We are in an unprecedented time with COVID-19. Around the world, we are seeing decisive actions put in place to prevent a catastrophic scenario where health care systems are overwhelmed and care is rationed due to lack of ventilators, beds and trained medical staff. We know that “social distancing” is critical. This means all social activity where people congregate must stop. Now families and individuals are spending more time in their homes or outdoors at a six-foot distance from others, and many common daily interactions are moving online.
Virtual meetings are now the only way companies have face-to-face connections. People are ordering online delivery services to avoid going to stores. This is particularly pronounced for food and medicine, two essentials that people had previously purchased in physical locations. The already rapid rise of online shopping for clothes, electronics and sporting goods is continuing to accelerate. School districts around the world are running virtually, if at all. This is increasing adoption of e-learning and encouraging schools and individuals to consider it as their primary channel of education.
As we have observed over the years, the trends we see in daily life and in online activities are often reflected in the trends we see in the cyber world. The coronavirus disruption is no exception.
Attackers always follow the money, and at times when the industry and the workforce operating technology and running websites are going through dramatic transitions, attackers identify new opportunities. We see this play out in the data we gather from our platform; it reveals interesting trends in web traffic and attack patterns.
Web Traffic Surges in Food, Food Delivery and Home Goods
Since January, overall web traffic across the e-commerce industry has remained fairly constant, but recently we have seen large traffic surges as well as increases in conversion rates in certain segments. In addition, the amount of malicious traffic in the e-commerce industry has increased. Here are highlights for key segments:
- Food and Food Delivery: From mid-January to mid-March, these segments experienced a 41% increase in traffic. Since March 1, the industries’ conversion rate has soared by 80%. This means that shoppers are more decisive, and that orders are growing at a faster rate than the traffic growth alone.
Figure 1: Food delivery traffic spikes - both bots (red) and legitimate users.
- Home Goods: In the past two months, this segment experienced an increased number of account takeover (ATO) attacks. In recent days, these attacks comprised almost 80% of all login attempts. In addition, conversion rates doubled. Since March 11, searches for toilet paper have increased by 1400%, and searches for outdoor furniture have doubled since January. We have even seen some sites experience larger spikes in single-day traffic during March than they saw during the last Cyber Monday, on some days more than 300% of the Cyber Monday peak.
Figure 2: Increased ATO attacks (in red) on Home Goods retailers. The blue line represents legitimate log-ins.
Figure 3: On some segments, last week’s daily traffic is more than double the peak of Cyber Monday.
Figure 4: Recent buying trends show increases in high-demand products.
Cyber Threats Increase From Scraping Attacks
Malicious traffic has increased noticeably in the overall e-commerce segment. This can mainly be attributed to a rise in scraping attacks to capture key price and inventory data. Our hypothesis is that increased competition for business in key segments has fueled scraping growth as competitors seek to capture more online customers with deals and pricing offers. Scraping growth has been concentrated on hot items such as toilet paper, face masks and disinfectants. Unlike scraping for general merchandise, which usually is fueled by competitive inventory and price collection, we see new scrapers that are typically used by hoarders trying to get their hands on highly coveted items.
Figure 5: Scraping bot traffic (in red) in overall e-commerce segment.
How Website Owners Can Protect Their Business and Their Customers
Now is the time to be more vigilant than ever, since web attacks are rising along with traffic spikes. Businesses should pay attention to the five ways to identify a bot attack. To combat these threats, businesses should adopt the following strategies:
- General: Regularly analyze server logs and traffic logs to look for noticeable changes. This advice spans all attack types. Your log analysis tools should be able to handle this.
- ATO: Look for behavioral anomalies of ATOs. For example, visitors that go straight to the log-in page without clicking on any other links or scrolling around the site are likely to be bots executing an ATO.
- Scraping: Turn off caching in Google and look for spikes in specific category pages that are in high demand.
- General: Consider adopting automated web application protection technologies that can leverage sophisticated machine learning engines to spot emergent anomalies in real time and that block malicious visitors from scraping or attempting ATOs.
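The ATO log check described above can be run directly over web server access logs. The following is an added example, not PerimeterX code: it assumes combined-format access logs, a hypothetical login route `/account/login`, and an arbitrary threshold of three attempts, and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

LOGIN_PATH = "/account/login"  # assumed login route, adjust to your site
# Constructed sample in combined log format (documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2020:10:00:01 +0000] "POST /account/login HTTP/1.1" 401 512 "-" "python-requests/2.23.0"
203.0.113.7 - - [18/Mar/2020:10:00:02 +0000] "POST /account/login HTTP/1.1" 401 512 "-" "python-requests/2.23.0"
203.0.113.7 - - [18/Mar/2020:10:00:03 +0000] "POST /account/login HTTP/1.1" 401 512 "-" "python-requests/2.23.0"
198.51.100.20 - - [18/Mar/2020:10:01:00 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Mar/2020:10:01:09 +0000] "GET /account/login HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Mar/2020:10:01:20 +0000] "POST /account/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.31 - - [18/Mar/2020:10:02:00 +0000] "GET /products/patio-chair?ref=home HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
198.51.100.31 - - [18/Mar/2020:10:02:30 +0000] "POST /account/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(log_text):
    """Yield (client, method, path) per parsable line; client is (ip, user agent)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["ip"], m["ua"]), m["method"], m["path"].split("?", 1)[0]

def login_only_clients(log_text, min_attempts=3):
    """Clients that POSTed to the login path at least min_attempts times
    and never requested any other path (no browsing, no static assets)."""
    attempts = defaultdict(int)
    seen_other = set()
    for client, method, path in parse(log_text):
        if path != LOGIN_PATH:
            seen_other.add(client)
        elif method == "POST":
            attempts[client] += 1
    return {c: n for c, n in attempts.items() if n >= min_attempts and c not in seen_other}

def suspicious_login_share(log_text, min_attempts=3):
    """Fraction of all login POSTs that came from login-only clients."""
    flagged = login_only_clients(log_text, min_attempts)
    total = sum(1 for _, m, p in parse(log_text) if m == "POST" and p == LOGIN_PATH)
    return sum(flagged.values()) / total if total else 0.0

if __name__ == "__main__":
    print(login_only_clients(SAMPLE_LOG), suspicious_login_share(SAMPLE_LOG))
```

Treat the output as a triage signal rather than a verdict: native mobile apps and API clients also post to the login endpoint without browsing, and many users can share one address behind NAT.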
For ongoing analysis on the rapidly changing application threat landscape, you can subscribe to the PerimeterX blog.