by using JavaScript elements or other techniques to slightly modify page code and composition.
• Review your security infrastructure. Identify the strengths and weaknesses of your existing tools. Web application firewalls (WAFs), for example, can stop the OWASP Top 10, but not sophisticated bots that mimic human behavior or botnets that rotate through thousands of different IP addresses.
• Analyze the impact on consumers. Some tools, such as CAPTCHAs or multifactor authentication (MFA) add friction to the user journey, causing frustration and driving cart abandonment.
• Protect your revenue and reputation. Leverage machine learning and behavioral analysis to detect and mitigate malicious bots without adding friction to the buyer journey.

The threat of bot-based attacks is increasing, however, with proper planning and security partners, you can reduce or even eliminate the threats and protect your customers, your company and its reputation.

Liel Strauch is director of cybersecurity research at PerimeterX, the leading provider of solutions that detect and stop the abuse of identity and account information on the web.