Cyberattacks on online retailers and shoppers are projected to rise in November in conjunction with Singles’ Day, Black Friday and Cyber Monday. Here are some protective measures that shoppers and retailers can practise.
According to the Imperva’s “The State of Security Within eCommerce 2021” report, threats are escalating for the retail industry.
Imperva has released a new eCommerce report and issued advice around safe retailing in conjunction with the world’s biggest online shopping event on Nov 11 − Singles’ Day.
“The 2021 holiday shopping season is shaping up to be a nightmare for both retailers and consumers. With the global supply chain conditions worsening, retailers will not only struggle to get products to sell in Q4, but will face increased attacks from motivated cybercriminals who want to benefit from the chaos. Retailers and consumers alike need to take the necessary steps to protect themselves,” says Peter Klimek, Director of Technology, Office of the CTO, Imperva.
The company helps organisations protect their data and all paths to it – securing their applications, data and websites from cyber attacks.
Last year, Chinese e-commerce giants Alibaba and JD.com racked up around US$115 billion in sales across their platforms during the Singles Day shopping event, setting a new record.
Singles’ Day online sales in China usually surpass the US Cyber Monday sales, Black Friday or any other 24-hour shopping campaign by a wide margin making it the biggest shopping holiday in the world.
Scams typically rise in tandem with the number of online shoppers, and Imperva’s 12-month analysis on cybersecurity risks in the retail industry suggests that the 2021 holiday shopping season will be no different.
In fact, in Imperva’s “The State of Security Within eCommerce 2021” report, the number of victims this year is projected to surpass that of last year’s.
More details below from the report
Retailers globally are experiencing higher levels of security incidents.
In Singapore, for instance, the number of security incidents in the industry have increased 31% in the April-Sept 2021, compared to the previous six-month period.
Malicious Bots
Online retail remains a prime target for automated bot activity in 2021.
Bots carry out an array of disruptive, and even malicious, activities on retail sites including price and content scraping, scalping, denial of inventory and other types of online fraud.
Tips for Shoppers
Here are some steps that consumers can take to prevent monetary and data loss:
- Before you shop, ensure your software and apps are updated so you have all the latest security patches.
- Do not shop through a public Wi-Fi connection. Instead use a VPN or your phone as a hotspot.
- Make sure you shop through a reputable site with a padlock symbol and ‘https’ at the start (not http).
- Be careful of the apps/extensions you download onto your devices. Stick to well-known brands or applications. Be especially wary of free apps.
- When setting up your shopping accounts be sure to use strong, differentiated passwords for each account, and set multi-factor authentication where possible.
- Use secure payment methods like PayPal or your credit card.
- Never send your bank or credit card details via email or SMS.
- Don’t let your online shopping accounts or browser save your payment details.
In 2021, the volume of monthly bot attacks on retail websites rose 13%, compared to the same months of the previous year.
This underscores the growing threat retailers and consumers face from bad bot activity.
Imperva Research Labs finds that a majority (57%) of attacks recorded on eCommerce websites this year were carried out by bots.
In comparison, bad bots made up just 33% of the total attacks on websites in all other industries in 2021.
Incidentally, the top type of security incident in the Singapore retail industry in the past 12 months (Oct 2020 − Sep 2021) has been bad bot traffic (44%).
In the December shopping period last year in particular, Singapore’s retail industry saw a marked rise in simple bot traffic of 60% above the monthly average.
More worryingly, the proportion of sophisticated bad bots on retail websites reached 23.4% in 2021.
This breed of bot is the hardest to stop because they are capable of producing mouse movements and clicks that closely resemble human behaviour.
Sophisticated bots evade simple defences and are responsible for account takeover, fraud or denial of inventory that makes it harder for legitimate shoppers to get the goods they want.
Distributed Denial of Service (DDoS) Attacks
As the holiday shopping season commences, Imperva Research Labs is already seeing an uptick in DDoS attacks − spiking 200% in September 2021, compared to the month prior.
Part of this uptick in activity is tied to the enormous Meris botnet that has impacted organisations globally.
Tips for Retailers
Just as consumers should be mindful of the risks of online shopping, retailers must adopt measures to protect their customers and operations. Here’s what retailers should do:
- Ensure your organisation is compliant with all data privacy regulations in your jurisdiction.
- Prepare for a high volume of traffic, as well as DDoS attacks.
- Be sure to have a bot management strategy in place to only allow legitimate customers onto your website.
- Encourage your customers to practice good password practices and offer multi-factor authentication.
- Protect your existing website functionalities and make sure newly added ones are safe, too.
- Take inventory of all your JavaScript-based services.
Throughout the past 12 months, the retail industry experienced the highest volume of application layer (layer 7) DDoS incidents per month of all industries.
Layer 7 attacks are highly effective because they consume both network and server resources.
Defending against application layer attacks is difficult because it requires the ability to distinguish between attack traffic and normal traffic.
Website Attacks
Attacks on retail industry websites from Q4 2020 through the first half of 2021 were notably higher than all other industries, and were characterised by more sporadic peaks in attacks.
Retail sites experienced slightly higher volumes of Data Leakage attacks (31.3%) in 2021 compared to all industries (26.9%) as eCommerce sites are prime targets because they host shoppers’ payment information or loyalty reward points.
Data leakage occurs when data is transmitted from an organisation’s corporate network to an external destination, whether accidentally or deliberately, without authorisation.
In January 2021, the Singapore retail industry saw a 59% increase above the monthly average for data leakage attacks, coinciding with the Chinese New Year shopping period.
Tags: cybersecurity, eCommerce, Imperva, security, shopping