By Pavan Thatha, Radware
The e-commerce industry is growing fast. Shoppers snap up lucrative deals and complete transactions in a matter of seconds. If an organization’s IT infrastructure is not up to the task of protecting the applications that enable easy shopping, sophisticated automated attacks can happen in the blink of an eye.
The sophistication of bad bots is increasing across industries. Their ability to mimic human behavior and to be distributed over thousands of IPs is a major cause of concern for e-commerce firms and their applications. For example, 56 percent of the bad bots on e-commerce firms during Q1–Q3 2019 were fourth generation. Fourth-generation bad bots not only mimic human behavior and spread across thousands of IPs, they can also be daisy-chained to perform sophisticated automated attacks.
To better understand the threats that e-commerce firms face from bad bots, Radware commissioned research to study the traffic of the e-commerce firms it monitors across the globe. The goal of this research was to understand the different types of attacks that e-commerce firms face and how bad bots behave during big shopping days such as Black Friday and Cyber Monday. This article answers the following questions in detail:
- How bad bots targeted e-commerce firms during Black Friday and Cyber Monday
- Which industries are most targeted by bad bots
- What types of bots target e-commerce businesses
- What are four major threats to e-commerce firms from bad bots
Black Friday And Cyber Monday 2019
- On Black Friday, 38.6 percent of the traffic to e-commerce firms came from bad bots.
- On Cyber Monday, 42.5 percent of the traffic to e-commerce firms came from bad bots.
- These bots were observed performing account takeover, denial of inventory, and content scraping attacks among others.
Figure 1: Traffic Distribution During Black Friday and Cyber Monday 2019
Account Takeover Attacks
- Nearly two-thirds of the traffic on login pages came from bots during Black Friday and Cyber Monday. These bots were observed performing account takeover attacks during the shopping days.
- Only one-third of the traffic on e-commerce sites was human during Black Friday and Cyber Monday this year.
- Most of these bots were AuthBots and were distributed over thousands of IPs.
Figure 2: Black Friday and Cyber Monday 2019 – Account Takeover Attacks
Denial Of Inventory Attacks
- On a significant number of the e-commerce sites we monitor, nearly 90 percent of the traffic on the cart page during Cyber Monday came from bots.
- On Black Friday, nearly two-thirds of the traffic came from bots.
- This was the reason behind the higher cart abandonment rate on this year’s Black Friday and Cyber Monday.
Figure 3: Black Friday and Cyber Monday 2019 – Denial of Inventory Attacks
Content Scraping Attacks
- 40.1 percent of the traffic on category pages and 45.3 percent of the traffic on product pages came from bots during Black Friday.
- 41.8 percent of the traffic on category pages and 40.2 percent of the traffic on product pages came from bots during Cyber Monday 2019.
- These bad bots attempted to scrape product listings and details from the category and product pages of e-commerce firms.
Figure 4: Black Friday and Cyber Monday 2019 – Content Scraping Attacks
Most Targeted Industries By Bad Bots
- With bad bots making up 26.4 percent of its traffic, e-commerce was the most targeted industry in the first three quarters of 2019, followed by real estate, online marketplaces and classifieds, and digital publishers.
Figure 5: Most Targeted Industries by Bad Bots
Types Of Bots On E-Commerce Businesses
- 56 percent of bots on e-commerce firms were fourth generation.
- Fourth-generation bots can be distributed over thousands of IPs based in different geographical locations and can masquerade as human users.
- Detecting fourth-generation bad bots requires advanced technologies, including intent analysis, so that you can analyze a visitor’s intent and don’t end up blocking genuine users.
Figure 6: Types of Bots on E-commerce Businesses
Top 4 Attacks On E-Commerce Firms From Bad Bots
- Account takeover, denial of inventory, content scraping, and carding are the top four attacks on e-commerce firms.
- Login pages are the most targeted pages of e-commerce firms, as bots use them to take over user accounts or create fake accounts.
- Cart abandonment by bots is another threat that e-commerce businesses are facing from bots.
Figure 7: Four Major Threats to E-commerce Firms from Bots
All large e-commerce platforms have sophisticated bot activity on their websites, mobile apps, and APIs that can expose them to account takeover, scraping, denial of inventory, and loss of Gross Merchandise Value (GMV). E-tailers must be diligent in dealing with sophisticated bad bots, as attacks such as those on Black Friday and Cyber Monday can happen during the Christmas holidays as well.