Home » Security Bloggers Network » Amazon Prime Day is Now a Major Holiday, Driving up Traffic by More Than 14% in the U.S.

Amazon Prime Day is Now a Major Holiday, Driving up Traffic by More Than 14% in the U.S.

by Chris Wraight on July 25, 2019

For the just-completed Amazon Prime Day (a full 48 hours this year), published reports indicate that it was the largest shopping event in Amazon’s history, exceeding their own 2018 sales for both Black Friday and Cyber Monday combined.

And this year, there were more than 250 other retailers that leveraged Prime Day with incentives and promotions of their own (up from 194 in 2018 and 119 in 2017). In fact, some major retailers began their promotion the week before Prime Day to try and get a jump on Amazon. These large retailers (defined as those with $1 billion-plus in annual revenue) experienced a 72% increase in online sales the second day of Prime Day compared to an average Tuesday and a 64% increase on the first day.

This increase in participation and strong revenue figures mean that traffic was up as shoppers researched and purchased items. We tabulated and analyzed aggregate statistics from global online retail traffic that touched nearly 100 retail websites and mobile retail apps, providing Akamai with more than 5 billion daily data points. For our baseline, we used the month of June 2018 and did not adjust for the fact that 2018 Prime Day was 36 hours vs. 48 hours for Prime Day 2019.

GLOBAL TRAFFIC

Because this is such a U.S.-centric holiday, global traffic actually decreased in other regions, with the exception of LATAM, where baseline traffic increased nearly three times as much as the U.S. For the actual holidays, while LATAM traffic increased, it was less than the U.S. on Day 1 and decreased on Day 2 when compared to the baseline, which means LATAM traffic is up overall, which may be totally unrelated to Prime Day.

Sponsorships Available

In the U.S., session traffic was up over 14% on Day 1, compared to the baseline month of June; on Day 2, traffic was up by much less, 5%, which is probably reflective of interest tailing off, as seen in all the other regions.

If we examine Prime Day 1 and Prime Day 2 year-over-year, then LATAM has some dramatic increases. Last Fall, we saw LATAM retailers aggressively promoting Black Friday sales; perhaps they were also heavily leveraging Prime Day as well.

DEVICES

Mobile was again the dominant device in use, which is probably due to its increased use as a research tool while in stores, as well as an increase in specific retailer mobile app usage.

Looking at just Prime Day 1, the year-over-year change shows a healthy increase (12.94%) for mobile, with a decrease for desktop and a very large drop (-21.42%) for tablets.

Conversion rates remained consistent with what we observed during the baseline – mobile conversion is roughly half of desktop and a little under that for tablets. Consumer behavior remains researching on mobile devices but completing the transaction(s) on either a desktop or tablet. Clearly, retailers have work to do towards improving mobile CX for the entire cycle.

MOBILE OS & CONVERSION RATES

Android continued its lead over iOS, pretty consistently across the baseline and both Prime Days. Android outnumbers iOS by a 4-1 margin globally so this is consistent.

What’s also consistent is that iOS users have a higher conversion rate than Android users. We saw this through last year’s peak holiday traffic events and have no reason to believe it will change this year.

The increase in traffic (especially mobile) reinforces how important it is for retailers to be prepared for traffic spikes, at any time. The U.S. traffic increased over 14%, what if it increased 25%? Are your systems prepared to handle an unforeseen jump of this magnitude?

Also, the growing number of shoppers who use their mobile device to research means that it is vital to present images and videos quickly, regardless of device, browser or connection speed. As this eMarketer data shows, a large number of images, and increasingly videos, are expected by shoppers.

SECURITY

According to Akamai’s ‘2019 State of the Internet / Security: Retail Attacks and API Traffic‘ (SOTI), between May 1 and December 31, 2018, there were 10 billion credential stuffing attempts in the retail industry detected on Akamai’s network, approximately 30% of the 28 billion credential abuse attempts in all of our customers’ industries over the same period; retail was the top industry targeted (see the chart below). Clearly, retail is the most attractive target to threat actors on the hunt for customer data, credit cards, etc.

Web Application Attacks

During Cyber Monday 2018, Akamai detected 3.3 million SQL Injection attacks. In comparison, for Prime Day (note, two days, 48 hours), the number of SQL Injection attacks Akamai saw jumped to nearly 20 million, a 506% increase! The higher visibility not only of Amazon’s Prime Day promotions but also the 250+ other major retailers leveraging Prime Day brought out the threat actors and contributed to the dramatic increases in all of the attack types.

Bot Attacks

The Akamai report ‘State of the Internet / Security: DDoS and Application Attacks‘ highlights bot-generated automated credential stuffing attempts that we track. According to our research, bots can represent up to 60% of overall web traffic, but less than half of them are actually declared as bots – making tracking and blocking difficult. Compounding this is the fact that not all bots are malicious, which the SOTI report elaborates on. It is difficult for many retailers to make this determination, however, due to a combination of the sheer bot numbers as well as limited staffing and expertise.

Nearly 10 billion total bot attacks during the 48 hours of Prime Day is equal to the number of retail-specific bot attacks we detected from May to December 2018. Prime Day was very attractive to threat actors due to the high visibility of Prime Day and the larger number of retailers offering their own promotions.

The 367% increase in credential abuse/stuffing bots as compared to 2018 Cyber Monday (note, Prime Day period was 48 hours) appears logical due to the high attractiveness of consumer data, and the knowledge that a lot more users would be active during Prime Day. Detecting, correctly interpreting and remediating credential stuffing attacks needs to be a top priority of retailers, especially going into the Q4 holiday peak traffic season.

Consistent with the peak holiday traffic events we monitored and reported on in 2018, the U.S. was the top country targeted for attacks; which makes sense as it’s primarily a U.S. event.

For Prime Day, the U.S. was the highest source country, also consistent with other 2018 holidays like Black Friday. As always, it’s very easy for threat actors to obfuscate their true origin so it’s challenging to ensure 100% accuracy.

SUMMARY

Amazon Prime Day has evolved to become an extremely important and high peak traffic event on its own, as evidenced by the 14% increase in U.S. internet traffic that Akamai tracks. That, plus the fact that more than 250 other large retailers sought to leverage Prime Day consumer interest by running their own major promotions underscores how important of an event it was not only for thwarting threat actors but also planning for traffic peaks.

Optimizing CX for the large number of mobile users accessing retailers’ web sites either by a device browser or native mobile app remains a critical priority. These mobile users will continue to outnumber desktops and managing and delivering high quality images and videos is a key to success. However, desktop optimization should not be ignored either since there are still a high number of desktop users, and consumers preferred to use their desktop to complete the sale.

With recent record-setting fines (two for GDPR violations) and remediation costs (one for consumer data theft) of nearly $1 billion, retailers must devote significant time, resources and budget to locking down their sites and preventing the theft of their customer’s personal data. The pending California Consumer Privacy Act will add significant data protection requirements; while it is limited to California at its January 2020 start date, most observers expect other states to implement their own legislation in the near future. It’s also important that any security measures that are implemented do not negatively impact site performance; it’s a balancing act that retailers should enlist a partner to address.

Prepare for peak traffic by testing your website and mobile application performance at any load and request your CloudTest demo.