Cyberattacks and retail threats your organization should be prepared for and what actions you can take. 

It’s almost that time of year again, holiday season, when retailers stand to make up to 30% of their annual sales in just a few weeks. Significant pressure rides on these retailers to deliver the perfect customer experience, drive demand from various digital channels, and ensure orders are fulfilled and delivered in a timely manner, amongst other initiatives. But what we’ve found is that retailers are still woefully unprepared for their biggest adversary – bots (cue dramatic music). Bots pose a serious threat to customer satisfaction, data privacy, web performance, and revenue.

Not all bots are bad, but the ones we’re warning you about are operated by fraudsters and cybercriminals who are looking to make money any way they can, and ‘tis the season where they can make their biggest scores. While eCommerce businesses are planning their customer journey, bot operators are plotting how to maximize their profits – by scoring the most in-demand items of the season for resale, stealing loyalty points or store cards, creating fake accounts, or conducting other attacks at scale. Each of these tactics is enabled through automation, since using bots is one of the easiest ways to attack online retailers.

Cybersecurity is important throughout the year, but it’s especially critical during the holidays. Last year’s holiday sales grew 14% and reached $886.7 billion, while e-commerce fraud attempt rates rose by 19%. With 46% of people saying they would shop online more if fraud weren’t an issue, the case for preventing cyber attacks is clear.

According to our data, large eCommerce retailers deal with an average of 63.8 million bad bots per week in the U.S. alone. Below are the most prevalent automated threats and bot attacks targeting eCommerce organizations so far this year. 

2022 Top Automated Attacks Targeting eCommerce Businesses:

  1. Web Scraping (38%)
  2. Carding (25%)
  3. Credential Stuffing (25%)
  4. Fake Account Creation (18.8%)
  5. Denial of Inventory & Hype Release (12.6%)

Figure 1: Kasada data shows the five most prevalent automated attacks retail businesses face in 2022.

2021 Holiday Retail Threats

Last holiday season, Kasada’s threat research team observed surges in bot activity. Traffic grew as much as 27% ahead of the Black Friday holiday weekend compared to earlier in the month. 

2021 Key Observations 

  • 4x increase in automated gift card cracking attempts
  • 10x increase in malicious login attempts 
  • Bot requests exceeded humans by more than 13x during holiday drops
  • Grinch bots were used to buy in-demand toys and resell them for more money during the holidays  
  • Request bots using All-in-one services (AIOs) surged from 0% to 90% during premium hype sales

Year after year cyberattacks grow in size and sophistication, delivering devastating blows to businesses around the globe despite their expensive investments in the latest cybersecurity technology. 

What’s Different This Year 

We anticipate that 2022 will be a pivotal year in the battle against bots. Bot operators have devised devilishly clever ways to commit fraud or “cheat the system,” giving them an advantage over regular customers. For instance, fraudsters used bots to reserve COVID vaccine appointments, buy out baby formula, and steal pharmacy prescriptions.

Based on our threat intelligence and research, we predict retailers will have to contend with a record number of bots this year due to the surge in popularity of various botting methods amongst opportunistic fraudsters. Such methods include solver services, eCommerce bots like “freebie” bots, and carding/cracking.

#1: Popularity and availability of Solver Services will lead to an influx of Grinch bots

In May 2022, Kasada detected the emergence of “Solver” bots: bots able to bypass many bot management technologies. With more bypasses becoming readily available for cybercriminals to purchase, we anticipate grinch bots will pose a greater risk to retailers and garner a bigger profit for bot operators.

A Solver Service is a highly sophisticated attacker who creates a bypass to bot management technologies, then resells those bypasses as a service. This makes bypasses easier to obtain for less experienced attackers, leading to an increase in the frequency and volume of automated attacks. 


Figure 2: Example of a global retailer’s bad bot traffic over the course of several hours. Throughout the entire period, 95–99% of the total bad bot requests were from Solver APIs, whereas the requests from other types of bad bots, such as those from headless browsers, made up the remainder.


Figure 3: Example of a bot management bypass listed for sale online.

#2: eCommerce bots lurk in the shadows

Our threat intelligence team noted that eCommerce bots, or “Freebie” bots, were becoming more popular in botting communities for monitoring and purchasing goods on eCommerce sites at extreme discounts. Freebie bots use scraping techniques to continuously scan products to see if any have been mistakenly published for $0 or discounted by 50–90%, then buy them automatically on the user’s behalf, depleting inventory.

#3: Rising cases of carding + loyalty fraud 

In analyzing this year’s Black Friday in July, we discovered that nearly all of these top retail brands had accounts, store cards, loyalty points, or bypasses up for sale on 3rd party sites, which were likely obtained through automation and the use of bots. The potential value of these stolen gift cards and store cards totaled nearly $46.6 million, with approximately 330,000 accounts up for sale with accompanying credit card information.

It’s important to note that while these accounts, store cards, and gift cards could be real, they could also potentially be fake or redeemed. For these types of items to be listed for sale, bot operators must have been able to perform credential stuffing and carding attacks.


Figure 4: Example of retailer’s customer accounts for sale with credit card information and gift card balances.

Check your security defenses – and check them twice

To get an idea of how prepared retailers were for the coming holiday season, we analyzed the National Retail Federation’s (NRF) Top 100 Retailers list to see how many had already invested in bot detection, how many were able to stop browser-based bots, and whether any had stolen data or accounts for sale on third-party sites.

Our data shows that a majority of retailers had already invested in some form of bot detection (82%), but 77% of them were unable to detect browser-based bots. Browser-based bots use various tools and frameworks such as Puppeteer Stealth to mask signs of automation and make it look as if requests are coming from real users, real browsers, or even Google crawler bots. Without advanced detection methods, an organization wouldn’t even know it’s under attack. 

Most shocking, though, is that approximately 52% of these retailers had sizable volumes of stolen accounts, gift cards, bypasses, or loyalty points for sale on 3rd party sites used by cybercriminals. As we near the holidays, we expect this number to jump, and if left unresolved, it could mean a profitable season for fraudsters.


Figure 5: Kasada’s research shows a majority of retailers on the NRF Top 100 list aren’t prepared to face automated threats.

What you can do:

To protect profits and prevent fraud, we urge retailers to take the below actions as soon as possible. 

  1. Understand the unique bot threats and risks to your business by testing your defenses against various bot attacks. We have a free and secure test you can use. 
  2. Remove points of friction in the login and checkout process by removing CAPTCHAs. According to Baymard, 26% of U.S. adults abandon checkout when the process is too long or complicated. 
  3. Invest in a bot mitigation solution that stays a step ahead of adversaries by continuously updating its invisible defenses.

When looking at bot mitigation providers, we also recommend looking at solutions that use:

  • A client-side approach that proactively identifies the presence of automation, coupled with server-side data analytics
  • Strong obfuscation to prevent reverse engineering
  • Randomized defenses to protect against adversarial retooling 
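The server-side analytics half of the first recommendation can be illustrated with the two 2021 observations above (automated gift card cracking and malicious login attempts). The following is an added example, not Kasada’s code or product logic: it runs a simple per-client heuristic over a constructed request log, flagging a client that tries many distinct usernames (credential stuffing) or many distinct card numbers (gift card cracking) with a high failure rate. The log format, endpoints, and thresholds are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample log (not real traffic): (client, path, identifier, result)
def build_sample_log():
    log = []
    # One client cycling through distinct usernames, almost all failing
    for i in range(8):
        log.append(("203.0.113.5", "/login", f"user{i}", "ok" if i == 3 else "fail"))
    # A legitimate shopper: one typo, then success on the same account
    log += [("198.51.100.9", "/login", "carol", "fail"),
            ("198.51.100.9", "/login", "carol", "ok")]
    # One client enumerating sequential gift card numbers, all failing
    for i in range(10):
        log.append(("192.0.2.77", "/giftcard/balance", f"6006-{i:04d}", "fail"))
    # A legitimate balance check
    log.append(("198.51.100.9", "/giftcard/balance", "6006-9001", "ok"))
    return log


def analyze(log, min_attempts=5, min_distinct_ratio=0.8, min_fail_ratio=0.8):
    """Return {client: finding} for clients whose attempt pattern looks automated.

    A human retrying their own account repeats one identifier; a bot working
    through a list of stolen credentials or candidate card numbers presents
    many distinct identifiers, mostly rejected. Thresholds are assumed values.
    """
    per_client = defaultdict(lambda: defaultdict(list))
    for client, path, ident, result in log:
        kind = "login" if path == "/login" else "giftcard"
        per_client[client][kind].append((ident, result))

    findings = {}
    for client, kinds in per_client.items():
        for kind, attempts in kinds.items():
            if len(attempts) < min_attempts:
                continue  # too little volume to judge
            distinct_ratio = len({ident for ident, _ in attempts}) / len(attempts)
            fail_ratio = sum(r == "fail" for _, r in attempts) / len(attempts)
            if distinct_ratio >= min_distinct_ratio and fail_ratio >= min_fail_ratio:
                findings[client] = ("credential_stuffing" if kind == "login"
                                    else "gift_card_cracking")
    return findings


if __name__ == "__main__":
    for client, finding in analyze(build_sample_log()).items():
        print(f"{client}: {finding}")
```

In production the same ratios would be computed per time window and combined with client-side automation signals rather than used alone.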

For retailers to be truly prepared for this holiday season, they must protect themselves against all forms of malicious automation, and currently many are not. With better bot mitigation, a retailer can expect to see better site performance, more conversions, more accurate metrics, happier customers, and higher profit margins.

Want to know if your business is being bombarded with bots? 

Request a personalized threat assessment – Our team collects our own proprietary threat intelligence and runs various tests to identify if bots are currently bypassing your defenses and which bots and tools your business may be vulnerable to.