As the holiday season approaches, retailers are bracing for the annual surge in online (and in-store) traffic. Unfortunately, this increase in activity also attracts cybercriminals who want to exploit vulnerabilities to their advantage.
Imperva, a Thales company, recently published its annual Guide to Cyber Security Holiday Shopping. Data from Imperva Threat Research's six-month analysis (April 2024 – September 2024) shows that retailers should be especially mindful of AI-driven threats this year. As generative AI tools and large language models (LLMs) become more common and more capable, cybercriminals are increasingly using them to scale and refine their attacks on e-commerce platforms.
Imperva Threat Research also found that retail sites are subject to an average of 569,884 AI attacks every day. Understanding the types of threats these attacks pose and how to defend against them is critical for retailers to protect their company and customers this holiday season.
Business logic abuse leads online retail threats
Business logic abuse was found to be the most common AI attack on retail sites, accounting for 30.7% of all attacks. Business logic abuse occurs when cybercriminals use intended functions of an application to achieve unauthorized results. For example, they may manipulate promotional codes or use return policies to obtain goods or services at a lower price. Imperva found that nearly 50% of retailers have experienced some form of business logic abuse.
AI multiplies the danger of this threat, because it can analyze patterns in user behavior and identify exploitable loopholes in an application's workflows. As attackers use AI to develop more effective abuse strategies, retailers must implement strict controls to monitor and verify user actions on their platforms. Without these safeguards, businesses risk significant financial losses and reputational damage.
DDoS attacks remain a constant threat
Distributed Denial of Service (DDoS) attacks are almost as common as business logic abuse, accounting for 30.6% of AI-driven threats to retailers, and they are becoming more prominent. According to Imperva's 2024 DDoS Threat Landscape Report, application-level DDoS attacks on retail sites have increased by 61% since last year.
Application-level DDoS attacks pose a serious threat to online retailers, especially as they prepare for increased traffic during the holiday shopping season. Cybercriminals can use artificial intelligence to orchestrate sophisticated DDoS attacks that overwhelm retail websites, rendering them inoperable.
The financial impact of a successful DDoS attack can be staggering, with businesses facing lost revenue, increased recovery costs, and potential long-term damage to their brand reputation. To combat this threat, retailers must invest in robust DDoS mitigation solutions that can identify and neutralize attacks before they disrupt operations.
The Grinchbots continue to wreak havoc
Bad bots are becoming more sophisticated, often using AI algorithms to mimic human behavior and bypass security measures. Bad bot attacks accounted for 20.8% of all AI-driven attacks on shopping sites. These automated threats are extremely disruptive to normal business operations: they can scrape pricing data, launch credential stuffing attacks, and create fake accounts.
During the holidays, retailers should be especially wary of Grinch bots—sophisticated scalping bots that target online inventory and buy up the season's most in-demand items in order to resell them at a significant markup. Grinch bots disrupt holiday sales and product launches, making it harder for consumers to purchase popular, high-demand items.
The ability of AI to automate these processes means that malicious bot attacks can scale quickly, making detection and mitigation more difficult. Retailers must improve their bot detection capabilities to distinguish genuine users from malicious bots. Failure to do so can result in lost sales, inventory issues, and reduced customer satisfaction.
API breaches are a growing concern
As retailers increasingly rely on APIs to facilitate transactions and integrate third-party services, API breaches have become a major concern, accounting for 16.1% of AI-driven attacks on retailers. Cybercriminals can exploit vulnerabilities in APIs to gain unauthorized access to sensitive data, often using AI to find and exploit these flaws.
The retail industry is exposed to an average of 5,570 API attacks every day, most of which are API breaches. The potential consequences of API breaches are serious, as they can lead to data leaks, financial fraud, and loss of customer trust. Retailers should prioritize API security by implementing strict access controls, conducting regular security audits, and using AI-based monitoring solutions to detect anomalies in API usage.
Cybersecurity tips to stay safe this holiday season
The holiday season presents a dual opportunity for retailers: a chance to capitalize on rising consumer spending and an increased risk of cyber threats. With the proliferation of artificial intelligence tools, e-commerce businesses will face more sophisticated threats that exploit vulnerabilities and commit fraud with greater precision.
Retail businesses should follow these tips to protect their websites and customers:
- Prepare for increased internet traffic: Retailers should expect a surge in online traffic during the holiday shopping season and ensure that their infrastructure can handle the increased load without compromising performance. This includes scaling servers, using a content delivery network (CDN) to distribute traffic efficiently, and implementing a waiting room queuing system to manage traffic flow and maintain a fair experience for legitimate users during peak times.
- Develop a bot management strategy: Along with the influx of genuine shoppers, retailers can expect an increase in malicious bot traffic. Developing a robust bot management strategy is critical to protecting their platforms and ensuring seamless shopping for real customers. Key steps include assessing traffic risks, identifying entry points, blocking outdated user agents, limiting proxies, implementing rate limiting, and monitoring for signs of automation or headless browsers.
- Protect yourself from business logic abuse: Artificial intelligence allows attackers to automate business logic abuses on a larger scale, making these attacks more difficult to detect. To protect against such threats, retailers must perform rigorous validation of all user input, use anomaly detection systems to detect unusual activity, and conduct regular audits of their business processes to identify potential exploitable vulnerabilities.
- Invest in a DDoS solution: DDoS attacks aim to overload a website's resources, causing downtime that can lead to lost sales and reputational damage, especially during peak shopping times. Retailers should invest in a DDoS protection solution that uses machine learning to identify and combat malicious traffic in real time, ensuring that legitimate customers can access services seamlessly.
- Secure APIs: To proactively combat automated programs and API abuse, retailers must establish a baseline for expected API behavior, including typical traffic figures and user geographies. This baseline helps detect anomalies, such as unusual spikes in less-used APIs, that may indicate malicious activity. In addition, application of session and IP rate limits can deter abuse, while maintaining an audit trail of user activity simplifies monitoring and investigation of potential threats.
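The last two tips, rate limiting and a per-endpoint traffic baseline used to spot spikes on rarely used APIs, are shown below as a defender-side sketch. This is an added example, not code from Imperva or the guide; it assumes a simple "timestamp ip method path status" access-log format, and the baseline figures and log lines are constructed for illustration.

```python
# Added example (not from the Imperva guide): per-endpoint baseline spike detection
# plus a per-IP sliding-window rate limit, run over constructed API access-log lines.
from collections import Counter, defaultdict, deque
from statistics import mean, pstdev

# Constructed baseline: requests per minute for each endpoint on earlier, quiet days.
BASELINE = {
    "/api/cart": [40, 45, 38, 50, 47, 44],
    "/api/gift-card": [1, 0, 2, 1, 0, 1],  # rarely used: a spike here stands out
}

def is_anomalous(endpoint, count, baseline=BASELINE, k=3.0, floor=5):
    """True if a per-minute count exceeds mean + k*stddev of the endpoint's baseline;
    `floor` stops a near-zero baseline from flagging a handful of requests."""
    history = baseline.get(endpoint)
    if not history:
        return True  # endpoint never seen before: worth investigating
    threshold = mean(history) + k * pstdev(history)
    return count > max(threshold, floor)

class RateLimiter:
    """Sliding window: at most `limit` requests per `window` seconds per key (e.g. IP)."""
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def analyze(log_text, limit=5, window=60):
    """Parse 'ts ip method path status' lines; return spiking (path, minute, count)
    tuples and the (ip, ts) requests the per-IP limit would have rejected."""
    per_minute, limiter, blocked = Counter(), RateLimiter(limit, window), []
    for line in log_text.splitlines():
        ts, ip, _method, path, _status = line.split()
        ts = int(ts)
        per_minute[(path, ts // 60)] += 1
        if not limiter.allow(ip, ts):
            blocked.append((ip, ts))
    anomalies = [(p, m, n) for (p, m), n in sorted(per_minute.items()) if is_anomalous(p, n)]
    return {"anomalies": anomalies, "blocked": blocked}

# Constructed log: one client hammers the rarely used gift-card endpoint within a minute.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} 203.0.113.7 POST /api/gift-card 200" for i in range(7)]
    + ["1700000010 198.51.100.4 GET /api/cart 200", "1700000020 198.51.100.9 GET /api/cart 200"])
```

Calling `analyze(SAMPLE_LOG)` flags the gift-card minute as a spike and shows the sixth and seventh requests from the same IP being rejected, while the two cart requests pass unnoticed.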
By understanding the nature of AI attacks and preparing for emerging challenges, retailers can better protect their operations and ensure safe shopping for their customers. Constant vigilance and adoption of advanced security technologies are critical to keeping pace with evolving cybercriminal tactics and ensuring a safe holiday shopping season for both sellers and shoppers.