The Impact and Tactics of Retail E-commerce Web Attacks

The online shopping season is upon us as consumers search the web for the best deals on gifts. The revenue opportunity for retailers with online storefronts is substantial-and not just during the holidays: the Nilson Report, which covers the payment card industry and mobile payments, forecasts online retail e-commerce sales to reach $630 billion by 2020. But the convenience of shopping from anywhere has a flipside: the consumer accounts and the websites they order from provide a wider attack surface that threat actors can leverage for their own fraudulent goals. In the U.S. alone, retail e-commerce fraud will cause more than $12 billion in losses by 2020.*

Signal Sciences Telemetry Reveals Top Retail Web Attacks

Based on web request telemetry inspected by Signal Sciences next-gen WAF and RASP agents installed across our e-commerce customers, the below infographic up-levels key findings drawn from the analysis of anonymized web traffic directed at production apps, APIs, and microservices in the e-commerce vertical. We used a sample of 4.9 million web attacks directed against retail e-commerce sites over a five-month period from June 1 to October 31, 2019. These web attacks are identified from events when web request volumes crossed a defined attack threshold.

The below infographic is a companion piece to a more in-depth retail e-commerce report with more details around the top five web attacks perpetrated against retail e-commerce sites. The report also shows when attackers strike and what’s necessary to detect and stop them.

(Clicking or pressing on the image below will open it in a new browser window for saving and sharing.)

Account Takeover Most Prevalent Retail E-commerce Attack

As shown above, Signal Sciences data reveals that account takeover (ATO) dominates retail e-commerce attacks-here’s a quick breakdown of this tactic:

1. After a third-party breach occurs, username and password pairs are exfiltrated and then posted to public paste sites, sold in bulk or traded on Dark Web marketplaces.
2. A threat actor acquires the leaked usernames and credentials
3. The attacker uses automated credential stuffing tools like Sentry MBA to test the stolen credentials against sites with user bases that store high-value data and personally identifiable information (PII).

This all occurs quickly because various attackers know they are not alone in their attempt to leverage the same dump of stolen credentials for illicit gain.

For an in-depth look at account takeovers and example scenarios for retail, check out this blog entry. We also have a solution brief that explains authentication best practices and how to detect ATO.

Web Layer Visibility That Prevents Retail E-Commerce Attacks

To detect and prevent the attacks that lead to retail e-commerce fraud, Signal Sciences provides customers real-time visibility not only into login and account creation activity, but also the web request header values and other context associated with those requests, all of which can reveal fraud with easy configuration and no app performance impact.

Other solutions in the market add significant latency and can adversely impact customer experience and require significant installation and staff ramp up time-and that’s time you could be using to defeat the adversary. With Signal Sciences award-winning web protection technology, you get proactive web layer visibility to prevent web attacks. See for yourself and request a demo now.

*The Nilson Report, Issue 1142, Nov. 2018

Originally published at https://www.signalsciences.com on November 20, 2019.