It was the biggest online shopping weekend in history, and PerimeterX saw more action than in any previous five-day holiday shopping period. We also protected 140% more commercial transactions than in 2019. A good portion of this increase in transactions protected was due to PerimeterX adding many new customers over the year. Controlling for new customer additions, we estimate that 20% to 40% of the transaction volume increase in 2020 was the result of the unprecedented traffic and retail transaction levels we saw during Thanksgiving and the subsequent shopping days. This elevated activity level is likely the new normal for online transactions and activities. Businesses will need to plan for bigger and more sophisticated holiday shopping attacks on their applications next year and beyond.
A Record-setting Period for Sales, An Earlier Start
During the “Cyber 5” shopping period between Thanksgiving and Cyber Monday, U.S. shoppers spent a record $34.36 billion on retail websites, according to Adobe, a 20.6% increase from 2019. This actually fell below projections for huge spikes in online shopping due to the ongoing pandemic. That said, Adobe’s researchers believe that missed projections resulted from shoppers pressing the “buy” button before Cyber 5 to avoid out-of-stock items and shipping delays.
The earlier start to the holiday shopping season was likely influenced by retailers launching promotions prior to Cyber 5 to pull demand forward. In addition, the gravitational pull of Amazon Prime Days and competing efforts by Target and Walmart to pull more shoppers in earlier in the fall likely detracted from the Cyber 5 take. Still, shoppers are spending faster in the holidays than in previous years. Adobe found that from November 1 through Cyber Monday, global consumer spending for the first time eclipsed $100 billion, reaching $106.5 billion. The spending total passed $100 billion nine days earlier than in 2019. Globally, consumers followed the U.S. lead, sending online shopping to new records over Cyber 5. For its part, Salesforce reported 2020 global digital channel retail sales of $62 billion on Black Friday alone, a 30% increase over the previous year.
Overview: Traffic Processed Rose By 2x to 3x, Depending on the Day
All of this was driven by significant spikes in traffic to online shopping sites. For Cyber 5 in 2020, PerimeterX processed record traffic of 93.7 billion total requests. As compared to 2019, PerimeterX recorded a 113% spike in requests processed on Thanksgiving, a 158% increase in requests processed on Black Friday and a 148% increase in requests processed on Cyber Monday. Some of this increase was due to the PerimeterX customer base expanding, contributing to a traffic increase of roughly 100% from 2019 to 2020. Still, controlling for this organic growth, we saw the average level of traffic seen by our customers on these specific days increase by between 20% and 40% over 2019.
The peak volume of requests PerimeterX processed exceeded 1.5 million per second. Based on internal estimates of traffic and purchasing volumes, PerimeterX protected more than $12 billion in global e-commerce transactions for Cyber 5 2020, setting a new company record.
Figure: Web traffic processed rose by 2x to 3x year over year.
Account Takeover and Fraudulent Transactions Prevented
Surprisingly, in 2020 we saw a decline in the percentage of malicious traffic requests at checkout over Cyber 5. This Black Friday, for example, 60% of requests were malicious, a 7% decline from 2019. The percentage of login attempts detected to be malicious also fell, from 94% in 2019 to 87% in 2020. We attribute the decline to the growing tendency of attackers seeking to commit account takeover (ATO) attacks to more quickly terminate attacks against targets that have sophisticated defenses. These defenses identify and proactively block credential stuffing on login pages or fraudulent checkout attempts. This decline also translated into a considerable reduction in the load placed on our clients’ infrastructure, including their CDNs and origin servers. This reduced traffic load ensures better application performance, which delivers higher conversions and higher revenues. Because many of our clients depend on Cyber 5 for up to 35% of their annual sales, a 5% to 10% improvement in application performance can translate into a seven- or eight-figure improvement in e-commerce revenues.
