At least, that is what one cybersecurity firm’s user-base data reflects: rising business logic attacks and account takeover incidents.
Based on data collected over 12 months in its global user protection ecosystem (including 6 trillion blocked bad-bot requests), a cybersecurity services firm has raised the alarm on the rise of threats targeting e-commerce websites and applications.
In the data for 2022, automated attacks on application business logic, carried out by sophisticated bad bots, were the leading threat to online retailers in the firm’s client base. In addition, account takeover, distributed denial-of-service (DDoS), API abuse, and client-side attacks were significant risks.
A business logic attack (BLA) exploits an application or application programming interface’s intended functionality and processes rather than its technical vulnerabilities. Most attacks on business logic are automated and often focused on abusing API connections. In the retail sector, attackers abuse business logic to manipulate pricing or access restricted products.
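The pricing and restricted-product abuse described above is easiest to see in a checkout handler. The following is an added illustration (not code from the firm or its report) using a constructed catalogue, a session type and SKU names that are all assumptions: the first function trusts the price the client sends, the second resolves price and entitlement server-side and rejects out-of-range quantities.

```python
from dataclasses import dataclass

# Constructed catalogue: the server-side source of truth for price and entitlement.
CATALOGUE = {
    "sku-001": {"price_cents": 4999, "restricted": False},
    "sku-002": {"price_cents": 129900, "restricted": True},  # hypothetical limited release
}


@dataclass(frozen=True)
class Session:
    """Hypothetical authenticated session; entitled_skus lists restricted items the account may buy."""
    user_id: str
    entitled_skus: frozenset


class BusinessLogicError(Exception):
    pass


def vulnerable_checkout(cart):
    """Business-logic flaw: the client-supplied price is used as-is and restrictions are ignored."""
    return sum(item["price_cents"] * item["qty"] for item in cart)


def hardened_checkout(cart, session, max_qty=10):
    """Recompute the total from the catalogue and enforce entitlement and quantity limits."""
    total = 0
    for item in cart:
        entry = CATALOGUE.get(item["sku"])
        if entry is None:
            raise BusinessLogicError(f"unknown sku {item['sku']}")
        qty = item["qty"]
        if not isinstance(qty, int) or qty < 1 or qty > max_qty:
            raise BusinessLogicError(f"invalid quantity {qty!r} for {item['sku']}")
        if entry["restricted"] and item["sku"] not in session.entitled_skus:
            raise BusinessLogicError(f"{item['sku']} not available to this account")
        # Any price field the client sent is deliberately ignored.
        total += entry["price_cents"] * qty
    return total


def review_order(cart, session):
    """Accept/reject wrapper that yields a loggable reason instead of raising."""
    try:
        return {"accepted": True, "total_cents": hardened_checkout(cart, session), "reason": ""}
    except BusinessLogicError as exc:
        return {"accepted": False, "total_cents": None, "reason": str(exc)}
```

Logging the rejection reason per account and source gives a detection signal for automated probing of the checkout flow, which a signature-based rule cannot provide.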
According to Imperva Inc’s anonymized ecosystem data, the following trends were found:
- In early 2022, as the war in Ukraine began, a 145% spike in automated attacks targeting Ukrainian web applications was observed attempting to disrupt the financial, telecom, and energy sectors.
- Two massive Account Takeover attacks meant to compromise Ukrainian users’ accounts were also noted in the firm’s data.
- There was a significant increase in the number of bad bots choosing Mobile Safari as their preferred disguise, because the additional privacy settings in this browser mean it sends fewer attributes to the origin. Some browser automation tools, like Puppeteer, can inadvertently support these attacks through scripted browser overrides that help attackers mimic iOS as closely as possible.
- Throughout the year, bad bots employed a wide variety of evasion methods, including frequently cycling through IP addresses, hiding behind anonymous proxies and peer-to-peer networks, changing their user agents, and manipulating their login parameters and cookies to make requests appear to come from different browsers, among many other tactics.
- Today’s most sophisticated bad bots can even evade or solve CAPTCHA challenges through integrations with various tools and platforms.
- BLAs made up 25% of all attacks on Singaporean retail sites protected by the firm — up from 10% during the same period in the prior year. This was below the global average (37%), although the volume of BLAs on the firm’s Singaporean retail clients had increased 62% year-on-year.
- 17% of all attacks on APIs in the firm’s 2022 data came from bad bots abusing business logic. Because this abuse uses intended functionality, there is no attack signature to monitor for, so no generic rule can be applied to conclude that all application and API deployments are secure.
- Because their sites are built on a vast network of API connections and third-party dependencies, online retailers are increasingly vulnerable to BLAs.
Said the firm’s Senior Vice President (Asia Pacific and Japan), George Lee: “The surge in bot sophistication in our 2022 data shows that this breed of automation can exploit business logic, compromise APIs, and take over user accounts, posing a tangible threat to retailers’ year-end sales and impacting their bottom line.”