A report from Imperva Threat Research has found that cyberattacks against Australian retailers are on the up. The company warns that retailers and consumers should proceed with caution this shopping season.
Imperva’s Key findings:
- Automated Threats Caused 62% of Security Incidents in the Past 12 Months
- Cyberattacks against Australian retailers almost tripled (285 per cent) in H1 (Jan-Jun) 2022 (compared to H2 (Jul-Dec) 2021).
- Notable growth has come from automated threats, which makes up 69 per cent of all security incidents in the past 12 months.
- There has been a sharp rise in account takeover (ATO) attacks, a form of online fraud in which cybercriminals attempt to compromise online accounts by using stolen passwords and usernames. In the peak shopping period of Q4 (Oct-Dec) 2021, ATO attacks increased fourfold (315 per cent), compared to the previous quarter. In H1 (Jan-Jun) 2022, ATO attacks were 185 per cent higher than H2 (Jul-Dec) 2021.
The report is available to download here.
Imperva describes itself as a cybersecurity leader whose mission is to help organisations protect their data and all paths to it. The company’s State of Security Within eCommerce 2022 report is a 12-month analysis of cybersecurity threats targeting the retail industry. A range of automated threats including account takeover, credit card fraud, web scraping, API abuses, Grinch bots and distributed denial of service (DDoS) attacks.
In Australian retail, overall cyberattacks have almost tripled (285 per cent) in H1 (Jan-Jun) 2022 compared to H2 (Jul-Dec) 2021. Notable growth has come from automated threats, which made up 69 per cent of all security incidents in the past 12 months. Within this category, there has been a sharp rise in account takeover (ATO) attacks, a form of online fraud in which cybercriminals attempt to compromise online accounts by using stolen passwords and usernames. In the peak shopping period of Q4 (Oct-Dec) 2021, ATO attacks increased fourfold (315 per cent), compared to the previous quarter. In H1 (Jan-Jun) 2022, ATO attacks were 185 per cent higher than H2 (Jul-Dec) 2021.
Tony Mascarenhas, Imperva’s Area Vice President for Australia and New Zealand said, “Events in recent weeks have highlighted that cybercriminals are targeting the personal data of Australians and the companies that hold that information. The holiday shopping season is a critical period for the retail industry, and security incidents could disrupt business operations, damage consumer trust and undermine retailers’ bottom line. Retailers need to be reviewing their cybersecurity defences to ensure their data stores are properly protected, as well as the pathways to those data stores, namely the applications and APIs that connect to the data.
“The fact that the majority of threats against retailers are automated and operate around the clock highlights the need for a unified approach, one that focuses on the protection of data and is equipped to mitigate attacks quickly without disrupting shoppers.”
“Bad Bots and Online Fraud Plague Retail Sites“
Imperva says that, in the past 12 months, nearly 40 per cent of traffic on retailers’ websites didn’t come from a human. Instead, it came from a bot, software applications controlled by operators that run automated tasks, often with malicious intent. In the retail industry, the infamous Grinch bot is notorious for inventory hoarding during the holiday shopping season, scooping up high-demand items and making it challenging for consumers to purchase gifts online.
Some of the key trends monitored by Imperva include:
- Of all the traffic on retailers’ websites, nearly one-quarter (23.7 per cent) was attributed specifically to bad bots, malicious automation that contributes to online fraud. The proportion of advanced bots – scripts that use the latest evasion techniques to mimic human behaviour and avoid detection – on retail sites grew over the prior year (from 23.4 per cent to 31.1 per cent). Advanced bots are a considerable challenge for organisations to stop without the right defences in place.
- In 2021, bot-related attacks on retail sites grew 10 per cent in October and grew another 34 per cent in November, suggesting that bot operators increase their nefarious efforts around peak holiday shopping periods.
- In 2021, 64.1 per cent of ATO attacks used an advanced bad bot. Of all login attempts on retail websites, 22.6 per cent were malicious, nearly twice the volume of recorded on sites across other industries. Attackers used leaked credentials 94.7 per cent of the time in credential stuffing attacks targeting retailers, compared to 69.6 per cent of the time in other industries.
“API Abuses and Attacks Multiply, Creating New Challenges for Retailers”
APIs are the invisible connective tissue that enable applications to share data and invoke digital services. Imperva Threat Research analysis found that traffic from an API accounts for 41.6 per cent of all traffic to online retailers’ sites and applications. Of that, 12 per cent of traffic directs to endpoints, like a database, where personal data is stored (credentials, identification numbers, etc.). More concerning, 3 to 5 per cent of API traffic is directed to undocumented or Shadow APIs, endpoints that security teams don’t know exist or no longer protect.
Exposed or vulnerable APIs are a considerable threat for retailers because attackers can use the API as a pathway for exfiltrating customer data and payment information. API abuses are often carried out through automated attacks where a botnet floods the API with unwanted traffic, seeking vulnerable applications and unprotected data. In 2021, API attacks increased by 35 per cent between September and October, and then spiked another 22 per cent in November on top of the previous months’ elevated attack levels. This finding suggests that bad actors scale their efforts around the holiday shopping season as more data is exchanged between APIs and applications that power eCommerce services.
“Beware of Downtime: DDoS Attacks Continue to Threaten Retailers“
A distributed denial of service (DDoS) attack is an automated threat that attempts to disrupt critical business operations by flooding the network or application infrastructure with malicious traffic. The attacks are often launched by a botnet, a group of compromised connected devices that are distributed across the Internet and operated by a single party.
Imperva found that DDoS attacks in 2022 were larger and stronger across all industries. The number of incidents recorded that were greater than 100 Gbps doubled, and attacks larger than 500 Gbps/0.5 Tbps increased 287 per cent. What’s more, those targeted by an attack are often attacked again within 24 hours. Imperva found that 55 per cent of websites hit by an application-layer DDoS and 80 per cent hit by a network-layer DDoS were attacked multiple times.
A DDoS attack is a nonstop threat for retailers. The downtime caused by a DDoS attack can lead to site disruption, reputational damage, and revenue loss. A DDoS is a critical threat to online retailers that rely on application performance and availability to enable digital storefronts.