The newest international holiday is likely to attract not only record sales but also record levels of malicious traffic.
Summer is here and Amazon Prime Day is around the corner. Deals are being leaked and media coverage is ramping. The shopathon that Bezos built has become a genuine retail holiday, eclipsing other more traditional holidays in sales activity. This also makes Prime Day more important to all retailers, as the entire e-commerce universe reacts to the gravitational pull of a holiday powered by Amazon’s promotional might.
Retailers Must Be Ready to Defend Well Before Prime Day
Just as they need to ready deals and promotions to compete for shopper mindshare, e-commerce retailers should also ready themselves for a wave of automated fraud attacks. In fact, they had better be ready before Prime Day hits. That’s because over the past year a new pattern of elevated fraud attacks emerged around every holiday period. Driven in part by the rapid growth of e-commerce activity during the COVID-19 pandemic, cybercriminals have doubled down on malicious holiday hacking. Now it’s the new normal.
Over the course of 2020 the PerimeterX research team tracked automated attacks closely to gain intelligence and understand emerging trends. We compiled this research into the Automated Fraud Benchmark Report — E-commerce Edition. In creating our report, we analyzed and identified significant fraud attempt spikes around every major holiday. This included Valentine’s Day, Mother’s Day, Father’s Day and, for the first time, the Fourth of July.
Attacks Starting Earlier As Fraudsters Test And Prepare
For most holidays, the fraud attacks began a few days before the holiday itself. For the Cyber 5 period, the five days between Thanksgiving and Cyber Monday, which sees the highest volume of fraud attempts, the probing began nearly two months prior with notable spikes in malicious activity and blocked attempts to access e-commerce websites and applications. The pre-holiday activity is likely an indicator of cyber fraudsters testing out their attack infrastructure — such as proxies and botnets — and validating credential pairs of password and usernames. The validated pairs are more useful because people tend to reuse passwords and they often use the same email address for all their e-commerce activities. On the dark web, validated pairs may be worth $15 or $20, significantly more than unvalidated pairs.
These credentials are most frequently used for account takeovers (ATOs) — also referred to as account fraud. In ATO attacks, fraudsters use botnets and other forms of automation to login and then take control of valid user accounts with the user’s own password and email or username combination.
Another form of attacks we saw markedly increase around holidays is gift card hacking. In this form of attack, cybercriminals attempt to drain the balances from valid gift card accounts by using them to make purchases and shipping those purchases to a forwarding address for subsequent resale. Gift card hacking also can be paired with “buy online, pickup in store” (BOPIS) transactions. For gift card hacking, early attacks to validate gift card balances or verify that balances exist set the table for more significant fraud during the holiday, when sales are in effect and gift card balances can go further.
The scope of the holiday attacks are eye-opening. For example, looking at gift card attacks, for July 4th, 2020, the malicious fraud traffic peak was roughly 7 times the baseline of normal traffic, while the increase in legitimate holiday shopping traffic was only 2 times the normal baseline. Memorial Day 2020 saw a malicious fraud traffic peak at 5 times baseline while the spike in legitimate traffic was only 2 times the baseline.
As the U.S. economy continues its roaring recovery from the yearlong downturn, shoppers are fueled by continued government financial support that is well above pre-pandemic levels. Not surprisingly, most retailers are expecting Prime Day sales to break all previous records. To reap the full benefits of this shopping rush, e-commerce security and revenue teams will need to be ready for an onslaught of automated fraud. That means making sure all firewalls are up to date and all security controls are tuned to handle high volumes of malicious traffic. The more savvy retailers now understand that given the volume and diversity of attacks — spanning thousands of IP addresses, professional botnets, and fraud-as-a-service offerings — the only way to keep pace is by deploying machine learning that can instantly recognize new patterns of fraud and questionable behavior.
The scope and scale of automated fraud will only grow as the world continues its rapid shift away from physical shopping to e-commerce. For Prime Day and every holiday after that, retailers can protect their customers, their infrastructure and their brand if they realign their security stance to make sure they can handle the massive fraud attack that is the new normal for every holiday.
For more insights on automated attack activity in e-commerce and how to stay protected, read the Automated Fraud Benchmark Report.