The peak Christmas shopping season is just around the corner, and just as retailers are busy trying to make the most of that time to make a profit, so are cybercriminals.
From Imperva Area Vice President for Australia and New Zealand Tony Mascarenhas.
The industry is already facing challenges with the global supply chain crisis and an overloaded parcel delivery system. For some retailers, the effects of a single cyberattack could be devastating.
Imperva's 12-month retail cybersecurity risk analysis suggests that cybercriminals step up their efforts during the peak shopping period to wreak havoc on online retailers. Last year, cybersecurity incidents in Australian retail peaked between September 2020 and January 2021. Retailers should expect the same pattern this year, but at a higher level: cybersecurity incidents this year are already 12% higher than in the same period in 2020.
To help companies prepare, I'll highlight the top three cybersecurity threats facing the industry and how retailers can mitigate their risk.
Malicious bots
Online retail remains a major target for automated bot activity in 2021. There are both good and bad bots. Good bots serve productive purposes, for example collecting data for search engines or price comparison services. Bad bots are used by a wide variety of actors to conduct both illegal activities (such as account takeover attacks) and quasi-legal activities (such as data scraping and inventory denial) against retailers.
The majority (57%) of the attacks recorded on ecommerce websites this year were carried out by bots, and the monthly attack volume is growing, up 13% on last year. Australia is one of the top targets for bot activity, ranking fourth in the world.
One of the most damaging bot-driven attacks, Account Takeover (ATO), is particularly prevalent in retail. In an ATO attack, cybercriminals take over online accounts using stolen usernames and passwords. This year, ATO login attempts accounted for a third (32.8%) of all bot traffic in retail.
To reduce ATO risk, retailers should encourage their customers to practice good login habits and security, set strict password requirements, and offer multi-factor authentication (MFA). They should also stay up to date on big data breaches that could affect their customers and advise users to change their passwords after a breach occurs.
Separately, the use of bots to hoard inventory has increased during the pandemic, creating friction for legitimate human customers. These bots generally target products that are scarce but in high demand. For example, Imperva Research Labs recently observed an 88% increase in bad bot traffic to global retail sites in the days before the Nintendo Switch OLED launched.
For this reason, online merchants need to prepare for high traffic this shopping season and deploy a bot management solution that admits only legitimate customers to their websites. Otherwise, a large share of the traffic will consist of advanced bots, which distort website performance and analytics.
Stock hoarding bots can also cost retailers customers and revenue, and damage the brand's reputation. If a retailer doesn't have the product a customer wants, that customer will quickly go to a competitor's site, and once they're gone, they may never come back. Consumers are also quick to blame the retailer for inventory shortages. For example, when the launch of a new GPU sold out in just 1.2 seconds, consumers took to Twitter to voice their outrage.
Website attacks
Many websites have vulnerabilities in web applications that can be exploited by cyber criminals to manipulate the source code, collect sensitive data or gain unauthorized access.
Around this time last year, Imperva found that attacks on retail websites were significantly higher than any other industry. In Australia, the top three attacks on retail web applications over the past year were data leakage, remote code execution (RCE) / remote file inclusion (RFI) and cross site scripting (XSS).
Common targets of such attacks are online forms and JavaScript-based services, including live chat services and payment gateways. These attacks are commonly known as Magecart attacks. Retail websites are particularly exposed because they run more client-side JavaScript-based services than any other industry. The volume of JavaScript plugins in retail has doubled in the last 12 months, giving attackers more potential entry points.
Magecart-style attacks are notorious for using compromised first-party or third-party JavaScript to extract sensitive information from website forms such as login and checkout. Targeting high-volume e-commerce sites, especially during peak shopping hours, is an ideal strategy for attackers.
To mitigate risk, retailers need to ensure that their existing website functionality is protected and that any newly added functionality is secure. It's a good idea to keep an inventory of all of your client-side and server-side JavaScript-based services. Consider using a dedicated tool that can help identify and assess the risks of any JavaScript-based service and allow you to block unauthorized services from running.
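The inventory-and-allowlist approach described above, as an added example that is not code from the article or from Imperva: it audits the script tags observed on a checkout page against a list of approved origins, flags anything unauthorized, and derives a Content-Security-Policy `script-src` directive from the same allowlist. All origins, script URLs and integrity values are constructed for illustration.

```javascript
// Added example: client-side script inventory with allowlist enforcement.
// Every origin and URL below is a constructed, hypothetical value.
const APPROVED_ORIGINS = [
  "https://shop.example",             // assumed first-party origin
  "https://cdn.shop.example",         // assumed first-party CDN
  "https://pay.example-gateway.test", // assumed approved payment gateway
];

// Script tags as they might be observed on a checkout page (constructed sample).
// An SRI integrity attribute pins the exact file; an empty string means none.
const OBSERVED_SCRIPTS = [
  { src: "https://cdn.shop.example/js/checkout.js", integrity: "sha384-PLACEHOLDER" },
  { src: "https://pay.example-gateway.test/v2/widget.js", integrity: "" },
  { src: "https://chat.example-vendor.test/live.js", integrity: "" },
  { src: "https://cdn.shop.example/js/analytics.js", integrity: "" },
];

// Return the origin of a script URL, or null if it cannot be parsed.
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Build the inventory: one record per script with its authorization status.
function auditScripts(scripts, approvedOrigins) {
  const approved = new Set(approvedOrigins);
  return scripts.map((s) => {
    const origin = originOf(s.src);
    return {
      src: s.src,
      origin,
      authorized: origin !== null && approved.has(origin),
      hasIntegrity: s.integrity.length > 0,
    };
  });
}

// Scripts loaded from origins that are not on the allowlist.
function unauthorizedScripts(scripts, approvedOrigins) {
  return auditScripts(scripts, approvedOrigins)
    .filter((r) => !r.authorized)
    .map((r) => r.src);
}

// CSP directive that lets the browser block scripts from unlisted origins.
function buildScriptSrcDirective(approvedOrigins) {
  return `script-src 'self' ${approvedOrigins.join(" ")}`;
}

console.log(auditScripts(OBSERVED_SCRIPTS, APPROVED_ORIGINS));
console.log(buildScriptSrcDirective(APPROVED_ORIGINS));
```

Scripts that are authorized but lack an integrity attribute are worth reviewing too, since a compromised third-party host can still serve altered code under an approved origin.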
DDoS attacks
Australian retail is a prominent target for DDoS attacks at the application layer (Layer 7), ranking third in the world in 2021.
Over the past 12 months, retail has recorded the highest number of application-layer DDoS incidents per month of any industry, and in September 2021 Imperva Research Labs observed a 200% increase over the previous month. The rise in attacks shows that threat actors are gearing up for the busy shopping season.
Peak shopping days like Boxing Day are popular times for attackers to launch DDoS attacks on online retailers. As such, retailers should regularly stress test their infrastructure and ensure that they are properly protected from DDoS attacks on all web resources, including DNS.
The end of the year is always particularly busy and stressful in retail. However, it's important that you don't let cybersecurity fall by the wayside. As recent history has shown us, the holiday season is a "perfect storm" for bad actors to bring mischief to online retailers. Hence, this is a time to strengthen your security posture. Retailers that stay ahead of the cyber risks that threaten the integrity and continuity of their business this shopping season will survive and thrive in 2022.
About Tony Mascarenhas
Tony Mascarenhas is Area Vice President for Australia and New Zealand at Imperva. He has over 25 years of experience managing, selling and advising a variety of industries including retail in Australia, Asia, America and Europe. Tony's strong customer relationships and understanding of their business have enabled him to put together the right enterprise technology solutions to solve their unique business challenges.
About Imperva
Imperva is the leading cybersecurity provider helping companies protect their data and all paths to it. Customers trust Imperva to protect their applications, data and websites from cyberattacks. With an integrated approach that combines edge, application and data security, Imperva protects companies at all stages of their digital journey.