Retailers brace for looming bot attacks

Illustration: Tiffany Herring/Axios
As retailers prepare to kick off the busiest shopping season of the year, they'll also have to keep an eye out for a wave of AI-enabled bots flooding their websites, making fraudulent purchases and trying to steal consumer information.
Why it matters: Detecting bot attacks in the moment is difficult because their activity often looks exactly like a typical consumer's.
- But if successful, these bots can make off with thousands of dollars in merchandise — and make it even harder for consumers to check everyone off their gift lists.
The big picture: AI-enabled tools have made it possible for scammers to automate their attacks and target even more retailers and consumers.
- For years, resellers have been using AI-enabled bots to snatch up high-value, hard-to-get merchandise, such as sneakers or air fryers, in minutes online.
- Now there are bots that help attackers automatically suss out any exploitable security vulnerabilities in a retailer's networks, which can be a launching pad for ransomware or other destructive attacks.
- And lastly, automated account takeovers — where a hacker uses a bot to gain entry into someone's online account using stolen credentials — are now faster because of AI tools.
What they're saying: "It's not that we don't see this activity for the rest of the year," Lee Clark, manager of cyber threat intelligence production at the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), told Axios.
- "It's that it intensifies during the holiday season."
Threat level: Even before the holiday shopping season started, retailers were facing an influx of AI-driven attacks, according to research from Imperva released last month.
- Between April and September, retail websites experienced more than 560,000 AI-driven attacks each day, per the report.
- A third of the attacks were so-called business logic abuses, where attackers use AI to automate attacks that manipulate merchandise prices, abuse discount codes and bypass authentication protocols.
- Another third were classic distributed denial-of-service (DDoS) attacks, which aim to overwhelm a website and cause service outages.
Catch up quick: Retailers have long faced a deluge of scammers and malicious hackers during the holiday shopping season.
- This year, 52% of retailers say they're more at risk of cyberattacks during the holiday shopping season than at any other time of year, according to a survey released this month by VikingCloud.
- "At this time, e-commerce transactions are just huge," Kevin Pierce, chief product officer at VikingCloud, told Axios, noting that this makes retail an attractive target during the holidays.
The intrigue: Increased shopping traffic to online retailers is perfect for attackers.
- If retailers are already expecting a large uptick in visitors, it's easier to hide a high-traffic scam.
Between the lines: Defending against bot attacks requires a nuanced approach and a lot of information sharing across the retail industry, Clark said.
- Retail customers are sensitive to the friction that security protocols call for, such as requiring multifactor authentication for online accounts or limits on the number of products they can buy.
- Good information sharing can help retailers figure out what website domains or IP addresses to block, since threat actors are often reusing these across attacks, Clark added.
What we're watching: Cyberattacks on retailers' third-party vendors promise to be just as detrimental as attacks on the retailers themselves, Pierce said.
- "If [retailers'] key suppliers are actually vulnerable and they have issues, then the fulfillment of orders that occur this week may be more challenging," he said. "That's the one you don't hear about."
