In early 2020, e-commerce was already growing far faster than sales at brick-and-mortar stores Now, with much of the world sheltering-in-place in an attempt to flatten the curve of new coronavirus cases, online shopping has surged beyond levels typically seen during holiday shopping periods. People have stopped leaving their homes. Non-essential businesses are closed, so online shopping has become the only way to make many types of purchases.
Homebound consumers have even cranked up e-commerce orders in categories deemed essential like grocery stores and pharmacies, where shops remain open. According to the Adobe Digital Economy Index, online grocery shopping has doubled while overall e-commerce sales jumped by 25% through March 15. Online sales of computers, monitors, fitness equipment and toilet paper were all soaring, even before the full effects of shelter in place kicked in.
This extraordinary crisis is creating major e-commerce security challenges for companies across vertical segments. Spikes in traffic means it’s easier for anomalies to hide in the noise. Already stretched security and IT resources - many of them also working from home - are pushing to make sure infrastructure is operational and can handle the increased scale. Relying on security products that are built on historical pattern recognition rather than continuous machine learning to guide the business can result in missed attacks and bad decisions that outlive the crisis.
Food Delivery, Home Goods, E-learning New Targets Of Automated Bot Attacks
Food and Food Delivery Services Heating Up: After Experiencing a 41% increase in traffic from mid-January to mid-March, food and food delivery is one sector of the online economy experiencing growth during the COVID-19 crisis.
As shoppers began a shelter-in-place period of unknown length, normally quiet or slow traffic categories such as exercise equipment experienced rapid demand. They also grew in value to cybercriminals because of the increased traffic on some of these sites. Cybercriminals can use stolen credentials to buy luxury goods or electronics for subsequent resale at a huge profit on secondary sites. Alternatively, they can pursue fraudulent refund requests, or they can skim personally identifiable information (PII) or execute a Magecart or account takeover (ATO) attack.
Small- and medium-sized vendors of exercise equipment, for example, may be inexperienced with major attack types like ATO because cybercriminals have previously focused on other high-dollar items like luxury goods and travel. Many of these vendors may not have sophisticated algorithmic and pattern-matching detection systems in place to discern fraudulent attempts from legitimate ones. And this is just one segment. Educational and e-learning services, home goods stores, and food delivery services have similar characteristics: they are seeing increased traffic volumes and may lack the e-commerce security systems necessary to protect their growing customer base and their business.
Product Demand Shift Can Wreak Havoc With E-commerce Security
With the flood of traffic has also come big shifts in product demand. Traffic to large e-commerce sites selling groceries has spiked over historical levels for this time of year and from previous months. Demand for items like hand sanitizer, alcohol, toilet paper and home cleaning products has seen tremendous growth. Since the spike is not seasonal or historical, but an entirely emergent trend, it is especially challenging to understand. So we have a rare situation where both the mix of products and the time of year don’t match past patterns. Adding to the confusion, we have seen a spike in bot attacks on e-commerce sites. These elements combine to make it significantly harder for e-commerce site operators to quickly and securely handle a real customer while mitigating bot traffic and stopping bot attacks that are underway. This is a perfect storm in the e-commerce security world, and one that is challenging for even the most-experienced operator to navigate.
To Address the Threat, Measure the Little Things
Because this is an anomalous event, manual approaches to e-commerce security will come up short. Usually, you can compare historical records to get a baseline idea of what traffic should look like for any given weekly or monthly period, and break it down to include more detail like geography, types of devices and browsers accessing the site, number of site searches and rate of shopping cart abandonment.
In this situation, such comparisons may not work. An alternative strategy may be to perform day-to-day comparisons starting with the initial burst of traffic. These comparisons and analysis of log files should provide directional guidance. For example, if traffic volume to a log-in page spikes, then it’s likely a sign of an ATO attack. Or if traffic to a specific category page and related product pages spikes and there is no logical reason for this behavior, then chances are a web scraping attack is underway.
Performing all of these analyses manually is doable, although quite time consuming: it usually requires additional full-time resources. Alternatively, e-commerce operators can adopt web application security solutions that identify anomalous patterns in real time and constantly retune its algorithms to accurately identify bad actors and spot bad behaviors. Given the rapid increases in e-commerce activity and revenues, moving quickly with this approach is particularly desirable. Failure to properly shore up e-commerce security to address web attacks can mean significant lost revenues, time wasted on remediation efforts, and disappointed customers - at a time when they need you the most.