The top cyber-threats facing retailers this holiday season

Peter Klimek at Imperva shares his insights into which cyber threats businesses need to guard against over the coming weeks

From online fraud and supply chain attacks to ransomware or DDoS-related outages, retailers are constantly dealing with a flood of IT security issues. Faced with so many competing threats, it can be difficult for businesses to know where to invest to best protect themselves.

But what are the biggest dangers this holiday season? The latest research report from Imperva Research Labs found three key threats that retailers should watch out for this holiday shopping season.

Bad Bots

Bad bots are used by a host of different actors to carry out both illegal activities (such as Account Takeover attacks) and quasi-legal activities (data scraping, denial of inventory attacks and so on) against retailers. This year, the volume of bot attacks per month against retail websites has increased by 13% over 2020. Indeed, the new report from Imperva Research Labs found that bots are responsible for more than half (57%) of attacks on eCommerce sites this year, nearly double the average for all other industries (33%).

Even worse, nearly a quarter (23.4%) of these attacks came from sophisticated bad bots. This breed of bot is the hardest to stop because they’re able to mimic human behaviour, allowing them to evade simple defences. These bots are the ones responsible for serious attacks such as Account Takeover attempts, fraud or denial of inventory that makes it harder for legitimate customers to get the items they want.

DDoS attacks

Over the past 12 months, no industry has been targeted by application layer DDoS attacks as much as retail. These attacks are favoured by hackers because they are highly effective, consuming both network and server resources, while defending against them is difficult because it requires the ability to distinguish between attack traffic and normal traffic.

Moreover, the threat from DDoS attacks is mutating rapidly. The Imperva 2021 Global DDoS Threat Landscape Report found that the size, volume, frequency, and complexity of DDoS attacks have all evolved in the last 12 months. For example, while the volume of DDoS attacks is increasing, the duration of attacks is actually going down. These shorter attacks are dangerous as they may be a distraction tactic and part of a wider multi-vector attack. In particular, for those retailers with legacy DDoS solutions – which are often configured to ignore this level of activity – this approach allows hackers the opportunity to stay under the radar and scope out larger attacks to cause maximum damage.

Website attacks

Finally, attacks on retail websites have been notably higher than in all other industries since Q4 2020. Because retail sites are prime targets due to the payment information they hold, they were also subjected to a higher proportion of data leakage attacks than all other industries (31.3% versus 26.9%).

Part of the reason that this is such a common route of attack is because common website functionalities – such as chatbots, payment services, and web analytics – are enabled by third-party JavaScript that executes on the client side (i.e. the browser) where it is less likely to be noticed. These features are essential for eCommerce, but are increasingly vulnerable to attack.

Worse, since many of these services operate outside of the security team’s control, they are a blind spot for organizations and a potential fraud risk for consumers. If not properly secured, compromised third-party JavaScript code can lead to formjacking, cryptojacking, malicious ad injection, data skimming and many more risks that impact both retailers and consumers.

Surviving the holiday season

So how should retailers prepare themselves this holiday season? The first step is making sure that all aspects of your IT infrastructure are able to handle an uptick in traffic, whether bot traffic, legitimate human traffic or even DDoS attack traffic. For example, on the DDoS side, Black Friday and Cyber Monday are favourite times for hackers to attack, so retailers need to carry out rigorous stress-testing to ensure sudden and dramatic increases in web traffic won’t cause an unexpected outage.

In the same vein, retailers need to review their bot management capabilities and be confident that, even during times of high traffic, they can identify and filter out bad bots, while not disrupting the online experience for legitimate customers or blocking good and necessary bots.

Secondly, it’s crucial to protect existing website functionalities and make sure newly added ones are safe, too. This is especially true for those website functionalities that are highly exploitable by bad bots. For example, if you add or change the login functionality, this can open up the possibility of more Credential Stuffing and Credential Cracking attacks.

Finally, take inventory of all your client-side and server-side JavaScript-based services. Magecart-style attacks are notorious for making use of compromised first- or third-party JavaScript to exfiltrate sensitive information from website forms such as login and checkout. For hackers, targeting eCommerce sites with a lot of transactions, especially during times of high traffic, is an ideal strategy. Therefore, retailers need to ensure they have the capabilities in place to identify and assess the risk of each JavaScript-based service, as well as to block unauthorized ones from executing.
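As an added illustration of that inventory step (example code, not part of the article or of any Imperva product), the following Python script lists the script tags on a page, separates first-party from third-party sources, checks third-party hosts against a hypothetical security-team allowlist, flags approved scripts that lack Subresource Integrity, and emits the Content-Security-Policy `script-src` directive that would block anything outside the approved set. The sample checkout HTML, the site host `shop.example` and the allowlist are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page: one first-party script, one approved
# third-party script with SRI, one unapproved third-party script, one inline script.
SAMPLE_HTML = """
<html><body>
<script src="/static/checkout.js"></script>
<script src="https://analytics.example/tag.js"
        integrity="sha384-AAAA"></script>
<script src="https://cdn.unknown-widget.example/chat.js"></script>
<script>trackPageView();</script>
</body></html>
"""

# Hypothetical allowlist of third-party script hosts the security team has reviewed.
APPROVED_HOSTS = {"analytics.example"}


class ScriptInventory(HTMLParser):
    """Collects every <script> element with its src and whether it carries SRI."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        self.scripts.append({"src": a.get("src"), "sri": "integrity" in a})


def inventory(html, site_host, approved_hosts):
    """Return (findings, csp): one (category, src, note) tuple per script and the
    CSP script-src directive that permits only first-party and approved hosts."""
    parser = ScriptInventory()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"] is None:
            findings.append(("inline", None, "review: inline script; move to a file or use a CSP nonce"))
            continue
        host = urlparse(s["src"]).hostname or site_host  # relative URL -> first party
        if host == site_host:
            findings.append(("first-party", s["src"], None))
        elif host in approved_hosts:
            findings.append(("approved", s["src"], None if s["sri"] else "missing integrity attribute (SRI)"))
        else:
            findings.append(("unapproved", s["src"], "not on allowlist; CSP below would block it"))
    csp = "script-src 'self' " + " ".join(sorted(approved_hosts))
    return findings, csp
```

Running `inventory(SAMPLE_HTML, "shop.example", APPROVED_HOSTS)` surfaces the unreviewed chat widget and the inline script for follow-up, and the returned directive is what a CSP header would carry to stop the unapproved host from executing.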

Planning ahead

Getting to grips with the plethora of threats facing retailers this holiday season can be a bit dispiriting. As cyber-criminals increasingly turn to automation, attacks are coming in round the clock and, for retailers, the signs suggest this year may be the worst yet.

However, while it can be hard to keep up with the speed at which hackers’ tactics evolve, it’s far from an impossible challenge, especially with some good forward planning. Forewarned is forearmed, as they say, and those retailers that have proper protection against DDoS attacks, bots, and website attacks are the ones best placed to succeed as we look to 2022.

Peter Klimek is Director of Technology at Imperva.

Copyright Lyonsdown Limited 2021
