It’s no secret that the holiday season is the busiest time for online retailers, with sales starting as early as October and stretching until late December. According to the NRF, census data suggests that 2023 holiday sales experienced a 3.8% growth, reaching a record $964.4 billion (about $3,000 per person in the US).
While the festive season is known for record-breaking sales and a rush of eager shoppers, it is also a time when cyber threats intensify. From malicious bots to API and DDoS attacks, cybercriminals are waiting to exploit vulnerabilities. In this critical period, ensuring your cybersecurity measures are robust is not just a precaution; it is a necessity.
This blog post leverages data collected from the Imperva global network and years of experience safeguarding online retailers to provide essential recommendations and strategies for protecting your online retail business.
These tips will ensure you and your customers enjoy a safe and successful holiday shopping season. I want to extend a special thank you to Gabriella Sharadin from our Threat Research Team for her invaluable contribution to this blog.
Expect an Influx of Traffic
Retailers should expect a surge in online traffic during the holiday shopping season, with customers keen to secure the best deals and exclusive products.
One thing to note is that traffic is becoming more and more unpredictable during the holiday shopping season. When we look at the traffic to online retailers throughout the last holiday shopping season (October and November of 2023), we can see sporadic peaks in traffic on various days. As a general trend, we saw a 12% increase in traffic between October and November. When we look at individual days, Singles Day (November 11) saw a 42% increase in traffic and another 22% the following day. November 19 saw the highest traffic level of the entire season, with a massive 54% increase, perhaps the opening shot of the Black Friday week. Interestingly, we saw 42% more traffic on Cyber Monday than on Black Friday. While early holiday shopping is becoming increasingly popular, many consumers still prefer waiting until after the holiday to start online shopping.
We recommend that you ensure your infrastructure is prepared to handle the increased load without compromising performance. Make sure your servers can scale to meet demand, use a content delivery network (CDN) to distribute traffic more efficiently, and consider using a waiting room queuing system during peak periods. A waiting room controls the flow of traffic to your site or app on a first-come, first-served basis, ensuring a fair experience for legitimate users during high-profile events and on-sale launches. This approach should be combined with a bot management strategy, which we discuss next.
Don’t Overlook Bot Traffic
Alongside the influx of legitimate shoppers, online retailers face a significant increase in malicious bot activity as the holiday shopping season approaches. Bad bots target high-demand products, exploit new user discounts, and engage in price and content scraping, among other activities. These are just a few examples of how bots can target your applications and APIs; the OWASP Automated Threats to Web Applications project catalogs 21 such automated threats.
Bot attacks are the most common threat to online retailers, as the industry experiences an average of 101,950 bot-related incidents daily! Bots abusing business logic account for 43% of all attacks, while 12% are other types of automated threats. In comparison, the average across all industries reveals that 22% of all attacks are business logic abuse by bots, and 14% are other forms of automated threats.
Bot traffic: When we compare the profile of traffic to retail websites with the average across all industries (measured between July 2023 and July 2024), the overall level of automated traffic is similar, but its makeup differs. Retail websites had 28% of automated traffic classified as malicious, while the all-industry average is 36%. However, good bot traffic to retail websites was higher than average, accounting for 21% of traffic. This is due to the prevalence of price scraping by search engines and price comparison websites.
Bot Sophistication: While 28% of traffic originating from bad bots might be lower than the average, considering the sophistication of those bots helps us better understand the problem's complexity. The larger the share of advanced bad bots, the more complex the bot problem is and the greater the risks for the industry. The retail industry suffers from some of the most persistent bot problems, as indicated by its high ratio of advanced bad bot traffic (58%) compared to the cross-industry average.
Combined with moderately sophisticated bots, they make up a category called Evasive Bad Bots. These bots use complex tactics like cycling through random IPs, entering via anonymous proxies, using residential proxies, changing their identities, mimicking human behavior, delaying requests, and defeating CAPTCHA challenges. They use a “low and slow” approach to avoid detection and carry out significant attacks using fewer requests. This method reduces the “noise” generated by many bad bot campaigns, making it difficult to detect them. These Evasive Bad Bots make up 70% of all bad bot traffic to retail websites, compared to 51% on other websites.
Developing a comprehensive bot management strategy is crucial to safeguard your platform and ensure a smooth shopping experience for legitimate customers. Here are some key recommendations:
- Identify risks and evaluate traffic: Start by pinpointing potential vulnerabilities within your site, such as login endpoints, account creation pages, payment forms, and product pages. Bots often target these areas for account takeovers, scalping limited-edition items, or exploiting new user discounts. Establish a baseline for failed attempts on your login pages and monitor for any anomalies or spikes. Unexplained surges in traffic—particularly around these critical areas—can indicate bot activity. Use traffic analysis tools to help differentiate between legitimate users and bots, enabling you to respond swiftly to suspicious behavior.
- Identify entry points: Beyond your website, ensure that all exposed APIs and mobile applications are secured, as these are common gateways for bots to reach your web applications and sensitive data. Protect these digital entry points with strong authentication, encryption, and rate limiting. These measures help prevent unauthorized access and mitigate the risk of bots exploiting these channels to disrupt your operations or steal valuable information.
- Block outdated user agents: Many bots present outdated browser versions that lack the latest security updates, whereas human users' browsers are typically auto-updated to current versions. To mitigate bot traffic, block user-agent strings associated with browsers that reached their End of Life more than three years ago, and require CAPTCHA verification for those more than two years past their End of Life. This approach helps ensure that only up-to-date, legitimate browsers interact with your site, reducing the risk of bot-driven attacks.
- Limit proxies: Bots often use proxy services to obscure their true origins by rotating through IP addresses provided by bulk IP services. This makes detecting and blocking them more challenging. Restrict access from known bulk IP data centers, such as Host Europe GmbH, Dedibox SAS, Digital Ocean, OVH SAS, and Choopa, LLC, to counteract this. Limiting traffic from these sources can significantly reduce the likelihood of bot traffic infiltrating your site, especially during high-demand periods like the holiday shopping season.
- Implement rate limiting: Rate limiting is critical for managing traffic flow and preventing bots from overwhelming your site. By setting a maximum number of requests that a user (not IP!) can make within a specific timeframe, you can protect your resources and ensure your site remains responsive to genuine customers. This strategy also helps mitigate the risk of bot-driven attacks, such as brute-force login attempts or carding, where bots repeatedly test stolen credit card details.
- Look out for signs of automation and headless browsers: Many modern bots use headless browsers—such as Puppeteer, Selenium, and WebDriver—that simulate human behavior while automating interactions with your site. Detecting these bots requires vigilance in monitoring for signs of automation, such as unnaturally fast interactions or abnormal browsing patterns. Look for behaviors like rapid clicks, navigating through pages too quickly, or the consistent and unusual accessing of specific resources. Implementing detection strategies focused on these signs can help you identify and block headless browsers before they can cause harm, ensuring that your genuine customers enjoy a seamless shopping experience.
It's important to note that these are not silver bullet solutions, but they can help effectively reduce unwanted bot traffic. If you have a problem with evasive, persistent bots, assess your need for a dedicated bot management solution, ideally one that is highly customizable and adaptable to the ever-evolving threat landscape. By taking these steps, you can maintain a seamless shopping experience for your customers while keeping malicious bots at bay, ensuring your business thrives during the holiday rush.
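To make the "per user, not per IP" rate-limiting recommendation concrete, here is an added Python example (not Imperva's code or a product feature) of a sliding-window limiter for a login endpoint that counts failures per targeted account as well as per source IP. The thresholds, account names and documentation-range IP addresses are constructed assumptions; the simulation replays the distributed pattern described above, one failed attempt per IP, which a per-IP counter alone never notices.

```python
import time
from collections import defaultdict, deque

# Assumed thresholds for a login endpoint (constructed example, not a product setting).
LIMIT = 10       # failed attempts tolerated per key ...
WINDOW = 600     # ... inside a 10-minute sliding window


class LoginRateLimiter:
    """Sliding-window counters keyed by the account being targeted and,
    separately, by source IP. The account key is what catches distributed
    attempts; the IP key still catches single-source floods."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.by_account = defaultdict(deque)
        self.by_ip = defaultdict(deque)

    def _count(self, bucket, key, now):
        hits = bucket[key]
        while hits and now - hits[0] > self.window:   # drop expired timestamps
            hits.popleft()
        hits.append(now)
        return len(hits)

    def record_failure(self, account, ip, now=None):
        """Call after a failed login. Returns which keys have exceeded the limit."""
        now = time.time() if now is None else now
        return {
            "account_blocked": self._count(self.by_account, account, now) > self.limit,
            "ip_blocked": self._count(self.by_ip, ip, now) > self.limit,
        }


def simulate_distributed_attack(attempts=41, spacing=10.0):
    """Constructed scenario: one account, every failed attempt from a fresh IP,
    spread out over minutes. Returns the attempt number at which each key
    first tripped, or None if it never did."""
    limiter = LoginRateLimiter()
    tripped = {"account": None, "ip": None}
    t0 = 1_700_000_000.0
    for n in range(1, attempts + 1):
        ip = f"198.51.100.{n}"                       # TEST-NET-2 documentation range
        result = limiter.record_failure("alice", ip, now=t0 + n * spacing)
        if result["account_blocked"] and tripped["account"] is None:
            tripped["account"] = n
        if result["ip_blocked"] and tripped["ip"] is None:
            tripped["ip"] = n
    return tripped


def simulate_window_expiry():
    """Ten failures at once, then one more after the window has passed:
    the old attempts must no longer count against the user."""
    limiter = LoginRateLimiter()
    t0 = 1_700_000_000.0
    for _ in range(LIMIT):
        limiter.record_failure("bob", "192.0.2.1", now=t0)
    return limiter.record_failure("bob", "192.0.2.1", now=t0 + WINDOW + 1)
```

In production the per-account counter would feed a step-up challenge (MFA or CAPTCHA) rather than a hard block, so an attacker cannot lock legitimate users out by deliberately tripping it.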
Implement Client-Side Security Practices
As the holiday season draws near, online retailers must focus on securing the client side of their web applications to protect against stealthy, sophisticated threats. With application logic rapidly shifting to the client side and websites incorporating more third-party code, the risk of client-side attacks like digital skimming grows. These attacks, such as Magecart and formjacking, occur when malicious JavaScript is injected into first-party or third-party code used on legitimate websites, often through vulnerable scripts in the software supply chain.
Even a single line of malicious code can enable attackers to exfiltrate sensitive customer data, leading to long-term breaches since these attacks are challenging to uncover. Retail websites, which load an average of 398 resources per site—many third-party—are prime targets for attackers looking to exploit this blind spot.
JavaScript is present in almost every modern web application and can be abused by attackers to steal data, track user behavior, and inject malicious scripts. With retail relying on third-party services for 76% of its JavaScript code, the risk of a supply chain compromise is high. This is why PCI DSS 4.0 now emphasizes securing client-side payment pages against unauthorized modifications. Retailers must implement protective measures to monitor and prevent malicious script injections that target vulnerable third-party code, ensuring a secure customer shopping experience.
However, the holiday shopping season isn’t the only thing that draws near, as the deadline for compliance with the final phase of new PCI DSS 4.0 requirements is fast approaching, too. These will take effect on March 31, 2025, and there are two new requirements for client-side security. The recent Polyfill supply chain attack was a frightening example of the potential risks associated with the client side. Here’s a short reminder of what these new requirements are:
PCI 6.4.3: Maintain an inventory of all payment page scripts with a written justification for each, confirm that every script is authorized, and assure its integrity. This requirement aims to reduce the risk of JavaScript-based web skimming and Magecart attacks by detecting undesired actions, such as a script altering its behavior to access payment form data.
PCI 11.6.1: Deploy a change- and tamper-detection mechanism on payment pages to detect unauthorized modifications to the HTTP headers and payment page content. The essence of PCI DSS 11.6.1 is a mechanism that compares the current HTTP headers and payment page content with prior known-good versions to identify unauthorized changes. This mechanism must alert personnel to any such modification, thereby mitigating the risk of sensitive payment information being compromised.
PCI DSS recently released version 4.0.1, which provides merchants with much-needed clarification about the applicability of these requirements.
While tools like Content Security Policy (CSP) and Subresource Integrity (SRI) can help you meet some of the new PCI DSS requirements, they are not foolproof. CSP, for instance, controls which origins may load scripts but does not address the behavior of those scripts once loaded. Similarly, SRI verifies that a fetched script matches a known hash, but the hash must be updated whenever the script changes, which can be burdensome.
To fully comply with PCI DSS 4.0 and enhance your client-side security, consider adopting more comprehensive security solutions that combine CSP, SRI, and real-time monitoring. Automated tools can simplify maintaining script integrity and authorization, reducing the manual workload and ensuring continuous compliance. Additionally, these tools can provide visibility into script behavior, helping you detect and mitigate potential threats before they can cause harm. Such solutions can also streamline PCI 11.6.1 compliance by ensuring continuous monitoring and real-time detection of unauthorized modifications to your payment pages.
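As an added illustration (not Imperva's code or a product feature), the following Python script implements the core of what 6.4.3 and 11.6.1 ask for: an authorized script inventory with written justifications and SRI-style hashes, compared against the live payment page and its response headers, returning findings a monitoring job would alert on. The page HTML, script bodies, header values and resulting hashes are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(body: bytes) -> str:
    """Integrity value in the form browsers accept in <script integrity=...>."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()


class _ScriptCollector(HTMLParser):
    """Collects (src, inline body) for every <script> element on the page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def observed_scripts(html: str, fetched: dict) -> dict:
    """Map each script on the page to its hash. External scripts are hashed
    from `fetched` (src -> bytes), the body a browser would actually load."""
    parser = _ScriptCollector()
    parser.feed(html)
    hashes = {}
    for n, (src, inline) in enumerate(parser.scripts):
        key = src if src else f"inline#{n}"
        body = fetched.get(src, b"") if src else inline.encode()
        hashes[key] = sri_hash(body)
    return hashes


def check_payment_page(html, fetched, headers, baseline):
    """Compare the live page with the authorized inventory (6.4.3) and the
    known-good headers (11.6.1). Returns sorted findings; [] means no change."""
    findings, inventory = [], baseline["scripts"]
    seen = observed_scripts(html, fetched)
    for key, digest in seen.items():
        if key not in inventory:
            findings.append(f"unauthorized script: {key}")
        elif inventory[key]["hash"] != digest:
            findings.append(f"script content changed: {key}")
    for key in inventory.keys() - seen.keys():
        findings.append(f"inventoried script missing: {key}")
    live = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    for name, expected in baseline["headers"].items():
        if live.get(name.lower()) != expected:
            findings.append(f"header changed: {name}")
    return sorted(findings)


# Constructed sample data: neither the scripts nor the hashes are real.
CHECKOUT_JS = b"function pay(form) { return submit(form); }"
ANALYTICS_JS = b"track('checkout');"
BASELINE = {
    "scripts": {
        "/static/checkout.js": {"hash": sri_hash(CHECKOUT_JS), "justification": "first-party payment form"},
        "https://cdn.example/analytics.js": {"hash": sri_hash(ANALYTICS_JS), "justification": "approved analytics"},
    },
    "headers": {"Content-Security-Policy": "script-src 'self' https://cdn.example", "X-Frame-Options": "DENY"},
}
LIVE_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://third-party.example/extra.js"></script>
</body></html>"""
LIVE_FETCHED = {
    "/static/checkout.js": CHECKOUT_JS + b" // unreviewed change",
    "https://cdn.example/analytics.js": ANALYTICS_JS,
    "https://third-party.example/extra.js": b"/* not in the inventory */",
}
LIVE_HEADERS = {"x-frame-options": "DENY"}   # the CSP header has disappeared


def demo():
    return check_payment_page(LIVE_HTML, LIVE_FETCHED, LIVE_HEADERS, BASELINE)
```

Each finding maps to an alert that 11.6.1 requires personnel to receive; the "hash" values in the inventory are the same sha384 strings you would place in a script tag's integrity attribute, so the inventory and SRI stay in step.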
Safeguard Account Authentication
Account takeover (ATO) is a form of identity theft where cybercriminals gain unauthorized access to a user’s online account, usually by exploiting weak or stolen credentials. User accounts on eCommerce websites are typically rich with financial incentives, making them a prime target for hackers and fraudsters. Once inside, attackers can engage in various forms of fraud, from making unauthorized purchases to stealing sensitive data or exploiting stored payment methods like credit card details and gift card codes.
Account takeover attacks are becoming increasingly sophisticated. They involve tactics like using leaked credentials, which we see in 14% of attacks. These attacks aren’t limited to a few regions; they span the globe, with hotspots in the U.S., France, Australia, Brazil, and Turkey. Attackers typically make 41 login attempts per account takeover (ATO) event. This number may seem low, but it is intentional. Attackers distribute these attempts across multiple events, timing them at varying intervals to avoid triggering security rules. This technique is commonly called a “low and slow” attack.
Still, some attackers flood the login endpoint with a high volume of malicious requests. Imperva has recorded surges as high as 102,742 malicious logins in a single incident targeting an online retailer. It’s important to note that these incidents usually comprise just a single part of a larger-scale attack, which amounts to millions of malicious login attempts.
During the holiday shopping season, account takeover attacks rise due to increased transactions and user activity. Data from Imperva Threat Research shows that during the 2023 holiday shopping season, there was a noticeable surge in these attacks. Beginning September 2023, there were significant spikes, with peaks on key shopping days like November 8, 14, and 24 (Black Friday). On Black Friday alone, the number of ATO attacks spiked by 85%, compared to a 66% increase on Black Friday 2022. Furthermore, the intensity of these attacks is growing, as evidenced by an 82% rise in malicious login requests between October and November.
Given these alarming trends, businesses must implement strong security measures to protect their login and account creation endpoints, safeguarding their customers and operations.
Promoting strong credential hygiene among users is crucial to safeguarding account authentication effectively. This involves setting stringent password requirements, including a mix of characters, numbers, and symbols, and encouraging multi-factor authentication (MFA). Additionally, retailers should consider implementing passkeys—cryptographic keys that are safer and easier to use than traditional passwords. Be vigilant about data breaches, as account takeover (ATO) attacks typically surge following such events.
Consider implementing a dedicated account takeover protection solution for the best all-around login endpoint protection. Such a solution can help detect and mitigate all ATO attacks, distinguish between malicious and authentic login attempts, and identify compromised credentials and users at risk of fraud before it’s too late. Look for a solution that employs the latest cutting-edge detection techniques, such as user behavior anomaly detection and machine learning, working in a multi-layered formation. This ensures you can mitigate attacks from the first malicious request and significantly reduce the risk of fraudulent activity on your user accounts.
Secure Your APIs
APIs, the backbone of modern retail applications, are not spared either. Retail experiences an average of 5,570 API attacks daily. The majority are API violations (36%), where usage rules like rate limits are broken, followed by business logic abuse (26%), where flaws in the API's processes are exploited without violating technical constraints, and data leakage (11%), where the API unintentionally exposes sensitive data. The most common clients used in these attacks include bots (30%), Go (17%), and okHTTP (7%), with the top attack origins spanning the U.S., Brazil, Indonesia, Australia, and Singapore.
As the holiday shopping season approaches, online retailers must prioritize API security to safeguard against the heightened threat of cyberattacks. Retailers should begin by discovering, classifying, and maintaining an up-to-date inventory of all APIs, endpoints, parameters, and payloads. This continuous discovery process ensures visibility into the API landscape and helps identify exposure points where sensitive data may be at risk.
Given the elevated threat environment, performing risk assessments targeting APIs is crucial, focusing on endpoints susceptible to vulnerabilities like broken authorization, authentication, and excessive data exposure. Protecting these high-risk APIs is essential to preventing unauthorized access and data breaches. Additionally, retailers should establish a robust monitoring system for API endpoints, enabling real-time detection and analysis of suspicious behaviors and access patterns, often precursors to more significant attacks.
To proactively mitigate automated application and API abuse before the holiday shopping season, online retailers should establish a baseline for expected API behavior, including typical traffic rates and user geographies. This makes anomalies detectable, such as unusual spikes in traffic on rarely used APIs like "write" APIs, which could signal abnormal activity. Next, retailers should understand how users access their APIs and apply rate limits by session and IP to prevent abuse, particularly when tokens or API keys are involved. Lastly, maintaining an audit trail of user activity enables developers and security teams to monitor traffic logs, making it easier to identify and investigate potential malicious bot activity.
For optimal protection, consider an API security solution that integrates with your existing bot management to provide maximum security for your APIs against automated business logic abuse. The solution should offer continuous deep discovery and classification of all your APIs based on their sensitivity, the nature of transacting data, associated risks, and functionality. Based on that, it should provide actionable insights about high-risk APIs you want to protect with your bot management solution and enable easy onboarding.
DDoS Attacks Aren’t Going Anywhere
Distributed Denial-of-Service (DDoS) attacks remain a persistent threat. Attackers flood retailers’ networks or servers to overwhelm their capacity. These attacks can cause severe service disruptions and significant revenue loss when successful. According to Pingdom, downtime costs for smaller businesses range from $137 to $427 per minute. For larger enterprises, even a brief outage can exceed $16,000 per minute—amounting to a staggering $1 million per hour.
Retail sites safeguarded by Imperva during the 2023 holiday season prevented an average of 30 hours of downtime per site. During Cyber Week alone, Imperva mitigated 10 hours of potential downtime per retail site, ensuring smooth operations during peak shopping.
On May 3rd, 2024, a staggering 48 Gbps network DDoS attack targeted a Korean retail site, exemplifying the scale of threats that could disrupt business. Retailers experience an average of 24.48 network DDoS attacks daily, with hotspots in the U.S., South Korea, Mexico, Israel, and Colombia. Application-layer DDoS attacks are even more frequent, averaging 51.87 per day, and already spiking as we get closer to this year’s holiday shopping season.
According to the Imperva 2024 DDoS Threat Landscape report, Application-Layer DDoS attacks on retail websites have increased 61% since last year. Application-layer DDoS attacks pose a significant threat to online retailers, particularly as they prepare for the heightened traffic of the holiday shopping season. These attacks, which target the application layer of a retailer’s website, are designed to overwhelm the server with many requests, rendering the site unusable for legitimate customers. The most severe incident year-to-date was recorded on March 13th, 2024, when a Romanian site was hit with an attack peaking at 4 million requests per second, originating from around 2,000 IP addresses and lasting 10 minutes. Such attacks can be devastating, especially during peak shopping, when downtime can lead to significant revenue losses and damage customer trust. Retailers in the U.S., U.K., Australia, Brazil, and Japan are particularly vulnerable, underscoring the need for robust DDoS mitigation strategies to ensure continuous operation during critical shopping periods.
Watch Out For AI-Driven Attacks
Artificial intelligence (AI) has become a double-edged sword in cybersecurity. While it offers powerful tools for defending against threats, cybercriminals also use it to carry out sophisticated attacks. AI-driven attacks can automate phishing campaigns, generate convincing fake identities, and even adapt in real-time to bypass security measures. For eCommerce businesses, this means facing more advanced and persistent threats that can target vulnerabilities and even perpetrate fraud with greater precision while evading detection.
As AI advances, cybercriminals increasingly leverage it to enhance the scale and sophistication of their attacks on eCommerce platforms. Retailers must be especially vigilant during this year’s holiday shopping season, as integrating AI into malicious activities poses significant threats to online businesses. In a recent 6-month analysis (April 2024 – September 2024), data from Imperva Threat Research reveals that retail sites experience 569,884 AI-driven attacks daily on average.
These attacks originate from AI tools like ChatGPT, Claude, and Gemini, alongside specialized bots designed to scrape websites for LLM training data. An analysis of these attacks shows that cybercriminals primarily use AI tools to carry out Business Logic Abuse (30.7% of attacks), DDoS attacks (30.6% of attacks), bad bot attacks (20.8% of attacks), and API violations (16.1% of attacks).
By understanding the nature of AI-driven attacks and proactively strengthening security measures, retailers can better protect their eCommerce websites from these sophisticated threats. Staying ahead of attackers requires continuous vigilance and the adoption of advanced security technologies that can match the evolving tactics of cybercriminals. Implementing these strategies will help ensure a secure and successful holiday shopping season for retailers and their customers.
Conclusion
To strengthen security measures, retailers should adopt an integrated approach that includes a Web Application Firewall (WAF), API Protection, Distributed Denial of Service (DDoS) Protection, Client-Side Protection, and Bot Protection. This layered defense strategy offers comprehensive protection against sophisticated threats, ensuring retailers can safeguard their applications and data at scale while minimizing risks like account takeovers and client-side vulnerabilities. By leveraging these combined solutions, retailers can operate securely and efficiently during peak shopping seasons, reducing false positives and maintaining business continuity despite evolving cyberattacks.
About Imperva Application Security
Imperva, a Thales company, is the cybersecurity leader that helps organizations protect critical applications, APIs, and data anywhere, at scale, and with the highest ROI. The Imperva Application Security Platform stops the most advanced attacks with the highest efficacy while minimizing false positives. Its high efficiency enables organizations to quickly onboard, protecting their assets at scale. With the help of the Imperva Threat Research Team and our global intelligence community, we stay ahead of the evolving threat landscape, seamlessly integrating the latest security, privacy, and compliance expertise into our solutions.
The Imperva Application Security Platform combines best-of-breed solutions that bring defense-in-depth to protect your applications wherever they live — in the cloud, on-premises, or in a hybrid configuration:
- On-Prem and Cloud Web Application Firewall (WAF) solutions for blocking the most critical web application security risks.
- API Security for continuous protection of all APIs using deep discovery and classification.
- Advanced Bot Protection safeguards websites, mobile applications, and APIs against today’s most sophisticated automated threats.
- Account Takeover Protection to safeguard login endpoints against malicious activity, including takeover attempts and new account fraud.
- Client-Side Protection secures websites against client-side attacks and streamlines regulatory compliance with PCI DSS 4.0.
- DDoS protection for websites, networks, and DNS to ensure business continuity with guaranteed uptime.
- Runtime Application Self-Protection (RASP) for security by default against known and zero-day vulnerabilities.
- Content Delivery Network for securely delivering applications worldwide with superior speed and performance.