Security researchers are warning of a spike in cyber-attacks against retailers this year which may impact the coming Black Friday and holiday season shopping spree.
Imperva’s State of Security Within e-Commerce report was compiled using data from its various security products.
It noted several attack trends this year likely to have been influenced by the greater numbers of shoppers heading online during COVID-19 lockdowns.
First, it claimed that e-retailers experienced more than twice as many account takeover (ATO) attempts as any other industry this year — 62% of login pages were hit versus 25%. Nearly 79% of retailers suffered credential stuffing, in which credentials exposed in earlier breaches are replayed by automated tooling against the login pages of large numbers of unrelated sites.
This chimes with an Akamai study which found that retail accounted for over 90% of the 64 billion credential stuffing attempts detected over 2018-2020.
Bots are used to power such attempts, and indeed 98% of the attacks featured in Imperva’s report originate from automated bot activity. While many are used by cyber-criminals, bots can also be deployed by retailers for price scraping and inventory tracking of competitors, the report claimed.
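A defender-side illustration of the credential-stuffing pattern described above, added here and not taken from Imperva's or Akamai's reports: it runs over a few constructed login log lines and flags source addresses that cycle through many distinct accounts with a high failure rate, while leaving a single-account retry pattern unflagged. The log format, field names and thresholds are assumptions.

```python
"""Flag credential-stuffing sources in login logs (illustrative, constructed data)."""
import re
from collections import defaultdict

# Constructed sample log lines, not real traffic: source IP, endpoint, account, HTTP status.
SAMPLE_LOG = """\
203.0.113.5 POST /login user=alice status=401
203.0.113.5 POST /login user=bob status=401
203.0.113.5 POST /login user=carol status=401
203.0.113.5 POST /login user=dave status=200
203.0.113.5 POST /login user=erin status=401
198.51.100.7 POST /login user=alice status=401
198.51.100.7 POST /login user=alice status=401
198.51.100.7 POST /login user=alice status=200
"""

# Assumed log format; adjust the pattern to the real access-log layout.
LINE_RE = re.compile(r"^(\S+) POST /login user=(\S+) status=(\d{3})$")


def parse(log_text):
    """Return a list of (ip, user, status) tuples for lines that match the format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(1), m.group(2), int(m.group(3))))
    return events


def stuffing_sources(events, min_users=3, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that hit many distinct accounts and mostly fail.

    Stuffing replays one leaked password per account, so the signature is breadth
    (many users from one source) plus a high failure rate; a single account retried
    many times is brute force or a forgetful user, and is deliberately not flagged.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ip, user, status in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if status != 200:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            # Successful logins from a flagged source are the accounts to reset first.
            flagged[ip] = {"distinct_users": len(s["users"]), "attempts": s["attempts"],
                           "fail_ratio": round(ratio, 2),
                           "successes": s["attempts"] - s["failures"]}
    return flagged
```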
Elsewhere, API attacks have surged past usual levels this year, with cross-site scripting (42%) and SQLi (40%) together accounting for the majority as attackers sought to access customer databases.
However, XSS only accounted for 16% of the total volume of attacks on retailer websites this year: more common were remote code execution (21%) and data leakage (20%) raids, with 49% aimed at US sites by attackers using anonymizing tools.
DDoS attacks have also increased in volume and intensity this year. Imperva monitored an average of eight application layer attacks per month against online retail sites, with a significant peak occurring in April 2020, when major lockdowns came into force.
Imperva also warned that retailers are particularly exposed to Magecart and similar attacks, given that on average the industry uses 31 JavaScript resources per site.
This all bodes ill for e-commerce players this Black Friday, when traffic is expected to be higher than ever.
“The holiday shopping season is a crucial revenue period for retailers every year, but in 2020, they face a two-pronged threat: managing unprecedented levels of human and attack traffic to their websites and APIs,” said Edward Roberts, application security strategist at Imperva.
“Amid this historic holiday shopping season, the retail industry is likely to experience a peak in human traffic that exceeds anything measured this year and unlike anything in recent memory. The question is, how many attackers are going to hide within this expected traffic spike?”