As the holiday season approaches, retail businesses are gearing up for their annual surge in online (and in-store) traffic. Unfortunately, this increase in activity also attracts cybercriminals looking to exploit vulnerabilities for their gain.
Imperva, a Thales company, recently published its annual holiday shopping cybersecurity guide. Data from the Imperva Threat Research team's six-month analysis (April 2024 – September 2024) revealed that AI-driven threats need to be top of mind for retailers this year. As generative AI tools and large language models (LLMs) become more widespread and advanced, cybercriminals are increasingly leveraging these technologies to scale and refine their attacks on eCommerce platforms.
Imperva Threat Research also found that retail sites collectively experience an average of 569,884 AI-driven attacks each day. Understanding what types of threats are accounting for these attacks, and how to protect against them, is critical for retail businesses to protect their company and customers this holiday season.
Business Logic Abuse Leads the Way in AI Online Retail Threats
Business logic abuse was found to be the most common AI-driven attack on retail sites, accounting for 30.7% of all attacks. Business logic abuse occurs when cybercriminals exploit the intended functionality of an application to achieve unauthorized outcomes. For example, they may manipulate promotional codes or exploit return policies to obtain goods or services at a lower price. Imperva found that indicate that nearly 50% of retailers have experienced some form of business logic abuse.
The danger of this threat is multiplied by AI's ability to analyze patterns in user behavior and identify potential loopholes. As attackers use AI to devise more effective exploitation strategies, retailers must implement stringent controls to monitor and validate user actions on their platforms. Without these protective measures, businesses risk substantial financial losses and damage to their reputation.
DDoS Attacks Remain a Persistent Threat
Distributed Denial-of-Service (DDoS) attacks are nearly as common as business logic abuse, representing 30.6% of AI-driven threats to retailers — and they are becoming progressively more prominent. According to the Imperva 2024 DDoS Threat Landscape report, application-layer DDoS attacks on retail sites increased 61% since last year.
Application-layer DDoS attacks pose a serious threat to online retailers, especially as they prepare for increased traffic during the holiday shopping season. Cybercriminals can leverage AI to orchestrate complex DDoS attacks that overwhelm retail websites, making them inoperable.
The financial impact of a successful DDoS attack can be staggering, with businesses facing revenue loss, increased recovery costs, and potential long-term damage to their brand reputation. To combat this threat, retailers must invest in robust DDoS mitigation solutions that can identify and neutralize attacks before they disrupt operations.
Grinch Bots Continue to Wreak Havoc
Bad bots have become increasingly sophisticated, often employing AI algorithms to mimic human behavior and bypass security measures. Bad bot attacks made up 20.8% of all AI-driven attacks on retail sites. These automated threats are extremely disruptive to normal business functions, with the ability to scrape price data, launch credential stuffing attacks, and create fake accounts.
Around the holidays, retail businesses need to be particularly cautious of Grinch bots — a sophisticated scalping bot that queries online inventories and purchases the most sought-after items of the season for the purpose of reselling them at a significant markup. Grinch bots interfere with holiday sales and product launches, making it more challenging for consumers to buy popular, high-demand items.
The ability of AI to automate these processes means that bad bot attacks can scale quickly, making detection and mitigation more challenging. Retailers must enhance their bot detection capabilities to differentiate between genuine users and malicious bots. Failing to do so can result in lost sales, inventory issues, and a decline in customer satisfaction.
API Violations Emerge as a Growing Concern
As retailers increasingly rely on APIs to facilitate transactions and integrate third-party services, API violations have emerged as a pressing concern — accounting for 16.1% of AI-driven attacks on retailers. Cybercriminals can exploit vulnerabilities in APIs to gain unauthorized access to sensitive data, often using AI to discover and exploit these weaknesses.
The retail industry experiences an average of 5,570 API attacks daily, with the majority being API violations. The potential consequences of API violations are severe, as they can lead to data breaches, financial fraud, and loss of customer trust. Retailers must prioritize API security by implementing strict access controls, conducting regular security audits, and using AI-driven monitoring solutions to detect anomalies in API usage.
Cybersecurity Tips to Stay Safe and Secure This Holiday Season
The holiday season presents a dual opportunity for retail businesses: a chance to make the most of increased consumer spending and a heightened risk of cyber threats. With the proliferation of AI tools, eCommerce businesses will encounter more advanced threats that exploit vulnerabilities and commit fraud with greater precision.
Retail businesses should follow these tips to protect their websites and customers:
- Prepare for Heightened Online Traffic: Retailers should brace for a surge in online traffic during the holiday shopping season. To prepare, they must ensure their infrastructure can handle this increased load without sacrificing performance. This includes scaling servers, using a content delivery network (CDN) for efficient traffic distribution, and implementing a waiting room queuing system to manage traffic flow and maintain a fair experience for legitimate users during peak times.
- Develop a Bot Management Strategy: Alongside the influx of genuine shoppers, retailers can expect a rise in malicious bot traffic. Developing a robust bot management strategy is essential to protect their platforms and ensure a smooth shopping experience for real customers. Key steps include evaluating traffic risks, identifying entry points, blocking outdated user agents, limiting proxies, implementing rate limiting, and monitoring for signs of automation or headless browsers.
- Defend Against Business Logic Abuse: AI allows attackers to automate business logic abuse on a larger scale, making these attacks more challenging to detect. To defend against such threats, retailers should enforce stringent validation on all user inputs, use anomaly detection systems to spot unusual activities, and conduct regular audits of their business processes to identify potential vulnerabilities that could be exploited.
- Invest in a DDoS Solution: DDoS attacks aim to overwhelm website resources, leading to downtime that can result in lost sales and reputational harm, particularly during peak shopping times. Retailers should invest in a DDoS protection solution that employs machine learning to identify and mitigate malicious traffic in real time, ensuring that legitimate customers can access services without interruption.
- Secure APIs: To proactively combat automated application and API abuse, retailers should establish a baseline for expected API behavior, including typical traffic rates and user geographies. This baseline helps detect anomalies, such as unusual spikes in less-used APIs, which may indicate malicious activity. Additionally, applying rate limits by session and IP can curb abuse, and maintaining an audit trail of user activity simplifies monitoring and investigation of potential threats.
By understanding the nature of AI-driven attacks and preparing for the challenges posed, retailers can better protect their operations and ensure a secure shopping experience for their customers. Continued vigilance and the adoption of advanced security technologies are crucial for keeping pace with evolving cybercriminal tactics and ensuring a safe holiday shopping season for both retailers and customers.