‘Entering through the Gift Shop: Attacks on Commerce’ report found Web attacks in these sectors were largely driven by Australia, China and India.

As we approach the mid-year shopping and travel season, Akamai Technologies released its timely State of the Internet report, Entering through the Gift Shop: Attacks on Commerce, which found that over 1.15 billion web attacks were launched against retail and hotel & travel sectors in Asia Pacific and Japan.

Web attacks were largely driven by Australia, China and India, and web attacks on APJ’s hotel and travel sectors ranked second highest globally. Globally, commerce remains the most targeted web attack vertical accounting for over 14 billion (34%) of observed incursions, largely due to the industry’s continued digitalization and the attackers’ available selection of web application vulnerabilities to breach their intended targets.

Other key findings include:

    • The top web attack target areas in APJ for retail are India and China. Loyalty and rewards programs, in combination with a proliferation of shopping days across these areas, present attractive opportunities for cybercriminals to ply their trade.
    • Hotel and travel emerged as a particularly attractive target in APJ to attackers, with the bulk of all transactions conducted online. This was driven by Australia (63.72%), followed by India (22.44%).
    • APJ is the fastest-growing market for online travel bookings and is expected to expand at a compound annual growth rate of 9.8% from 2022 to 2030.
    • The most common attack vector used against the commerce vertical is Local File Inclusion (LFI), with attacks increasing by 300% between Q3 2021 and Q3 2022. Just a few years ago, SQL injection (SQLi) was the most common incursion. This indicates an attack trend toward remote code execution and hackers leveraging LFI vulnerabilities to gain a foothold for data exfiltration.

      Attack vectors such as Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI), and Server-Side Code Injection have also been gaining popularity. They pose a significant threat to commerce organizations and other verticals, preventing online sales and damaging a company’s reputation.

Retail

As retail organizations increasingly rely on web applications to drive customer experience and online conversions, adversaries target vulnerabilities, design flaws or security gaps to abuse web-facing servers and applications. Globally, retail remains the most targeted subvertical within commerce, accounting for 62% of attacks on the sector. 

The top web attack target areas in APJ for retail are India and China. Loyalty and rewards programs, in combination with a proliferation of shopping days across these areas, present attractive opportunities for cybercriminals to ply their trade.

Hotel & travel

The hotel and travel subvertical also emerged as a particularly attractive target to attackers, with the bulk of all transactions conducted online, driven by Australia (63.72%), followed by India (22.44%).

APJ is the fastest-growing market for online travel bookings, expected to expand at a compound annual growth rate of 9.8% from 2022 to 2030. In addition to vulnerabilities in existing workflows and supply chains, these factors could be contributing to the jump in cybercrime in the region, and more specifically, attacks on this sub-vertical.

Malicious bot activity

Akamai observed malicious bots targeting the APJ commerce vertical surpassing 765 billion in 15 months, contributed by the number and frequency of holiday shopping events throughout APJ and the growth in online travel booking. 

Notably, after quarter-on-quarter growth throughout 2022, malicious bot activity decreased substantially in Q1 2023. 

“As we approach the mid-year shopping and travel season, these insights around the commerce sector present a timely reminder that commerce organizations need to be on high alert to adapt to a myriad of methods used by attackers – from web applications and bots to phishing and the use of malicious third-party scripts,” explained Reuben Koh, Security Technology and Strategy Director (APJ), Akamai.

“To stay ahead of attack attempts, commerce organizations should stay updated on the latest attack trends and constantly re-evaluate their security posture and controls. When considering specific cyber defense solutions, organizations need to make sure that the chosen solutions are adaptive enough to counter against the ever-changing threat landscape and minimize the risks posed by adversaries who are getting more sophisticated every day,” concluded Koh.