The holiday season is almost upon us, marking one of the busiest times of the year for online sales. While businesses and consumers alike are preparing for the festivities, there’s another group making their own holiday preparations — cybercriminals.
‘Tis the season for automated fraud and web skimming attacks
And the payoffs during this time of year are high — according to Deloitte, nearly 60 percent of shoppers will spend their holiday budgets online rather than shopping in a store, and the average household is planning to spend almost $1,500 this season.
Over the past year, the Instart Threat Response and Intelligence team has identified two key attack vectors being used by bad actors: bot attacks and web skimming attacks.
Bad bots are poised to ruin holiday shopping for companies and customers
Automated traffic is now almost 40 percent of internet traffic, and bad bots account for over half of automated traffic.
There are several ways bad bots tend to try and steal from online businesses during the holiday season:
- Credential stuffing attacks are continuous automated efforts using bots to acquire access to accounts with stolen credentials until access is granted. Since 51 percent of people use the same password for multiple sites, this is an easy attack that enables attackers to take over accounts.
- Account takeover (ATO) fraud is the act of taking over an account (often through the use of credential stuffing) for malicious purposes. Around 40 percent of all account access attempts online are now high risk and losses from fraudulent online transactions are expected to reach $25.6 billion by 2020.
- Automated fraud like gift card fraud is another popular holiday bot attack avenue. Typically, bots are used to automate attempts to guess gift card numbers in order to steal legitimate gift card balances. Bots can perform over 100 attacks per second.
- Inventory holding attacks are particularly troublesome during the holidays, especially for companies that are offering promotions at limited availability. In these cases, bots normally buy or hold the entire available stock of “limited” items, such as a best-selling toy, and then resell at a higher price.
All of the above attacks damage the consumer experience, and failing to secure your web apps against bad bots can also hurt your overall brand reputation and result in lost revenue.
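As an added example (not from the original post and not Instart's product logic), the following Python shows one simple server-side signal for the credential stuffing and account takeover patterns listed above: a single source trying many distinct accounts in a short window with mostly failed logins, plus the accounts that source did get into. The event format, thresholds, and addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune against your own login baseline.
WINDOW_SECONDS = 60        # sliding window per source address
MIN_DISTINCT_USERS = 5     # distinct usernames tried inside the window
MIN_FAILURE_RATIO = 0.8    # share of failed attempts inside the window

# Constructed sample events: (epoch_seconds, source_ip, username, success)
SAMPLE_EVENTS = (
    # One source walking a credential list; one stolen pair works (user6).
    [(1000 + i, "203.0.113.7", f"user{i}", i == 6) for i in range(10)]
    # A person mistyping their own password, then succeeding.
    + [(1002, "198.51.100.20", "alice", False),
       (1010, "198.51.100.20", "alice", False),
       (1020, "198.51.100.20", "alice", True)]
    # Shared office address: many users, but the logins succeed.
    + [(1005 + i, "192.0.2.50", f"staff{i}", True) for i in range(6)]
)

def detect_credential_stuffing(events, window=WINDOW_SECONDS,
                               min_users=MIN_DISTINCT_USERS,
                               min_fail_ratio=MIN_FAILURE_RATIO):
    """Return {source_ip: usernames that logged in successfully from it}
    for every source that matched the stuffing pattern at any point."""
    recent = defaultdict(deque)    # source -> attempts still inside the window
    successes = defaultdict(set)   # source -> accounts it authenticated to
    flagged = set()
    for ts, ip, user, ok in sorted(events):
        attempts = recent[ip]
        attempts.append((ts, user, ok))
        while ts - attempts[0][0] > window:   # expire attempts older than the window
            attempts.popleft()
        if ok:
            successes[ip].add(user)
        users = {u for _, u, _ in attempts}
        failures = sum(1 for _, _, s in attempts if not s)
        if len(users) >= min_users and failures / len(attempts) >= min_fail_ratio:
            flagged.add(ip)
    # Successful logins from a flagged source are account takeover candidates:
    # force a password reset and review recent activity on those accounts.
    return {ip: successes[ip] for ip in flagged}

if __name__ == "__main__":
    for ip, accounts in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, "flagged; accounts to review:", sorted(accounts))
```

The failure-ratio check is what keeps the shared office address from being flagged. A per-source threshold like this misses attempts spread across many addresses or paced slower than the window.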
A strong bot management solution, specifically one aimed at detecting sophisticated bots, is the best way to mitigate the threat of bad bots. Instart Bot Management offers industry-leading protection against bot activity with technology that collects signals across both the client and server to validate users and their browsers to ensure they are human.
By blocking sophisticated bots, you will mitigate the risk of credential stuffing, ATO fraud, gift card fraud, and inventory holding attacks having a negative impact on your apps, your customers, or your brand during the holidays — and throughout the rest of the year.
E-skimming is making headlines — stop Magecart from ruining the holiday spirit
Magecart web skimming attacks have been disclosed at Ticketmaster, British Airways, and Newegg — and earlier in the year, it was reported that Magecart has infected over 2 million websites. This type of attack is becoming so prevalent that the FBI has even issued a warning to both public and private enterprises in the United States about the dangers of e-skimming attacks.
And with the holiday shopping season ahead, this will be prime time for web skimming attacks — according to Adobe, online sales in the United States will reach a record-breaking high of $143 billion for the 2019 holiday season.
*** This is a Security Bloggers Network syndicated blog from Instart blog RSS authored by Elle Poole Sidell. Read the original post at: https://www.instart.com/blog/holiday-bots-and-web-skimming-protection