Imperva releases The State of Security within eCommerce 2022 report, Imperva Threat Research’s 12-month analysis of cybersecurity threats targeting the retail industry.
Cybersecurity threats in the retail industry
Account takeover, credit card fraud, web scraping, API abuse, Grinch bots, distributed denial of service (DDoS) attacks, and many other automated threats are a persistent challenge for the e-commerce industry, threatening online sales and jeopardizing customer satisfaction. The ongoing barrage of attacks against retailer websites, applications, and APIs is a business risk to the retail industry throughout the calendar year and during peak holiday shopping seasons.
Lynn Marks, senior product manager at Imperva, said: “Our industry faces a variety of security risks, most of which are automated and operate around the clock. Retailers need a unified approach to thwart these persistent attacks, one that focuses on protecting data and has the means to quickly mitigate attacks without disrupting shoppers.”
Automated adversaries
In the last 12 months, nearly 40% of retailer website traffic was not human. Instead, it came from bots, often operator-controlled software applications performing automated tasks with malicious intent. In retail, the infamous Grinch bot is notorious for hoarding inventory during the holiday shopping season, scooping up high-demand items, and making it difficult for consumers to buy gifts online.
Key trends include:
- Of all retailer website traffic, 23.7% came from malicious bots, malicious automation that contributes to online fraud. The share of advanced bots (scripts that use modern evasion techniques to mimic human behavior and avoid detection) on retail sites increased year-over-year (from 23.4% to 31.1%). Sophisticated bots are quite a challenge for organizations to stop without proper defenses in place.
- In 2021, bot-related attacks on retail sites increased 10% in October and another 34% in November. This suggests that bot operators ramp up their malicious efforts during the peak holiday shopping season.
- Account Takeover (ATO) is another form of online fraud in which cybercriminals attempt to compromise online accounts using stolen usernames and passwords. In 2021, 64.1% of ATO attacks used advanced bad bots. Of all login attempts on retail websites, 22.6% were malicious, nearly double the rate recorded for sites in other industries. In credential stuffing attacks targeting retailers, attackers used compromised credentials 94.7% of the time, compared to 69.6% for other industries.
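The credential-stuffing pattern described above (many distinct accounts tried from one source in a short burst, mostly failing, with the occasional success where a leaked password still works) is what a login-log detector looks for. The following is an added example written for this page, not code from Imperva or from the report; the log format, the sample lines and the thresholds (8 attempts, 5 distinct users, 80% failures within 60 seconds) are constructed for illustration and would be tuned to a real site's traffic.

```python
"""Flag credential-stuffing bursts in web login logs (added example).

Groups login events by source IP, slides a time window over each IP's
attempts and raises an alert when one source tries many distinct accounts
with a high failure ratio. Successful logins inside a flagged burst are
reported separately: those accounts were likely reached with compromised
credentials and are candidates for a forced password reset.
Log format and sample lines are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.10 sprays ten accounts in six seconds (one succeeds);
# 198.51.100.7 looks like a person retrying their own password.
SAMPLE_LOG = """\
2022-11-21T10:00:01Z 203.0.113.10 alice FAIL
2022-11-21T10:00:02Z 203.0.113.10 bob FAIL
2022-11-21T10:00:02Z 203.0.113.10 carol FAIL
2022-11-21T10:00:03Z 203.0.113.10 dave OK
2022-11-21T10:00:03Z 203.0.113.10 erin FAIL
2022-11-21T10:00:04Z 203.0.113.10 frank FAIL
2022-11-21T10:00:04Z 203.0.113.10 grace FAIL
2022-11-21T10:00:05Z 203.0.113.10 heidi FAIL
2022-11-21T10:00:05Z 203.0.113.10 ivan FAIL
2022-11-21T10:00:06Z 203.0.113.10 judy FAIL
2022-11-21T10:00:10Z 198.51.100.7 alice FAIL
2022-11-21T10:00:25Z 198.51.100.7 alice FAIL
2022-11-21T10:00:40Z 198.51.100.7 alice OK
2022-11-21T10:05:00Z 192.0.2.44 mallory FAIL
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, user, result == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60),
                               min_attempts=8, min_distinct_users=5,
                               min_failure_ratio=0.8):
    """Return {src_ip: alert} for sources whose login burst matches the
    stuffing profile. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            attempts = len(burst)
            if attempts < min_attempts:
                continue
            users = {e.user for e in burst}
            failures = sum(1 for e in burst if not e.success)
            ratio = failures / attempts
            if len(users) >= min_distinct_users and ratio >= min_failure_ratio:
                prev = alerts.get(ip)
                # Keep the largest matching window seen for this source.
                if prev is None or attempts > prev["attempts"]:
                    alerts[ip] = {
                        "attempts": attempts,
                        "distinct_users": len(users),
                        "failure_ratio": round(ratio, 2),
                        "window_start": burst[0].ts.isoformat(),
                        # Accounts that were successfully logged into during
                        # the burst: treat as compromised-credential hits.
                        "compromised_accounts": sorted(
                            e.user for e in burst if e.success),
                    }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

The distinct-username condition is what separates stuffing from a single user fumbling a password; the success list is the actionable output, since the report's point is that most retail stuffing traffic carries credentials that already work somewhere.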
API abuse and attacks are on the rise, posing new challenges for retailers
APIs are the invisible connective tissue that allows applications to share data and call digital services. Traffic from APIs accounted for 41.6% of all traffic to online retailer sites and applications, according to analysis by Imperva Threat Research. Of this, 12% of traffic is directed to endpoints such as databases where personal data (credentials, identification numbers, etc.) is stored. Even more concerning, 3-5% of API traffic is directed to undocumented or shadow APIs: endpoints that the security team does not know exist, or that it no longer protects.
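A shadow API is, by definition, one that is absent from the documented inventory, so the practical check is to derive the set of endpoints actually being served from access logs and diff it against that inventory. The following is an added example for this page, not Imperva's tooling or the report's methodology; the route list, the log format, and the sample requests are constructed, and the path normalization (numeric and UUID-like segments collapsed to `{id}`) is a simplifying assumption that a real gateway would replace with its own route matching.

```python
"""Find undocumented ("shadow") API endpoints from access logs (added example).

Normalizes each observed request to a (method, route-template) pair and
reports every pair that is missing from the documented route inventory,
together with the share of total API traffic those shadow routes receive.
The inventory, log format and sample lines are constructed for this example.
"""
import re
from collections import Counter

# Constructed inventory, as it would be extracted from an OpenAPI document.
DOCUMENTED_ROUTES = {
    ("GET", "/api/v1/products"),
    ("GET", "/api/v1/products/{id}"),
    ("POST", "/api/v1/cart/items"),
    ("POST", "/api/v1/auth/login"),
    ("GET", "/api/v1/users/{id}/orders"),
}

# Constructed access-log sample: '<ip> "<method> <target> HTTP/x.y" <status>'.
# The profile route and the legacy v0 export route are not in the inventory.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 "GET /api/v1/products?page=2 HTTP/1.1" 200
203.0.113.5 "GET /api/v1/products/1042 HTTP/1.1" 200
198.51.100.9 "POST /api/v1/cart/items HTTP/1.1" 201
198.51.100.9 "POST /api/v1/auth/login HTTP/1.1" 200
198.51.100.9 "GET /api/v1/users/77/orders HTTP/1.1" 200
192.0.2.31 "GET /api/v1/users/77/profile HTTP/1.1" 200
192.0.2.31 "GET /api/v1/users/78/profile HTTP/1.1" 200
192.0.2.31 "GET /api/v0/admin/export?all=1 HTTP/1.1" 200
203.0.113.5 "GET /api/v1/products/1043 HTTP/1.1" 200
203.0.113.5 "GET /api/v1/products/1044 HTTP/1.1" 404
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')
# A path segment that is a decimal id or a UUID/hex token is a parameter.
ID_SEGMENT = re.compile(r'^(\d+|[0-9a-fA-F-]{32,36})$')


def normalize_path(target: str) -> str:
    """Strip the query string and collapse id-like segments to '{id}'."""
    path = target.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg
                    for seg in path.split("/"))


def find_shadow_endpoints(log_text: str, documented: set) -> dict:
    """Return observed routes absent from `documented`, with request counts
    and the fraction of all requests that reached a shadow route."""
    observed = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        observed[(m["method"], normalize_path(m["target"]))] += 1

    total = sum(observed.values())
    shadow = {route: n for route, n in observed.items() if route not in documented}
    shadow_requests = sum(shadow.values())
    return {
        "total_requests": total,
        "shadow_endpoints": shadow,
        "shadow_share": round(shadow_requests / total, 3) if total else 0.0,
    }


if __name__ == "__main__":
    report = find_shadow_endpoints(SAMPLE_ACCESS_LOG, DOCUMENTED_ROUTES)
    for (method, route), count in sorted(report["shadow_endpoints"].items()):
        print(f"SHADOW {method} {route}: {count} requests")
    print(f"shadow share of traffic: {report['shadow_share']:.1%}")
```

Run against real logs, the interesting output is not the percentage but the route list: a `/users/{id}/profile` route that serves personal data without appearing in the spec is exactly the unprotected endpoint the report warns about, and the first mitigation is to bring it under the same authentication, rate limiting and inventory review as the documented routes.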
Publicly exposed and vulnerable APIs are a major threat to retailers. Attackers can use APIs to steal customer data and payment information. API abuse is often carried out by botnets flooding APIs with unwanted traffic and automated attacks looking for vulnerable applications or unprotected data.
In 2021, API attacks increased by 35% between September and October, adding another 22% in November on top of the previous month’s rise. The findings suggest that malicious actors expand their activity toward the holiday shopping season, as more data is exchanged between the APIs and applications that power e-commerce services.
Watch out for downtime: DDoS attacks continue to threaten retailers
A DDoS attack is an automated threat that floods a network or application infrastructure with malicious traffic in an attempt to disrupt critical business operations. Attacks are often launched by botnets. A botnet is a group of compromised connected devices distributed across the Internet and operated by a single party.
Imperva Threat Research found that in 2022 DDoS attacks were larger and more powerful across all industries. The number of recorded incidents over 100 Gbps doubled, and attacks over 500 Gbps/0.5 Tbps increased by 287%. Furthermore, targets that have been attacked are often attacked again within 24 hours. In fact, 55% of websites hit by application-layer DDoS attacks and 80% of websites hit by network-layer DDoS attacks were hit multiple times.
DDoS attacks are a constant threat to retailers. Downtime from DDoS attacks can lead to site disruptions, reputational damage, and lost revenue. DDoS is a significant threat to online retailers who rely on application performance and availability to power their digital storefronts.