Automated Fraud — Including Sneaker Bots and Hype Sales Attacks, Credential Stuffing, and Account Takeover (ATO) Attacks — on the Rise
SAN MATEO, CA, March 8, 2022 – PerimeterX, the leading provider of solutions that detect and stop the abuse of identity and account information on the web, today released its annual Automated Fraud Benchmark Report: Ecommerce Edition.
The report provides detailed analysis of ecommerce cyberattack activity over the past year, generated by unique insights and research on the web app traffic and threat patterns experienced by some of the largest and most respected brands in retail ecommerce.
The report provides a deep dive into the ways that cybercriminals use bots to scrape, validate and fraudulently use consumers’ identity and account information. Findings were taken from anonymous data collected during 2021, captured from live online interactions by millions of consumers and hundreds of millions of bots across hundreds of the world’s largest websites, mobile apps and application programming interfaces (APIs).
Analyzing billions of user interactions, key findings included:
- Bot attacks increased 106% year over year (YoY)
- Carding attacks increased 111% YoY
- Scraping attacks rose 240% YoY
“Mobile apps and websites continue to be the primary way consumers discover, shop and interact with a brand, especially during popular hype sales events,” said Kim DeCarlis, CMO of PerimeterX. “Stored credit cards, gift card balances, loyalty points and personally identifiable information (PII) make e-commerce apps the ideal target of threat actors who are increasingly leveraging automated attacks.”
Individual attacks themselves are not the only threat. Online accounts now hold a piece of a user’s identity, which is more valuable than a stored credit card alone. If a cybercriminal can hide behind a legitimate user’s identity, the opportunities to commit fraud increase significantly. This lays the foundation for the “web attack lifecycle”: digitally skimming PII to steal information, validating it with credential stuffing attacks, and fraudulently using it to commit ATO or create fake accounts.
The report also found:
- Sales of limited-edition sneakers experienced up to 71% of traffic from scalping bots during hype sales events in 2021, an increase from the 2020 peak of 46%
- Peak malicious login attempts increased from 84% in 2020 to 93% in 2021
- The three retail ecommerce segments that saw the most bad bot traffic were Health and Wellness (36%); Hardware, Software and Electronics (33%); and Sports and Recreation (27%)
- 74% of bot attacks came from desktop devices and the remainder from mobile devices
- The most malicious bot traffic globally came from the US and Canada
“Attackers are increasingly diverse in their sophistication and attack methods,” said Liel Strauch, PerimeterX Director of Cyber Security Research. “This includes technically adept youngsters, amateur botters, savvy professional cybercriminals and cybercrime communities, as well as a growing crime-as-a-service (CaaS) ecosystem that allows just about anyone to get in on the action.”
Automated Fraud Protection Best Practices
PerimeterX offers steps to help organizations reduce their risk and better defend against automated fraud, including:
- Assess your risks by conducting an audit of malicious activity
- Identify key web pages and make them harder to scrape
- Review your security infrastructure by identifying the strengths and weaknesses of your existing tools
- Analyze the impact of tools like CAPTCHAs and MFA on consumers
- Utilize machine learning and behavioral analysis to detect and mitigate malicious bots
“Ecommerce providers are often handicapped by limited visibility into only their own data,” DeCarlis said. “We’ve published this report as a service to the industry. Ecommerce providers can use the report to compare themselves against their peers, discover attack trends and learn ways to more efficiently safeguard their site and customers against fraud. We also provide guidance for protecting their revenue and reputation without adding friction to the buying journey.”
For a detailed breakdown of the types and frequency of attacks, and further recommendations, see the full Automated Fraud Benchmark Report and register for the webinar on April 13 at 10am PT.
About PerimeterX
PerimeterX is the leading provider of solutions that detect and stop the abuse of identity and account information on the web. Its cloud-native solutions detect risks to your web applications and proactively manage them, freeing you to focus on growth and innovation. The world’s largest and most reputable websites and mobile applications count on PerimeterX to safeguard their consumers’ digital experience while disrupting the lifecycle of web attacks. PerimeterX is headquartered in San Mateo, California, and can be found online at www.perimeterx.com.