Threats from bad bots rise amid holiday e-shopping season

Automated attacks on application business logic, carried out by sophisticated bad bots, are rising amid the early onset of the holiday shopping season in Singapore, according to Imperva.

In addition, account takeover, distributed denial-of-service (DDoS), API abuse, and client-side attacks were significant risks.

In the past year, business logic attacks made up 25% of all attacks on Singaporean retail sites — up from 10% during the same period in the prior year. 

While this is below the global average (37%), the volume of business logic attacks on Singaporean retail sites increased 62% year-on-year.

A business logic attack exploits an application or API’s intended functionality and processes rather than its technical vulnerabilities. 

Most attacks on business logic are automated and often focused on abusing API connections. In retail, attackers abuse business logic to manipulate pricing or access restricted products.
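To make the retail cases concrete, the following is an added example (not code from the article or from Imperva) of a toy checkout handler that trusts client-supplied prices and eligibility, next to a hardened version that recomputes everything from server-side state. The catalog, coupon and account data, and the function names `checkout_vulnerable`, `checkout_hardened` and `rejection_reason`, are constructed for this illustration.

```python
"""Added example: business-logic abuse in a retail checkout (price manipulation
and restricted-product access) beside a server-side hardened version.
All data below is constructed; a real shop would read it from its database."""
from dataclasses import dataclass, field

# Constructed server-side catalog and coupon table.
CATALOG = {
    "sku-1001": {"price_cents": 19900, "restricted": False, "max_qty": 5},
    "sku-2002": {"price_cents": 4900, "restricted": True, "max_qty": 1},  # e.g. age-restricted
}
COUPONS = {"WELCOME10": {"percent_off": 10, "single_use": True}}


@dataclass
class Account:
    account_id: str
    verified_restricted_access: bool = False
    used_coupons: set = field(default_factory=set)


class BusinessLogicError(ValueError):
    """Raised when an order violates a rule the business intends to enforce."""


def checkout_vulnerable(order: dict) -> int:
    """Trusts every field the client sends: unit price, discount and eligibility.
    Every request here is well-formed, which is why a generic signature rule
    has nothing to match; the flaw is in what the logic is willing to accept."""
    total = 0
    for item in order["items"]:
        total += item["unit_price_cents"] * item["qty"]     # price chosen by the client
    total -= total * order.get("discount_percent", 0) // 100  # discount chosen by the client
    return total


def checkout_hardened(order: dict, account: Account) -> int:
    """Recomputes every amount from server-side state and enforces the intended
    rules: catalog price, quantity cap, restricted products, coupon validity
    and single use. Client-supplied price and discount fields are ignored."""
    total = 0
    for item in order["items"]:
        product = CATALOG.get(item["sku"])
        if product is None:
            raise BusinessLogicError(f"unknown sku {item['sku']}")
        qty = item["qty"]
        if type(qty) is not int or qty < 1 or qty > product["max_qty"]:
            raise BusinessLogicError(f"invalid quantity {qty!r} for {item['sku']}")
        if product["restricted"] and not account.verified_restricted_access:
            raise BusinessLogicError(f"{item['sku']} requires verified access")
        total += product["price_cents"] * qty
    code = order.get("coupon")
    if code is not None:
        coupon = COUPONS.get(code)
        if coupon is None:
            raise BusinessLogicError("invalid coupon")
        if coupon["single_use"] and code in account.used_coupons:
            raise BusinessLogicError("coupon already used")
        total -= total * coupon["percent_off"] // 100
        account.used_coupons.add(code)
    return total


def rejection_reason(order: dict, account: Account):
    """Convenience wrapper: the rejection message, or None if the order passes."""
    try:
        checkout_hardened(order, account)
    except BusinessLogicError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed abusive order: a real SKU with a fake price and a self-granted discount.
    abusive = {"items": [{"sku": "sku-1001", "unit_price_cents": 100, "qty": 1}],
               "discount_percent": 90}
    print("vulnerable total:", checkout_vulnerable(abusive))
    print("hardened total:", checkout_hardened(abusive, Account("acct-1")))
```

The hardened handler treats the client's price and discount as untrusted input and re-derives them from the catalog and coupon table, caps quantities, and gates restricted SKUs on a server-side verification flag; the rejection reasons it produces are also the events worth logging per account, since a stream of them during a sales peak is the behavioural signal that automated business-logic probing leaves behind.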

As reported in the 2023 Imperva Bad Bot Report, 17% of all attacks on APIs came from bad bots abusing business logic. 

No fixed attack signatures exist to monitor for these exploits, and no generic rule can be applied on the assumption that every application and API deployment is secure.

“The surge in bot sophistication over the past year is especially concerning, as this breed of automation can exploit business logic, compromise APIs, and take over user accounts, posing a tangible threat to retailers’ year-end sales and impacting their bottom line,” said George Lee, Imperva’s SVP for Asia-Pacific and Japan.

Findings also show that the proportion of bad bots on Singapore retail sites is higher (24.1%) than the global average (22.7%). 

Singapore retailers saw a significantly higher proportion of simple bot traffic (87%), nearly thrice the global average (32%). 

Meanwhile, web traffic rose steadily throughout October and November as Cyber Monday dethroned Black Friday as the online holiday shopping event of the season.

This year, the peak in online traffic was recorded on November 19 with a second notable peak occurring on Cyber Monday (November 27). There was 42% more web traffic on retail sites on Cyber Monday than on Black Friday.

Bad bots account for 26.3% of all web traffic to online retail websites, higher than the annual average of 22.7%. 

Human traffic on retail sites dropped by nearly 3% while the proportion of good bot traffic remained similar to the annual average.

Further, the number of ATO (account takeover) attacks has risen since September, with spikes in attack activity recorded on November 8, 14, and 24 (Black Friday).

The number of attacks spiked by an astonishing 85% on Black Friday. For comparison, ATO attacks on Black Friday 2022 increased by 66%.

The intensity of these attacks is also increasing. The number of malicious login requests soared 82% between October and November.

In addition, API traffic accounts for 45.8% of all traffic to online retailers, up from 41.6% last year. 

Considering this, the rise in attacks targeting online retailers’ APIs becomes quite notable. Attacks increased by 6% in October and another 9% in November.