25% Of All Gift Card Requests Were Carding Attacks
As we reported earlier this month, e-gift card hacking is now a part of every holiday and a growing fraud risk to e-commerce operations. This trend held for Cyber 5 2020. PerimeterX identified that 25% of all requests to e-gift card endpoints during this period were malicious bot carding attacks. We believe this percentage is actually well below industry averages because sophisticated attackers recognize when a target has deployed advanced behavioral blocking, like that delivered by PerimeterX Bot Defender, and discontinue their attack rather than waste precious infrastructure capacity and monetary resources. Automated carding attacks leverage data dumps and validated credential pairs - logins and passwords - to attempt to gain access to card balances, or to accounts where cards could be purchased with pre-loaded credit cards. Another related attack type, gift card cracking, happens when attackers use brute force to attempt to guess passwords or PIN codes to gain account access. This growth in attacks on e-gift cards is not surprising, given the rapid growth of online gift card purchases. According to the 2020 Consumer Pulse: Gift Cards Report, online purchases of gift cards more than doubled in the first two quarters of 2020 versus the previous period. This compares to 24% year-over-year growth for the same period from 2018 to 2019. Ongoing e-gift card hacks are notoriously hard to spot because they play out over time. For this reason, these attacks can become a source of significant reputational damage. Based on our findings on attack volumes, even assuming a low success rate, as many as 1% of all gift card accounts on unprotected e-commerce sites face the risk of being hacked and then drained or defrauded.
Scalper Bots Trying to Take Advantage of Limited Edition, Flash Sales
In the last two years, limited edition sales have become a common marketing tactic to drive sales. The creation of this limited edition economy has attracted scalpers who use automated bots to buy up in-demand items as soon as they hit the virtual shelves. This angers loyal customers and damages the brands of companies that fail to control this problem and afford equal access to all buyers. According to research by the CMO Council, 47% of shoppers will abandon a favorite brand if they feel they are not treated properly.
The challenges posed by scalper bots have been prominent in the run-up to Cyber 5 2020. In November and December, game console and electronics company Sony was victimized by scalpers using bots that scooped up multiple units of the new, in-demand PlayStation 5 (PS5) console and placed them for resale at 100% to 200% markups. This set off a wave of online protests against Sony’s handling of the PS5 release process. During Cyber 5, PerimeterX blocked the vast majority of scalper bot attempts and ensured that over 90% of all purchasers were humans and not bots. This translates into tens of millions of dollars' worth of products going to tens of thousands of loyal customers who might otherwise have been unable to buy what they wanted due to scalper bots.
Conclusion: Five Lessons for the New Normal
Without a doubt, the pandemic has forced more daily interactions online. For online shopping, it rapidly accelerated the ongoing trend from bricks to clicks. The new normal for online shopping is markedly above pre-pandemic levels. During this unprecedented year, retailers regularly saw shopping levels that eclipsed many previous cyber holiday daily peaks. The 2020 holiday peak demonstrated that online shopping is even more rapidly displacing legacy channels than previously forecasted. Prior to Cyber 5, the extended strength of shopping throughout the Fall might also indicate that the pandemic has reset the fall shopping baseline at a new and previously unseen level.
For e-commerce operators and site reliability teams, security teams, and revenue teams, 2020 holds a number of crucial lessons:
- Increases in online shopping traffic will put additional capacity and security pressures on applications going forward.
- Risks to online stores are broadening from ATO attacks being the primary concern to scalper bots and e-gift card attacks posing equally serious risks.
- Online retailers who deploy advanced solutions to identify anomalous behaviors and malicious bots experience fewer attacks against their applications after they are recognized as hardened targets.
- Controlling the impact of malicious bots is now crucial to protecting an application’s customer experience. Ensuring loyal customers have a fast, responsive application and can buy what they want when they are on a site or app is business-critical.
- Because of the impact of Amazon Prime and other promotions, the peak holiday shopping season is starting earlier. This means e-commerce operators need to put new technologies in place or upgrade their sites at least one month earlier than they have in the past.
The pandemic and this record-setting Cyber 5 demonstrated the critical importance of detecting and stopping automated attacks as early as possible - ideally before a CDN or origin server sends back an initial response. Blocking automated attacks ensures that customers get the experience they deserve while maximizing online revenue and minimizing infrastructure costs and brand risks. Cyber 5 is a make or break period for many e-commerce stores. During these five crucial days, all the previous work to improve applications and secure online storefronts can pay off handsomely. An excellent New Year’s Resolution for 2021 is to start planning technology improvements for Cyber 5 even earlier - and to put stopping automated attacks at the top of the list.