Singapore Faces 62% Annual Spike in E-Commerce Business Logic Attacks

Imperva, Inc., (@Imperva), the cybersecurity leader that protects critical applications, APIs, and data, anywhere at scale, just released a 12-month analysis of the cybersecurity threats targeting eCommerce websites and applications.

Automated attacks on application business logic, carried out by sophisticated bad bots, were the leading threat to online retailers. In addition, account takeover, distributed denial-of-service (DDoS), API abuse, and client-side attacks were significant risks.

Business Logic Attacks Accounted For 25% Of All Attacks on Singaporean Retail Sites
In the past year, business logic attacks made up 25% of all attacks on Singaporean retail sites – up from 10% during the same period in the prior year. While this is below the global average (37%), the volume of business logic attacks on Singaporean retail sites increased 62% year-on-year.

A business logic attack exploits an application or API’s intended functionality and processes rather than its technical vulnerabilities. Most attacks on business logic are automated and often focused on abusing API connections. In retail, attackers abuse business logic to manipulate pricing or access restricted products.

As reported in the 2023 Imperva Bad Bot Report, 17% of all attacks on APIs came from bad bots abusing business logic. Attack patterns don’t exist to monitor for these exploitations, and it’s impossible to apply a generic rule and assume all application and API deployments are secure.

“The pandemic accelerated the digital transformation of Asia’s retail sector, as companies swiftly adapted to changing consumer needs. However, the region’s diverse markets, complex supply chains, and varying cybersecurity readiness levels have left Asian retailers vulnerable to increasingly complex security threats,” says George Lee, Senior Vice President, Asia Pacific and Japan, Imperva. “The surge in bot sophistication over the past year is especially concerning, as this breed of automation can exploit business logic, compromise APIs, and take over user accounts, posing a tangible threat to retailers’ year-end sales and impacting their bottom line.”

Bad Bots and Simple Automation Plague Singapoíean Retail Sites, Outpacing Global Aveíages

• The proportion of bad bots on Singapore retail sites is higher (24.1%) than the global average (22.7%). The high volume of bad bots on local retail sites can lead to implications such as higher security risks, greater damage, poorer user experience, greater resource consumption, and heightened data privacy concerns for retailers.

• Singapore retailers saw a significantly higher proportion of simple bot traffic (87%); nearly 3X more than the global average (32%). This breed of bots is typically designed to perform specific, predefined tasks without complex decision-making or artificial intelligence. While they help automate mundane and repetitive tasks, they can also be abused for malicious purposes such as spamming, data scraping for unauthorized purposes, or engaging in cyberattacks towards retailers.

The eCommerce industry remains a lucrative target for cybercriminal activity. Built on a vast network of API connections and third-party dependencies, online retailers are increasingly vulnerable to business logic abuse and client-side attacks. Motivated cybercriminals are also eager to compromise user accounts for personal data and payment information. A successful security incident can lead to higher infrastructure and support costs, degraded online services, and, ultimately, customer churn. While these security risks persist throughout the calendar year, attacks often peak during the holiday shopping season.

Recommendations Ahead Of The Holiday Shopping Season
As in previous years, the number of attacks on online retailers will likely rise during the 2023 holiday shopping season.

Just as shoppers should be aware of the risks associated with online shopping, retailers must also remain vigilant. They must avoid cyber risks threatening the integrity and continuity of their business, the safety of their customers, and their sensitive personal information.

1. Prepare for a high volume of traffic, as well as distributed denial-of-service (DDoS) attacks. Retailers should consider implementing a waiting room queueing system that can ensure site performance and maintain a positive customer experience. They should also stress-test their infrastructure regularly, especially before high traffic is anticipated.

2. Prioritize the security of the client side. Magecart-style attacks are notorious for using compromised first or third-party JavaScript to exfiltrate sensitive information from website forms such as login and checkout. To mitigate this risk, perform continuous monitoring and inventorying of all services on the client side, review them, and ensure that only authorized ones can run.

3. Marketing and eCommerce campaigns are likely to become targeted by bots. Bad actors will likely employ bots to buy up as much inventory from highly anticipated product drops as possible. Prepare to handle increases in traffic volume that are likely to include a high proportion of bots.

4. Protect critical paths and website functionalities from bots seeking to abuse business logic. Some website functionalities are highly exploitable. For example, login functionality opens up the possibility of credential stuffing and credential cracking attacks. Adding a checkout form increases the chances of carding or card cracking. Employ a stricter ruleset and ensure a bot mitigation solution properly protects your pages.

5. Encourage good account credential hygiene and safety. Ensure that user passwords require a minimum number of characters and the use of capital letters, numbers, symbols, etc. Implementing multi-factor authentication (MFA) and encouraging its use is highly recommended. Also, have a bot mitigation solution with dedicated account takeover prevention capabilities.