According to Deloitte, this holiday shopping season will make a strong comeback, with spending expected to surpass pre-pandemic levels for the first time. Consumers are gearing up to spend an average of $1,652, reflecting a 14 percent year-over-year increase, while retailers look forward to boosting sales.
Retailers, however, aren’t the only ones hoping to reap the benefits of motivated holiday shoppers. Cybercriminals are laying the groundwork for a season of campaigns focused on harmful activities that include stealing website content, account hacking, and distributed denial of service (DDoS) attacks. Their partners in crime? Sophisticated bots. Retailers need to be prepared for these ill-intentioned adversaries that are programmed to run criminal activities to interfere with user experience, damage brands, and threaten sales.
A Surge in Bot Activity
As we approach the biggest shopping days of the year, retailers should prepare for a major surge in bot traffic. For example, in the run-up to Black Friday last year, a global retailer with multiple website domains experienced a substantial escalation in attacks (Figure 1). Fraudsters targeted the retailer’s domains, driving nearly 54 million bot attacks in just one week. These attacks included account takeovers, content and price scraping, and API abuse.
More Disruptions in Website Functionality
Not only should retailers expect to see more bots during the 2023 holiday season, but also more website disruption. Cybercriminals are skillful at deploying malicious bots designed to cause website performance issues such as slowdowns, crashes, or rendering pages unavailable to genuine customers. For shoppers, this translates to poor online experiences, frustration, and abandoned carts. For retailers, it can lead to a loss of revenue.
Often these disruptive activities are orchestrated through DDoS attacks. A DDoS attack occurs when multiple machines operate together to flood a server with internet traffic and prevent users from accessing online services. As shown in Figure 2, one retailer encountered application DDoS attempts on their login page originating from rotating IPs.
A Rise in Account Takeover Incidents
When they are not busy disrupting website performance, bad bots can also be used for account takeovers (ATO). Unfortunately, ATOs are on the rise, resulting in increased financial losses.
ATOs are a form of identity theft where a fraudster illegally uses bots to acquire a customer’s login and password and then gain access to personal information, credit card details, store rewards, and more. Their goal? Unauthorized purchases. The holiday shopping season is prime time for takeover attempts because the volumes of unsuspecting online shoppers are so high.
To infiltrate accounts, cybercriminals employ unscrupulous methods, including credential stuffing and guessing techniques such as credential cracking. In the lead-up to Black Friday, there is often an increase in compromised login credentials circulating on underground forums, providing cybercriminals with even more resources for account takeover attacks.
As shown in Figure 3, a footwear retailer faced a staggering surge of more than 16 million account takeover attempts on its global website in the weeks leading up to Black Friday.
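As an added illustration (not part of the original article) of the two login-page patterns described above, credential stuffing and application DDoS from rotating IPs, the following Python heuristic scans a constructed set of login events from a retailer's web tier. The event format, the thresholds and the function name are assumptions, not tuned values or any vendor's detection logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events: (timestamp, source IP, username, result).
# Three sources rotate across many usernames; one genuine customer logs in.
SAMPLE_LOG = [
    ("2023-11-20T09:00:01", "203.0.113.10", "alice", "fail"),
    ("2023-11-20T09:00:02", "203.0.113.11", "bob", "fail"),
    ("2023-11-20T09:00:02", "203.0.113.12", "carol", "fail"),
    ("2023-11-20T09:00:03", "203.0.113.10", "dave", "fail"),
    ("2023-11-20T09:00:03", "203.0.113.11", "alice", "fail"),
    ("2023-11-20T09:00:04", "203.0.113.12", "alice", "fail"),
    ("2023-11-20T09:00:04", "203.0.113.10", "erin", "fail"),
    ("2023-11-20T09:00:05", "203.0.113.11", "frank", "fail"),
    ("2023-11-20T09:00:05", "203.0.113.12", "grace", "fail"),
    ("2023-11-20T09:00:30", "198.51.100.7", "alice", "success"),
]

# Illustrative thresholds (assumed for this example, not tuned values).
WINDOW = timedelta(seconds=60)   # sliding window for the flood check
MAX_USERS_PER_IP = 2             # distinct usernames one IP may fail on
MAX_IPS_PER_USER = 2             # distinct IPs that may fail on one user
MAX_FAILS_PER_WINDOW = 8         # total failed logins tolerated per window

def analyse_logins(events):
    users_per_ip = defaultdict(set)
    ips_per_user = defaultdict(set)
    failures = []
    for ts, ip, user, result in events:
        if result != "fail":
            continue
        users_per_ip[ip].add(user)
        ips_per_user[user].add(ip)
        failures.append(datetime.fromisoformat(ts))
    # One source failing across many usernames: credential-stuffing signature.
    stuffing_ips = sorted(ip for ip, u in users_per_ip.items() if len(u) > MAX_USERS_PER_IP)
    # One username failing from many sources: the rotating-IP pattern.
    targeted_users = sorted(u for u, ips in ips_per_user.items() if len(ips) > MAX_IPS_PER_USER)
    # Sliding window over sorted failure times: application-layer login flood.
    failures.sort()
    flood = False
    start = 0
    for end, t in enumerate(failures):
        while t - failures[start] > WINDOW:
            start += 1
        if end - start + 1 > MAX_FAILS_PER_WINDOW:
            flood = True
            break
    return {"stuffing_ips": stuffing_ips, "targeted_users": targeted_users, "login_flood": flood}
```

Real deployments would feed this from the WAF or bot-management logs and tune the thresholds against normal holiday traffic so that legitimate shared IPs (corporate NAT, carrier-grade NAT) are not flagged.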
A Defensive Strategy
To defend against malicious bots and improve their security posture, retailers can take several steps in preparation for the holiday season. Relying solely on an in-house solution or a web application firewall (WAF) may not provide the level of protection required.
- Implement a zero-trust architecture: To strengthen their security posture, retailers should adopt a ‘trust nothing, verify everything’ approach for granting and controlling access to critical systems used by employees and affiliates.
- Educate customers on security: The busy shopping season is the perfect time for retailers to remind online shoppers to be cautious of phishing campaigns that use brand names and to verify the authenticity of websites. Also, encourage shoppers to safeguard their personal and payment data.
- Conduct regular audits: Cyberthreats can come from various sources, including third-party software. Regular audits of third-party software are important to close security gaps and address vulnerabilities. This includes ensuring that only authenticated users have access to protected resources and that patching is up to date.
- Foster awareness of cybersecurity best practices: Begin by educating employees about the dangers of phishing attacks and social engineering tactics that can compromise security and access to sensitive business and customer data.
- Limit the storage of PII: To reduce the risk of Personally Identifiable Information (PII) falling into the hands of malicious actors, retailers should limit storage to the minimum required for business purposes. By doing so, they can reduce the threat of data breaches.
- Comply with PCI-DSS: To protect against payment-related risks and safeguard customer data, retailers must comply proactively with the Payment Card Industry Data Security Standard (PCI-DSS) requirements.
- Adopt specialized bot mitigation: The reality is traditional security solutions may not be sufficient to counter the growing sophistication of bot-driven cybercrimes. Dedicated bot management solutions permit legitimate visitors to access retail websites and applications while thwarting malicious bots engaged in activities such as cart abandonment, carding, denial of inventory, application DDoS, scalping, price and content scraping, spamming, and other harmful actions.
As retailers gear up for the holiday season, strengthening their digital presence against cyberthreats is critical. By implementing proactive security measures, retailers can ensure a seamless, secure shopping experience for their customers.
Neetu Singh is a cybersecurity solution lead with Radware. In her role, she specializes in application security and threat intelligence, working closely with Radware’s product and threat research teams. Neetu has diverse domain expertise across many industry sectors, including banking, financial services, insurance (BFSI), and travel. She has led marketing initiatives, partnerships, collaborations, and campaigns for enterprise and SMB markets. She frequently writes about cloud trends, industry 4.0, and SMAC (social, mobile, analytics, and cloud) among other topics. Neetu holds an MBA in marketing from NMIMS University in Mumbai.