What are the biggest cybersecurity threats affecting online retailers today? The State of Security Within eCommerce in 2022 Report from Imperva is now available and answers that question. For this report, Imperva’s cybersecurity experts analyzed 12 months of data, collected from our global network of customers, and have made this information available just in time for the holiday shopping season.
Following its meteoric growth, mostly owing to the global pandemic, the eCommerce market is now facing new challenges like difficulties in customer acquisition due to user privacy updates, inflation, and more. Despite those challenges, the industry is projected to maintain its overall growth trajectory and is estimated to account for a quarter of all retail sales worldwide by 2025. With new technologies and financing options constantly being introduced to help support growth, the risks to an already highly targeted industry are bigger than ever.
Included among the threat vectors covered in this threat intelligence report are:
- Bad bots remain a top concern for online retailers: Almost two-thirds of all attacks targeting online retailers over the past 12 months have been classified as automated threats. According to the OWASP, there are 21 of these automated threats, but the most common ones affecting retailers are account takeover, web scraping, and scalping.
- The risk of downtime is greater than ever: During the previous holiday season, the average potential downtime due to a DDoS attack targeting online retailers was 70 hours. During the week of Black Friday alone, that average potential downtime was 13 hours! With attacks becoming more frequent and intense, we expect to see record-breaking numbers this year as well.
- Online fraud is on the rise, as new financing options peak in popularity: With the Buy Now, Pay Later (BNPL) market size projected to reach $3.98 trillion by 2030, the risk of online fraud grows. Account-based fraud and especially account takeover (ATO) are the favorite methods that bad actors use, and they are more prevalent in online retail than in other industries.
- API abuse is a growing concern: The diversity of devices that customers have at their disposal and can be used to shop online has led to an increase in API usage to support them. In turn, that means almost half of all traffic to online retailers goes to APIs (vs. web). Of that, 12% of traffic directs to endpoints holding sensitive information, like personal data (e.g., credentials, identification numbers, etc.).
- Log4j ruined the holiday season: As web attacks increased steadily throughout October and November, in December we saw a 48% increase in web application attacks month-over-month. The increase is tied directly to the discovery of the Log4j vulnerability on December 11th, 2021. The vulnerability, which allowed for unauthenticated remote code execution, has led to RCE attacks topping the list of most common web attacks this past year.
- Client-side attacks continue to wreak havoc: On average, online retail websites have 47 JavaScript resources executing on the client side, most of them being third-party. This creates an ideal attack surface for attackers: a single compromise of a widely used JavaScript resource allows them to hit multiple users on multiple sites, all by exploiting the same vulnerability. This is a major cause for concern not only for retailers, but any online business accepting or processing payments. So much so that a script management solution is now recommended by PCI DSS and will be mandatory from 2025.
Advanced threats call for advanced protection
Despite the challenges, the popularity of online shopping continues to grow, making retailers even more lucrative targets for bad actors. While the importance of investing in traditional security tools cannot be overstated, it is clearer than ever that emerging attack vectors beyond the reach of traditional tools are not to be overlooked. Bots are committing online fraud, client-side attacks exploit JavaScript to steal customer data, and bad actors are abusing APIs.
Retailers must stay one step ahead of attackers: Investing in an integrated platform like Imperva Application Security, which provides protection against the leading attacks and optimizes web performance, will help retailers operate efficiently and securely this holiday season and beyond.
Get the report today to gain valuable insights into the nature and impact of the various attacks targeting online retailers, the trends that are shaping up the future of the industry as well as recommendations ahead of the year’s busiest shopping events.
Try Imperva Application Security today, and start your free trial now.
Try Imperva for Free
Protect your business for 30 days on Imperva.