The holidays are peak season in the consumer economy, and everyone is trying to make the most of it. Retailers are looking to capitalize on the heightened buying mood of consumers, while shoppers are out looking for a steal of a discount.
This window of opportunity is only extending. This year, Amazon and others held early holiday kickoff events in October. Meanwhile, the consumer willingness to hold out for deals amid inflation is leading many retailers to believe there will be a particularly strong finish.
But brands and retailers also have to be on guard. The longer season means there is more time and space for bots deployed to siphon money out of the offers that are flying to operate.
“With the holiday shopping season starting earlier and earlier each year, cybercriminals have more opportunities to steal, scam and cause havoc,” said Gavin Reid, CISO at cybersecurity company HUMAN Security. “As consumers move to a hybrid shopping model, and retailers make use of the high engagement online with early access deals, the attack surface for malicious bots have only grown, giving them more opportunities to check things off their list.”
While it’s easy to think of these bots as shadowy forces lurking in unexpected corners of commerce, there’s a pattern to how they work. Fraud follows the money, so if brands are investing more in an area like advertising, the opportunity for malicious activity associated with that investment becomes higher.
With this logic in mind, it makes sense that HUMAN research found evidence of increased bot activity during Cyber Week. “But here’s the catch – the data also shows that these attacks begin to pop up before the holiday season in September and October when attackers were likely trying to get a large number of stolen accounts in advance of the holiday shopping season, so they could sell them on the dark web right before Cyber Week,” Reid said.
There are a few primary tactics that attackers are using, HUMAN found:
Account takeover attacks started in September, with a peak in mid-October, according to the research. By October, more than 30% of login attempts were malicious, which was up markedly from 15% in September. In these attacks, cybercriminals compromise existing user accounts by using sophisticated bots that can be deployed at scale through devices like iPads, a cell phone or a computer.
“What makes them so dangerous is that they cost little to carry out, have a high success rate and have rippling advantages for cybercriminals, including selling them on the dark web or validating the stolen credentials to attempt thousands or millions of logins across websites,” Reid said. “If they succeed, they’ll make fraudulent purchases and credit transfers.”
In particular, ecommerce websites are vulnerable to these attacks because they are places where users store credit and debit card information, gift card balances, loyalty points, and more.
Carding attacks also showed an uptick ahead of Cyber Week. HUMAN found that these rose 350% in early November, and found a 900% increase following Cyber Monday. Carding attacks are a form of payment fraud that focus on the checkout page. Cybercriminals use sophisticated bots and stolen credit card details on ecommerce sites to buy goods, then sell them for a profit. Criminals buy lists of data on illicit marketplaces, then send bots to ecommerce stores that test the cards by attempting small purchases.
“When they’ve proven the card details are valid, the fraudsters will deploy sophisticated bots to use the verified card details to make ecommerce purchases, steal from accounts, and buy gift cards. It’s like when the Grinch enters Whoville to steal presents,” Reid said, adding that the gift cards are either sold at a discount, or used to buy items that can be resold.
Resale is not malicious as a whole, but it can also fall prey to criminal activity. One of the most popular strategies is to snatch up hot gift items and resell them at a mark-up. Yes, the $500 PlayStation5 sold for $1100 is a form of fraud.
It’s important for leaders to understand these threats not so that they live in fear of them, but to understand how to prepare. They can be prevented with proper awareness and strategies. The risk heightens during the holidays, but is not purely a phenomenon of peak season. HUMAN has found that up to 9% of annual purchases at businesses are the result of account takeover activities. Understanding the lifecycle of these attacks can help leaders understand how to detect them and defend against them.
“As online sales start earlier and retailers continually host large sales to attract customers all year round, sophisticated cybercriminals will continue to target ecommerce sites with attacks. And brands need to remain on alert,” Reid said. “By not implementing solutions such as having bot and fraud protection measures in place, retailers and brands could actually lose money, customers, and loyalty—over something that is actually preventable.”
On a tactical level, Reid offered the following tips that can help lower the risk of fraud during the holidays and beyond:
For businesses:
- Encrypt or hash stored credentials on your website to secure database
- Require good password practices and multi-factor authentication (MFA)
- Enable behavior-based bot management and flag potentially compromised credentials
- Continuously evaluate users’ behavior and go beyond just blocking bots to prevent future attacks
For shoppers:
- Check bank accounts during the holiday season to ensure cybercriminals and fraudsters have not compromised information.
- Update passwords to stay a step ahead of cybercriminals.
