10 November 2021

Imperva warns against Singles Day scams

Imperva, the cybersecurity leader whose mission is to help organisations protect their data and all paths to it, has launched a new e-commerce report and issued advice around safe retailing in conjunction with the world’s biggest online shopping event on November 11.

The company noted that Chinese e-commerce firms Alibaba and JD.com racked up a record-breaking US$115 billion in sales across their platforms during Singles Day 2020, and that as the number of online shoppers grows, so do the scams. Imperva’s new report, The State of Security Within eCommerce 2021, projects that the number of victims in 2021 will surpass last year’s.

In Singapore, for instance, the number of security incidents in retail increased 31% from April to September 2021 compared to the previous six-month period, Imperva said, highlighting the following trends:

Malicious bots

Online retail has remained a prime target for automated bot activity in 2021. Bots can carry out disruptive or malicious activities on retail sites, including price and content scraping, scalping, denial of inventory and other types of online fraud.

According to Imperva, the volume of monthly bot attacks on retail websites rose 13% in 2021 compared to the same months of the previous year. Imperva Research Labs found that 57% of attacks recorded on e-commerce websites this year were carried out by bots. In comparison, bad bots made up just 33% of the total attacks on websites in all other industries in 2021.

Incidentally, the top type of security incident in the Singapore retail industry in the past 12 months (October 2020 to September 2021) has been bad bot traffic (44%). In the December shopping period last year in particular, Singapore’s retail industry saw a marked rise in simple bot traffic, 60% above the monthly average.

The proportion of sophisticated bad bots on retail websites reached 23.4% in 2021. This breed of bot is the hardest to stop because it is capable of producing mouse movements and clicks that closely resemble human behaviour. Sophisticated bots evade simple defences and are responsible for account takeover, fraud or denial of inventory, which makes it harder for legitimate shoppers to get the goods they want, Imperva said.

Distributed Denial of Service (DDoS) attacks

Imperva Research Labs is already seeing an uptick in DDoS attacks, which spiked 200% in September 2021 compared to the month prior. Part of this uptick in activity is tied to the Meris botnet that has impacted organisations globally.

Throughout the past 12 months, the retail industry experienced the highest volume of application layer (layer 7) DDoS incidents per month of all industries. Layer 7 attacks are highly effective because they consume both network and server resources. Defending against application layer attacks is difficult because it requires the ability to distinguish between attack traffic and normal traffic.

Website attacks

Attacks on retail industry websites from Q4 2020 through the first half of 2021 were notably higher than in all other industries, and were characterised by more sporadic peaks in attacks.

Retail sites experienced slightly higher volumes of data leakage attacks (31.3%) in 2021 than all industries combined (26.9%); e-commerce sites are prime targets because they host shoppers’ payment information or loyalty reward points. Data leakage occurs when data is transmitted from an organisation’s corporate network to an external destination, whether accidentally or deliberately, without authorisation. In January 2021, the Singapore retail industry saw a 59% increase above the monthly average for data leakage attacks, coinciding with the Chinese New Year shopping period.

Imperva's advice for shoppers includes:

  • Before you shop, ensure your software and apps are updated so you have all the latest security patches.
  • Do not shop through a public Wi-Fi connection. Instead, use a VPN or your phone as a hotspot.
  • Make sure you shop through a reputable site whose address starts with ‘https’ (not ‘http’) and shows a padlock symbol.
  • Be careful of the apps/extensions you download onto your devices.
  • Stick to well-known brands or applications. Be especially wary of free apps.
  • When setting up your shopping accounts, be sure to use strong, different passwords for each account, and set up multifactor authentication where possible.
  • Use secure payment methods like PayPal or your credit card.
  • Never send your bank or credit card details via email or SMS.
  • Don't let your online shopping accounts or browser save your payment details.

Imperva's advice to retailers includes:

  • Ensure your organisation is compliant with all data privacy regulations in your jurisdiction.
  • Prepare for a high volume of traffic, as well as DDoS attacks.
  • Be sure to have a bot management strategy in place so that only legitimate customers reach your website.
  • Encourage your customers to follow good password practices, and offer multifactor authentication.
  • Protect your existing website functionalities and make sure newly added ones are safe, too.
  • Take inventory of all your JavaScript-based services.
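The report's point that layer 7 DDoS defence comes down to distinguishing attack traffic from normal traffic, and the retailer advice to have a bot management strategy, both rest on the same basic check: counting what each client does over a short window on the endpoints that matter. The following is an added example, not code from Imperva or from the report, showing that check as a sliding-window rate monitor over constructed web server access log lines; the IP addresses, timestamps, paths, window size and threshold are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx/apache "combined" access log format: client, timestamp, request line,
# status, bytes, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flag_abusive_clients(lines, window_seconds=10, max_requests=20,
                         watched_prefixes=("/cart", "/checkout")):
    """Count requests per client IP on the watched endpoints inside a sliding
    time window. Returns {ip: peak requests seen in any window} for clients
    whose peak exceeds max_requests. Thresholds are illustrative assumptions."""
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])          # logs are not always in order
    windows = defaultdict(deque)                 # ip -> timestamps in the window
    peak = defaultdict(int)
    for rec in records:
        if not rec["path"].startswith(watched_prefixes):
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                          # drop hits older than the window
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def _line(ip, ts, path, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def build_sample_log():
    """Constructed sample (not real traffic): one shopper browsing normally and
    one scripted client hammering add-to-cart, the pattern behind scalping and
    denial of inventory."""
    lines = []
    # Shopper: three requests spread over forty seconds.
    for sec, path in [(1, "/product/1234"), (15, "/cart/add?sku=1234"), (40, "/checkout")]:
        lines.append(_line("203.0.113.7", f"11/Nov/2021:00:00:{sec:02d} +0800",
                           path, "Mozilla/5.0"))
    # Scripted client: 30 add-to-cart hits inside six seconds (seconds 10 to 15).
    for i in range(30):
        lines.append(_line("198.51.100.9", f"11/Nov/2021:00:00:{10 + i // 5:02d} +0800",
                           "/cart/add?sku=1234", "python-requests/2.26"))
    return lines


if __name__ == "__main__":
    for ip, n in flag_abusive_clients(build_sample_log()).items():
        print(f"{ip}: peak {n} cart/checkout requests within 10s")
```

Run against the constructed log, the scripted client is flagged with a peak of 30 requests and the shopper is not. A per-IP rate is only the simplest signal: the sophisticated bots the report describes keep request rates and mouse behaviour close to a human's, and many legitimate shoppers share one address behind carrier NAT, so production bot management layers this kind of check with session, device and behavioural signals rather than relying on it alone.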

“The 2021 holiday shopping season is shaping up to be a nightmare for both retailers and consumers,” said Peter Klimek, Director of Technology, Office of the CTO, Imperva.

“With the global supply chain conditions worsening, retailers will not only struggle to get products to sell in Q4, but will face increased attacks from motivated cybercriminals who want to benefit from the chaos. Retailers and consumers alike need to take the necessary steps to protect themselves.”
