CA-IMPERVA
3.11.2022 13:02:06 CET | Business Wire | Press release
Imperva, Inc., (@Imperva) the cybersecurity leader whose mission is to help organizations protect their data and all paths to it, releases The State of Security Within eCommerce 2022 report, a 12-month analysis by Imperva Threat Research of cybersecurity threats targeting the retail industry. A range of automated threats -- from account takeover, credit card fraud, web scraping, API abuses, Grinch bots, and distributed denial of service (DDoS) attacks -- were a persistent challenge for the eCommerce industry, threatening online sales and customer satisfaction. The continued barrage of attacks on retailers’ websites, applications, and APIs throughout the calendar year, and during the peak holiday shopping season, is a continued business risk for the retail industry.
“The holiday shopping season is a critical period for the retail industry, and security threats could undermine retailers’ bottom line again in 2022,” says Lynn Marks, Senior Product Manager, Imperva. “This industry faces a variety of security risks, the majority of which are automated and operate around the clock. Retailers need a unified approach to stop these persistent attacks, one that focuses on the protection of data and is equipped to mitigate attacks quickly without disrupting shoppers.”
An Automated Adversary: Bad Bots & Online Fraud Plague Retail Sites
In the past 12 months, nearly 40% of traffic on retailers’ websites didn’t come from a human. Instead, it came from a bot, software applications controlled by operators that run automated tasks, often with malicious intent. In the retail industry, the infamous Grinch bot is notorious for inventory hoarding during the holiday shopping season, scooping up high-demand items and making it challenging for consumers to purchase gifts online.
Some of the key trends monitored by Imperva include:
- Of all the traffic on retailers’ websites, nearly one-quarter (23.7%) was attributed specifically to bad bots, malicious automation that contributes to online fraud. The proportion of advanced bots -- scripts that use the latest evasion techniques to mimic human behavior and avoid detection -- on retail sites grew over the prior year (from 23.4% to 31.1%). Advanced bots are a considerable challenge for organizations to stop without the right defenses in place.
- In 2021, bot-related attacks on retail sites grew 10% in October and grew another 34% in November, suggesting that bot operators increase their nefarious efforts around peak holiday shopping periods.
- Account takeover (ATO) is another form of online fraud in which cybercriminals attempt to compromise online accounts by using stolen passwords and usernames. In 2021, 64.1% of ATO attacks used an advanced bad bot. Of all login attempts on retail websites, 22.6% were malicious, nearly twice the volume that was recorded on sites across other industries. Attackers used leaked credentials 94.7% of the time in credential stuffing attacks targeting retailers, compared to 69.6% of the time in other industries.
API Abuses and Attacks Multiply, Creating New Challenges for Retailers
APIs are the invisible connective tissue that enable applications to share data and invoke digital services. Analysis by Imperva Threat Research finds that traffic from an API accounts for 41.6% of all traffic to online retailers’ sites and applications. Of that, 12% of traffic directs to endpoints, like a database, where personal data is stored (e.g. credentials, identification numbers, etc.). More concerning, 3 - 5% of API traffic is directed to undocumented or Shadow APIs, endpoints that security teams don’t know exist or no longer protect.
Exposed or vulnerable APIs are a considerable threat for retailers because attackers can use the API as a pathway for exfiltrating customer data and payment information. API abuses are often carried out through automated attacks where a botnet floods the API with unwanted traffic, seeking vulnerable applications and unprotected data. In 2021, API attacks increased by 35% between September and October, and then spiked another 22% in November on top of the previous months’ elevated attack levels. This finding suggests that bad actors scale their efforts around the holiday shopping season as more data is exchanged between the APIs and applications that power eCommerce services.
Beware of Downtime: DDoS Attacks Continue to Threaten Retailers
A distributed denial of service (DDoS) attack is an automated threat that attempts to disrupt critical business operations by flooding the network or application infrastructure with malicious traffic. The attacks are often launched by a botnet, a group of compromised connected devices that are distributed across the Internet and operated by a single party.
Imperva Threat Research finds that DDoS attacks in 2022 are larger and stronger across all industries. The number of incidents recorded that were greater than 100 Gbps doubled, and attacks larger than 500 Gbps/0.5 Tbps increased 287%. What’s more, those targeted by an attack are often attacked again within 24 hours. In fact, 55% of websites hit by an application layer DDoS and 80% hit by a network layer DDoS were attacked multiple times.
A DDoS attack is a nonstop threat for retailers. The downtime caused by a DDoS attack can lead to site disruption, reputational damage, and revenue loss. A DDoS is a critical threat to online retailers that rely on application performance and availability to enable digital storefronts.
Additional Information:
- Download the The State of Security Within e-Commerce 2022 report
- Learn how Imperva products and solutions help retailers protect their applications, APIs, and data from security risks.
- See how bad bots create business disruption across different industries.
- Check out the Imperva Blog for the latest product and solution news, and threat intelligence from Imperva Threat Research.
About Imperva:
Imperva is the comprehensive digital security leader on a mission to help organizations protect their data and all paths to it. Only Imperva protects all digital experiences, from business logic to APIs, microservices, and the data layer, and from vulnerable, legacy environments to cloud-first organizations. Customers around the world trust Imperva to protect their applications, data, and websites from cyber attacks. With an integrated approach combining edge, application security, and data security, Imperva protects companies ranging from cloud-native start-ups to global multi-nationals with hybrid infrastructure. Imperva Threat Research and our global intelligence community keep Imperva ahead of the threat landscape and seamlessly integrate the latest security, privacy, and compliance expertise into our solutions.
