2021 holiday season saw a sharp increase in eCommerce bot attacks
The past holiday season saw an unusually high level of malicious bot activity in the retail and commerce industries, according to new data from Akamai and RH-ISAC (Retail and Hospitality Information Sharing and Analysis Center).
Attacks included credential stuffing and account takeover (ATO) attacks unleashed by malicious bot operators, as well as Log4j exploitation attempts and web application firewall (WAF) assaults, all of them the work of bad actors pointing their tools at eCommerce players.
This isn't simply a Western problem either; attacks have also been seen targeting holidays around the world, including India’s Diwali and China’s Singles Day.
The number of bots targeting eCommerce has grown 41 percent since April 2021. Partly this is about grabbing limited inventory ahead of actual customers in order to resell it at higher prices on other online marketplaces. Bots have also been busy with credential stuffing in order to steal loyalty points -- Akamai data shows a 226 percent increase in credential stuffing attempts.
The disclosure of the Log4j vulnerability in December also saw attackers keen to take advantage. According to Akamai, the eCommerce sector accounted for 58 percent of observed Log4j exploit attempts.
Susan McReynolds, retail industry strategist at Akamai Technologies, writes on the RH-ISAC blog, "In the wake of increasing malicious bot activity and WAF-directed attacks, commerce organizations must have the right security controls in place to help reduce risk and attack surfaces alike. But defensive solutions must balance the need for more robust security with the need to run the business -- without turning off customers. As part of the fallout from the pandemic, consumers became less loyal to brands as products became more difficult to find, with 46 percent of US consumers switching brands or retailers."
You can read more on the RH-ISAC blog.