In 2020, Chinese e-commerce giants Alibaba and JD.com drew approximately US$115 billion in sales across all their platforms during the 11/11 Singles’ Day shopping event, a historic high. Yet, the spike in ecommerce traffic also brings with it a rise in scams.
Cybersecurity firm Imperva’s 12-month analysis on cybersecurity risks in the retail industry suggests that the 2021 holiday shopping season will be no different and may instead see more victims than the previous year. Thus, they have launched an ecommerce report issuing advice around safe retailing to prepare you for the year’s single largest online shopping event on 11 November.
Threats Escalating for Retail Industry
Online retail remains a prime target for automated bot activity in 2021. Bots carry out an array of disruptive, and even malicious, activities on retail sites including price and content scraping, scalping, denial of inventory and other types of online fraud.
In 2021, the volume of monthly bot attacks on retail websites rose 13%, compared to the same months of the previous year. This underscores the growing threat retailers and consumers face from bad bot activity. Imperva Research Labs finds that 57% of attacks recorded on eCommerce websites this year were carried out by bots. In comparison, bad bots made up just 33% of the total attacks on websites in all other industries in 2021.
Incidentally, the top type of security incident in the Singapore retail industry in the past 12 months (Oct 2020 − Sep 2021) has been bad bot traffic (44%). In the December shopping period last year, Singapore’s retail industry saw a marked rise in simple bot traffic of 60% above the monthly average.
More worryingly, the proportion of sophisticated bad bots on retail websites reached 23.4% in 2021. This type of bot is the more challenging to tackle as they are capable of producing mouse movements and clicks that closely resemble human behaviour. Sophisticated bots evade simple defences and are responsible for account takeovers, fraud or denial of inventory that makes it harder for legitimate shoppers to get the goods they want.
Imperva Research Labs has also observed an uptick of Distributed Denial of Service (DDOS) attacks since the holiday shopping season has commenced, with attacks spiking 200% in September 2021. already seeing an uptick in DDoS attacks, compared to the month prior. Part of this uptick in activity is tied to the enormous Meris botnet that has impacted organisations globally.
Throughout the past 12 months, the retail industry experienced the highest volume of application layer (layer 7) DDoS incidents per month of all industries. Layer 7 attacks are highly effective because they consume both network and server resources. Defending against application layer attacks is difficult because it requires the ability to distinguish between attack traffic and normal traffic.
The retail industry websites are particularly vulnerable, with attacks on them from Q4 2020 through the first half of 2021 being notably higher than all other industries, and characterised by more sporadic peaks. Retail sites experienced slightly higher volumes of Data Leakage attacks (31.3%) in 2021 compared to all industries (26.9%) as eCommerce sites are prime targets because they host shoppers’ payment information or loyalty reward points. In January 2021, the Singapore retail industry saw a 59% increase above the monthly average for data leakage attacks, coinciding with the Chinese New Year shopping period.
“The 2021 holiday shopping season is shaping up to be a nightmare for both retailers and consumers,” says Peter Klimek, Director of Technology, Office of the CTO, Imperva. “With the global supply chain conditions worsening, retailers will not only struggle to get products to sell in Q4, but will face increased attacks from motivated cybercriminals who want to benefit from the chaos. Retailers and consumers alike need to take the necessary steps to protect themselves.”
With this, Imperva has dispensed some tips for shoppers and retailers alike to ramp up their cybersecurity as they prepare for the holiday shopping season.
- Before you shop, ensure your software and apps are updated so you have all the latest security patches.
- Do not shop through a public Wi-Fi connection. Instead, use a VPN or your phone as a hotspot.
- Make sure you shop through a reputable site with a padlock symbol and ‘https’ at the start of its URL (not http).
- Be careful of the apps/extensions you download onto your devices. Stick to well-known brands or applications. Be especially wary of free apps.
- Use strong, differentiated passwords for your accounts, and set multi-factor authentication whenever possible.
- Use secure payment methods like PayPal or your credit card.
- Never send your bank or credit card details via email or SMS.
- Don’t let your online shopping accounts or browser save your payment details.
- Ensure your organisation is compliant with all data privacy regulations in your jurisdiction.
- Prepare for a high volume of traffic, as well as DDoS attacks.
- Be sure to have a bot management strategy in place to only allow legitimate customers onto your website.
- Encourage your customers to practice good password practices and offer multi-factor authentication.
- Protect your existing website functionalities and make sure newly added ones are safe, too.