The Massive Spike In Bot Attacks Targeting Ecommerce - How To Protect Yourself
Most ecommerce websites are under continuous threats from brute-force bot attacks. These DDoS (Distributed Denial of Service) attacks ultimately lead to a poor buying experience for your consumers.
So, what are brute-force attacks on ecommerce sites and why do they matter?
This is a type of attack where cybercriminals target the authentication mechanisms of online retail websites, with the sole aim of uncovering hidden content within them.
When a hacker successfully installs bots within an ecommerce website, it leads to fraudulent activities such as scalping, multiple fake account creation, data scraping, and account takeover.
What Is A Bot Attack?
A Bot attack relies on a number of devices being interconnected, and each of these devices may run one or more bots. Most botnet attacks are used to run DDos and brute-force attacks, send spam mails and notifications, or steal and scrape a website’s data.
The person who implements a bot attack usually controls the program remotely using a C&C (command and control) software formed by standard network protocols such as HTTP and IRC. Essentially, the word botnet is a combination of two words - “robot” and “network”, and this depicts how it works.
Many ecommerce websites globally are the primary targets of brute-force attacks because they engage in online payment processing and customer data collection. A typical example of such an attack is where cybercriminals try to guess admin and user passwords by running numerous combinations of symbols, letters, and numbers until they achieve the correct combination.
In general, any website that has a login or user registration page can be open to bot attacks, but ecommerce sites are a primary target. In addition to accessing payment data, hackers can also use the bots to spam buyers, scrape data from a site to sell on the dark web, commit fraud using gift coupons and more.
Denial Of Inventory
In a Denial Of Inventory attack, malicious bots tend to add items to a shopping cart but never process the purchase order. As a result, all of the inventory available on the online store gets blocked, and interested buyers keep receiving an “out of stock” notification.
These bots will keep adding available items into the shopping cart after specific intervals. Thus, even if the system clears the cart, the bots will keep returning and adding the items over and again. In certain cases, these attacks are initiated by unscrupulous competitors trying to gain a business advantage.
Although website owners can restrict the time of how long items can remain in a cart, advanced bots can override the settings using multiple IP addresses.
Scalper bots are used to procure limited-inventory items from multiple IP addresses so that hackers can resell them later at inflated prices. These bots override maximum quantity settings set by the site owner by mimicking different users and hoarding the items.
For instance, a much-hyped game is released at a specific quantity, and the sale is limited to one unit per customer. Now, hackers or competitors employing this technique use computers with extremely high-processing speed to buy as much inventory as possible by creating multiple accounts on the spot.
As a result, when actual customers try buying the item, they receive an “out of stock” message. Surprisingly to many, the entire stock runs out within seconds of release. These items are then sold for inflated prices on different websites.
Credential Stuffing And Cracking
In this type of attack, bots use previously stolen usernames and passwords from different sites to try to gain access to other sites. Most of these credentials are usually gathered from a serious data breach which is either published online or sold on the deep web.
Advanced credential stuffing attacks employ a huge number of bots simultaneously; hence it looks like the authentication requests are coming from numerous devices. It’s also termed as brute force attacks wherein hackers process multiple hit-and-try requests to guess the correct match of credentials at the same time.
Both these attacks have the same goal: taking over user accounts. One such large-scale attack was on the world's biggest carpooling community called BlaBlaCar, where cybercriminals were attempting to retrieve coupons and steal credit card information.
There are multiple ways to minimize bot attacks on your website. It isn’t possible to completely eradicate them, but you can ensure security measures. It’s important to note that malicious bots pose a difficulty to antivirus software as they mimic real users. Therefore, choosing a powerful antibot software such as Norton AntiBot alongside your overall security system will keep your ecommerce site safe.
In addition, other than updating the core codes of your website regularly, here are few other things you can do:
- Restrict access of browsers using outdated CAPTCHA verification methods.
- Maintain a blocklist of proxy service providers.
- Secure open access points.
- Measure traffic and look out for sudden spikes.