{"id":14336,"date":"2024-12-01T21:18:26","date_gmt":"2024-12-01T21:18:26","guid":{"rendered":"https:\/\/dmsretail.com\/RetailNews\/bad-bots-news-retail-technology\/"},"modified":"2024-12-01T21:18:26","modified_gmt":"2024-12-01T21:18:26","slug":"bad-bots-news-retail-technology","status":"publish","type":"post","link":"https:\/\/dmsretail.com\/RetailNews\/bad-bots-news-retail-technology\/","title":{"rendered":"Bad bots | News | Retail Technology"},"content":{"rendered":"<p> <p><a href=\"https:\/\/dmsretail.com\/online-workshops-list\/\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-496\" src=\"https:\/\/dmsretail.com\/RetailNews\/wp-content\/uploads\/2022\/05\/RETAIL-ONLINE-TRAINING-728-X-90.png\" alt=\"Retail Online Training\" width=\"729\" height=\"91\" srcset=\"https:\/\/dmsretail.com\/RetailNews\/wp-content\/uploads\/2022\/05\/RETAIL-ONLINE-TRAINING-728-X-90.png 729w, https:\/\/dmsretail.com\/RetailNews\/wp-content\/uploads\/2022\/05\/RETAIL-ONLINE-TRAINING-728-X-90-300x37.png 300w\" sizes=\"auto, (max-width: 729px) 100vw, 729px\" \/><\/a><\/p><br \/>\n<\/p>\n<div>\n<p><strong>Tim Ayling, Vice President Cyber Security Solutions EMEA for Imperva, explains the rise of bad bots during peak season<\/strong><\/p>\n<p>Cybercriminals are opportunists, channelling their efforts towards the easiest targets and vulnerabilities, and ramping up attacks when there are more online users to target. Black Friday and the Christmas shopping season is one such profitable period \u2013 and not just for retailers.<\/p>\n<p>According to Imperva, some days around Black Friday last year saw a 54% increase in malicious bot traffic, while Cyber Monday experienced a whopping 42% more traffic than on Black Friday. Needless to say, bad actors capitalise on those seeking the best deals during the festive shopping season, with cyberattacks intensifying. 
These cybercriminals deploy malicious bots and other tactics to exploit vulnerabilities on ecommerce sites, attacking both the websites themselves as well as targeting consumers to steal their sensitive data.<\/p>\n<p>And the knock-on impact? While the personal accounts and web browsers of everyday consumers could be infiltrated, retailers are at risk of having their operations halted, their inventory depleted, and the resulting customer experience badly affected. So, what are the risks we\u2019re up against, and how can retailers proactively mitigate cyberattacks this holiday shopping season?<\/p>\n<p><span class=\"s4\">The risks<\/span><\/p>\n<p><span class=\"s5\">Bad bot attacks<\/span><\/p>\n<p>Alongside the flood of legitimate traffic from shoppers around Black Friday, the online retail industry is victim to an average of 101,950 bot-related incidents daily. These attacks focus on high-demand products, exploit new user discounts, compromise sensitive information, and engage in price and content scraping. Retail websites had 28% of automated traffic classified as malicious, but a whopping 58% of this was \u2018advanced\u2019, showing the scale of the threat.<\/p>\n<p><span class=\"s5\">Denial of service<\/span><\/p>\n<p>Bad bots are also harnessed for Distributed Denial-of-Service (DDoS) attacks, flooding retailers\u2019 networks and servers to overwhelm their capacity with the intention of taking them offline completely. DDoS attacks specifically on retail websites increased 61% since last year, according to the Imperva research.<\/p>\n<p><span class=\"s5\">Account Takeover<\/span><\/p>\n<p>Alongside bad bots, Account Takeover attacks (ATOs) are a frequent way that online accounts are compromised by bad actors. 
