According to recent data, by 2023, 91% of the US population will be online shoppers. This massive figure highlights that e-commerce sites have become the preferred platforms for consumers. But as more people flock online, cybercriminals are following in their wake, using these e-commerce watering holes as money-making opportunities. Robert Kusters, senior manager and security evangelist at PerimeterX, discusses why it’s time that online retail provided better protection from automated threats.
One of the biggest threats to e-commerce platforms comes from automated bot attacks, where cybercriminals deploy malicious bots to steal from retailers and customers. These bots steal credit card numbers, customer login details, and personally identifiable information (PII) and commit automated fraud attacks. These attacks cause severe damage to retailers, harming their brand and reputation, eroding customer trust, and hitting them financially.
Bot-based attacks are on the rise, with year-over-year growth of 106% in 2021, according to the PerimeterX 2022 Automated Fraud Benchmark Report. Criminals are attacking e-commerce sites in full force with their bot armies. Retailers need to understand the different types of bot-based attacks to create a defense plan and be able to respond.
The Bot Threat Landscape
The PerimeterX study also revealed that in 2021, website traffic to e-commerce sites dropped by over 3%. However, despite the decrease in traffic, the percentage of malicious bot traffic remained the same. This highlights that cybercriminals aren’t slowing down just because consumers are spending more time offline. Additionally, bot traffic doesn’t always correlate to its severity because sophisticated bots will often keep their attack volumes purposely moderate to evade detection tools and come across as genuine traffic.
When it comes to the automated attacks that caused the most damage to e-commerce sites, these can be broken down into four categories:
Scraping
Scraping occurs when attackers use bots to crawl websites and capture pricing information and product details. Competitors will often use this to gain intelligence on other e-commerce sites, and it can end up costing victims up to 14.7% of their annual website revenue. The threat is a significant problem for retailers today, and scraping bot activity was estimated to remain between 23% and 26% of total traffic volume in 2021.
Carding
Carding attacks occur when criminals test stolen credit cards on e-commerce sites to make purchases of goods and gift cards. The percentage of carding attacks out of total checkout attempts rose steadily throughout much of 2021, averaging 5.06%. Successful carding attacks cause financial losses for retailers due to refunds to customers and because products and gift cards are being shipped to cybercriminals.
Credential Stuffing and Account Takeover
Credential stuffing and account takeover attacks involve attackers testing stolen user credentials on e-commerce sites and then taking over accounts. Once they have access to accounts, they can purchase goods, cash in loyalty points, sell their credentials on the dark web, or even take out lines of credit. Malicious login attempts out of total logins trended upwards during 2021, reaching a staggering 93.8% of all login attempts in August, an 8% increase on the 2020 peak.
Scalping
In scalping attacks, criminals use bots to purchase coveted goods, such as concert tickets or limited-edition apparel, either to put the product out of stock or to resell it online at a higher price. Looking specifically at online retailers that sold those high-demand products last year, scalping attacks were more than four times as prevalent as the industry average. Scalping bots comprised 40.13% of total checkout requests for hot products, while the percentage over all e-commerce segments was 8.32%.
A retailer’s website has steadily evolved into its digital headquarters, and today it is the primary platform to interact with customers, sell goods and build brands and reputation. But with such a high dependence on digital, the security stakes have also been raised, and attackers now have a treasure trove of data to steal and exploit. As a result, e-commerce sites must take steps to protect their data and their customers against automated threats.
Considering the scale and potential costs of automated attacks, organizations must disrupt the web attack lifecycle to protect users’ account and identity information everywhere along their digital journey.
Here are a few steps e-commerce retailers can take to prevent automated fraud:
- Assess your risks: Conduct an audit of malicious activity on your applications, including malicious login attempts, checkout attacks and overall bad bot traffic.
- Identify target pages: Make key product pages harder to scrape by using JavaScript elements or other techniques to modify page code and composition slightly.
- Review your security infrastructure: Identify the strengths and weaknesses of your existing tools. For example, web application firewalls (WAFs) can block the attack classes in the OWASP Top Ten, but not sophisticated bots that mimic human behavior or botnets that rotate through thousands of different IP addresses.
- Analyze the impact on consumers: Some tools, such as CAPTCHAs or multifactor authentication (MFA), add friction to the user journey, causing frustration and driving cart abandonment.
- Protect your revenue and reputation: Leverage machine learning and behavioral analysis to detect and mitigate malicious bots without adding friction to the buyer journey.
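As an added illustration of the "assess your risks" step (example code written for this page, not PerimeterX's or the article's own tooling), the script below computes the two ratios the article cites, malicious logins out of total logins and declined card attempts out of total checkouts, over a constructed log, and shows why a per-IP failure threshold misses a botnet that spreads its attempts across many addresses. The log format, the status codes (401 = failed login, 402 = declined payment) and the thresholds are assumptions.

```python
"""Audit login and checkout traffic for automated-fraud signals."""
from collections import Counter, defaultdict

# Constructed sample log (hypothetical format: ip method path key=value ...).
# Login failures are spread over many IPs so no single IP trips a per-IP limit,
# while one IP cycles through several card BINs at checkout.
SAMPLE_LOG = """\
203.0.113.10 POST /login user=alice status=200
203.0.113.11 POST /login user=alice status=401
203.0.113.12 POST /login user=alice status=401
203.0.113.13 POST /login user=alice status=401
203.0.113.14 POST /login user=bob status=401
203.0.113.15 POST /login user=carol status=401
198.51.100.7 POST /login user=dave status=200
198.51.100.7 POST /checkout card_bin=411111 status=402
198.51.100.7 POST /checkout card_bin=522222 status=402
198.51.100.7 POST /checkout card_bin=533333 status=402
198.51.100.8 POST /checkout card_bin=411111 status=200
"""

def parse_log(text):
    """Turn each line into a dict of ip/method/path plus key=value fields."""
    events = []
    for line in text.splitlines():
        ip, method, path, *fields = line.split()
        ev = {"ip": ip, "method": method, "path": path}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events

def login_audit(events, per_ip_limit=3, many_ips=3):
    """Failed-login ratio, IPs over a naive per-IP limit, and users hit from many IPs."""
    logins = [e for e in events if e["path"] == "/login"]
    failed = [e for e in logins if e["status"] != "200"]
    ips_per_user = defaultdict(set)
    for e in failed:
        ips_per_user[e["user"]].add(e["ip"])
    per_ip = Counter(e["ip"] for e in failed)
    return {
        "failed_login_ratio": len(failed) / len(logins),
        "ips_over_limit": [ip for ip, n in per_ip.items() if n >= per_ip_limit],
        "users_hit_from_many_ips": [u for u, s in ips_per_user.items() if len(s) >= many_ips],
    }

def checkout_audit(events, distinct_bin_limit=3):
    """Declined-checkout ratio and IPs testing many different card BINs (carding)."""
    checkouts = [e for e in events if e["path"] == "/checkout"]
    declined = [e for e in checkouts if e["status"] == "402"]
    bins_per_ip = defaultdict(set)
    for e in declined:
        bins_per_ip[e["ip"]].add(e["card_bin"])
    return {
        "declined_checkout_ratio": len(declined) / len(checkouts),
        "carding_suspects": [ip for ip, b in bins_per_ip.items() if len(b) >= distinct_bin_limit],
    }
```

On the sample, no IP exceeds the per-IP limit, yet 5 of 7 logins fail and one account is attacked from three addresses, which is the signal a per-IP rule cannot see.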
The threat of bot-based attacks is increasing, but you can reduce or even eliminate the hazards and protect your customers, company, and reputation with proper planning and security partners.