COVID-19 has quickly reshaped web traffic and application usage patterns. For example, traffic to food delivery has skyrocketed. The rapid shift in consumer behavior has morphed attack patterns, expanded the threat environment and added attack pressures against many site operators unaccustomed to so much attention from ecommerce fraud operators. These fraud operators are largely mounting account takeover (ATO) attacks.
Logically, attackers are following the money. Greater traffic and transactions in new industries mean more opportunities for fraud such as:
- Theft of credit card and financial information
- Placing unauthorized orders for goods or services using hijacked accounts
- Draining new pools of loyalty points to resell on the dark web
Ecommerce fraud attackers are taking advantage of rapid shifts. Security teams operating under shelter in place are less efficient. Those teams are shouldering new responsibilities for securing remote workers. Online merchants are pushing application changes more quickly; this results in more bugs and vulnerabilities going live.
The attacks on these new targets have reached unprecedented levels and share the following characteristics:
- Attack traffic levels are much higher than legitimate traffic levels
- Malicious traffic is coming in huge spikes concentrated over 24- to 48-hour periods
- Attacks are using more sophisticated bots that can navigate business logic and solve CAPTCHAs, and they are utilizing highly distributed botnets
- Attacks are not only focused on sites but also on APIs
Home Furnishings, Food Delivery, Online Fashion: Big Targets
Benchmarking against historical data, two of the largest percentage increases in ecommerce fraud attempts have targeted home goods, food delivery and online fashion.
We observed large spikes in ATO attempts, running 3X to 4X higher than previously measured average daily attack rates. In addition, we saw sophisticated attackers widening their radius, going after smaller home furnishings companies rather than confining attempts to large top 50 retailers. This increase in attacks is likely here to stay as more shopping moves online.
According to PerimeterX data, traffic to food delivery sites increased by 41% during March, after COVID-19 lockdowns started, compared to two months prior. Shoppers are also behaving more decisively; conversion rates for food delivery are up by 80%.
This makes security and anti-fraud efforts more challenging because teams at these companies are dealing with new users and new behavior patterns without historical precedent. The number of ATO attempts we saw on food delivery apps during this time is 2.7X higher than it was prior to lockdowns, hitting all-time highs during the spring of 2020.
The lockdowns rapidly shifted purchasing patterns for these high-touch products from stores to ecommerce. Since early February, online fashion, including clothing, streetwear, sportswear and cosmetics, has seen a significant rise in web traffic. In some weeks, the ratio of the increase in malicious traffic to the increase in legitimate traffic has been 7:1. On average, legitimate traffic increases are running around 25% while malicious traffic increases are closer to 180%.
Weekly ATO attempts are 100% to 500% higher than historical averages, depending on the size of the spike. As in the home furnishings category, we saw sophisticated attackers going after a wider array of fashion sites including smaller retailers that previously only had to deal with crude and easy-to-filter attacks. Fashion is particularly prone to loyalty card attacks, as most major fashion retailers have popular loyalty programs. Aside from ATOs, in fashion we saw increases in scraping attacks as competitors and resellers grabbed pricing and inventory information from major brands at higher volumes.
The New Normal Means New Demands for Security
Clearly, COVID-19 lockdowns have caused huge and potentially permanent changes in online consumer behavior. Understandably, hackers and fraudsters quickly followed, broadly expanding the types and number of consumer-facing sites they target with sophisticated attacks.
The opportunistic rise in ecommerce fraud means security and web operations teams need to adapt to a new normal of higher attack volumes. They need to increase security efficiency by adopting new tools that leverage machine learning to identify and block malicious attempts at scale and in real time. The new normal will ultimately mean higher levels of security, but in the near term it will be a steep learning curve.
Ido Safruti is co-founder and CTO of PerimeterX