© 2022 Imperva, Inc. All rights reserved. Imperva is a registered trademark of Imperva, Inc.
To view this piece of content from cts.businesswire.com, please give your consent at the top of this page.
View source version on businesswire.com: https://www.businesswire.com/news/home/20221103005435/en/
About Business Wire
Subscribe to releases from Business Wire
Subscribe to all the latest releases from Business Wire by registering your e-mail address below. You can unsubscribe at any time.
Latest releases from Business Wire
Forrester’s 2027 Budget Planning Guides: After A Year Of Caution, Business And Tech Leaders Are Ready To Invest Again15.7.2026 11:00:00 CEST | Press release
While leaders are betting on growth, in the age of AI, spending more is no longer enough According to Forrester’s (Nasdaq: FORR) 2027 Budget Planning Guides, business and technology leaders are approaching 2027 with renewed confidence as they increasingly accept volatility as a permanent feature of the business environment. After a year of more cautious spending, more than 80% of leaders expect their budgets to increase over the next 12 months, with as many as one-quarter anticipating growth of 10% or more. But planning in the age of AI demands more than bigger budgets: Increasing investment without modernizing operating models, strengthening data foundations, and improving AI readiness will only accelerate fragmented data, duplicated work, and technical debt. To realize AI’s full potential, leaders must rethink their strategies and prioritize investments in operational foundations, governance, and experimentation that drive tangible outcomes. This year, optimism is widespread across f
Post-Quantum’s Algorithm - Classic McEliece - Achieves Global ISO Standardization to Protect the World From Quantum Cyber Attack15.7.2026 10:00:00 CEST | Press release
Ultra-secure encryption algorithm added to ISO standard for Asymmetric Ciphers Classic McEliece is first PQC algorithm to achieve global standardization Organisations in 177 ISO member states can now adopt Classic McEliece to remain secure from attack by both classical and quantum computers Governments including Germany and the Netherlands already recommend the highly secure Classic McEliece algorithm due to its unmatched security credentials It’s proven that today’s encryption is vulnerable to attack by a sufficiently mature quantum computer running Shor’s algorithm - a catastrophic event commonly known as Q-Day. Even before such a cryptographically relevant quantum computer emerges it is known that adversaries are stealing encrypted data now, which can be decrypted later - also known as Harvest Now, Decrypt Later (HNDL). Google’s recent use of Artificial Intelligence (AI) to optimise Shor’s algorithm reduces the number of physical qubits required to break today’s encryption, therefor
Thredd Joins The Visa Agentic Ready Programme, Bringing Agent Network Readiness To Issuers Across Europe, Starting With Zilch15.7.2026 09:00:00 CEST | Press release
Thredd, the AI-first issuer processing platform, today announced it has joined the Visa Agentic Ready programme, enabling issuers across Europe to participate in agent-initiated payments without rebuilding their payments infrastructure. Consumer payments platform Zilch will be among the first issuers on the platform to enable agent-initiated payments for its cardholders. As a processor and enabler, Thredd sits at the trust layer of the payments ecosystem. By joining the programme, Thredd is ready to support Visa and its clients as the market moves into agentic commerce. Agentic commerce introduces a new type of payment initiator: An AI agent acting on a cardholder's behalf. The core payments principles do not change. Cardholder permission, issuer approval, authentication and fraud monitoring all still apply. What changes is how trust is established and enforced at the point an agent transacts. Taking a Zilch customer as an example, a cardholder might ask an AI agent to find a product w
Surgerii Robotics Announces First European Installation of the SHURUI® Single-Port Surgical System at Vall d'Hebron University Hospital15.7.2026 09:00:00 CEST | Press release
Surgerii Robotics today announced the first European installation of its SHURUI Single-Port (SP) Surgical System at Vall d'Hebron University Hospital in Barcelona, Spain, one of Europe's leading academic medical centers. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260713209503/en/ The first pediatric procedure performed with the SHURUI SP system was a nephroureterectomy on a twelve-year-old boy whose kidney and ureter had become infected and non-functional due to multiple stones. The SHURUI SP system is CE-marked for adult and pediatric use, making it the only CE-marked single-port robotic surgical system currently indicated for pediatric procedures in Europe. The installation marks an important milestone in the international expansion of Surgerii Robotics and the introduction of the technology into a major European reference center. As part of this collaboration, Vall d'Hebron University Hospital has become the first hos
SES, Airbus and Dutch Municipality of Noordwijk to Build Satellite Optical Ground Station for EAGLE-115.7.2026 08:50:00 CEST | Press release
The parties signed a ground lease agreement allowing installation of the optical ground station (OGS) at the NL Space Campus SES, a space solutions company, jointly with Airbus Netherlands B.V. signed a ground lease agreement with the Dutch municipality of Noordwijk for a plot at the NL Space Campus, next to the European Space Agency’s (ESA) technical center ESTeC. The facility will host a dedicated optical ground station (OGS) to communicate with the EAGLE-1 satellite and receive quantum safe keys via laser technology. This press release features multimedia. View the full release here: https://www.businesswire.com/news/home/20260714786947/en/ Breaking the ground of the EAGLE-1 Optical Ground Station, Municipality of Noordwijk, the Netherlands. Pictured left to right: Pim van Strien, Alderman for the Municipality of Noordwijk; Rob Postma, President and Managing Director, Airbus Netherlands; Alan Kuresevic, Managing Director, SES Techcom, SES. The station, to be built by Airbus for SES,
In our pressroom you can read all our latest releases, find our press contacts, images, documents and other relevant information about us.
Visit our pressroom
