Layer 7 DDoS attacks and sophisticated bad bots are being primed now in preparation for the year end e-commerce frenzy.

A week to go before Singles’ Day sales, and scammers are sharpening their slaughtering knives for the kill.

In tandem with the number of online shoppers attracted by Double Day events and the year-end sales season, scams typically rise to catch a piece of the pie. This year’s Singles’ Day will be no different, according to Imperva’s 12-month analysis on cybersecurity risks in the retail industry.

In fact, the analysis suggests that the number of victims this year may surpass last year’s.

Bad bots, DDoS and website attacks

Online retail remains a prime target for automated bot activity in 2021, according to Imperva. Bots can carry out an array of disruptive, and even malicious, activities on retail sites, including price and content scraping, scalping, denial of inventory and other types of online fraud.

In 2021, 57% of the attacks recorded on e-commerce websites were carried out by bots. In comparison, bad bots made up just 33% of the total attacks on websites in all other industries that year.

More worryingly, the proportion of sophisticated bad bots on retail websites reached 23.4% in 2021. This breed of bot is the hardest to stop because it is capable of mimicking mouse movements and clicks that closely resemble human behaviour. Sophisticated bots evade simple defenses and are responsible for account takeover, fraud and denial of inventory, which makes it harder for legitimate shoppers to get the goods they want.

As the holiday shopping season commences, Imperva is already seeing DDoS attacks spiking 200% in September 2021, compared to the month prior. Part of this uptick in activity is tied to the enormous Meris botnet that has impacted organizations globally.

Throughout the past 12 months, Imperva’s data showed that the retail industry experienced the highest volume of application layer (layer 7) DDoS incidents per month of all industries studied. Layer 7 attacks are highly effective because they consume both network and server resources. Defending against application layer attacks is difficult because it requires the ability to distinguish between attack traffic and normal traffic.
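To make the point about separating layer 7 attack traffic from normal traffic concrete, here is an added example (not Imperva's code or anything from the article) that scores each client over a constructed set of access-log lines. It weights requests by a hypothetical per-endpoint cost, since a low-bandwidth flood aimed at search, cart or checkout endpoints ties up server resources that a handful of static requests does not, and flags clients whose weighted load in any 10-second window passes a threshold; the log format, cost weights and threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of access-log lines (not real traffic): one shopper
# browsing normally and one client hammering cart and search endpoints.
SAMPLE_LOG = """\
203.0.113.5 [2021-11-04T10:00:00] GET /product/1234
203.0.113.5 [2021-11-04T10:00:09] GET /static/app.js
203.0.113.5 [2021-11-04T10:00:20] POST /cart/add
198.51.100.9 [2021-11-04T10:00:00] POST /cart/add
198.51.100.9 [2021-11-04T10:00:01] GET /search?q=gpu
198.51.100.9 [2021-11-04T10:00:02] POST /cart/add
198.51.100.9 [2021-11-04T10:00:03] GET /search?q=console
198.51.100.9 [2021-11-04T10:00:04] POST /cart/add
"""

LINE_RE = re.compile(r"^(\S+) \[([^\]]+)\] (\S+) (\S+)$")

# Hypothetical cost weights: database-backed search and cart writes burn far
# more server time than a static asset, which is what makes layer 7 floods
# effective at low request volumes.
ENDPOINT_COST = {"/search": 5, "/cart/add": 4, "/checkout": 6}
DEFAULT_COST = 1

def endpoint_cost(path: str) -> int:
    base = path.split("?", 1)[0]          # ignore query string
    return ENDPOINT_COST.get(base, DEFAULT_COST)

def parse_log(text: str):
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, _method, path = m.groups()
            yield ip, datetime.fromisoformat(ts), path

def score_clients(text: str, window_s: int = 10) -> dict:
    """Peak weighted request cost per client within any sliding window."""
    windows = defaultdict(deque)          # ip -> deque of (timestamp, cost)
    peak = defaultdict(int)
    for ip, ts, path in sorted(parse_log(text), key=lambda r: r[1]):
        q = windows[ip]
        q.append((ts, endpoint_cost(path)))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                   # drop requests outside the window
        peak[ip] = max(peak[ip], sum(c for _, c in q))
    return dict(peak)

def flag_abusive(text: str, threshold: int = 15) -> list:
    """Clients whose peak windowed load reaches the (assumed) threshold."""
    return sorted(ip for ip, s in score_clients(text).items() if s >= threshold)

if __name__ == "__main__":
    print(flag_abusive(SAMPLE_LOG))       # prints ['198.51.100.9']
```

Real deployments combine this kind of per-client load scoring with the behavioural signals mentioned above, since a single threshold on its own is easy for a distributed botnet to stay under.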

Finally, retail sites experienced slightly higher volumes of data leakage attacks (31.3%) in 2021 than all industries (26.9%) in the Imperva study; e-commerce sites are prime targets because they host shoppers’ payment information or loyalty reward points. Data leakage occurs when data is transmitted from an organization’s corporate network to an external destination, whether accidentally or deliberately, without authorization.

Staying safe this year end

According to Peter Klimek, Director of Technology, Office of the CTO, Imperva: “With the global supply chain conditions worsening, retailers will not only struggle to get products to sell in Q4, but will face increased attacks from motivated cybercriminals who want to benefit from the chaos. Retailers and consumers alike need to take the necessary steps to protect themselves.”

Klimek offers the following safety precautions to both consumers and e-tailers:

  • Before shopping, ensure your software and apps are updated with the latest security patches.
  • Do not shop through a public Wi-Fi connection. Instead use a VPN or a phone’s internet connection as a hotspot.
  • Shop only at reputable protected websites (look for the padlock symbol and ‘https’ at the URL).
  • Be careful of the apps/extensions you download onto your devices. Stick to well-known brands or applications. Be especially wary of ‘free’ apps.
  • Use strong, differentiated passwords for each account, and set multi-factor authentication where possible.
  • Use secure payment methods.
  • Never send your bank or credit card details via email or SMS.
  • Do not let your online shopping accounts or browser save your payment details.
  • Likewise, e-tailers should be fastidious over compliance with all data privacy regulations.
  • Prepare the web backend for a high volume of traffic, as well as DDoS attacks.
  • Have a bot management strategy in place to only allow legitimate customers onto your website.
  • Encourage customers to practice good password practices and offer multi-factor authentication.
  • Protect existing website functionalities and make sure newly added ones are safe, too.
  • Take inventory of all JavaScript-based services.