Online retailers should prepare for a holiday season spike in bot-operated attacks

With the holiday shopping season in full swing, retail websites can expect a spike in account takeover fraud, DDoS, and other attacks, including attacks via APIs, which now represent almost half of e-commerce traffic.

According to a recent report from application and data security company Imperva, bots account for more than 40% of traffic to online retail websites on average, with around 24% of traffic coming from “bad bots” that engage in various forms of automated attacks.

“The high risk for e-commerce is more noticeable during the holiday shopping season, which now begins as early as October,” the company said. “Bad actors have gotten wise to consumer shopping patterns, which start weeks before significant events like Black Friday due to shipping delays and item availability concerns, as well as marketing tactics such as shops offering unbeatable deals weeks before Black Friday.”

Advanced bad bots take over

Over the past year almost two-thirds of attacks observed on online retail websites have been automated ones launched with the help of bots. This is a much higher percentage than the general average of 28% across all industries. But not all bots are equal – their sophistication ranges from simple to advanced.

Simple bots are automated scripts that connect from a single IP address and don’t attempt to masquerade as a human-operated browser. A moderately sophisticated bot would be implemented using a headless browser with all the capabilities of a browser engine, such as executing JavaScript on the client side. An advanced bot is one that uses a browser and attempts to emulate human behavior including mouse movements and clicks, making them harder to detect.

Moderate and advanced bots make up two-thirds of bot activity according to Imperva, with the usage rate of advanced bots increasing from 23% two years ago to 31% over the past year. The usage of advanced bots is more prevalent in attacks against e-commerce sites than websites from other industries because they are used to bypass antifraud systems.

Advanced bots also attempt to hide their real location by routing traffic through anonymous proxies, anonymization networks such as Tor, or through public cloud services. Attacks originating from public clouds account for 44% of attacks, remaining the most common origin for malicious attacks against retailers. However, over the past year the percentage of attacks that use anonymity frameworks has jumped from 3.5% to almost 33%.

Account takeover, inventory hoarding and everything in between

One of the most common bot-operated attacks that online retailers face is account takeover. Customer accounts can hold gift cards, discount vouchers, and loyalty points – not to mention saved credit card information – all of which can be abused by hackers to make fraudulent purchases. Buy now, pay later (BNPL), a form of short-term financing, is also an increasingly common option with merchants and can be abused via account takeover and identity theft.

Attackers gain access to customer accounts either with malware that steals their credentials or takes over their browsers and performs actions in their name, or by using automated brute-force methods to guess passwords. Account takeover is responsible for almost one in four login attempts on e-commerce websites, whereas for other industries the average is one in 10. More than 90% of such attacks attempt to guess users’ passwords using credentials leaked from other data breaches, a technique known as credential stuffing.

Mitigating account takeover requires e-commerce site owners to enforce strong password policies, to rate limit login attempts, to monitor the internet for credential dumps from other websites, strongly suggest or force customers to change their passwords, and to encourage the use of two-factor authentication (2FA).

However, it’s worth keeping in mind that 2FA is not bulletproof, with attackers often using proxy-based phishing attacks that can steal 2FA codes. Attacks that abuse customers’ already authenticated and 2FA-authorized sessions would require more advanced detection technologies that monitor for and can spot suspicious activity after a successful login.

Inventory hoarding and scalping

Another type of common holiday season attack operated with bad bots is inventory hoarding or scalping. This targets items with limited stock that are in high demand, including highly discounted products or limited-edition collector’s items that are often the subject of “hyped” marketing campaigns.

Such campaigns and product launches are employed frequently during the holiday shopping season, especially around Black Friday and Cyber Monday. Attackers use bots, also dubbed Grinchbots, to try to grab as much inventory as possible to later resell the items for a profit.

“During the week of Black Friday 2021, Imperva recorded and mitigated a massive scalping attack on a global retailer’s drop of a limited-edition collector’s item,” Imperva researchers said in their report. “The attack consisted of 9 million bot requests to the product page in just 15 minutes! To put things into perspective, that’s 2,500% more than the average web traffic on the retailer’s site.” Mitigation of such attacks can include the implementation of a waiting room queueing system as well as scaling infrastructure in advance to be able to cope with a much higher amount of traffic than usual.

