It’s practically an economic law that revenue growth for e-commerce companies translates to both more shoppers and more bad actors. This is precisely why the 2019 holiday shopping season is expected to set records not only for online sales but also for losses due to malicious bot activity.
Let’s face it, the size of the bad bot problem is already significant.
- ATO attacks, where bots use stolen credentials to hijack customer accounts, have resulted in approximately $10 billion in losses over the past two years
- Malicious bots are largely responsible for the $6.5 billion to $19 billion in losses expected in 2019 from digital advertising fraud
- More than 50 percent of the traffic to retail sites overall comes from bots and they represent between 40 percent and 80 percent of retail login attempts
The situation is likely to get even worse, though, as bots continue to proliferate. For several years now, bot-generated traffic has surpassed human-generated traffic on the Internet. That’s not to say that all bots are bad. For example, search engine crawlers are generally regarded as beneficial. However, it does stand to reason that bots designed for malicious purposes – ones intent on making money off of e-commerce companies and their customers – will not only expand in number but also evolve in sophistication as the e-commerce attack surface keeps getting bigger and richer.
There are several reasons to expect online merchants will face the most sophisticated bot-based attacks yet during the 2019 holiday shopping season.
Online and mobile sales growth attracts attackers. As online and mobile commerce expands, cybercriminals follow the money and scale up their activity.
Up from $2.86 trillion in 2018, retail e-commerce sales worldwide are expected to hit $3.53 trillion in 2019, as they head for an estimated $6.54 trillion in 2022. Citing data from 451 Research’s Global Unified Commerce Forecast, this excerpt from a Forbes article is particularly relevant:
“Consumers are increasingly turning to online and mobile channels to make purchases that they traditionally would have made at the cash wrap in years past. This deflection of spending has been fueled, in part, by the rise of online marketplaces and the on-demand economy against the backdrop of new purchase experiences like click-and-collect and mobile order-ahead. This year, one out of every ten dollars spent globally will occur in a digital channel. By 2022, more than 17% of B2C sales around the world will occur online.”
The same article goes on to indicate that the number of mobile commerce transactions (those conducted with a smartphone or tablet) will exceed the number of traditional e-commerce transactions (those conducted using a desktop or laptop) globally for the first time in 2019.
As usual, it is also reasonable to expect a disproportionate percentage of these online transactions – and, therefore, of the associated bot attacks – to occur during the highly active holiday shopping season.
More stolen credentials at cybercriminals’ and bots’ disposal. As the volume of viable credentials available for purchase on the dark web increases, so too does the volume of bad bots looking to exploit them.
2018 continued an all-too-familiar pattern, as numerous high-profile data breaches were revealed, including Marriott Starwood hotels with 500 million records breached, Google+ with 52.5 million records, and Panera with 37 million records. Overall, it is estimated there are more than 1.4 billion stolen email/password combinations available on the dark web for purchase.
The result is a truly worrisome situation where the login credentials of most consumers have already been stolen and resold and, due to poor password practices, are likely to work on multiple websites and accounts. Moreover, it’s pretty clear that cybercriminals are already geared up to take advantage of the situation. The evidence: according to the 2019 Verizon Data Breach Investigations Report, 29 percent of reported breaches involved the use of stolen credentials, with web apps being the most popular vector of attack.
Retailers’ outmoded defenses cannot stop increasingly sophisticated bots. As one line of defense is put in place, cybercriminals will invariably advance bot technology to overcome it.
Cybercriminal syndicates, which increasingly deploy the most sophisticated bots available, are engaged in an arms race with retailers’ IT security teams. The latest generation of sophisticated bots impersonates real users and legitimate system behaviors either by injecting a malicious extension into the user’s browser or by simply executing the browser in a hidden window. The bots or their operators then piggyback other attacks on the valid identities and systems of real users.
Because these bots often have valid user credentials, do not make many requests from any single IP address and mimic key aspects of human behavior, they won’t trigger volumetric or IP reputation alarms. Typically, they’re also able to evade commonly deployed signature-based defenses and web application firewalls.
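As an added illustration of why per-IP thresholds miss this kind of traffic (example code written for this page, not part of the original post or any vendor product): a constructed batch of login events spread across many source IPs slips under a classic volumetric rule, while pivoting on the targeted account and the site-wide failure ratio still surfaces it. The event format, thresholds and IP addresses are all assumptions.

```python
from collections import defaultdict

# Constructed login events: (src_ip, username, outcome).
# Eight failures arrive from eight different IPs, so no single source looks
# busy, yet each targeted account is probed from several sources.
EVENTS = [
    ("203.0.113.10", "alice", "fail"),
    ("203.0.113.11", "bob",   "fail"),
    ("203.0.113.12", "alice", "fail"),
    ("203.0.113.13", "carol", "fail"),
    ("203.0.113.14", "bob",   "fail"),
    ("203.0.113.15", "carol", "fail"),
    ("203.0.113.16", "alice", "fail"),
    ("203.0.113.17", "bob",   "fail"),
    ("198.51.100.5", "dave",  "success"),  # a genuine customer logging in
]

def per_ip_offenders(events, max_failures_per_ip=5):
    """Classic volumetric rule: flag an IP once it exceeds N failed logins.
    Distributed bots stay below N per source, so this returns nothing."""
    failures = defaultdict(int)
    for ip, _user, outcome in events:
        if outcome == "fail":
            failures[ip] += 1
    return {ip for ip, n in failures.items() if n > max_failures_per_ip}

def distributed_offenders(events, min_distinct_ips=2, max_fail_ratio=0.5):
    """Pivot on the target account instead of the source: an account that fails
    from several different IPs while the site-wide failure ratio is abnormally
    high is the footprint of credential stuffing spread thinly across sources.
    Returns (overall failure ratio, set of accounts under attack)."""
    ips_by_user = defaultdict(set)
    total = failed = 0
    for ip, user, outcome in events:
        total += 1
        if outcome == "fail":
            failed += 1
            ips_by_user[user].add(ip)
    ratio = failed / total if total else 0.0
    if ratio <= max_fail_ratio:
        return ratio, set()
    return ratio, {u for u, ips in ips_by_user.items() if len(ips) >= min_distinct_ips}

if __name__ == "__main__":
    print("per-IP rule flags:", per_ip_offenders(EVENTS))
    print("per-account rule flags:", distributed_offenders(EVENTS))
```

In production the failure ratio would be compared against a learned baseline for the same time window rather than a fixed 0.5, and the account-level signal would feed a step-up challenge rather than a block, since the probed accounts belong to legitimate customers.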
The bottom line: if you’re an online merchant, then you’d better hold onto your hat as we head into the holiday shopping season. Sophisticated bad bots are likely to be out in force, alongside or in front of the customers you’re looking to serve.
If you’d like to learn more about the impact of malicious bots on e-commerce and what you can do to stop them, download our new white paper, Five Major Bot Threats to Holiday E-commerce and How To Stop Them. Or, register for a Bot Defender demo.