Skip to main content

Retailers hit with 10 billion bot attacks last year

(Image credit: Image Credit: WNDJ / Pixabay)

Hackers have tried to force their way into people’s accounts on retail sites more than 100 billion times from May to December last year.

A new report by Akamai found retail is the most targeted industry in such forced attacks. It also says that there are two other ‘pressing security concerns’ – the preponderance of API-call traffic on the web, and the apparent misrepresentation of IPv6-based traffic.

When they try to log into people’s accounts on retail sites, hackers usually employ a strategy called ‘credential stuffing’, where they would try login combinations that are already compromised from one service, on a bunch of other services.

They’re hoping people would reuse the same login combination on multiple services so – compromise one, and you’ve compromised many.

Their goal is, as the report claims, to basically buy merchandise and then resell it later.

To achieve this goal, hackers mostly use AIO bots – they can allegedly target more than 120 retailers at once.

“The techniques change, but the motivation remains the same: greed,” said Martin McKeay, Security Researcher and Editorial Director of the State of the Internet / Security report. “Retailers remain on the front lines, because stolen merchandise sells quickly and at a premium. And for that reason, the data shows which merchandise is of the highest value: Apparel sites are targeted the most.”

The report also mentions that media and entertainment properties are also ‘notable credential abuse victims’.

When it comes to API calls, they represent 83 per cent of web traffic, and as such represent a growing risk.

“The state of web applications is fluid, and many API calls are application or company-specific and require a different security approach than HTML traffic, which is seemingly static,” McKeay explained.

Image Credit: WNDJ / Pixabay

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.