Three Proactive Measures to Safeguard Your Retail Business

Discover how to safeguard your ecommerce business from bot attacks.

June 6, 2023

The ecommerce killchain

Bots cost retailers money, frustrate customers and tie up resources. So what can ecommerce merchants do to stop them? James Sherlow of Cequence Security outlines the several points in the purchasing journey at which these attacks can be stopped.

Bots are the scourge of retailers, disguising themselves as legitimate consumers to scalp high-value items, carry out account takeover (ATO) attacks, or commit credit card fraud. Because they hide in plain sight they are very difficult to detect, and they are a growing problem: three billion shopping bots targeted Application Programming Interfaces (APIs) during the first half of 2022.

The increase is largely due to the emergence of bots-as-a-service, which eliminates much of the effort required to execute an automated attack. A malicious actor can now pick from a library of bots built for their chosen target and then simply subscribe to the service to run the attack. They no longer need to write scripts or source credentials, infrastructure, and tools themselves, because the service bundles all three for them.

Some retailers have tried compulsory user registration to keep bots out. This adds friction for real consumers and is of limited effectiveness, because bots can easily create throwaway email addresses to fool the system. So what can ecommerce merchants do to prevent these bot attacks?

1. Stages In the Journey

The good news is that ecommerce retailers have multiple opportunities to kill an automated, bot-driven attack at various points in the purchasing journey. From the moment products are placed in the shopping cart, through order placement, to order confirmation, each step is an opportunity to verify the authenticity of the purchaser and to investigate or block the purchase, using bot detection and API protection integrated with the backend ecommerce systems.

Bots attack ecommerce sites at speed and rotate through different IP addresses using bulletproof proxies, typically residential IP addresses that have been harvested and resold on the black market, so that each request appears to come from an ordinary home connection. This first phase is where many bots go unnoticed: the retailer cannot flag a suspect IP address quickly enough to stop the bot moving on to the next stage, and if no further defense mechanisms are in place, the bot will most likely succeed.

As mentioned previously, user registration is not always an effective defense, because bots can farm email addresses to create accounts, or register with "keyboard-smashed" addresses made up of a random selection of characters. Monitoring registrations does, however, allow suspicious-looking email addresses to be flagged for investigation.
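To make the "flag suspicious-looking email addresses" step concrete, here is an added example (not code from the article or from Cequence Security) that scores a registration address on a few cheap heuristics: a known throwaway-mail domain, a vowel-poor or consonant-heavy local part, high character entropy, and a digit-heavy local part. The domain list, thresholds and weights are assumptions for illustration; a real deployment would tune them against the merchant's own registration data and send flagged addresses to review rather than block outright.

```python
import math
from collections import Counter

# Assumed, constructed list of throwaway-mail domains (not the article's data);
# a production system would use a maintained feed.
DISPOSABLE_DOMAINS = {"mailinator.com", "guerrillamail.com", "10minutemail.com"}
VOWELS = set("aeiou")
FLAG_THRESHOLD = 40  # assumed: a score at or above this goes to manual review


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; random keyboard-smash tends to score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Longest run of consecutive consonant letters (digits and punctuation break the run)."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def score_email(address: str) -> tuple[int, list[str]]:
    """Return (score 0-100, reasons). Higher means more likely fake or keyboard-smashed."""
    address = address.strip().lower()
    if address.count("@") != 1:
        return 100, ["malformed address"]
    local, domain = address.split("@")
    score, reasons = 0, []

    if domain in DISPOSABLE_DOMAINS:
        score += 40
        reasons.append("disposable domain")

    letters = [c for c in local if c.isalpha()]
    if letters:
        vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
        if vowel_ratio < 0.2:  # real names and words rarely go this low
            score += 25
            reasons.append(f"low vowel ratio ({vowel_ratio:.2f})")

    if longest_consonant_run(local) >= 5:
        score += 20
        reasons.append("long consonant run")

    entropy = shannon_entropy(local)
    if len(local) >= 8 and entropy > 3.5:
        score += 15
        reasons.append(f"high entropy ({entropy:.2f} bits/char)")

    if local and sum(c.isdigit() for c in local) / len(local) > 0.4:
        score += 15
        reasons.append("digit-heavy local part")

    return min(score, 100), reasons


def review_registrations(addresses: list[str]) -> list[tuple[str, int, list[str]]]:
    """Addresses at or above FLAG_THRESHOLD, worst first, for the fraud team's queue."""
    flagged = []
    for addr in addresses:
        score, reasons = score_email(addr)
        if score >= FLAG_THRESHOLD:
            flagged.append((addr, score, reasons))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    # Constructed sample registrations, not real accounts.
    sample = ["jane.doe@example.com", "qwhsdjkfhg@gmail.com", "x7q9z2k4m1@mailinator.com"]
    for addr, score, reasons in review_registrations(sample):
        print(f"{score:3d}  {addr}  {', '.join(reasons)}")
```

The heuristics deliberately stay cheap so they can run inline on the registration API; the point is to queue the suspicious minority for a human or a second-factor challenge, not to make a blocking decision on an email address alone.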


2. Validating a Purchase

Should the bot avoid detection at the registration stage, the product will by now have been added to the online shopping cart. If suspicions are raised, the merchant might lock the account to buy time to check the legitimacy of the purchase. That is likely to frustrate genuine customers, so it makes more sense to ask the user to reauthenticate with a second factor sent to the email address they supplied. If no confirmation arrives, the merchant can delete the cart and even prevent the bot from adding the same item to a new cart.
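The hold-then-challenge flow described above, as an added illustration that is not the article's or Cequence Security's code: the merchant holds the cart, emails a one-time confirmation token, releases the cart if a valid token comes back within the window, and otherwise deletes the cart and refuses to let the same account re-add the same items. The token is an HMAC over the account, a random nonce and the expiry time, so it cannot be forged or reused after it lapses. The 15-minute TTL, keying the block on account and SKU, and the in-memory stores are assumptions for illustration; a real system would persist state and also key the block on device and payment fingerprints.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CHALLENGE_TTL_S = 15 * 60  # assumed: the customer has 15 minutes to confirm by email


@dataclass
class Cart:
    account: str
    items: dict = field(default_factory=dict)  # sku -> quantity
    held: bool = False                          # True while a challenge is outstanding


class CartGuard:
    """Holds a suspicious cart behind an emailed one-time token.

    `clock` is injectable so expiry can be exercised without waiting."""

    def __init__(self, secret: bytes, clock=time.time):
        self._secret = secret
        self._clock = clock
        self.carts: dict[str, Cart] = {}
        self.pending: dict[str, tuple[str, int]] = {}  # account -> (nonce, expiry)
        self.blocked: set[tuple[str, str]] = set()     # (account, sku) refused after a lapsed challenge

    def add_item(self, account: str, sku: str, qty: int = 1) -> bool:
        """Add to the cart unless the cart is held or the pair was blocked earlier."""
        if (account, sku) in self.blocked:
            return False
        cart = self.carts.setdefault(account, Cart(account))
        if cart.held:
            return False
        cart.items[sku] = cart.items.get(sku, 0) + qty
        return True

    def _token(self, account: str, nonce: str, expiry: int) -> str:
        msg = f"{account}|{nonce}|{expiry}".encode()
        mac = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return f"{nonce}.{expiry}.{mac}"

    def hold_and_challenge(self, account: str) -> str:
        """Lock the cart and return the token to send to the account's email address."""
        cart = self.carts.setdefault(account, Cart(account))
        cart.held = True
        nonce = secrets.token_hex(16)
        expiry = int(self._clock()) + CHALLENGE_TTL_S
        self.pending[account] = (nonce, expiry)
        return self._token(account, nonce, expiry)

    def confirm(self, account: str, token: str) -> bool:
        """Release the cart if the token matches the outstanding challenge and is unexpired."""
        pending = self.pending.get(account)
        if pending is None:
            return False
        nonce, expiry = pending
        if self._clock() > expiry:
            return False
        expected = self._token(account, nonce, expiry)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False
        del self.pending[account]           # token is single-use
        self.carts[account].held = False
        return True

    def expire_unconfirmed(self) -> list[str]:
        """Delete carts whose challenge lapsed and block re-adding the same items."""
        now = self._clock()
        lapsed = [a for a, (_, expiry) in self.pending.items() if now > expiry]
        for account in lapsed:
            cart = self.carts.pop(account)
            for sku in cart.items:
                self.blocked.add((account, sku))
            del self.pending[account]
        return lapsed


if __name__ == "__main__":
    guard = CartGuard(secret=b"rotate-me-in-production")  # assumed demo key
    guard.add_item("alice@example.com", "CONSOLE-1")
    token = guard.hold_and_challenge("alice@example.com")
    print("emailed token:", token)
    print("confirmed:", guard.confirm("alice@example.com", token))
```

`expire_unconfirmed` is meant to run from a periodic job; anything still pending after the TTL is treated as a failed challenge, which is the "delete the cart and stop the same item being re-added" step from the text.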

If things have proceeded smoothly to this point and the bot remains undetected, the order will be placed and the merchant's systems will issue an order confirmation. There is still an opportunity to spot the bot here: interrogating purchase orders with machine-learning-based bot defense to look for anomalies allows fake orders to be identified, triggering the system to issue an 'order cannot be processed' email from the merchant.


3. The Killchain in Action

Adopting a layered approach to bot defense yields real benefits in a variety of purchase scenarios. Gift cards, for example, are a prime target for bots, and in one retailer's case a major gift card fraud scheme was stopped using bot detection. Abnormally high traffic volumes were the first indication that something was wrong. Further investigation revealed that the traffic came from multiple locations around the world, even though the merchant served only a single market. The attack used a bulletproof proxy network; when those requests were blocked, the operator quickly reconfigured the bot to submit requests only through local proxies.

Other anomalies confirmed that these requests differed from normal gift card transactions. There was no Referer header, the requests came from very old user agents (browser versions), and the traffic was "bursty", which suggested the threat actor had compiled a list of gift card numbers and was checking them all in rapid succession. Bot detection was able to block these attempts even as the attacker repeatedly retooled, thwarting an attack that would have cost hundreds of thousands.
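The signals from this case (traffic outside the merchant's single market, missing Referer, obsolete browser versions, bursty request timing) can be scored per source address from ordinary access logs. The following is an added example written for this article, not Cequence Security's detection engine or the retailer's data: it parses constructed, tab-separated sample lines and scores each client IP that touched the gift card API. The market list, browser-version cut-off, burst window and weights are assumptions to be tuned against real baseline traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

MERCHANT_MARKET = {"GB"}  # assumed: the retailer serves only one country
MIN_CHROME_MAJOR = 100    # assumed: Chrome builds older than this are treated as suspect
BURST_WINDOW_S = 10       # assumed: sliding window for burst detection
BURST_THRESHOLD = 5       # assumed: this many hits inside the window counts as bursty
BLOCK_THRESHOLD = 60      # assumed: a score at or above this is blocked

CHROME_RE = re.compile(r"Chrome/(\d+)")

OLD_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/49.0.2623.112 Safari/537.36")
NEW_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/114.0.0.0 Safari/537.36")


def _line(ts, ip, country, path, referer, ua):
    # Field order of the constructed log: timestamp, client IP, geo country,
    # request path, Referer ("-" if absent), User-Agent.
    return "\t".join([ts, ip, country, path, referer, ua])


# Constructed sample traffic (not real logs): one scripted checker hammering the
# balance endpoint from outside the market with no Referer and an old browser,
# plus two genuine shoppers.
SAMPLE_LOG = [
    _line("2023-06-01T10:00:00Z", "203.0.113.7", "BR", "/api/giftcard/balance", "-", OLD_UA),
    _line("2023-06-01T10:00:01Z", "203.0.113.7", "BR", "/api/giftcard/balance", "-", OLD_UA),
    _line("2023-06-01T10:00:02Z", "203.0.113.7", "BR", "/api/giftcard/balance", "-", OLD_UA),
    _line("2023-06-01T10:00:03Z", "203.0.113.7", "BR", "/api/giftcard/balance", "-", OLD_UA),
    _line("2023-06-01T10:00:05Z", "203.0.113.7", "BR", "/api/giftcard/balance", "-", OLD_UA),
    _line("2023-06-01T10:00:08Z", "203.0.113.7", "BR", "/api/giftcard/balance", "-", OLD_UA),
    _line("2023-06-01T10:00:04Z", "198.51.100.20", "GB", "/api/giftcard/balance", "https://shop.example/giftcards", NEW_UA),
    _line("2023-06-01T10:01:04Z", "198.51.100.20", "GB", "/api/giftcard/redeem", "https://shop.example/checkout", NEW_UA),
    _line("2023-06-01T10:00:09Z", "198.51.100.33", "GB", "/api/cart", "https://shop.example/", NEW_UA),
]


def parse_line(line: str) -> dict:
    ts, ip, country, path, referer, ua = line.split("\t")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip, "country": country, "path": path,
        "referer": None if referer == "-" else referer,
        "ua": ua,
    }


def is_outdated_ua(ua: str) -> bool:
    m = CHROME_RE.search(ua)
    if m:
        return int(m.group(1)) < MIN_CHROME_MAJOR
    return "MSIE" in ua or "Trident/" in ua  # legacy Internet Explorer


def max_burst(timestamps) -> int:
    """Largest number of requests inside any BURST_WINDOW_S sliding window."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > BURST_WINDOW_S:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_clients(lines, path_prefix="/api/giftcard/") -> dict:
    """Score each client IP that touched the gift card API; returns ip -> verdict."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["path"].startswith(path_prefix):
            by_ip[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in by_ip.items():
        score, reasons = 0, []
        if any(r["country"] not in MERCHANT_MARKET for r in recs):
            score += 30
            reasons.append("outside merchant market")
        if sum(r["referer"] is None for r in recs) > len(recs) / 2:
            score += 20
            reasons.append("no Referer on most requests")
        if any(is_outdated_ua(r["ua"]) for r in recs):
            score += 20
            reasons.append("outdated browser user agent")
        burst = max_burst(r["ts"] for r in recs)
        if burst >= BURST_THRESHOLD:
            score += 30
            reasons.append(f"bursty: {burst} requests within {BURST_WINDOW_S}s")
        verdicts[ip] = {"score": score, "requests": len(recs), "reasons": reasons,
                        "block": score >= BLOCK_THRESHOLD}
    return verdicts


if __name__ == "__main__":
    for ip, v in score_clients(SAMPLE_LOG).items():
        print(ip, v["score"], "BLOCK" if v["block"] else "allow", "; ".join(v["reasons"]))
```

Keying on the client IP is the simplest version; the retooling described above (switching to local proxies) is exactly why the geography signal alone is not enough, and why the Referer, user-agent and timing signals keep scoring the same operator even after the source addresses change.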

The direct impact, the financial loss on each card, is obvious, but these attacks also carry indirect costs. High-volume attacks make websites and mobile apps unresponsive, frustrating users and costing the business customers. They also monopolize resources through the inordinate time spent investigating individual accounts, issuing account resets, or deleting recommendations during fake-account or ATO attacks, time the fraud team could spend on broader goals. And the attacks skew analytics, leading to poor or misleading sales program decisions, missed revenue projections, and damaged vendor relationships.

The key to mitigating ecommerce bot attacks is therefore to minimize the drain on resources, create multiple points of capture along the purchase journey, and, above all, protect the customer experience. Bot detection can now integrate with ecommerce back-end systems to deliver on all three fronts, but with stakes this high, these threat actors will return.


James Sherlow

Director Field Services Engineer, EMEA, Cequence Security

James Sherlow is Systems Engineering Director for EMEA at Cequence Security. He has extensive application security engineering experience gained in both the private and public sectors. Through many years of practical engineering experience and research, he has become an acknowledged expert in cyber security and threat intelligence, as well as in the secure application delivery of content and the varying risks and threats associated with them.