Price scraping is another attack – or more precisely a generator of unwanted traffic –that is achieved with the help of bots. This activity involves scraping prices on e-commerce websites to offer better deals on websites operated by the attackers or their customers for the same products.

The exploitation of vulnerabilities that can lead to remote code execution or file inclusion is also automated with the help of bots. Hackers use these attacks to inject malicious code that steals information input by users into web forms, including payment pages. Known as Magecart, online skimming. or formjacking, these attacks have plagued many retailers over the past few years and are still common.

Researchers from Sansec reported an attack campaign in November 2022 they dubbed TrojanOrders that exploits a mail template vulnerability (CVE-2022-24086) in Magento 2 and Adobe Commerce that was patched in February. Sansec estimates that one third of retailers using these platforms have not yet patched the vulnerability. Exploiting this vulnerability requires hackers to be able to force the system to send an email with the exploit code in one of the fields. An email is usually triggered when placing an order, hence the attack’s name, but this is not the only trigger. Functionality such as shared wish lists can also be abused.

JavaScript another entry point for attackers

Attempts to exploit vulnerabilities account for around 15% of attacks on e-commerce websites, according to Imperva’s data, but it’s worth noting that Magecart-style code injection can also be achieved by compromising third-party JavaScript resources that are loaded into e-commerce websites.

“On average, there are 47 JavaScript based resources executing on the client-side at any given moment, putting the industry at a very high risk of Magecart attacks that threaten to steal customers’ most sensitive data,” the Imperva researchers said. Moreover, 73% of JavaScript code loaded on retail websites is from third-party resources.

To mitigate these code injection attacks, website owners need to patch vulnerabilities and maintain an inventory of all of JavaScript-based services that are also allowed to run and perform a risk assessment for each of them. The newly released PCI DSS 4.0 standard contains guidance on how to protect payment pages and other sensitive forms from Magecart attacks.

Finally, distributed denial-of-service (DDoS) is also a common form of attack executed with the help of bots and can be highly disruptive to business during the holiday shopping season.

Imperva estimates that DDoS attacks account for around 23% of all attacks against retail websites and they are split into two categories: application layer (Layer 7) which target the web applications themselves with requests trying to exhaust the processing resources available to the web server; and network layer which aims to exhaust the available bandwidth.

Retailers should expect stronger DDoS attacks 

“Online retailers should expect to see bigger and stronger DDoS attacks than before,” the Imperva researchers warned. “The number of attacks larger than 100 Gbps doubled from Q1 to Q2 2022, and attacks larger than 500 Gbps/0.5 Tbps increased by as much as 287%.”

For application layer DDoS, attackers now use sophisticated techniques such as HTTP pipelining and multiplexing that allows them to achieve unprecedented request-per-second (rps) rates for extended periods of time and from fewer IP addresses. In 2022, Imperva observed a record-breaking attack that peaked at 10M rps and was launched from a 12,000 IP botnet.

Retailers are advised to stress-test their infrastructure regularly, especially before huge shopping events like Black Friday and Cyber Monday where they anticipate a significant spike in traffic. Using a DDoS mitigation service for all web resources, including the DNS infrastructure, is also highly recommended.

APIs can also be a weak spot for online retailers because almost half of their traffic now comes through such API endpoints from mobile applications and other smart devices, such as home or car assistants that can make purchases online for their owners. According to Imperva, 12% of API traffic goes to endpoints that handle sensitive data such as credit card numbers, credentials and customer information and represent a target for attackers.

Another 3% to 5% go to undocumented APIs that their owner doesn’t actively know. This shadow API problem can happen because of various reasons, such as improper deprecation of an API endpoint without removing it from public access, undocumented releases of new API endpoints by developers, or accidental exposure of non-public APIs due to misconfigurations. It’s therefore very important for organizations to perform regular inventories of their API endpoints and treat them with the same level of security as their web resources.

During the holiday shopping season last year Imperva saw API attacks increase by 35% between September and October and another 22% in November.