PerimeterX has released its annual Automated Fraud Benchmark Report, which details the web app traffic and threat patterns experienced by some of the largest and most respected brands in retail e-commerce. Read on for the key takeaways from the full report.
1. Malicious bot traffic to online retailers increased 106.21% YoY
In 2021, web traffic fell 3.38% on average from the previous year. Despite that dip, the share of traffic that was malicious bot traffic stayed virtually the same YoY: 29.5% in 2020 and 29.4% in 2021. Measured in normalized requests, however, malicious bot traffic increased 106.21%. Cybercriminals are not leaving digital stores just because consumers are.
Cybercriminals have long understood that attacking web apps has monetization potential, and the pandemic opened their eyes to even more possibilities for financial gain. Consumer accounts contain payment data, gift cards and loyalty points, but they also hold a piece of a user's identity, and that is much more valuable than a stored credit card. If a cybercriminal can hide behind a legitimate user's identity, the opportunities to commit fraud increase significantly.
2. Bot attacks continue to plague digital stores
As you might expect, the increase in malicious bot traffic corresponded to a rise in bot attacks on retail e-commerce sites. Still, I was surprised by the magnitude. Carding attacks increased 111.61% on average in 2021, and scraping attacks rose 240%. Malicious login attempts increased 9.13% during attack peaks, and peak scalping attacks rose from 46% in 2020 to 71% in 2021.
Even as social distancing regulations have become more relaxed and some people are once again shopping in-store, their online accounts remain intact — meaning web apps are as rich a target for bot attacks as they ever were. Furthermore, supply chain issues have increased the scarcity and demand for certain products, drawing more attention from scalpers.
3. The pandemic continued to drive bot attacks across e-commerce segments
The Health and Wellness segment saw the most malicious bot traffic in 2021: 36.28% of total traffic. This is likely because activity in the space increased during the pandemic as more people began using apps to purchase health-related goods and services. Cybercriminals jumped on this trend, mostly to take over accounts and scrape pricing and product information.
Hardware, Software and Electronics came second, with malicious bots making up 33.2% of total traffic, followed by Sports and Recreation at 27.9%. These segments include electronic devices and limited-edition sports apparel: hot products whose demand has only increased with pandemic-era supply chain shortages. This makes them a prime target for scalping bots, which drove the bump in malicious bot traffic to these sellers.
Although their overall bot traffic was lower, businesses in the Home, Kitchen and DIY, and Fashion and Beauty segments experienced the highest percentage of credential stuffing and account takeover (ATO) attacks. This is likely because accounts with those companies are more likely to contain gift card balances with a higher resale value, especially given the pandemic-driven growth in online shopping.
Stop bot attacks by disrupting the web attack lifecycle
As digital channels have become the primary way that many consumers discover, shop and interact with a brand, e-commerce sites and apps are prime targets for bot attacks. Although they might seem like one-off attacks, they’re part of a much larger lifecycle of cybercrime.
Modern cybercrime is integrated, continuous and cyclical. One kind of attack fuels another, propagating and prolonging an attack lifecycle that hits consumers everywhere along their digital journey.
- Cybercriminals steal credentials, payment data and other PII via digital skimming, formjacking and phishing attacks. Next, this information is often sold on the dark web.
- Attackers unleash bots to validate stolen credentials and payment information on e-commerce sites via login and checkout attempts. They can use valid information to take over accounts, commit fraud or sell it on the dark web.
- Bad actors use validated information to take over accounts, make fraudulent purchases, drain gift card balances and impersonate a user’s identity. This can mean submitting fake credit applications, creating fake accounts, submitting fake warranty claims and posting fake reviews. Furthermore, compromised accounts can be used to distribute malware and steal even more PII, beginning the cycle all over again.
To stop bot attacks, e-commerce businesses must disrupt the web attack lifecycle. That means identifying and blocking the use of compromised credentials and payment data at the validation stage, making successful attacks expensive and time-consuming to complete, and continuously authenticating users and monitoring behavior even after a successful login. Only with a comprehensive approach can you proactively prevent automated fraud on your e-commerce site.
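One way to put the "validation stage" of the lifecycle above into detection logic, as an added example and not code from PerimeterX or the report: the stuffing and carding bots in the second stage reveal themselves as bursts of attempts with many distinct subjects (accounts or cards) and a low success rate, and the few successes inside such a burst are exactly the validated credentials that feed the account takeover stage. The log format, the sample lines, the five-minute window and every threshold below are constructed for the example.

```python
"""Detect credential-stuffing and carding bursts in e-commerce request logs.

Added example (not PerimeterX code). Constructed heuristics:
- credential stuffing: one source IP tries logins for many distinct accounts
  in a short window and almost all of them fail;
- carding: one session submits many distinct card tokens to checkout and
  almost all are declined.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed detection window

# Constructed sample log: "<ts> <src_ip> <session> <event> <subject> <outcome>"
# where subject is a username for logins and a card token for checkouts.
SAMPLE_LOG = """\
2021-11-20T10:00:01Z 203.0.113.7 b1 login alice@example.com fail
2021-11-20T10:00:02Z 203.0.113.7 b2 login bob@example.com fail
2021-11-20T10:00:03Z 203.0.113.7 b3 login carol@example.com fail
2021-11-20T10:00:04Z 203.0.113.7 b4 login dave@example.com ok
2021-11-20T10:00:05Z 203.0.113.7 b5 login erin@example.com fail
2021-11-20T10:00:06Z 203.0.113.7 b6 login frank@example.com fail
2021-11-20T10:00:07Z 203.0.113.7 b7 login grace@example.com fail
2021-11-20T10:00:08Z 203.0.113.7 b8 login heidi@example.com fail
2021-11-20T10:00:09Z 203.0.113.7 b9 login ivan@example.com fail
2021-11-20T10:00:10Z 203.0.113.7 b10 login judy@example.com fail
2021-11-20T10:01:00Z 198.51.100.5 s2 login mallory@example.com fail
2021-11-20T10:01:20Z 198.51.100.5 s2 login mallory@example.com fail
2021-11-20T10:01:45Z 198.51.100.5 s2 login mallory@example.com ok
2021-11-20T10:05:00Z 203.0.113.9 c7 checkout card01 declined
2021-11-20T10:05:04Z 203.0.113.9 c7 checkout card02 declined
2021-11-20T10:05:09Z 203.0.113.9 c7 checkout card03 declined
2021-11-20T10:05:13Z 203.0.113.9 c7 checkout card04 approved
2021-11-20T10:05:18Z 203.0.113.9 c7 checkout card05 declined
2021-11-20T10:05:22Z 203.0.113.9 c7 checkout card06 declined
2021-11-20T10:06:00Z 198.51.100.5 s2 checkout card07 approved
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    session: str
    kind: str     # "login" or "checkout"
    subject: str  # username or card token
    outcome: str  # "ok"/"fail" for logins, "approved"/"declined" for checkouts


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, ip, session, kind, subject, outcome = parts
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            ip, session, kind, subject, outcome))
    return events


def _flag_bursts(events, kind, key, ok_value, min_attempts, min_distinct, max_ok_rate):
    """Group `kind` events by `key` and flag a key the first time a WINDOW-long
    run reaches min_attempts with at least min_distinct subjects and a success
    rate at or below max_ok_rate. Returns {key: (attempts, distinct, ok_rate)}."""
    groups = defaultdict(list)
    for e in events:
        if e.kind == kind:
            groups[key(e)].append(e)
    flagged = {}
    for k, evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        for i, last in enumerate(evs):
            window = [e for e in evs[: i + 1] if last.ts - e.ts <= WINDOW]
            if len(window) < min_attempts:
                continue
            distinct = len({e.subject for e in window})
            ok_rate = sum(e.outcome == ok_value for e in window) / len(window)
            if distinct >= min_distinct and ok_rate <= max_ok_rate:
                flagged[k] = (len(window), distinct, ok_rate)
                break
    return flagged


def detect_credential_stuffing(events):
    # Assumed thresholds: 8+ logins, 5+ accounts, <=20% success from one IP.
    return _flag_bursts(events, "login", lambda e: e.ip, "ok", 8, 5, 0.2)


def detect_carding(events):
    # Assumed thresholds: 5+ checkouts, 3+ cards, <=40% approvals in one session.
    return _flag_bursts(events, "checkout", lambda e: e.session, "approved", 5, 3, 0.4)


def accounts_needing_step_up(events, stuffing_ips):
    """Accounts that logged in successfully from a flagged IP: the validated
    credentials the lifecycle hands to the takeover stage, so re-authenticate them."""
    return {e.subject for e in events
            if e.kind == "login" and e.outcome == "ok" and e.ip in stuffing_ips}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    stuffing = detect_credential_stuffing(evs)
    for ip, (n, users, rate) in stuffing.items():
        print(f"credential stuffing from {ip}: {n} logins, {users} accounts, {rate:.0%} success")
    for sess, (n, cards, rate) in detect_carding(evs).items():
        print(f"carding in session {sess}: {n} checkouts, {cards} cards, {rate:.0%} approved")
    print("force step-up auth for:", sorted(accounts_needing_step_up(evs, stuffing)))
```

Keying on source IP and session is the simplest cut and is also the easiest for an attacker to defeat by rotating proxies and sessions; in practice the same burst logic should be run over more stable keys (device fingerprint, TLS fingerprint, ASN) as well, which is what makes the validation stage expensive for the attacker rather than merely detectable.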