10 November, 2023

Imperva: Bad bots are the leading threat to online retailers

Source: Imperva landing page. Illustration accompanying Imperva Bad Bot report for 2023.

Imperva, the cybersecurity provider that protects critical applications, APIs and data anywhere at scale, has released a 12-month analysis of cybersecurity threats targeting e-commerce websites and applications that emphasises the significance of bad bots.

Automated attacks on application business logic, carried out by sophisticated bots, are the leading threat to online retailers, Imperva said. Today's bad bots can evade detection while wreaking havoc and enabling online fraud. They can mimic human behaviour and abuse business logic, allowing threat operators and fraudsters to perform a wide array of malicious activities. Other significant risks include account takeovers, distributed denial-of-service (DDoS) attacks, API abuse, and client-side attacks*.

In the past year, business logic attacks accounted for 25% of all attacks on Singaporean retail sites, up from 10% for the same period a year ago. While still below the global average of 37%, the volume of business logic attacks on Singaporean retail sites actually increased 62% year-on-year.

According to the 2023 Imperva Bad Bot report, 17% of all attacks on APIs came from bad bots abusing business logic. Attack patterns that monitor these exploits do not exist, and it's impossible to apply a generic rule to ensure that all application and API deployments are secure, Imperva explained.

"The pandemic accelerated the digital transformation of Asia's retail sector, as companies swiftly adapted to changing consumer needs. However, the region's diverse markets, complex supply chains, and varying cybersecurity readiness levels have left Asian retailers vulnerable to increasingly complex security threats," said George Lee, Senior VP, Asia Pacific and Japan, Imperva.

"The surge in bot sophistication over the past year is especially concerning, as this breed of automation can exploit business logic, compromise APIs, and take over user accounts, posing a tangible threat to retailers' year-end sales and impacting their bottom line."

Other highlights of the report included:

- Bad bots are 30% of automated traffic

- Automated attacks targeting APIs are on the rise

- Evasive bad bots accounted for 66.6% of all bad bot traffic

- Nearly half (47.4%) of all Internet traffic globally came from bots in 2022, a 5.1% increase over the previous year. The remainder, human traffic (52.6%), was at its lowest level in eight years.

- Bad bots made up close to half (43.1%) of all Internet traffic in Singapore. This proportion of bad bot traffic was high compared to other countries around the world, trailing only Germany and Ireland. Among the other Asia-Pacific countries studied, bad bots made up 36.8% of traffic in China. Next was Australia (24.5%), followed by Japan (16.3%).

- Singapore retailers saw a significantly higher proportion of simple bot traffic (87%); nearly 3x more than the global average (32%). This breed of bots is typically designed to perform specific, predefined tasks without complex decision-making or artificial intelligence. While they help automate mundane and repetitive tasks, they can also be abused for malicious purposes such as spamming, data scraping for unauthorised purposes, or engaging in cyberattacks against retailers.

There has also been a noticeable shift in bot technology, with roughly 11% of bad bots making the jump from 'simple' to the next level of sophistication. In Singapore, 41% of all bad bots were advanced bad bots in 2022, up from 8.8% in 2021.

- The proportion of bad bots on Singapore retail sites is higher (24.1%) than the global average (22.7%). The high volume of bad bots on local retail sites can lead to implications such as higher security risks, greater damage, poorer user experience, greater resource consumption, and heightened data privacy concerns for retailers.

*According to Imperva, a business logic attack is one which exploits an application or API's intended functionality and processes rather than its vulnerabilities. Most attacks on business logic are automated, and often focus on abusing API connections. In retail, attackers abuse business logic to manipulate pricing or access restricted products. A client-side attack, on the other hand, is one where the user is duped into downloading malware.
