PerimeterX Annual E-Commerce Report Shows 106% Increase in Bot Attacks Plus Sharp Increases in Scraping and Carding, Fueling the Web Attack Lifecycle
Automated Fraud — including Sneaker bots and Hype Sales Attacks, Credential Stuffing, and Account Takeover (ATO) Attacks — on the Rise
PerimeterX, the leading provider of solutions that detect and stop the abuse of identity and account information on the web, today released its annual Automated Fraud Benchmark Report: E-commerce Edition. The report provides detailed analysis of e-commerce cyberattack activity over the past year, generated by unique insights and research on the web app traffic and threat patterns experienced by some of the largest and most respected brands in retail e-commerce.
The report provides a deep dive into the ways that cybercriminals use bots to scrape, validate and fraudulently use consumers’ identity and account information. Findings were taken from anonymous data collected during 2021, captured from live online interactions by millions of consumers and hundreds of millions of bots across hundreds of the world’s largest websites, mobile apps and application programming interfaces (APIs).
Analyzing billions of user interactions, key findings included:
- Bot attacks increased 106% year over year (YoY)
- Carding attacks increased 111% YoY
- Scraping attacks rose 240% YoY
“Mobile apps and websites continue to be the primary way consumers discover, shop and interact with a brand, especially during popular hype sales events. Stored credit cards, gift card balances, loyalty points and personally identifiable information (PII) make e-commerce apps the ideal target of threat actors who are increasingly leveraging automated attacks,” said Kim DeCarlis, CMO, PerimeterX.
Individual attacks themselves are not the only threat. Online accounts now hold a piece of a user’s identity — which becomes more valuable than simply a stored credit card. If a cybercriminal can hide behind a legitimate user’s identity, the opportunities to commit fraud increase significantly, laying the foundation for the “web attack lifecycle” by digitally skimming PII to steal information, validating it with credential stuffing attacks, and fraudulently using it to commit ATO or create fake accounts.
The report also found:
- Sales of limited-edition sneakers experienced up to 71% of traffic from scalping bots during hype sales events in 2021, an increase from the 2020 peak of 46%
- Peak malicious login attempts increased from 84% in 2020 to 93% in 2021
- The three retail e-commerce segments that saw the most bad bot traffic were Health and Wellness (36%); Hardware, Software and Electronics (33%); and Sports and Recreation (27%)
- 74% of bot attacks came from desktop devices and the remainder from mobile devices
- The most malicious bot traffic globally came from the US and Canada
“Attackers are increasingly diverse in their sophistication and attack methods. This includes technically adept youngsters, amateur botters, savvy professional cybercriminals and cybercrime communities, as well as a growing crime-as-a-service (CaaS) ecosystem that allows just about anyone to get in on the action,” explained Liel Strauch, PerimeterX Director of Cyber Security Research.
Automated Fraud Protection Best Practices
PerimeterX offers steps to help organizations reduce their risk and better defend against automated fraud, including:
- Assess your risks by conducting an audit of malicious activity
- Identify key web pages and make them harder to scrape
- Review your security infrastructure by identifying the strengths and weaknesses of your existing tools
- Analyze the impact of tools like CAPTCHAs and MFA on consumers
- Utilize machine learning and behavioral analysis to detect and mitigate malicious bots
“E-commerce providers are often handicapped by limited visibility into only their own data. We’ve published this report as a service to the industry. E-commerce providers can use the report to compare themselves against their peers, discover attack trends and learn ways to more efficiently safeguard their site and customers against fraud. We also provide guidance for protecting their revenue and reputation without adding friction to the buying journey,” noted DeCarlis.