The 3 days between “Black Friday” and “Cyber Monday” are when online retailers often enjoy their highest sales numbers for the year. Yes, it’s a very big deal. While consumers and retailers eagerly anticipate this 3-day shopping span, botmasters are, unfortunately, just as eager: they are laying the groundwork for bot attacks on e-commerce websites and mobile applications to take advantage of unsuspecting consumers. As is usually the case, these bot attacks are launched for financial gain, price gathering or obtaining valuable proprietary content through scraping attacks.
Online retailers need to ensure they’re well prepared for Black Friday and the upcoming onslaught of bot attacks. Even though many e-commerce companies either have an in-house solution or rely on their WAF to protect against bots, that doesn’t mean they can’t fall victim. And if they’re hoping their site won’t get infected, even with these solutions in place, they’re playing with fire. Hope is not a good security strategy.
Below are the six most common bot attacks that will invariably be at work on Black Friday and Cyber Monday.
1. Account Takeover (ATO)
Account Takeover will arguably be the biggest threat to online retailers this holiday season. ATO attacks not only directly impact customers who stand to lose available balances and discount vouchers on websites but can hurt retailers when their customers’ personally identifiable information (PII) is obtained to carry out fraud. Resolving ATO attacks involves considerable time, expense, and effort. Even worse, it often means retailers can incur legal penalties and financial problems in the form of lost sales and a damaged business reputation. And in business, of course, you’re only as good as your reputation.
2. Application Denial of Service (DoS)
DoS attacks are designed to dramatically slow down a retailer’s online traffic or entirely take its site or mobile app offline. When consumers can’t get to you, they can’t buy from you. Guess what? They’ll quickly head to your competitors to make their purchase(s). If an online retailer is looking forward to higher revenue on Black Friday or Cyber Monday, a DoS attack can quickly wipe out eagerly anticipated sales.
3. Cart Abandonment
If you’ve ever had to purchase an item at an exorbitant price due to a lack of supply, you, and the online retailer, may have fallen victim to a cart abandonment attack. Here’s how it works. A bot adds products to shopping carts on an online retail website, which wipes out the available inventory of those products. The carts are then abandoned and never checked out, but the inventory is still listed as out of stock, which leaves the products available only on secondary markets at highly inflated prices. In short, cart abandonment makes high-demand products unavailable to consumers. As a result, the afflicted retailer suffers from poor sales and customers head straight to competitors. Oh, and PR suffers. No retailer wants to be known as the one that can’t keep its online shelves stocked.
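The cart abandonment mechanism described above can be made visible in cart telemetry. As an added example (not Radware's code), this Python block replays constructed cart events, reports which clients hold a large share of a product's stock without buying, and shows how expiring stale holds returns inventory to shoppers; the event format, `EVENTS`, `STOCK`, `ttl` and `max_share` are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, client_id, action, sku, qty)
EVENTS = [
    (0, "c1", "add", "console", 1),
    (30, "c1", "checkout", "console", 1),
    (40, "bot7", "add", "console", 6),
    (45, "bot7", "add", "console", 6),
    (50, "bot7", "add", "gpu", 4),
    (60, "c2", "add", "gpu", 1),
    (900, "c2", "checkout", "gpu", 1),
]
STOCK = {"console": 15, "gpu": 10}  # constructed starting inventory

def replay(events, now, ttl):
    """Replay events up to `now`; return (live_holds, sold).
    A hold older than `ttl` seconds counts as released back to inventory."""
    holds, sold = defaultdict(list), defaultdict(int)
    for ts, client, action, sku, qty in sorted(events):
        if ts > now:
            break
        if action == "add":
            holds[(client, sku)].append((ts, qty))
        elif action == "checkout":
            holds.pop((client, sku), None)  # the hold became a sale
            sold[sku] += qty
    live = {}
    for key, items in holds.items():
        units = sum(q for ts, q in items if now - ts < ttl)
        if units:
            live[key] = units
    return live, sold

def sellable(events, now, ttl, stock=STOCK):
    """Units of each SKU a real shopper can still buy at `now`."""
    live, sold = replay(events, now, ttl)
    left = {sku: n - sold[sku] for sku, n in stock.items()}
    for (_, sku), units in live.items():
        left[sku] -= units
    return left

def hoarders(events, now, ttl, max_share=0.25, stock=STOCK):
    """Clients whose unpurchased holds on one SKU reach `max_share` of stock."""
    live, _ = replay(events, now, ttl)
    return sorted((c, sku, units) for (c, sku), units in live.items()
                  if units / stock[sku] >= max_share)
```

Without a hold expiry, the constructed client `bot7` keeps 12 of 15 consoles out of reach; with a 600-second expiry those units are sellable again once the holds age out.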
4. Content Scraping
Content Scraping occurs when bots are deployed, without authorization from content owners, to plagiarize proprietary and often expensive-to-develop marketing content. This can include professionally created product photos, videos, descriptions, even customer reviews that help consumers make shopping decisions. With the scraped information, competitors can quickly boost their sales and marketing efforts without investing the time and effort that the original content owner incurred. To add insult to injury, the plagiarized content can sometimes even outrank the original content in online searches.
5. Price Scraping
Price Scraping is the systematic use of bots to obtain pricing and discount data from an online retailer without its permission. While it’s usually an activity carried out by competitors, price comparison services or market intelligence and analysis companies, price scraping exposes retailers to competitors matching or undercutting their prices to lure away customers, which impacts revenue.
6. Fake Account Registration
Fake Account Registration is typically carried out by botmasters in preparation to launch attacks like those listed above. These fake, automated accounts aren’t registered to a real person and only serve to help botmasters scout for website and application vulnerabilities to exploit. They also enable botmasters to obtain introductory offers and freebies they can trade or sell on the dark web. And, of course, fake accounts never convert into actual sales.
How To Protect Against Malicious Bot Attacks
It’s never too early to address nefarious bots and develop a strategy to combat them. In short, the following musts need to be addressed to ensure online retailers are ready for the upcoming shopping season:
- Bad bot traffic must be blocked at its point of origination.
- Strict authentication mechanisms must be deployed on Application Programming Interfaces (APIs).
- Anomalous user behavior and KPIs must be monitored.
- A dedicated bot management solution must be deployed to provide more comprehensive protection than in-house bot management tools.
Here Are the Perfect Next Steps
To help ensure you are protected against bad bots lying in wait to ruin the holiday shopping season, check out Radware’s extensive, in-depth research entitled Top Bot Attacks That E-Commerce Firms Should Prepare For Before the 2022 Holiday Shopping Season. Do it now; the holiday shopping season is just around the corner.
Also, take Radware’s Free Online Assessments to help ensure you’re holiday ready.