The 2017 holiday season is projected to bring sales revenue gains of 18 to 21 percent over last year. Cybercriminals read the same forecasts we do, and have been sharpening their tools - such as more advanced attack bots and databases of stolen credentials and credit cards - to carry out six major types of attacks on retail websites and mobile apps.
Bot-masters and their bot armies are the ultimate CyberGrinch - out to ruin the holidays for everyone else. CyberGrinch - the archetypal ecommerce cybercrook - is destructive, clever, sneaky, and there are millions of him. Don’t underestimate him.
The Intellectual “Bot Arms Race”
Those who direct bot attacks have relentlessly improved their weaponry, adding capabilities to impersonate human users and their behaviors in ways that often fool traditional lines of defense, such as the volumetric and signature-detection tools upon which many retailers rely today. Also, retailers’ mobile apps tend to be less protected than their websites, so attackers shift their attacks there.
Bots have displayed startling rates of success in some cases when they infiltrate websites, mobile apps, and customer accounts. For example, they “recruit” millions of innocent consumers as foot-soldiers by infecting their browsers with malware, and then stealthily riding along when the consumer logs into a website or account. At that point, the bots can steal, copy, place fraudulent orders, or claim payment for the customer visit as a phony marketing affiliate -- whatever means profit for the bot-master.
CyberGrinch: He’s Ready for the Holidays. Are You?
Once a bot attack gets past the web application firewall or signature-detection tools, it is too late. Understanding the most likely bot attacks will help you recognize what is happening and take the right protective measures to foil the CyberGrinch and protect your revenue.
1. Account Takeover – Attacking both your site and your customers
With billions of account credentials stolen in recent years, and probably sold many times over in nefarious “dark marketplaces”, account takeover (ATO) has escalated to become a major threat. Bots are used to verify and curate the databases of credentials, attacking through proxy networks or rotating IP addresses to avoid detection. They try out the stolen usernames and passwords on many retail sites to see where they work. Once inside an account, attackers can monetize it by placing fraudulent orders and stealing credit card and gift card information.
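As an added illustration (not from the original post) of why the rotating-IP evasion just described slips past per-IP thresholds, the Python below aggregates constructed login-audit lines across the whole login endpoint per time window, where a stuffing run stands out by its failure rate and its one-username-per-attempt pattern. The log format, thresholds and sample addresses are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

def parse_line(line):
    """Parse '<ISO time> <ip> <username> <ok|fail>' into a record."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"

def window_stats(lines, window_minutes=5):
    """Aggregate every login attempt on the endpoint into fixed windows."""
    windows = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "per_ip": Counter()})
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes,
                           second=0, microsecond=0)
        w = windows[start]
        w["attempts"] += 1
        w["failures"] += 0 if ok else 1
        w["users"].add(user)
        w["per_ip"][ip] += 1
    return windows

def flag_stuffing(windows, min_attempts=30, fail_ratio=0.7, user_ratio=0.9):
    """Flag windows with many mostly-failing attempts, nearly all on distinct users."""
    flagged = []
    for start, w in sorted(windows.items()):
        n = w["attempts"]
        if (n >= min_attempts and w["failures"] / n >= fail_ratio
                and len(w["users"]) / n >= user_ratio):
            flagged.append((start, n, max(w["per_ip"].values())))
    return flagged

def detect(lines, per_ip_limit=5):
    """Return (IPs a naive per-IP limit would block, windows flagged endpoint-wide)."""
    windows = window_stats(lines)
    per_ip_hits = sum(1 for w in windows.values()
                      for c in w["per_ip"].values() if c > per_ip_limit)
    return per_ip_hits, flag_stuffing(windows)

# Constructed sample traffic (not real logs): a few real shoppers, then 60 attempts
# from 30 rotating addresses, two tries each, against 60 different usernames.
NORMAL = [
    "2017-11-20T10:00:01 203.0.113.10 alice ok",
    "2017-11-20T10:00:07 203.0.113.25 bob fail",
    "2017-11-20T10:00:09 203.0.113.25 bob ok",
]
STUFFING = [  # three of the stolen pairs happen to work (i % 20 == 0)
    f"2017-11-20T10:05:{i:02d} 192.0.2.{i % 30 + 1} victim{i:04d} "
    + ("ok" if i % 20 == 0 else "fail") for i in range(60)
]
```

`detect(NORMAL + STUFFING)` blocks nothing under the per-IP limit (no address exceeds two tries) but flags the 10:05 window: 60 attempts, 57 failures, 60 distinct usernames.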
2. Web Scraping – That [really] big guy is watching you
No matter how unfair it seems, all major industry players constantly scrape prices from the websites of their competitors - including your own, most likely. As a result, your price changes can be matched immediately, jeopardizing your promotion strategy.
Web scraping also gives competitors insights into your pricing strategy, category management, inventory levels, and marketing information like keywords. Scraping can support illegal republishing. Nobody is allowed to take your copyrighted content, such as product descriptions and reviews, and repost it on another site. There’s real harm in content scraping: good content is expensive to produce, and illegal reposting can trigger search engine penalties against the copyright owner’s site for apparent duplication of content.
3. Online Credit Card and eGift Card Fraud – Holiday cheer for attackers
On-card chips have impacted credit card fraud in several ways. First, they made in-person card misuse riskier. This has driven criminals toward the relative safety of online credit card fraud; according to Fortune, card-not-present fraud was up 40% in 2016. This trend may well continue, fueled by enormous volumes of stolen credit card and identity data in the Equifax and other data breaches. For efficiency and scale, attackers use bots to test stolen credentials and card data. When stolen cards are found to work, they are used to make purchases or are sold on the dark web.
Sales of digital gift cards were estimated at $10 billion in 2016, with a startling estimated fraud loss rate of 9.5%, or $950 million. Attackers can use brute-force testing to quickly crack a four-digit code on e-gift cards. The card balances are often cashed out immediately.
4. Scalper and Hoarder Bots – Human customers left out in the cold
Your legitimate customers are far too slow to beat out the bots, when they try to buy hot in-demand products the moment they go on sale online. During the holiday season, scalpers often target the hottest new toys, confident they can get 2x to 10x the list price from parents determined to avoid disappointing their child. During the 2016 holiday season, the wildly popular Hatchimals toys were often monopolized by scalper bots, then marked up from $60 to as much as $1,000.
Hoarding is another form of checkout abuse that sabotages the victim by keeping its inventory out of the marketplace. Bots tie up hot products - where inventory is limited - by selecting them for purchase. The units are frozen in the bots’ shopping carts, typically locked out of available inventory for several minutes. The ecommerce merchant may interpret “no available inventory” as meaning that it’s time to reorder the item, although it may not actually have sold any units. If bots lock up all the inventory, the retailer achieves no revenue, and legitimate consumers are annoyed to find that “We’ve got it in stock!” claims are untrue. Meanwhile, competitors benefit by attracting those customers and selling their inventory of the hot item to them.
This is a very damaging denial-of-service attack at the business level, and can drag on for many hours. When the time-hold expires, and a unit is returned to available inventory, the bot immediately tries to lock it up again. Often, after such a prolonged attack, the retailer is forced to sell at a heavy discount and kill margins, because scarcity-fed demand has subsided by that time. Meanwhile, competitors were able to sell their inventory and soak up the demand. The victim takes a hit to revenue, margins, and customer trust.
5. Marketing Fraud – A long-established scam that distorts marketing analytics
Bots can carry out prolonged attacks that take advantage of pay-per-click advertising and affiliate marketing. Bots are used to click away on pay-per-click ads, devouring the online ad budget while bringing zero real customers. In a more complicated scam, thousands of browsers - belonging to individual users - are infected with malware bots. The bot waits until the human user visits a targeted ecommerce site, then claims credit for the visit. As a result, the site pays a fraudulent marketing affiliate for traffic that would have come regardless.
6. Mobile Apps and APIs Are the New Target
Mobile commerce now also has the attention of cybercriminals. Research by Nokia indicates that smartphone malware attacks increased 400% in 2016, and a significant portion of that came from bots targeting mobile apps. The better the protection on websites, the more motivation criminals have to shift to targeting mobile apps.
There are three primary vectors for mobile app attacks. First, attackers can call the app’s APIs directly from any computer, without using the app itself or even a mobile device. Second, attackers can run the genuine app, or a hacked version of it, on mobile device emulators. Emulators are widely used for legitimate purposes, to measure performance and test the security of mobile apps; automation can spin up thousands or millions of them to perpetrate bot attacks that appear to come from legitimate users running normal apps on actual smartphones. The third approach is to actually hack a device (or, more likely, an app on a device) and then take over the app to launch the attack. This involves a legitimate device and application that are commandeered by an attacker.
The Achilles Heel of All Bots and All Bot Attacks
All these attacks are conducted using bots of different generations and methods. The attacks present different signatures, but they share one characteristic which the approach known as web behavior analytics (WBA) excels at catching: they don’t exactly match up to human behavior. WBA uses artificial intelligence to understand how humans behave on specific web pages and mobile apps. Then it picks out any user behavior that deviates from the subtle human ways of moving a mouse, interacting with a page, or carrying out a series of actions.
Protect Both Sites and Mobile Apps During the 2017 Holidays
Behavior-based detection can immediately pick out non-human behavior to determine if online purchases are legitimate, or the work of a legion of CyberGrinch bots, and immediately block automated attacks. To “Grinch” the holiday season for cyber-criminals and bot-masters, while protecting your revenue, it’s wise to not only know the principal attack modes, but to also get a jumpstart now on the technology that stops all bot attacks. Check out PerimeterX Bot Defender Web and Bot Defender Mobile here.
You can learn much more about holiday-season bot attacks by downloading our white paper on the Six Most Damaging Bot Attacks on eCommerce Sites and Mobile Apps. Or, to talk about making the holidays bot-free -- for your site, mobile app, and customers -- just contact us and we will have a security engineer reach out to you.