The top 10 bot threats in eCommerce
By Netacea / 08th Oct 2019
Bots account for up to 40% of all traffic to eCommerce websites. Some of these bots are good and some are extremely bad. Malicious bots are operated by a variety of threat actors, from individual hackers to competitors and large criminal organisations.
That means bot attacks can come in a range of shapes and sizes depending on the source and scale of the operation. It’s vital that eCommerce organisations can recognise the warning signs as they emerge and quickly mitigate the threat to their business and their customers.
In this blog, we explore the top 10 bots that all eCommerce businesses need on their radar.
1. Credential stuffing
Attackers take advantage of the billions of breached usernames and passwords (credentials) available on the dark web and use these to continually attempt to access customer accounts. Netacea has repeatedly identified between 100,000 and 1,000,000 malicious login attempts a week across individual eCommerce sites. Once the attacker has successfully gained entry to an account, the customer’s personally identifiable information (PII), loyalty points and anything else of value is plundered for resale on the dark web or used to make fraudulent purchases.
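One way a defender can pick the stuffing pattern out of ordinary login failures is to look at the mix of usernames per source rather than the raw failure count. The following detector is an added example, not Netacea's code; the log format, sample lines and thresholds are all assumptions.

```python
"""Flag likely credential-stuffing sources in a login audit log.

Added example, not Netacea's code; the log format and thresholds are assumptions.
Stuffing differs from brute force: one source tries many *different* usernames,
each only once or twice, so the distinct-username ratio among failures is high.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per source (assumption)
MIN_FAILS = 5                    # failed logins in window before judging (assumption)
MIN_DISTINCT_RATIO = 0.8         # distinct usernames / failed attempts (assumption)

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"

def find_stuffing_sources(lines):
    """Return {src_ip: (failed_attempts, distinct_usernames)} for flagged sources."""
    events = defaultdict(list)                      # ip -> [(ts, user, ok)]
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        window = []                                 # events within WINDOW of the latest
        for ev in evs:
            window.append(ev)
            while ev[0] - window[0][0] > WINDOW:
                window.pop(0)
            fails = [e for e in window if not e[2]]
            if len(fails) < MIN_FAILS:
                continue
            users = {e[1] for e in fails}
            if len(users) / len(fails) >= MIN_DISTINCT_RATIO:
                flagged[ip] = (len(fails), len(users))
    return flagged

# Constructed sample: a stuffing source, a single-account brute-force source,
# and a genuine user who mistypes a password twice.
SAMPLE_LOG = [
    *[f"2019-10-08T09:0{i}:00 203.0.113.9 user{i} fail" for i in range(6)],
    "2019-10-08T09:06:00 203.0.113.9 user6 ok",       # a hit: account taken over
    *[f"2019-10-08T09:0{i}:30 198.51.100.7 bob fail" for i in range(6)],
    "2019-10-08T09:01:00 192.0.2.5 carol fail",
    "2019-10-08T09:01:20 192.0.2.5 carol fail",
    "2019-10-08T09:01:40 192.0.2.5 carol ok",
]
```

Running `find_stuffing_sources(SAMPLE_LOG)` flags only the source that cycled through different usernames; the single-account brute-force source and the genuine user fall below the distinct-username ratio and the failure threshold respectively.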
2. Loyalty points abuse
It’s important to remember that attackers are clever and often willing to play the long game. For instance, successfully accessing an account following a credential stuffing attack might lead the perpetrator to decide that it’s worth monitoring the points or reward balance until it’s of greater value before stealing, transferring or reselling.
Not only does loyalty points abuse cost the eCommerce business directly, but attackers are typically targeting the organisation’s most loyal customers, who in turn lose trust in the brand.
3. Card cracking
Card cracking attacks are carried out via the continual, automated injection of CV2 codes (the three-digit security code on the reverse of your bank card). There are enormous lists of stolen card details readily available for purchase on the Dark Web, so all an attacker needs to do is programme their software to test three-digit combinations until they hit the jackpot. The card is then validated for fraudulent use or resale.
These attacks can become costly very quickly for eCommerce organisations, which incur the cost of the verification checks run through their payment provider, while payment gateways start to limit genuine as well as malicious transactions during attacks.
4. Gift card cracking
Gift cards are an easy target for criminals: bots are used to brute force and “crack” gift card codes, which are then either sold in the booming online marketplace for a fraction of their value or used to fraudulently obtain items.
5. Fake account creation
Fake account creation attacks are often overlooked, but they are, in fact, an early indicator of malicious behaviour. Attackers typically use fake accounts to mask card cracking, loyalty points abuse or credential stuffing activity.
6. Product scalping
For any eCommerce site selling limited edition items, product scalping attacks represent a serious threat. There is a wealth of tools at the disposal of attackers, enabling them to monitor and purchase entire releases of limited stock.
Due to their aggressive nature, these attacks pose a serious threat to a site’s availability while leaving loyal customers frustrated when the stock goes up for sale elsewhere at a much higher price.
7. Inventory abuse
Any retailer offering real-time stock availability is an attractive target for inventory abuse. Automated bots can hold large quantities of stock in a basket leaving items unavailable to real customers.
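The basket-holding problem above is usually contained by treating a basket as a time-limited reservation rather than a permanent claim on stock. The model below is an added example, not Netacea's code; the hold lifetime, per-session cap and the sneaker-drop scenario are assumptions.

```python
"""Expiring basket holds, so bots cannot park scarce stock in baskets indefinitely.

Added example, not Netacea's code. HOLD_TTL and MAX_PER_SESSION are assumptions;
a real deployment would pair this with fake-account and session-reputation checks,
since one operator can still open many sessions.
"""
from datetime import datetime, timedelta

HOLD_TTL = timedelta(minutes=10)   # how long a basket may hold stock (assumption)
MAX_PER_SESSION = 2                # per-session cap on a scarce SKU (assumption)

class Inventory:
    def __init__(self, stock):
        self.stock = dict(stock)   # sku -> units not currently held in any basket
        self.holds = {}            # (session, sku) -> (qty, expires_at)

    def _expire(self, now):
        """Return stock from holds whose TTL has passed."""
        for key, (qty, expires_at) in list(self.holds.items()):
            if expires_at <= now:
                self.stock[key[1]] += qty
                del self.holds[key]

    def reserve(self, session, sku, qty, now):
        """Try to hold qty of sku for this session; False if capped or out of stock."""
        self._expire(now)
        held, _ = self.holds.get((session, sku), (0, None))
        if held + qty > MAX_PER_SESSION or qty > self.stock.get(sku, 0):
            return False
        self.stock[sku] -= qty
        self.holds[(session, sku)] = (held + qty, now + HOLD_TTL)  # TTL restarts
        return True

    def available(self, sku, now):
        self._expire(now)
        return self.stock.get(sku, 0)

def simulate():
    """Constructed scenario: five bot sessions grab a 10-unit drop, then holds lapse."""
    t0 = datetime(2019, 10, 8, 9, 0)
    inv = Inventory({"sneaker": 10})
    assert inv.reserve("bot-1", "sneaker", 5, t0) is False      # over per-session cap
    for i in range(5):
        inv.reserve(f"bot-{i}", "sneaker", 2, t0)               # 5 sessions x 2 = all stock
    during = inv.available("sneaker", t0 + timedelta(minutes=1))    # 0: real buyer blocked
    after = inv.available("sneaker", t0 + timedelta(minutes=11))    # 10: holds expired
    return during, after
```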
8. Price scraping
eCommerce sites are constantly crawled by price scraping bots that are run by internal teams, third-party providers and often, competitors.
Sensitive pricing data is used to gain a competitive advantage while the price scraping activity itself creates spikes in traffic that can threaten availability and skew analytics.
9. Skewed analytics
As noted above, scraping bots make up a significant portion of eCommerce website traffic. So, when analytics data is used to inform essential decisions that fundamentally impact a business’s bottom line, including inventory and marketing strategy, it’s vital that eCommerce organisations keep their analytics reports free of bot traffic that may skew decisions.
10. Application DDoS
Distributed Denial of Service (DDoS) attacks utilise vast botnets to overwhelm a server and either severely slow it down or take a site down altogether. This can be very costly to eCommerce sites when a short delay of just three seconds can cause 57% of visitors to abandon their basket.
Application DDoS has a similar effect, but instead of exploiting weaknesses in network protocols it targets areas of application functionality that struggle when the application is under load, such as anything requiring heavy processing, third-party integrations or complex database activity.
Bot management for eCommerce
Netacea provides fast and accurate identification and categorisation of bot traffic for all web-facing applications, enabling eCommerce businesses to manage good bots and rapidly mitigate malicious threats without adding friction to the customer journey or affecting user privacy.