Peter Klimek at Imperva shares his insights into which cyber threats businesses need to guard against over the coming weeks
From online fraud and supply chain attacks to ransomware or DDoS-related outages, retailers are constantly dealing with a flood of IT security issues. Faced with so many competing threats, it can be difficult for businesses to know where to invest to best protect themselves.
But what are the biggest dangers this holiday season? The latest research report from Imperva Research Labs found three key threats that retailers should watch out for this holiday shopping season.
Bad bots are used by a host of different actors to carry out both illegal activities (such as Account Takeover attacks) and quasi-legal activities (data scraping, denial of inventory attacks and so on) against retailers. This year, the volume of bot attacks per month against retail websites has increased by 13% over 2020. Indeed, the new report from Imperva Research Labs found that bots are responsible for more than half (57%) of attacks on eCommerce sites this year, nearly double the average for all other industries (33%).
Even worse, nearly a quarter (23.4%) of these attacks came from sophisticated bad bots. This breed of bot is the hardest to stop because it can mimic human behaviour, allowing it to evade simple defences. These bots are the ones responsible for serious attacks such as Account Takeover attempts, fraud or denial of inventory that makes it harder for legitimate customers to get the items they want.
Over the past 12 months, no industry has been targeted by application layer DDoS attacks as much as retail. These attacks are favoured by hackers because they are highly effective, consuming both network and server resources, while defending against them is difficult because it requires the ability to distinguish between attack traffic and normal traffic.
Moreover, the threat from DDoS attacks is mutating rapidly. The Imperva 2021 Global DDoS Threat Landscape Report found that the size, volume, frequency, and complexity of DDoS attacks have all evolved in the last 12 months. For example, while the volume of DDoS attacks is increasing, the duration of attacks is actually going down. These shorter attacks are dangerous as they may be a distraction tactic and part of a wider multi-vector attack. In particular, for those retailers with legacy DDoS solutions – which are often configured to ignore this level of activity – this approach gives hackers the opportunity to stay under the radar and scope out larger attacks to cause maximum damage.
Finally, attacks on retail websites have been notably higher than on all other industries since Q4 2020. Because retail sites are prime targets due to the payment information they hold, they were also subjected to higher volumes of data leakage attacks than all other industries (31.3% to 26.9%).
Surviving the holiday season
So how should retailers prepare themselves this holiday season? The first step is making sure that all aspects of your IT infrastructure are able to handle an uptick in traffic — for bot traffic, legitimate human traffic and even DDoS attack traffic. For example, on the DDoS side, Black Friday and Cyber Monday are often favourite times for hackers to attack, so retailers need to carry out rigorous stress-testing to ensure sudden and dramatic increases in web traffic won’t cause an unexpected outage.
In the same vein, retailers need to review their bot management capabilities and be confident that, even during times of high traffic, they can identify and filter out bad bots, while not disrupting the online experience for legitimate customers or blocking good and necessary bots.
Secondly, it’s crucial to protect existing website functionalities and make sure newly added ones are safe, too. This is especially true for those website functionalities that are highly exploitable by bad bots. For example, if you add or change the login functionality, this can open up the possibility of more Credential Stuffing and Credential Cracking attacks.
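The two login-abuse patterns named above show up differently in an authentication audit log: credential stuffing is one source trying many different usernames with mostly failed logins, while credential cracking is one source hammering a single username. The following is an added example, not the article's or Imperva's code, of a minimal detector that distinguishes the two over constructed audit lines; the log format, the thresholds and the addresses are assumptions for the demonstration.

```python
# Added example, not the article's code: a minimal detector for credential stuffing
# (one source trying many different usernames, mostly failing) and credential cracking
# (one source hammering a single username) over constructed login-audit lines.
# The log format and the thresholds are assumptions for the demonstration.
from collections import defaultdict

# Constructed sample audit lines (not real traffic); RFC 5737 documentation addresses.
LOG_LINES = """
2021-11-26T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2021-11-26T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2021-11-26T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2021-11-26T10:00:03Z ip=203.0.113.7 user=dave result=OK
2021-11-26T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2021-11-26T10:01:10Z ip=198.51.100.9 user=frank result=FAIL
2021-11-26T10:01:11Z ip=198.51.100.9 user=frank result=FAIL
2021-11-26T10:01:12Z ip=198.51.100.9 user=frank result=FAIL
2021-11-26T10:01:13Z ip=198.51.100.9 user=frank result=FAIL
2021-11-26T10:05:00Z ip=192.0.2.5 user=grace result=FAIL
2021-11-26T10:05:20Z ip=192.0.2.5 user=grace result=OK
""".strip().splitlines()

def parse_line(line):
    """Return (ip, user, result) from one 'timestamp key=value ...' audit line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["ip"], fields["user"], fields["result"]

def analyse(lines, min_users=5, min_fail_ratio=0.8, min_per_user=4):
    """Map source IP -> finding. Stuffing: >= min_users distinct usernames and a
    failure ratio >= min_fail_ratio. Cracking: >= min_per_user attempts on one username."""
    attempts, failures, users = defaultdict(int), defaultdict(int), defaultdict(set)
    per_user = defaultdict(int)  # (ip, user) -> attempts against that one account
    for line in lines:
        ip, user, result = parse_line(line)
        attempts[ip] += 1
        failures[ip] += result != "OK"
        users[ip].add(user)
        per_user[(ip, user)] += 1
    findings = {}
    for ip in attempts:
        if len(users[ip]) >= min_users and failures[ip] / attempts[ip] >= min_fail_ratio:
            findings[ip] = "credential_stuffing"
    for (ip, _), n in per_user.items():
        if n >= min_per_user:
            findings.setdefault(ip, "credential_cracking")
    return findings

if __name__ == "__main__":
    for ip, kind in analyse(LOG_LINES).items():
        print(f"{ip}: {kind}")  # two flagged sources; 192.0.2.5 is not listed
```

In production the same counters would be kept per sliding time window and keyed on more than the source address, since sophisticated bots rotate IPs; the point here is that the two patterns need different signals, not the exact thresholds.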
Getting to grips with the plethora of threats facing retailers this holiday season can be a bit dispiriting. As cyber-criminals increasingly turn to automation, attacks are coming in round the clock and, for retailers, the signs suggest this year may be the worst yet.
However, while it can be hard to keep up with the speed at which hackers’ tactics evolve, it’s far from an impossible challenge, especially with some good forward planning. Forewarned is forearmed, as they say, and those retailers that have proper protection against DDoS attacks, bots, and website attacks are the ones best placed to succeed as we look to 2022.
Peter Klimek is Director of Technology at Imperva.