The study shows attackers are using more bots and doing more sophisticated phishing exploits and server attacks, especially targeting retail.
Attacks on commerce are booming, according to a new study by security firm Akamai. The company’s 15-month review beginning in January 2022 found that commerce was the most targeted web vertical, with retail being the leading subvertical within it.
Jump to:
Bots raining on retail drive flood in commerce attacks
In its new report, Entering through the Gift Shop: Attacks on Commerce, Akamai determined that 14 billion or 34% of all incursions were against commerce sites, driven by bots, API attacks, remote code execution through local file inclusion attacks and server-side exploits. The migration to cloud, availability of dark net apps and the proliferation of IoT devices have also driven a big increase in attacks.
The study reported that:
- The number of total malicious bot attacks in all categories zoomed past 5 trillion between the beginning of 2022 and March 2023 and continues to grow.
- Local file inclusion attacks for gaining access and data exfiltration increased 314% between the third quarter of 2021 — during the prior year’s study period — and the same quarter last year.
- Half of the JavaScript for commerce comes from third-party vendors, increasing the client-side attack threat surface.
Trailing the commerce sector in volume of attacks were high technology at 21.66% of all attacks, financial services at 15.4%, followed by video media, manufacturing, the public sector and gaming (Figure A).
Figure A
The study, based on petabytes per month of data drawn from Akamai Connected Cloud, a network of approximately 340,000 servers on 1,300 networks in more than 130 countries, found that attacks in Europe, Middle East, Asia and Africa are heavily skewed toward the retail subvertical, which accounts for 96.5% of attacks versus 3.3% for hotel and travel, according to the firm.
Led by LFI attacks, web server exploits are on the rise
The report honed in on local file inclusion: A web server attack that hits weak spots in how a server stores files. The study found that LFI has replaced SQL Injection as the most common attack vector used against the commerce sector. There were more than twice the number of LFI attacks than the next most prevalent attack, which are those aiming for cross-site scripting, or XSS vulnerabilities. Such weaknesses allow attackers to inject scripts into web pages and can be used to bypass access controls.
SEE: Verizon study warns of more DDoS, email exploits (TechRepublic)
Only 12.24% of attacks that Akamai tracked involved SQL Injections in which attackers can steal access to databases (Figure B).
Figure B
Akamai said the growth of LFI exploits shows that attackers are favoring quiet insurgency aimed at enabling remote code execution to extract data. Doing so allows lateral movement into company networks, a style of incursion that could, according to the report, enable a pathway for criminals to infiltrate bigger, lucrative targets in supply chains.
Third-party scripts weaken security perimeters
Data from the study showed that 50% of the scripts used in the commerce vertical come from third-party resources, higher than in all other verticals. The report noted that “Although using third-party scripts does not necessarily mean that they are less trusted or malicious in nature, it puts organizations at risk of security flaws within these third-party scripts.”
Bot attacks and phishing campaigns are booming
Akamai reported threat actors using a record number of bots for fraud and other exploits, noting that even benign bots can damage the experience by jamming web performance. The study looked at scalpers who are beginning to build their own botnets, or they’re buying bots on the market for scalpers.
The study reports that scalpers seeking discounted products use botnets to scrape websites for inventory or good deals. Akamai’s report noted that several so-called “scraper as a service” offerings that can be bought are capable of analyzing data and generating a shopping list that fits certain criteria that meets a predefined profit margin.
SEE: Half of companies were hit with targeted spearphishing attacks last year (TechRepublic)
Phishing is also up, as the firm reported that in the first quarter this year 30% of phishing campaigns were activated against commerce customers. “Although we saw more campaigns than actual victims, it is also worth noting that attackers are targeting this industry.”
In the first quarter this year, Akamai saw commerce trailing only financial services in phishing attacks (Figure C).
Figure C
Last year, Akamai found a phishing exploit emblematic of how practitioners of the social engineering attack are becoming better at subterfuge: A for-sale phishing kit that mimics brands that include well-designed dummy sites and strong infrastructure using cloud services. The tactics use redirects that include URL shorteners to hide visually identifiable malicious links. “Our analysis shows that 89% of affected victims are from the United States and Canada, as cybercriminals created campaigns that target specific geographic locations,” said the firm.
Steve Winterfeld, advisory chief information security officer at Akamai, said secure coding as a key approach to hardening APIs and other surfaces is important to reducing threats. “If I were to invest, the first thing would be shifting left to catch errors in the beginning. Pen testing is important, but companies should ask themselves if their return on investment is better with secure coding,” he said.
Network security checklist: A must-have for juggling cyberthreats
Every organization is different when it comes to security needs, and the threats are becoming more diverse and arriving from new directions. There are security fundamentals, however, that should be applied as standard methods.
When these fundamentals are pared down to a checklist, security is easier to execute and less stressful to organize. This free to download Network and Systems Security checklist from TechRepublic Premium offers a good template for building a strong cybersecurity posture.