As the holiday shopping season approaches, Tim Ayling at Imperva argues that retailers need multi-layered security to tackle AI and bot-driven threats
It’s not for nothing that retailers call a large part of Q4 the “golden quarter”. Last year, the period covering November and December generated over £24bn in online sales in the UK—over a fifth of the annual total.
But the busiest time of the year also attracts attention from opportunistic cyber-criminals keen to make a quick buck. Retailers can expect a surge in attempts to steal personal and card data, hijack shoppers’ accounts, and use AI-powered bots to down sites, defraud retailers and more.
Mitigating these risks without impairing the shopping experience will require a multi-layered approach focused on bots, APIs, web apps, website infrastructure and user accounts.
Primed for attack
The UK’s retailers certainly need a good festive period. Last year’s bumper sales figures were only possible due to heavy discounting and buy now, pay later (BNPL) purchases. In fact, online sales in December slumped 2% from the previous month, according to a separate report.
But with digital now occupying a growing share of total retail sales—27% versus 20% back in 2020—it’s a bigger target than ever for threat actors. In fact, the NCSC has issued a warning to Black Friday shoppers as rising losses to scams may make 2024 the most costly yet.
Why choose the golden quarter? Because cyber-criminals know retail staff are distracted, especially IT workers who may be focused more on uptime than security. They also know that there’ll be more limited-time Black Friday promotions to hijack and gift cards and loyalty points to steal from customer accounts.
And there’s more traffic in which to hide their malicious activities. Last year, we recorded a 12% increase in traffic between October and November, with figures for November 19 up a massive 54%.
What to look out for
Retail cyber-security teams should be on the lookout for several AI and bot-driven threats. Most common is what we call “business logic abuse”. That is, attacks which exploit legitimate app or API functionality at scale for malicious ends, such as manipulating prices, bypassing authentication, or abusing discount codes.
DDoS attacks are not far behind in terms of threat volumes, and can be particularly impactful during Black Friday, when even a few minutes of website downtime could cost a retailer dear.
DDoS isn’t the only use to which bad bots are being put. They are also deployed for credential stuffing, scraping pricing data, and inventory hoarding (scalping). Malicious bot traffic may also be used to exploit API vulnerabilities, in order to reach customer data or access sensitive functionality.
AI is an increasingly important component of such threats, enabling bad actors to automate attacks at scale more easily, mimic human behaviour to make them harder to detect, and identify weaknesses in API infrastructure. The end result for retailers could be significant financial and reputational damage.
How to tackle bot threats
The retail sector experiences an average of 101,950 bot-related incidents daily, so mitigating this threat should be a priority. Fortunately, there are several ways to do so.
Establish a baseline for ‘normal’ activity on the website, such as the typical rate of failed logins, and then monitor for deviations from it, such as sudden surges in traffic. Also consider traffic analysis tools to help differentiate between legitimate users and bad bots. And deploy strong authentication, encryption and rate limiting to prevent bots accessing web apps and sensitive data.
Other tactics include blocking outdated user agents, which are more likely to be associated with malicious automated traffic, and limiting traffic from the proxy services that bots often use to hide their true origins.
Many bots also run in headless browsers driven by automation frameworks like Puppeteer. So monitor for signs of these, as well as unnaturally fast interactions and unusual browsing patterns, which may indicate automation.
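The signals listed above (a failed-login baseline, outdated and headless user agents, proxy-range traffic, and unnaturally fast interactions) can be checked in a few lines of code. The following is an added example, not code from the article or from any Imperva product; it runs over a constructed batch of web-server log records, and the record field names, marker lists, proxy prefix and thresholds are assumptions made for the illustration.

```python
"""Added example (not from the original article or any vendor product).

Applies the article's bot-detection signals to a constructed batch of
web-server log records: a failed-login baseline with surge detection,
outdated and headless user agents, traffic from a known proxy range,
unnaturally fast interactions and credential-stuffing bursts.
Every record, marker list and threshold below is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed baseline: failed logins per minute observed during quiet periods.
BASELINE_FAILED_LOGINS = [3, 2, 4, 3, 5, 2, 3, 4, 3, 2]

# Constructed marker lists (assumptions for this example, not a vendor feed).
OUTDATED_UA_MARKERS = ("MSIE 6.0", "MSIE 7.0", "Chrome/49.")
HEADLESS_UA_MARKERS = ("HeadlessChrome", "PhantomJS")
PROXY_PREFIXES = ("203.0.113.",)  # RFC 5737 TEST-NET-3 standing in for a proxy range

MIN_REQUESTS_FOR_TIMING = 5    # need a few requests before judging pacing
FAST_MEDIAN_GAP_SECONDS = 1.0  # median gap below this is not human-paced
LOGIN_BURST_THRESHOLD = 5      # failed logins from one client in the batch


def _req(ts, ip, method, path, status, ua):
    """Build one constructed log record (field names are assumptions)."""
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "status": status, "ua": ua}


HUMAN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36")
HEADLESS_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) HeadlessChrome/118.0.0.0 Safari/537.36")
OLD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Constructed log batch: timestamps are seconds, all within minute bucket 1.
LOGS = (
    [_req(60.0 + t, "198.51.100.10", "GET", p, 200, HUMAN_UA)          # a shopper
     for t, p in [(0.0, "/"), (4.2, "/product/42"), (11.0, "/cart"), (20.5, "/checkout")]]
    + [_req(60.0 + 0.2 * i, "203.0.113.7", "GET", f"/product/{i}", 200, HEADLESS_UA)
       for i in range(6)]                                              # a scraper
    + [_req(60.0 + 2.0 * i, "192.0.2.55", "POST", "/login", 401, OLD_UA)
       for i in range(9)]                                              # credential stuffing
)


def baseline_stats(counts):
    """Mean and population standard deviation of a per-minute baseline series."""
    return mean(counts), pstdev(counts)


def is_surge(count, baseline_counts, sigma=3.0):
    """True if a per-minute count exceeds mean + sigma * sd of the baseline.

    The sd is floored at 1.0 so a very flat baseline does not alert on
    every small fluctuation.
    """
    avg, sd = baseline_stats(baseline_counts)
    return count > avg + sigma * max(sd, 1.0)


def failed_logins_per_minute(logs):
    """Count HTTP 401 responses on /login per minute bucket."""
    buckets = defaultdict(int)
    for r in logs:
        if r["path"] == "/login" and r["status"] == 401:
            buckets[int(r["ts"] // 60)] += 1
    return dict(buckets)


def classify_client(records):
    """Return the list of bot signals raised by one client's requests."""
    records = sorted(records, key=lambda r: r["ts"])
    ua = records[0]["ua"]
    flags = []
    if any(m in ua for m in OUTDATED_UA_MARKERS):
        flags.append("outdated_ua")
    if any(m in ua for m in HEADLESS_UA_MARKERS):
        flags.append("headless_ua")
    if records[0]["ip"].startswith(PROXY_PREFIXES):
        flags.append("proxy_range")
    if len(records) >= MIN_REQUESTS_FOR_TIMING:
        gaps = [b["ts"] - a["ts"] for a, b in zip(records, records[1:])]
        if median(gaps) < FAST_MEDIAN_GAP_SECONDS:
            flags.append("fast_interactions")
    failed = sum(1 for r in records if r["path"] == "/login" and r["status"] == 401)
    if failed >= LOGIN_BURST_THRESHOLD:
        flags.append("login_failure_burst")
    return flags


def classify_batch(logs):
    """Group records by client IP and classify each client."""
    by_ip = defaultdict(list)
    for r in logs:
        by_ip[r["ip"]].append(r)
    return {ip: classify_client(recs) for ip, recs in by_ip.items()}


if __name__ == "__main__":
    for minute, count in failed_logins_per_minute(LOGS).items():
        print(f"minute {minute}: {count} failed logins, "
              f"surge={is_surge(count, BASELINE_FAILED_LOGINS)}")
    for ip, flags in classify_batch(LOGS).items():
        print(ip, flags or "no bot signals")
```

In this constructed batch the shopper raises nothing, the scraper is flagged on its headless user agent, its proxy-range address and its pacing, and the credential-stuffing client is flagged on its outdated user agent and its burst of failed logins, which also pushes the site-wide failed-login count well past the baseline threshold. The sigma floor and the minimum-request count are the kind of guard rails that keep such rules from alerting on a single quiet morning or a two-request visitor.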
Gearing up for success
DDoS mitigation is also crucial, especially at an application layer. Research reveals that application-layer DDoS attacks on retail sites surged by 61% annually this year. With outages on average lasting 30 hours per site, it pays to call in the experts on this one.
Client-side security is also important to mitigate the risk of attacks like digital skimming, which is often achieved through the software supply chain. It will help retailers to comply with PCI DSS 4.0, which contains new requirements designed to harden payment pages against malicious JavaScript and unauthorised modifications.
Account takeover increased by 85% during Black Friday last year and will be another area of focus for cyber-criminals during the peak shopping season. The best way to make sure they don’t succeed is to enforce strong password requirements and encourage multi-factor authentication (MFA) as well as passkeys—the most secure and user-friendly option. API security is the final piece of the puzzle. Retailers experience an average of 5,570 API attacks daily.
There is also the growing issue of ‘shadow APIs’: endpoints that have been orphaned or forgotten but still have access to vital data and systems. As such, retailers should undertake a round of API discovery to build a solid inventory of what APIs they have, where they are deployed and what they have access to, and use it to conduct a risk assessment. This will help to protect the highest-risk APIs.
It’s also a good idea to deploy continuous monitoring for suspicious behaviour, apply rate limits to prevent abuse, and maintain an audit trail to streamline investigations.
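Rate limiting and an audit trail, as recommended above, fit naturally together: every limiter decision is an event worth recording. Below is an added example, not code from the article or any Imperva product, of a per-client sliding-window limiter that keeps an append-only trail of its allow/deny decisions and replays a constructed sequence of API calls through it. The client identifiers, endpoints, limit and window size are assumptions for the illustration.

```python
"""Added example (not from the original article or any vendor product).

A per-client sliding-window rate limiter for API calls that records every
decision in an append-only audit trail, replayed over a constructed batch
of calls. Client ids, endpoints, limit and window are assumptions.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` calls per client within any `window_seconds` span."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client id -> timestamps of allowed calls
        self.audit = []                  # append-only trail of decisions

    def allow(self, client_id, endpoint, now):
        q = self._hits[client_id]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        allowed = len(q) < self.limit
        if allowed:
            q.append(now)
        self.audit.append({"ts": now, "client": client_id, "endpoint": endpoint,
                           "decision": "allow" if allowed else "deny",
                           "in_window": len(q)})
        return allowed

    def denials(self):
        """Audit entries for denied calls, the first thing an investigator asks for."""
        return [e for e in self.audit if e["decision"] == "deny"]


# Constructed call batch: (timestamp seconds, client id, endpoint).
# key-A fires 12 calls in 5.5 s, then one more after the window has passed;
# key-B makes three ordinary calls.
CALLS = (
    [(0.5 * i, "key-A", "/api/v1/giftcards/balance") for i in range(12)]
    + [(1.0, "key-B", "/api/v1/orders"), (2.0, "key-B", "/api/v1/orders"),
       (3.0, "key-B", "/api/v1/orders")]
    + [(70.0, "key-A", "/api/v1/giftcards/balance")]
)


def run_batch(calls, limiter):
    """Replay calls in time order; return per-client allow/deny counts."""
    counts = defaultdict(lambda: {"allow": 0, "deny": 0})
    for ts, client, endpoint in sorted(calls):
        decision = "allow" if limiter.allow(client, endpoint, ts) else "deny"
        counts[client][decision] += 1
    return dict(counts)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=10, window_seconds=60)
    print(run_batch(CALLS, limiter))
    for entry in limiter.denials():
        print("denied", entry["client"], entry["endpoint"], "at", entry["ts"])
```

With a limit of 10 calls per 60 seconds, key-A's eleventh and twelfth calls are denied and its call at 70 seconds is allowed again once the earlier timestamps have aged out, while key-B is never affected. In production the limiter state would live in a shared store and the audit entries would be shipped to the SIEM, but the decision logic and the shape of the trail are the same.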
Bad bots now account for a quarter (24%) of traffic to retailers, while the average site in the sector experiences 570,000 AI-driven attacks per day. These are concerning figures. But with the right blend of security tooling, they need not take the shine off the golden quarter.
Tim Ayling is VP EMEA for Imperva, a Thales Company
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543