Bad bots

By Retail Technology | Friday November 29 2024

Tim Ayling, Vice President Cyber Security Solutions EMEA for Imperva, explains the rise of bad bots during peak season

Cybercriminals are opportunists, channelling their efforts towards the easiest targets and vulnerabilities, and ramping up attacks when there are more online users to target. Black Friday and the Christmas shopping season are one such profitable period – and not just for retailers.

According to Imperva, some days around Black Friday last year saw a 54% increase in malicious bot traffic, while Cyber Monday experienced a whopping 42% more traffic than Black Friday. Needless to say, bad actors capitalise on those seeking the best deals during the festive shopping season, with cyberattacks intensifying. These cybercriminals deploy malicious bots and other tactics to exploit vulnerabilities on ecommerce sites, attacking both the websites themselves and targeting consumers to steal their sensitive data.

And the knock-on impact? While the personal accounts and web browsers of everyday consumers could be infiltrated, retailers are at risk of having their operations halted, their inventory depleted, and the resulting customer experience badly affected. So, what are the risks we’re up against, and how can retailers proactively mitigate cyberattacks this holiday shopping season?

The risks

Bad bot attacks

Alongside the flood of legitimate traffic from shoppers around Black Friday, the online retail industry falls victim to an average of 101,950 bot-related incidents daily. These attacks focus on high-demand products, exploit new-user discounts, compromise sensitive information, and engage in price and content scraping. On retail websites, 28% of automated traffic was classified as malicious, and a whopping 58% of that malicious traffic was ‘advanced’, showing the scale of the threat.

Denial of service

Bad bots are also harnessed for Distributed Denial-of-Service (DDoS) attacks, flooding retailers’ networks and servers to overwhelm their capacity with the intention of taking them offline completely. DDoS attacks specifically on retail websites increased 61% since last year, according to the Imperva research.

Account Takeover

Alongside bad bots, Account Takeover attacks (ATOs) are a frequent way that online accounts are compromised by bad actors. ATOs are usually automated, with attackers using tactics like credential stuffing, where bots repeatedly attempt to log into user accounts using lists of common or breached passwords.

Once an account is compromised, attackers can engage in various forms of fraud, from making unauthorised purchases to stealing sensitive data and exploiting stored payment methods like credit card details and gift card codes.

Evasive Bad Bots

Complexity is heightened with the growth of Evasive Bad Bots. Using tactics like cycling through random IPs, entering via anonymous proxies, delaying requests and mimicking human behaviour, these bots take a ‘low and slow’ approach to avoid detection and carry out significant attacks using fewer requests. Reducing the noise in this way makes them more difficult to detect – and they’re popular for attacking retail websites. These kinds of bots make up 70% of all bad bot traffic on retail sites, compared to 51% on other websites.

In sum, retailers need a comprehensive bot management strategy to safeguard their platforms and ensure smooth shopping experiences. This should include actions like:

1. Identify risks and evaluate traffic – Security teams should map out potential vulnerabilities within their site, whether that’s login endpoints, account creation pages or product pages. Bring in tools to help monitor for any anomalies or spikes in activity, and analyse traffic to help respond more quickly to suspicious behaviour.
2. Identify APIs – Organisations may not realise the volume of undocumented, unmonitored APIs (Shadow APIs) and outdated, out-of-use APIs (Zombie APIs) that may exist in their networks. Rolling out an API discovery solution would be beneficial to gain a better understanding of all potential gateways for bad actors.
3. Safeguard those entry points – All exposed APIs and mobile applications need to be secured, not just your website, as they are common malicious entry points. Use strong rate limiting, encryption and authentication to protect them and mitigate risk.
4. Limit proxies – Many bulk IP data centres are well known, so it’s possible to limit traffic from these sources and in turn significantly reduce the chances of bot traffic infiltrating your site.
5. Rate limiting – Set a maximum number of requests that a user can make within a specific timeframe; in so doing you help make sure your site stays responsive to genuine customers. Brute-force login attempts and carding, where bots test stolen credit card details repeatedly, are made more difficult by this.
6. Be alert to signs of automation – Modern bots often use special browsers that simulate human behaviour while automating interactions with a website. Whether it’s unnaturally fast interactions, abnormal browsing patterns, or simply navigating through pages too quickly, detection strategies can be established to identify and block these actions before they escalate.
7. Implement client-side security – Client-side in this case refers to securing the side of your web applications that is accessible to customers and end users. Here attacks like digital skimming, where malicious JavaScript is injected into the code used on legitimate websites, often through vulnerable scripts in the software supply chain, are a real risk. Retail websites in particular load large numbers of client-side resources – an average of 398 resources per site – making them prime targets for attackers looking to exploit this blind spot. This is why security standards such as PCI DSS 4.0.1 are in place, placing expectations on retailers to enhance their client-side security, including continuous monitoring and real-time detection.
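As an added illustration of items 5 and 6 (example code, not from the article or from Imperva), the Python below pairs a per-IP sliding-window rate limiter with a cross-IP detector for the credential-stuffing pattern described above, where bots rotate IPs and stay ‘low and slow’ so that no single source trips the limit. The log lines, IP addresses and account names are constructed.

```python
from collections import defaultdict, deque

# Constructed sample auth log (not from the article): "epoch_seconds ip username result".
# 203.0.113.5 fails against six accounts in six seconds; 192.0.2.x each make a single
# attempt on one account a minute apart, so no single IP ever trips the per-IP limit.
SAMPLE_LOG = """\
100 203.0.113.5 alice FAIL
101 203.0.113.5 bob FAIL
102 203.0.113.5 carol FAIL
103 203.0.113.5 dave FAIL
104 203.0.113.5 erin FAIL
105 203.0.113.5 frank FAIL
200 192.0.2.1 alice FAIL
260 192.0.2.2 alice FAIL
320 192.0.2.3 alice FAIL
380 192.0.2.4 alice FAIL
"""

def parse_log(text):
    """Return (timestamp, ip, user, success) tuples, oldest first."""
    rows = [line.split() for line in text.splitlines()]
    return sorted((int(ts), ip, user, res == "OK") for ts, ip, user, res in rows)

class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window` seconds (item 5)."""
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, defaultdict(deque)
    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # evict hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def rate_limited_ips(events, limit=5, window=60):
    """IPs that would have had at least one request rejected by the per-IP limiter."""
    limiter = SlidingWindowLimiter(limit, window)
    return sorted({ip for ts, ip, _, _ in events if not limiter.allow(ip, ts)})

def stuffing_targets(events, min_ips=4, window=600):
    """Accounts with failed logins from >= min_ips distinct IPs inside `window` seconds.
    This is the cross-IP view that catches low-and-slow attempts a per-IP limit misses."""
    fails = defaultdict(list)                      # user -> [(ts, ip), ...], oldest first
    for ts, ip, user, ok in events:
        if not ok:
            fails[user].append((ts, ip))
    return sorted(user for user, attempts in fails.items()
                  if any(len({ip for t, ip in attempts[i:] if t < ts + window}) >= min_ips
                         for i, (ts, _) in enumerate(attempts)))
```

On the sample log, only the noisy source is rate limited, while the rotating 192.0.2.x bots are caught solely by the per-account view, which is the point of item 6’s behavioural detection.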

In summary, retailers should take a layered defence strategy against automated and sophisticated threats. By integrating DDoS, client-side, and bot protection, alongside running a Web Application Firewall (WAF) on their systems, retailers can be assured that their applications and data are safeguarded at scale. In the process, they’ll be in a far better place to maintain business continuity, and offer a secure and stable website experience for customers at such an important time of the year.
