SBN

Targeted Security Attacks Impact Holiday Shopping

blogp21.jpg

Part 2 – Security

In the first post, web performance was discussed, especially for the mobile visitor. While web performance is critically important, security is also a vital area of focus and investment because, threat actors don’t take holidays. They’re always out on the internet probing sites, looking for vulnerabilities and ways to steal data or take over sites. They are however, keenly aware of holidays and what that means for increased online activity so they have extra focus on these days.

The chart below shows the total retail-specific bots on the seven key holidays we tracked. The lower number for Cyber Monday is intriguing; another vendor reported a 47% drop in malware attacks on Cyber Monday as well. A possible explanation is that threat actors are becoming smarter and more focused in their attacks, only using the more profitable types.

blogp22.png

Credential abuse/stuffing attacks closely echo retail-specific bots, with the exception being Singles’ Day 2. Singles’ Day 2 is a much smaller event than Singles’ Day 1, but the fact that it is firmly in the prime Christmas and Boxing Day shopping timeframe (12 Dec) is the most likely explanation for its high number.

blogp23.png

Looking at the assorted web application attacks, the number of attacks on Christmas Day were comparable to Cyber Monday, with the exception of cross-site scripting, which was five times more than Cyber Monday and two times more than Black Friday. This is likely due to the fact retailers want to track their Christmas sales more than any other day of the year, and web application developers end up including a lot more third party scripts/content on their sites, and attackers take advantage of that. Also, perhaps someone found a vulnerable version of a particular ecommerce software and was testing that against a lot of domains in an automated fashion.

Regarding the higher Diwali number, as with the session traffic, this represents a period of time over multiple days, versus a single shopping day. Singles’ Day 1, while essentially only in China is the biggest single holiday sale day in the world (US$31B compared to $US14B for Black Friday and Cyber Monday combined). There are over 666 million registered users on Tmall (Alibaba’s online shopping site) alone; the magnitude of this holiday attracted the higher amount of malware attacks.

blogp24.png

Seven Key Recommendations for 2019

As we, along with others, have seen throughout 2018, online retailers need to be ‘mobile first’ in their approach, with the objective of providing the most optimal CX for mobile users that they can. Currently, only 24% of retailers cited improving the mobile shopping experience as a top digital priority.  The top answer was creating a consistent brand experience across channels, at 57%. Tied at 38 %were increasing customer loyalty, improving personalization and improving user experience (navigation, speed, responsiveness). Clearly, improving the mobile CX must be moved up the digital priority list; if retailers don’t do this they risk being at a competitive disadvantage.

And looking into the future, according to this article Forrester “expects digital to influence 58% of retail sales by 2023 thanks in large part to the growing role that smartphones are playing in shoppers’ lives.”:

  • “Although online retail via smartphones accounts for only one-third of online retail sales, smartphones’ impact on retail sales is massive.”
  • “That’s because roughly 88% of U.S. online adults use a smartphone, 45% use a smartphone at least once a month to research products before making a purchase and 28% use a smartphone at least once a month to purchase physical products.”
  • “By 2023, Forrester expects smartphones to influence $1.4 trillion in sales.”

But mobile means two things: 1) a native mobile app OR  2) a mobile user accessing a web application via the device’s browser. In North America, 67% of all digital transactions now take place on mobile, with native mobile apps representing 47% according to eMarketer.

blogp25.png

This means that application developers need to consider both environments when designing new applications, but native mobile apps are certainly the future, as this article about Nike demonstrates. However, while native mobile apps are a big portion of online sales, less than half (45%) of online retailers have a native app.

Visual content is a critical factor towards providing a great mobile CX and retailers need to examine what they currently provide. A BigCommerce research study found that 78% of online shoppers want more images and 30% want more video from e-commerce sites. However, meeting this content demand can create slowdowns, such as improperly formatted images for mobile screens versus desktop, for example.

Optimizing your site for a superior customer experience (CX) to attract and convert visitors into paying customers doesn’t just mean fixing the slowest pages. It’s critical for online retailers to monitor, capture and analyze behavioral data from their real users and the devices they use. Having this visibility will allow you to pinpoint the trends and glean actionable insights required to deliver your customers a smooth shopping and purchase experience. Note the data presented about the conversion differences between Android users and iOS users; having this detailed information and adjusting your web application for it could help to boost Android conversion rates. 

All this focus on mobile CX can’t come at the expense of still providing an optimal desktop CX. Online retailers have spent years and substantial budget money enhancing their desktop environment and that should not diminish as desktop users are still a significant part of their visitors.

Operationally, online retailers need to plan far in advance. Notably, peak traffic events can occur at any time of the year. While major holidays are known, what about unforeseen events that can place a huge strain on your infrastructure? These might include a high profile event, like the Royal Wedding, that will increase global traffic demands, or a hurricane that will lead to increased activity at sites such as large box stores for goods to fortify homes and/or repair them.

Make sure your ability to scale is guaranteed, beyond what Marketing and Sales project for peak traffic. This entails testing from highly distributed locations to simulate global spikes as well as pushing applications to the limit, all well in advance. Other advice, especially having a contingency plan, can be found here.

It’s one thing to plan for peak traffic that could occur at any time, versus being prepared for security attacks that do occur at all times. Threat actors don’t take holidays and even though we saw spikes of increased attacks during the known holidays, in reality they are out there every day probing your site for weaknesses and openings.

As the Akamai SOTI Q4 2017 State of the Internet Report / Security details, in November 2017, the retail sector saw the largest amount of bot traffic, with 2.4 trillion requests. For perspective, the next highest vertical for bot traffic was high tech, with 1.28 trillion requests (see page. 24).

Everyone recognizes it’s important to protect customer personal data such as credit cards as well as transaction information; not everyone equates degraded site performance with a high volume of bot attacks that prevent legitimate customers from visiting and transacting on a site. DDoS attacks targeting retail sites are increasing, along with complexity of the attacks.

The wide variety of threat vectors makes it vital to have a broad range of security protection in place. Credential stuffing attacks were high over the seven holidays we are reporting on, but in truth they too are always present as this major online retailer recently discovered they were infiltrated from late September to November.

To reinforce how important is to plan for peak traffic events at all times, not just holidays, on Tuesday, December 11, 2018 the Akamai intelligent edge platform for securing and delivering digital experiences set a new record for peak traffic on its global content delivery network (CDN). On that day, the volume of data being delivered across the Akamai network exceeded 72 Tbps, surpassing the 70 Tbps threshold for the first time in the Company’s 20-year history. 

The record-setting volume of traffic, which is comparable to delivering more than 10 million DVDs per hour, was driven primarily by live sports events, gaming releases and major software updates along with elevated traffic levels from many of the world’s largest ecommerce sites. Of note, this record was set on a weekday, and it was NOT during a global event such as Black Friday, the World Cup or Olympics.

During the same day, Akamai processed hundreds of billions of API requests, hundreds of millions of dollars in e-commerce transactions, and trillions of internet interactions overall. We evaluated online retail traffic from around the world that touched nearly 100 retail websites and mobile retail apps, providing Akamai with more than 5 billion daily data points that we assessed in aggregate. Akamai is prepared to assist online retailers seeking to prepare for peak traffic demands as well as protect against threat actors. Visit akamai.com/peak for more information.

Resource List

Blogs/Articles

Infographics


*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Chris Wraight. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/L2kITVk1mZY/2018-peak-holiday-web-traffic-analysis-advice-for-2019---part-two.html