Imperva, a leading cybersecurity firm dedicated to safeguarding data, has released a new report on e-commerce security and provided recommendations for secure online shopping in light of the upcoming global shopping event on November 11th.
The company highlighted that Chinese e-commerce giants Alibaba and JD.com achieved a record-breaking US$115 billion in sales during Singles Day 2020, emphasizing that the rise in online shoppers is accompanied by a parallel increase in scams. Imperva’s latest report, “The State of Security Within eCommerce 2021,” predicts that the number of victims will exceed last year’s figures.
Citing a 31% surge in retail security incidents in Singapore between April and September 2021 compared to the previous six months, Imperva identified the following key trends:
Malicious Bots
In 2021, online retail continues to be a primary target for automated bot activity, which can carry out disruptive actions on retail websites, including price and content scraping, scalping, denial of inventory, and various forms of online fraud.
Imperva reported a 13% increase in the volume of monthly bot attacks on retail websites in 2021 compared to the same period last year. Their research revealed that bots were responsible for 57% of attacks on e-commerce websites this year, significantly higher than the 33% observed across all other industries.
Notably, bad bot traffic accounted for 44% of security incidents in Singapore’s retail sector over the past year (October 2020 - September 2021). During last year’s December holiday shopping season, Singapore witnessed a significant 60% surge in simple bot traffic compared to the monthly average.
Sophisticated bad bots, designed to mimic human behavior, posed a considerable challenge, comprising 23.4% of bots targeting retail websites in 2021. These advanced bots bypass basic security measures and engage in account takeovers, fraud, and denial of inventory, making it difficult for legitimate shoppers to purchase desired products.
Distributed Denial of Service (DDoS) Attacks
Imperva Research Labs has observed a notable 200% spike in DDoS attacks in September 2021 compared to the previous month, partly attributed to the Meris botnet’s global impact.
Over the past 12 months, the retail industry has experienced the highest monthly volume of application layer (layer 7) DDoS attacks of any industry. These attacks are effective because each request resembles a legitimate client request yet consumes server-side resources (CPU, database connections, sessions) out of proportion to the bandwidth it uses, on top of the network capacity it occupies. They are also hard to filter, because legitimate and malicious traffic must be told apart at the application level rather than by volume alone.
Website Attacks
From the fourth quarter of 2020 through the first half of 2021, attacks on retail websites were significantly higher than in other industries, characterized by more irregular attack peaks.
E-commerce sites, often targeted for their storage of customer payment information and loyalty rewards, experienced a slightly higher volume of data leakage attacks (31.3%) in 2021 compared to the overall average (26.9%). Data leakage occurs when data is transferred from an organization’s internal network to an external destination, either accidentally or intentionally, without authorization. In January 2021, coinciding with the Chinese New Year shopping period, Singapore’s retail industry witnessed a 59% surge in data leakage attacks.
To enhance online shopping safety, Imperva advises consumers to:
- Ensure software and apps are updated with the latest security patches.
- Avoid using public Wi-Fi networks for shopping; utilize a VPN or a phone as a hotspot.
- Shop only on reputable websites that show a padlock symbol and “https” in the address bar; the padlock confirms only that the connection is encrypted, not that the site is legitimate, so check the domain name as well.
- Exercise caution when downloading apps and extensions, sticking to well-known brands and being wary of free apps.
- Create strong, unique passwords for each shopping account and enable multi-factor authentication whenever possible.
- Opt for secure payment methods such as PayPal or credit cards.
- Refrain from sharing bank or credit card details via email or SMS.
- Disable the storage of payment information in online shopping accounts or browsers.
Imperva’s recommendations for retailers include:
- Ensure compliance with all data privacy regulations applicable to their jurisdiction.
- Prepare for high traffic volumes and potential DDoS attacks.
- Implement a comprehensive bot management strategy to allow only legitimate customers access to the website.
- Encourage customers to adopt strong password practices and offer multi-factor authentication.
- Secure existing website functionalities and ensure the safety of newly added features.
- Conduct a thorough inventory of all JavaScript-based services.
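The last recommendation, an inventory of JavaScript-based services, is the one a practitioner can start on immediately. The script below is an added example, not code from Imperva or the report: it parses a constructed sample checkout page with the Python standard library, classifies each script as first-party, third-party or inline, flags third-party scripts loaded without Subresource Integrity, and derives a starting Content-Security-Policy `script-src` allowlist. The hostnames in the sample HTML and the `shop.example` first-party domain are assumptions for illustration.

```python
"""Inventory the scripts a storefront page loads (added example, not Imperva's code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample checkout page; hostnames are assumptions, not data from the report.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/js/cart.js" integrity="sha384-abc" crossorigin="anonymous"></script>
<script src="https://analytics.example-vendor.com/tag.js"></script>
<script src="//widgets.reviews-vendor.net/embed.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>
"""


class _ScriptCollector(HTMLParser):
    """Records the src and integrity attributes of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def _is_first_party(host, first_party_host):
    # The storefront's own domain and its subdomains (for example a CDN) count as first-party.
    return host == first_party_host or host.endswith("." + first_party_host)


def inventory_scripts(html, first_party_host):
    """Classify every script on the page and derive review findings from the result."""
    collector = _ScriptCollector()
    collector.feed(html)
    entries, external_origins = [], set()
    for s in collector.scripts:
        src = s["src"]
        if not src:
            # Inline script: no external origin, and blocked by a host-based CSP unless nonced/hashed.
            entries.append({"src": None, "host": None, "kind": "inline", "sri": False})
            continue
        if src.startswith("//"):
            src = "https:" + src  # protocol-relative URLs inherit the page scheme
        parts = urlsplit(src)
        host = parts.netloc.lower()
        if host:
            external_origins.add(f"{parts.scheme}://{host}")
            kind = "first-party" if _is_first_party(host, first_party_host) else "third-party"
        else:
            kind = "first-party"  # relative path, served by the storefront itself
        entries.append({"src": s["src"], "host": host or first_party_host,
                        "kind": kind, "sri": bool(s["integrity"])})

    third_party = sorted({e["host"] for e in entries if e["kind"] == "third-party"})
    # A third-party script without an integrity attribute can be swapped by whoever controls that host.
    unpinned = [e["src"] for e in entries if e["kind"] == "third-party" and not e["sri"]]
    inline_count = sum(1 for e in entries if e["kind"] == "inline")
    # Every external origin the page legitimately loads from, plus 'self', seeds the allowlist.
    csp = "script-src 'self' " + " ".join(sorted(external_origins))
    return {"entries": entries, "third_party_hosts": third_party,
            "unpinned_third_party": unpinned, "inline_scripts": inline_count,
            "csp_script_src": csp}


if __name__ == "__main__":
    report = inventory_scripts(SAMPLE_HTML, "shop.example")
    for e in report["entries"]:
        print(f"{e['kind']:12} sri={str(e['sri']):5} {e['src']}")
    print("third-party hosts:", report["third_party_hosts"])
    print("third-party scripts without SRI:", report["unpinned_third_party"])
    print("inline scripts needing a nonce or hash:", report["inline_scripts"])
    print("starting policy:", report["csp_script_src"])
```

Run it against the HTML of each page that handles payment or login, not just the home page, since checkout pages often load scripts the rest of the site does not. The resulting host list is the inventory to review with each vendor; the generated `script-src` is a starting point to test in `Content-Security-Policy-Report-Only` before enforcing it, and inline scripts must be given a nonce or hash before the enforced policy will allow them.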
“The 2021 holiday shopping season is poised to be challenging for retailers and consumers alike,” cautioned Peter Klimek, Director of Technology, Office of the CTO, Imperva.
“As global supply chain issues persist, retailers will grapple not only with product availability in Q4 but also with increased attacks from cybercriminals seeking to exploit the situation. It is crucial for both retailers and consumers to take proactive measures to protect themselves.”