
The top 10 bot threats in eCommerce

By Netacea / 08th Oct 2019

Bots account for up to 40% of all traffic to eCommerce websites. Some of these bots are good and some are extremely bad. Malicious bots are operated by a variety of threat actors, from individual hackers to competitors and large criminal organisations.

That means bot attacks can come in a range of shapes and sizes depending on the source and scale of the operation. It’s vital that eCommerce organisations can recognise the warning signs as they emerge and quickly mitigate the threat to their business and their customers.

In this blog, we explore the top 10 bots that all eCommerce businesses need on their radar.

1. Credential stuffing

Attackers take advantage of the billions of breached usernames and passwords (credentials) available on the dark web and use them to make repeated attempts to access customer accounts. Netacea has repeatedly identified between 100,000 and 1,000,000 malicious login attempts a week across individual eCommerce sites. Once an attacker has gained entry to an account, the customer’s personally identifiable information (PII), loyalty points and anything else of value are plundered for resale on the dark web or used to make fraudulent purchases.

2. Loyalty points abuse

It’s important to remember that attackers are clever and often willing to play the long game. For instance, successfully accessing an account following a credential stuffing attack might lead the perpetrator to decide that it’s worth monitoring the points or reward balance until it’s of greater value before stealing, transferring or reselling.

Not only does loyalty points abuse cost the eCommerce business directly, but attackers are typically targeting the organisation’s most loyal customers, who in turn lose trust in the brand.

3. Card cracking

Card cracking attacks are carried out via the continual, automated injection of CV2 codes (the three-digit security code on the reverse of your bank card). There are enormous lists of stolen card details readily available for purchase on the dark web, so all an attacker needs to do is program their software to test three-digit combinations until they hit the jackpot. The card is then validated for fraudulent use or resale.

These attacks can become costly very quickly for eCommerce organisations, who must carry out checks from their payment provider, while payment gateways start to limit real as well as malicious transactions during attacks.
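Because a card cracking run repeats security-code guesses against the same card, a velocity check keyed on the card rather than on the client address catches it even when each guess arrives from a different IP. The sketch below is an added example, not Netacea's code; the event fields, tokens, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumed look-back window
MAX_CVV_FAILURES = 5   # assumed threshold for security-code declines per key

def build_sample_events():
    """Constructed events: (epoch seconds, card token, client IP, gateway result).
    Only a card token and the decline reason are logged, never the code itself."""
    events = []
    # tok_A: eight security-code declines in 70 seconds, each from a new IP
    for i in range(8):
        events.append((1000 + i * 10, "tok_A", f"198.51.100.{i + 1}", "cvv_mismatch"))
    # tok_B: a shopper who mistypes twice and then pays successfully
    events += [
        (1005, "tok_B", "203.0.113.7", "cvv_mismatch"),
        (1030, "tok_B", "203.0.113.7", "cvv_mismatch"),
        (1060, "tok_B", "203.0.113.7", "approved"),
    ]
    # tok_C: occasional declines an hour apart, never clustered
    for i in range(6):
        events.append((1000 + i * 3600, "tok_C", "203.0.113.9", "cvv_mismatch"))
    return sorted(events)

def velocity_alerts(events, key="card", window=WINDOW_SECONDS, limit=MAX_CVV_FAILURES):
    """Return {key value: time of first alert} for security-code decline bursts.
    key="card" groups by card token, key="ip" groups by client address."""
    field = 1 if key == "card" else 2
    recent = defaultdict(deque)   # key value -> timestamps inside the window
    alerts = {}
    for event in events:
        ts, result = event[0], event[3]
        if result != "cvv_mismatch":
            continue
        q = recent[event[field]]
        q.append(ts)
        while ts - q[0] > window:   # drop declines older than the window
            q.popleft()
        if len(q) >= limit and event[field] not in alerts:
            alerts[event[field]] = ts
    return alerts

if __name__ == "__main__":
    sample = build_sample_events()
    print("by card:", velocity_alerts(sample, key="card"))
    print("by ip:  ", velocity_alerts(sample, key="ip"))
```

On the constructed data the per-card view raises one alert while the per-IP view raises none, which is why IP-based rate limits alone do not stop this attack.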


4. Gift card cracking

Gift cards are an easy target for criminals: bots are used to brute force and “crack” gift card codes, which are either sold in the booming online marketplace for a fraction of their value or used to fraudulently obtain items.

5. Fake account creation

Fake account creation attacks are often overlooked, but they are in fact an early indicator of malicious behaviour. Attackers typically use fake accounts to mask card cracking, loyalty points abuse or credential stuffing activity.

6. Product scalping

For any eCommerce site selling limited edition items, product scalping attacks represent a serious threat. There is a wealth of tools at the disposal of attackers, enabling them to monitor and purchase entire releases of limited stock.

Due to their aggressive nature, these attacks pose a serious threat to a site's availability while leaving loyal customers frustrated when stock goes up for sale elsewhere, for a much larger price tag.

7. Inventory abuse

Any retailer offering real-time stock availability is an attractive target for inventory abuse. Automated bots can hold large quantities of stock in a basket leaving items unavailable to real customers.


8. Price scraping

eCommerce sites are constantly crawled by price scraping bots that are run by internal teams, third-party providers and, often, competitors.

Sensitive pricing data is used to gain a competitive advantage while the price scraping activity itself creates spikes in traffic that can threaten availability and skew analytics.


9. Skewed analytics

As noted above, scraping bots make up a significant portion of eCommerce website traffic. So, when analytics data is used to inform essential decisions that fundamentally impact a business’s bottom line, including inventory and marketing strategy, it’s vital that eCommerce organisations keep their analytics reports free of bot traffic that may skew decisions.


10. Application DDoS

Distributed Denial of Service (DDoS) attacks utilise vast botnets to overwhelm a server and either severely slow it down or take a site down altogether. This can be very costly to eCommerce sites when a short delay of just three seconds can cause 57% of visitors to abandon their basket.

Application DDoS has a similar effect, but instead of exploiting weaknesses in network protocols it looks for areas of application functionality that will struggle when the application is under load, such as anything requiring high processor usage, third-party integration or complex database activity.
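Since application DDoS concentrates on the functionality that is most expensive to serve, a per-client limit that charges each request by its cost holds up better than a flat request count. The sketch below is an added example, not Netacea's code; the route paths, cost weights, bucket size and refill rate are all assumptions, and the request trace is constructed.

```python
from collections import defaultdict

# Assumed relative cost per route (hypothetical paths); unlisted routes cost 1.
ROUTE_COST = {"/checkout/quote": 10, "/search": 5, "/static/logo.png": 1}

class CostBucket:
    """Token bucket that charges each request its route cost."""
    def __init__(self, capacity=20.0, refill_per_sec=2.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity
        self.last = None

    def allow(self, route, now):
        if self.last is not None:
            earned = (now - self.last) * self.refill_per_sec
            self.tokens = min(self.capacity, self.tokens + earned)
        self.last = now
        cost = ROUTE_COST.get(route, 1)
        if cost > self.tokens:
            return False          # reject before the expensive handler runs
        self.tokens -= cost
        return True

def sample_requests():
    """Constructed trace of (client, route, seconds)."""
    reqs = [("bot", "/checkout/quote", i * 0.1) for i in range(10)]
    reqs += [("shopper", "/static/logo.png", i * 0.1) for i in range(10)]
    reqs.append(("shopper", "/search", 1.0))
    return sorted(reqs, key=lambda r: r[2])

def replay(requests):
    """Return accepted request counts per (client, route)."""
    buckets = {}
    accepted = defaultdict(int)
    for client, route, now in requests:
        bucket = buckets.setdefault(client, CostBucket())
        if bucket.allow(route, now):
            accepted[(client, route)] += 1
    return dict(accepted)

if __name__ == "__main__":
    for key, count in sorted(replay(sample_requests()).items()):
        print(key, count)
```

Both clients send about ten requests a second, so a flat per-request limit would treat them alike; weighting by cost lets the shopper through while the client hammering the quote endpoint is cut off after two calls.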


Bot management for eCommerce

Netacea provides fast and accurate identification and categorisation of bot traffic for all web-facing applications, enabling eCommerce businesses to manage good bots and rapidly mitigate malicious threats without adding friction to the customer journey or affecting user privacy.

To find out more about how we can help your eCommerce organisation tackle the growing bad bot threat, head to Bot Management for eCommerce or talk to a Netacea data scientist today.