ATOs are usually automated, with attackers trying tactics like credential stuffing, for example \u2013 where bots are used to repeatedly attempt to log into a user account using a list of common or breached passwords.<\/p>\n<p>Once compromised, attackers can engage in various forms of fraud, from making unauthorised purchases to stealing sensitive data and exploiting stored payment methods like credit card details and gift card codes.<\/p>\n<p><span class=\"s5\">Evasive Bad Bots<\/span><\/p>\n<p>Complexity is heightened with the growth of Evasive Bad Bots. Using complex tactics like cycling through random IPs, entering via anonymous proxies, delaying requests and mimicking human behaviour, these use a \u2018low and slow\u2019 approach to avoid detection and carry out significant attacks using fewer requests. Reducing the noise in this way makes it more difficult to detect them \u2013 and they\u2019re popular for attacking retail websites. These kinds of bots make up 70% of all bad bot traffic on these sites, compared to 51% on other websites.<\/p>\n<p>In sum, retailers need a comprehensive bot management strategy to safeguard their platforms and ensure smooth shopping experiences. This should include actions like:<\/p>\n<p><span class=\"s4\">1. <\/span><span class=\"s4\">Identifying risks and evaluating traffic<\/span> \u2013 Security teams should map out potential vulnerabilities within their site, whether that\u2019s login endpoints, account creation pages or product pages. Bring in tools to help monitor for any anomalies or spikes in activity, and analyse traffic to help respond more quickly to suspicious behaviour.<\/p>\n<p><span class=\"s4\">2. <\/span><span class=\"s4\">Identify <\/span><span class=\"s4\">API<\/span><span class=\"s4\">s<\/span>: Organisations may not realise the volume of undocumented, unmonitored APIs (Shadow APIs) and outdated, out of use APIs (Zombie APIs) that may exist in their networks. 
Rolling out an API discovery solution would be beneficial to have a better understanding of all potential gateways for bad actors.<\/p>\n<p><span class=\"s4\">3. <\/span><span class=\"s4\">Safeguard <\/span><span class=\"s4\">those e<\/span><span class=\"s4\">ntry points<\/span>: All exposed APIs and mobile applications need to be secure beyond your website, as they are common malicious entry points. Use strong rate limiting, encryption and authentication to protect and mitigate risk.<\/p>\n<p><span class=\"s4\">4. <\/span><span class=\"s4\">Limit proxies <\/span>\u2013 Many bulk IP data centres are well known, so it\u2019s possible to limit traffic from these sources and in turn significantly reduce the chances of bot traffic infiltrating your site.<\/p>\n<p><span class=\"s4\">5. <\/span><span class=\"s4\">Rate limiting<\/span> <span class=\"s4\">\u2013<\/span> Set a maximum number of requests that a user can make within a specific timeframe, and in so doing you can help make sure your site stays responsive to genuine customers. Brute-force login attempts or carding, where bots test stolen credit card details repeatedly, are made more difficult by this.<\/p>\n<p><span class=\"s4\">6. <\/span><span class=\"s4\">Be alert to signs of automation \u2013 <\/span>Modern bots often use special browsers that simulate human behaviour while automating interactions with a website. Whether it\u2019s unnaturally fast interactions, abnormal browsing patterns, or simply navigating through pages too quickly, detection strategies can be established to identify and block these actions before they escalate.<\/p>\n<p><span class=\"s4\">7. <\/span><span class=\"s4\">Implement client-side security \u2013 <\/span>Client-side in this case refers to securing the side of your web applications that are accessible to customers and end users. 
Here attacks like digital skimming, where malicious JavaScript is injected into the code used on legitimate websites, often through vulnerable scripts in the software supply chain, are a real risk. Retail websites in particular load large numbers of client-side resources \u2013 an average of 398 resources per site \u2013 making them prime targets for attackers looking to exploit this blind spot. This is why security standards such as PCI DSS 4.0.1 are in place, placing expectations on retailers to enhance their client-side security, including continuous monitoring and real-time detection.<\/p>\n<p>In summary, retailers should take a layered defence strategy against automated and sophisticated threats. By integrating DDoS, client-side, and bot protection, alongside running a Web Application Firewall (WAF) on their systems, retailers can be assured that their applications and data are safeguarded at scale. In the process, they\u2019ll be in a far better place to maintain business continuity, and offer a secure and stable website experience for customers at such an important time of the year.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Tim Ayling, Vice President Cyber Security Solutions EMEA for Imperva, explains the rise of bad bots during peak season Cybercriminals are opportunists, channelling their efforts 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":14337,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-14336","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/14336","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/comments?post=14336"}],"version-history":[{"count":0,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/14336\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media\/14337"}],"wp:attachment":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media?parent=14336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/categories?post=14336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/tags?post=14336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}