Tips for secure retailing this holiday season from Imperva
The e-commerce industry remains a lucrative target for cybercriminal activity, and attacks often peak during the holiday shopping season, says Imperva. Built on a vast network of API connections and third-party dependencies, online retailers are increasingly vulnerable to business logic abuse and client-side attacks*, the company noted. Motivated cybercriminals are also eager to compromise user accounts for personal data and payment information.
Image: cover of the 2023 Imperva Bad Bot Report. Source: Imperva.
A successful security incident can lead to higher infrastructure and support costs, degraded online services, and, ultimately, customer churn.
In research conducted by Imperva, business logic attacks accounted for 25% of all attacks on Singaporean retail sites, up from 10% for the same period a year ago. While still below the global average of 37%, the volume of business logic attacks on Singaporean retail sites actually increased 62% year-on-year. According to the 2023 Imperva Bad Bot report:
- Singapore retailers saw a significantly higher proportion of simple bot traffic (87%); nearly 3x more than the global average (32%). This breed of bots is typically designed to perform specific, predefined tasks without complex decision-making or artificial intelligence. While they help automate mundane and repetitive tasks, they can also be abused for malicious purposes such as spamming, data scraping for unauthorised purposes, or engaging in cyberattacks towards retailers.
There has also been a noticeable shift in bot technology, with roughly 11% of bad bots making the jump from 'simple' to the next level of sophistication. In Singapore, 41% of all bad bots were advanced bad bots in 2022, up from 8.8% in 2021.
- The proportion of bad bots on Singapore retail sites is higher (24.1%) than the global average (22.7%). The high volume of bad bots on local retail sites can lead to implications such as higher security risks, greater damage, poorer user experience, greater resource consumption, and heightened data privacy concerns for retailers, Imperva said.
Imperva's recommendations include:
- Prepare for a high volume of traffic, as well as distributed denial-of-service (DDoS) attacks. Retailers should consider implementing a waiting room queueing system that can ensure site performance and maintain a positive customer experience. They should also stress-test their infrastructure regularly, especially before high traffic is anticipated.
- Prioritise the security of the client side. Magecart-style attacks** are notorious for using compromised first or third-party JavaScript to exfiltrate sensitive information from website forms such as login and checkout. To mitigate this risk, perform continuous monitoring and inventorying of all services on the client side, review them, and ensure that only authorised ones can run.
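One way to act on that inventory-and-allowlist advice, as an added example that is not Imperva's code or the article's own: audit a snapshot of the scripts a page loads against an allowlist of reviewed origins and Subresource Integrity (SRI) hashes, then emit the Content-Security-Policy header that makes the browser enforce the same allowlist. The inventory, origins, nonce and hash values are constructed placeholders.

```javascript
// Added example, not code from Imperva or the article: audit a snapshot of the
// scripts a page loads against an allowlist of reviewed origins and SRI hashes,
// then emit the Content-Security-Policy that enforces that allowlist.
// The inventory, origins, nonce and hash values below are constructed placeholders.
const ALLOWED_SCRIPTS = {
  "https://shop.example": null, // first party: any path, SRI not required
  "https://cdn.example": new Set(["sha384-PLACEHOLDER_CART_JS"]), // exact pinned hash
};

// Snapshot of <script> tags as a client-side inventory tool might record them.
const INVENTORY = [
  { src: "https://shop.example/static/app.js", integrity: null, nonce: null },
  { src: "https://cdn.example/cart.js", integrity: "sha384-PLACEHOLDER_CART_JS", nonce: null },
  { src: "https://cdn.example/cart.js", integrity: null, nonce: null }, // pin stripped
  { src: "https://analytics.unknown-example/tag.js", integrity: null, nonce: null }, // unreviewed
  { src: null, integrity: null, nonce: "r4nd0m" }, // inline, carries the page nonce
  { src: null, integrity: null, nonce: null }, // inline, no nonce: injected or unreviewed
];

function auditScripts(inventory, allowlist) {
  const findings = [];
  for (const s of inventory) {
    if (!s.src) { // inline script: only acceptable if it carries the per-response nonce
      if (!s.nonce) findings.push({ script: "(inline)", reason: "inline script without nonce" });
      continue;
    }
    let origin;
    try { origin = new URL(s.src).origin; } catch { origin = null; }
    if (!origin || !(origin in allowlist)) {
      findings.push({ script: s.src, reason: "origin not in allowlist" });
      continue;
    }
    const pinned = allowlist[origin];
    if (pinned && !pinned.has(s.integrity)) {
      findings.push({ script: s.src, reason: "missing or unexpected SRI hash" });
    }
  }
  return findings;
}

// Header that makes the browser enforce the same allowlist on every response.
function buildCsp(allowlist, nonce) {
  const origins = Object.keys(allowlist).join(" ");
  return `script-src 'nonce-${nonce}' ${origins}; object-src 'none'; base-uri 'self'`;
}
```

Run the audit on every deploy and on a schedule against the live page, since the pinned hash only helps if a changed or newly added script actually fails the check.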
- Marketing and e-commerce campaigns are likely to become targeted by bots. Bad actors will likely employ bots to buy up as much inventory from highly anticipated product drops as possible. Prepare to handle increases in traffic volume that are likely to include a high proportion of bots.
- Protect critical paths and website functionalities from bots seeking to abuse business logic. Some website functionalities are highly exploitable. For example, login functionality opens up the possibility of credential stuffing and credential cracking attacks. Adding a checkout form increases the chances of carding or card cracking. Employ a stricter ruleset, and ensure a bot mitigation solution properly protects your pages.
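The "stricter ruleset" for login and checkout usually starts with the traffic shape those abuses share: one client cycling through many different identities on one path in a short window. The following detection logic is an added example, not Imperva's code or the article's own; the log lines, IP addresses, card tokens and thresholds are all constructed for illustration.

```javascript
// Added example, not code from Imperva or the article: flag a client that cycles
// through many distinct identities on a critical path inside a short window, the
// traffic shape of credential stuffing (login) and carding (checkout).
// Log lines, IPs, tokens and thresholds are all constructed for illustration.
const LOG_LINES = [
  "2023-11-24T10:00:01Z 203.0.113.5 POST /login user=alice status=401",
  "2023-11-24T10:00:02Z 203.0.113.5 POST /login user=bob status=401",
  "2023-11-24T10:00:03Z 203.0.113.5 POST /login user=carol status=401",
  "2023-11-24T10:00:04Z 203.0.113.5 POST /login user=dave status=401",
  "2023-11-24T10:00:05Z 203.0.113.5 POST /login user=erin status=200",
  "2023-11-24T10:00:06Z 198.51.100.9 POST /login user=alice status=401", // real user, typo
  "2023-11-24T10:00:40Z 198.51.100.9 POST /login user=alice status=200",
  "2023-11-24T09:58:00Z 203.0.113.7 POST /checkout card=tok_a status=402", // outside window
  "2023-11-24T10:00:10Z 203.0.113.7 POST /checkout card=tok_b status=402",
  "2023-11-24T10:00:20Z 203.0.113.7 POST /checkout card=tok_c status=402",
  "2023-11-24T10:00:30Z 203.0.113.7 POST /checkout card=tok_d status=402",
];
// Per path: which field is the cycled identity, and how many distinct values one IP
// may present inside the window. Status is parsed but deliberately not required to
// be a failure: stuffing with leaked valid credentials produces successes too.
const RULES = {
  "/login":    { key: "user", maxDistinct: 4, windowMs: 60_000, label: "credential stuffing" },
  "/checkout": { key: "card", maxDistinct: 2, windowMs: 60_000, label: "carding" },
};

function parseLine(line) {
  const m = /^(\S+) (\S+) POST (\S+) (\w+)=(\S+) status=(\d+)$/.exec(line);
  return m && { ts: Date.parse(m[1]), ip: m[2], path: m[3], key: m[4], ident: m[5], status: +m[6] };
}

function detectAbuse(lines, rules = RULES) {
  const events = lines.map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const alerts = [];
  for (const [path, rule] of Object.entries(rules)) {
    const byIp = new Map();
    for (const e of events) {
      if (e.path !== path || e.key !== rule.key) continue;
      byIp.set(e.ip, (byIp.get(e.ip) || []).concat(e));
    }
    for (const [ip, evs] of byIp) {
      let start = 0; // sliding window: drop events older than windowMs
      for (let end = 0; end < evs.length; end++) {
        while (evs[end].ts - evs[start].ts > rule.windowMs) start++;
        const distinct = new Set(evs.slice(start, end + 1).map(e => e.ident)).size;
        if (distinct > rule.maxDistinct) {
          alerts.push({ ip, path, label: rule.label, distinct });
          break; // one alert per IP and path is enough to act on
        }
      }
    }
  }
  return alerts;
}
```

Keying on the source IP is the simplest version; distributed bots spread across many addresses, so production rules also group by session, device fingerprint or the bot mitigation layer's client identifier.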
- Encourage good account credential hygiene and safety. Ensure that user passwords require a minimum number of characters and the use of capital letters, numbers, symbols, etc. Implementing multifactor authentication (MFA) and encouraging its use is highly recommended. Also, have a bot mitigation solution with dedicated account takeover prevention capabilities.
- Stay ahead of the scammers. Stay apprised of any phishing campaigns, and make sure to alert your customers of any suspicious campaigns making use of your brand.
“The pandemic accelerated the digital transformation of Asia’s retail sector, as companies swiftly adapted to changing consumer needs. However, the region's diverse markets, complex supply chains, and varying cybersecurity readiness levels have left Asian retailers vulnerable to increasingly complex security threats,” said George Lee, Senior VP, Asia Pacific and Japan, Imperva.
“The surge in bot sophistication over the past year is especially concerning, as this breed of automation can exploit business logic, compromise APIs, and take over user accounts, posing a tangible threat to retailers’ year-end sales and impacting their bottom line.”
*According to Imperva, a business logic attack is one which exploits an application or API's intended functionality and processes rather than its vulnerabilities. Most attacks on business logic are automated, and often focus on abusing API connections. In retail, attackers abuse business logic to manipulate pricing or access restricted products. A client-side attack, on the other hand, is one where the user is duped into downloading malware.
**According to Imperva, “Magecart” refers to several hacker groups that employ online skimming techniques to steal personal data from websites that accept online payments, including customer details and credit card information.