‘Tis the Season: The Top 5 Bot Attacks that Online Retailers Should Prepare For
By Prakash Sinha, Sr. Director, Technology Evangelist, Radware
Prakash Sinha is Senior Director & Technology Evangelist, Application Security & Delivery for Radware and brings over 30 years of experience in strategy, product management, product marketing and engineering. Prakash has been a part of executive teams of four software and network infrastructure startups, all of which were acquired. Before Radware, Prakash led product management for Citrix NetScaler and was instrumental in introducing multi-tenant and virtualized NetScaler product lines to market. Prior to Citrix, Prakash held leadership positions in architecture, engineering, and product management at leading technology companies such as Cisco, Informatica, and Tandem Computers. Prakash holds a Bachelor in Electrical Engineering from BIT, Mesra and an MBA from Haas School of Business at UC Berkeley.
During the holiday season, retailers generally expect big surges in sales. However, this season may be different as shoppers contend with rising prices and inflation. According to a recent Deloitte report, 37% of U.S. households say their financial outlook is worse this year compared to last year. As a result, they only plan to buy on average nine gifts instead of the 16 gifts they bought in 2021.
Online retailers are especially challenged as they face not only stiffer competition for shopping dollars, but also a heightened cyber threat landscape. As competitive pressures mount and the number of cyberattacks rises at unprecedented rates, here are the top 5 bot attacks online retailers face, along with tips on how to defend against them.
- Account takeover (ATO): ATO attacks occur when bots take over a user account without permission from the account owner. When retailers have online sales events, for instance, they see a surge in online traffic from shoppers. Unfortunately, they also see a spike in ecommerce traffic from fraudsters, who use malicious bots to make fraudulent purchases with stolen user credentials. To gain account access, these fraudsters take advantage of the fact that most people reuse the same credentials on multiple sites. Cybercriminals can also use stolen credentials to make unauthorized transfers of virtual currencies, such as reward points, wallet balances, air miles, gift cards, and more.
How to handle: Online retailers should use advanced bot detection and mitigation mechanisms that leverage intent-based behavioral analysis to help prevent ATO attacks on retail applications.
- Inventory exhaustion: This typically occurs during a sales event when a bot is used to add hundreds of items to a shopping cart, only to later abandon it, holding up inventory and preventing real shoppers from buying the products. Attackers can send many requests from a single IP address, or spread the requests across multiple IPs using different user agents, to carry out the attack against the application.
How to handle: Online retailers can prevent these attacks by using behavior analysis of visitor interactions on product pages and shopping carts. This can help discern human traffic from bot traffic and block bots from carrying out inventory hold-ups.
- Bandwidth choking: This occurs when thousands of bots simultaneously hit a retailer’s website. The surge in bot traffic increases the chance that the site will choke, disrupting the purchase experience and preventing genuine buyers from accessing the webpages.
How to handle: To keep bots at bay and customers happy with their online experience, throttling, i.e. restricting each source to a certain number of events within a given timeframe, can be effective while still allowing legitimate sources to access the application.
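A minimal version of the two defenses just described, the behavior analysis of cart interactions for inventory exhaustion and the per-source throttling for bandwidth choking, as an added example in Python (not Radware's code): a sliding-window rate limiter per client plus a simple behavioral rule that flags sessions adding to cart far more than they browse, run over a constructed access log. The log format, client identifiers, paths and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed sample access log (not real traffic): "timestamp client method path".
# sess-A browses and adds two items; bot-B bursts add-to-cart requests without browsing.
SAMPLE_LOG = """\
0.0 sess-A GET /product/42
3.0 sess-A POST /cart/add
6.0 sess-A GET /product/77
9.0 sess-A POST /cart/add
10.0 bot-B POST /cart/add
10.1 bot-B POST /cart/add
10.2 bot-B POST /cart/add
10.3 bot-B POST /cart/add
10.4 bot-B POST /cart/add
10.5 bot-B POST /cart/add
14.0 sess-A GET /checkout
"""

class SlidingWindowLimiter:
    """Allow at most max_events per client within any `window` seconds."""
    def __init__(self, window: float, max_events: int):
        self.window, self.max_events = window, max_events
        self.events = defaultdict(deque)  # client -> timestamps of allowed events
    def allow(self, client: str, now: float) -> bool:
        q = self.events[client]
        while q and now - q[0] >= self.window:  # expire events outside the window
            q.popleft()
        if len(q) >= self.max_events:
            return False  # over the limit: throttle this request
        q.append(now)
        return True

def analyze(log: str, window=10.0, max_requests=4, max_cart_adds=3):
    """Return (throttled requests per client, clients flagged for cart hoarding).
    Assumes chronological log lines; thresholds are illustrative (assumed values)."""
    limiter = SlidingWindowLimiter(window, max_requests)
    cart_adds, views, throttled = defaultdict(int), defaultdict(int), defaultdict(int)
    for line in log.splitlines():
        ts, client, _method, path = line.split()
        if not limiter.allow(client, float(ts)):
            throttled[client] += 1  # dropped before it can hold any inventory
            continue
        if path == "/cart/add":
            cart_adds[client] += 1
        elif path.startswith("/product/"):
            views[client] += 1
    # Simplified behavioral rule: more cart adds than the limit, backed by fewer product views.
    hoarders = {c for c, n in cart_adds.items() if n > max_cart_adds and views[c] < n}
    return dict(throttled), hoarders
```

In production the limiter key would combine more than the session id (for example device fingerprint and IP reputation), since the attack described above rotates IPs and user agents.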
- Price and content scraping from the competition: Price scraping is the process of using bots to conduct illegal competitive price monitoring and track other valuable pricing intelligence from e-commerce sites. Price scraping exposes retailers to competitors matching or undercutting prices to lure away customers, which impacts revenue.
How to handle: To ensure their pricing is not exploited by bad bots, online retailers can conduct security audits using third-party applications along with their own to identify and seal any loopholes in their system prior to the shopping season.
- Gift card spam: This occurs when fraudsters deploy bots to steal reward points, gift cards, air miles, and wallet balances. Ultimately, this can result in a loss of trust by customers, negative publicity, and even litigation.
How to handle: Online retailers can use sophisticated handling mechanisms to detect sudden spikes in traffic and anomalous gift card behaviors as well as identify and curb fraudulent gift card transactions.
As competitive pressures mount and the number of cyberattacks rises at unprecedented rates, online retailers should focus on security strategies, embrace best practices and ensure customer trust via a seamless, secure online experience.
Getting Ready for the Biggest Shopping Days of the Year
It’s never too early to address nefarious bots and develop a security strategy to combat them. With this year’s historic inflation and uncertainty in the economy, there is no time like the present for online retailers to prioritize cybersecurity.