Breaking the Silent Danger of Online Shopping

Application Programming Interfaces (APIs) have long formed the invisible backbone of online retail, allowing retailers to seamlessly integrate the intricate web of ecommerce systems and orchestrate everything from payment processing to shipping logistics and inventory management. However, this interconnectedness has also made the retail sector a lucrative target for threat actors. In 2023 alone, retailers faced a barrage of 19 billion malicious API requests, along with relentless attempts to exploit vulnerabilities along every link in the API chain, potentially leading to data theft, operational disruption, or financial loss.

Back-to-school season is prime time for threat actors. Retailers have recognized this for years and typically increase security during peak times. However, this approach is no longer foolproof. Sophisticated attackers are launching “attack runs” earlier in the year to lay the groundwork for seasonal sales, effectively bypassing retailers’ security restrictions.

Will Glazier

Director of the CQ Prime Threat Research team at Cequence Security.

Playing the long game

In the past, threat actors favored “smash and grab” cybercrime: simple, opportunistic schemes that targeted easily accessible vulnerabilities. Today, however, they are evolving. They are investing more time and resources into stealth, spreading out attacks over longer periods of time, with the goal of staying under the radar and causing greater damage at peak times.

Threat actors circumvented security lockdowns by creating large volumes of valid accounts via standard APIs earlier this year. This calculated move was designed to establish trust and credibility within the marketplace, leading to increased social sharing and reach well ahead of peak shopping season. Threat actors used advanced tooling and automation to amplify the legitimacy of the accounts and mimic normal user activity, including communicating with other accounts, liking content, and subscribing to services.

However, the scale of these operations often exceeds human capabilities, which raises red flags. The resulting flood of activity displaces legitimate users and compromises the integrity of the business and its marketplace. This type of attack is an example of the meticulous planning and persistence of modern retail attacks.

In addition to the long game, threat actors often employ a real-time tactic: account takeovers (ATOs). Instead of spending time creating thousands of “legitimate” accounts, ATOs target existing customer accounts and seize control, offering a much faster path to success. This threat is constant, but it’s no surprise that activity increases during peak shopping periods, with a staggering 410x increase in ATOs in the second half of the year.

Bot attacks remain a threat

Another tried-and-true tactic in the retailer’s digital battlefield is the ever-evolving bot attack. Remember the concert ticket craze or fleeting TikTok trends picked up by automated scripts? They’re just the tip of the iceberg. The ease with which bots manipulate systems is alarming: detailed Reddit threads, how-to guides, and even “top bot” rankings spread easily online. The numbers paint a grim picture: of the 154 billion API requests, a whopping 22 billion came from bots.

Here’s how these bot attacks work: Threat actors use tooling and automation to flood the system with a high volume of actions. They add large quantities of in-demand items to their shopping carts to corner the market and block legitimate customers from purchasing. Successful attacks result in attackers reselling these items elsewhere at exorbitant markups, further fueling customer and merchant frustration.
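On the detection side, the hoarding pattern described above shows up as carts that hold large quantities of one item for a long time without checking out. The following is an added example, not code from the article or from any vendor; the event format, account names, SKUs and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of cart API events: (timestamp_s, account, action, sku, qty)
SAMPLE_EVENTS = [
    (0,   "acct-101", "add",      "SKU-HOT",   1),
    (5,   "acct-900", "add",      "SKU-HOT",   40),
    (6,   "acct-900", "add",      "SKU-HOT",   40),
    (30,  "acct-101", "checkout", "SKU-HOT",   1),
    (40,  "acct-901", "add",      "SKU-HOT",   35),
    (50,  "acct-202", "add",      "SKU-SOCKS", 3),
    (700, "acct-202", "checkout", "SKU-SOCKS", 3),
]

def find_cart_hoarders(events, now, max_units=10, max_hold_s=600):
    """Return {account: {sku: held_units}} for carts that hold more than
    max_units of a SKU and have held it, unpurchased, longer than max_hold_s."""
    held = defaultdict(lambda: defaultdict(int))  # account -> sku -> units in cart
    first_add = {}                                # (account, sku) -> time hold began
    for ts, account, action, sku, qty in sorted(events):
        if ts > now:
            break  # ignore events after the evaluation time
        key = (account, sku)
        if action == "add":
            held[account][sku] += qty
            first_add.setdefault(key, ts)
        elif action in ("checkout", "remove"):
            held[account][sku] = max(0, held[account][sku] - qty)
            if held[account][sku] == 0:
                first_add.pop(key, None)  # hold released, reset the clock
    flagged = {}
    for account, skus in held.items():
        for sku, units in skus.items():
            if units > max_units and now - first_add[(account, sku)] > max_hold_s:
                flagged.setdefault(account, {})[sku] = units
    return flagged

if __name__ == "__main__":
    for account, skus in find_cart_hoarders(SAMPLE_EVENTS, now=900).items():
        print(account, skus)
```

In practice the thresholds would be set per item from normal purchase quantities, and a flagged cart would have its hold released rather than the account being blocked outright.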

What can retailers do to prepare?

The old model of quickly tightening cybersecurity before big sales is no longer enough. Because threat actors prepare well in advance, retailers must do the same. Creating a comprehensive, year-round security strategy is essential to effectively combat the surge in fake accounts and other threats during peak seasons.

Given the critical role of APIs in retail, businesses must fully understand their use and implement comprehensive defense strategies. Exposed and unmanaged APIs, or shadow APIs, are seen as low-hanging fruit for threat actors using “smash and grab” tactics. Visibility is paramount when it comes to API security. By carefully cataloging internal and external APIs, retailers can gain a comprehensive view of the entire attack surface, allowing them to enforce security compliance for each API. This comprehensive visibility is critical to effectively defending against quick attacks and more devious, long-term maneuvers, protecting the retail industry and building customer trust.
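One way to get the visibility described above is to compare the endpoints that actually receive traffic with the documented catalog and report everything else as a shadow API candidate. This is an added example, not code from the article; the catalog entries, the log format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed catalog of documented endpoints ("METHOD /path/{param}").
CATALOG = ["GET /v1/products", "GET /v1/orders/{id}",
           "POST /v1/cart/items", "POST /v1/accounts"]

# Constructed access-log sample: "METHOD PATH STATUS".
SAMPLE_LOG = """\
GET /v1/products?page=2 200
GET /v1/orders/8812 200
POST /v1/cart/items 201
GET /v1/internal/export/55 200
GET /v1/internal/export/56 200
POST /v2/accounts 201
GET /v1/orders/8813/ 200
"""

ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)

def compile_catalog(entries):
    """Turn each catalog template into (method, regex); {param} matches one segment."""
    patterns = []
    for entry in entries:
        method, template = entry.split(" ", 1)
        parts = ["[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
                 for s in template.strip("/").split("/")]
        patterns.append((method.upper(), re.compile("/" + "/".join(parts) + "/?$")))
    return patterns

def normalize(path):
    """Collapse numeric and UUID segments so one endpoint is reported once."""
    segs = ["{id}" if ID_SEGMENT.match(s) else s for s in path.strip("/").split("/")]
    return "/" + "/".join(segs)

def find_shadow_endpoints(log_text, catalog):
    """Return {"METHOD /normalized/path": hits} for traffic not in the catalog."""
    patterns = compile_catalog(catalog)
    shadow = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip malformed lines
        method, path = fields[0].upper(), fields[1].split("?", 1)[0]
        if any(m == method and p.match(path) for m, p in patterns):
            continue  # documented endpoint
        shadow[f"{method} {normalize(path)}"] += 1
    return dict(shadow)
```

On the sample log this reports the undocumented `/v1/internal/export/{id}` route and the unlisted `/v2/accounts` version, the kind of exposed and unmanaged endpoints the paragraph above calls shadow APIs.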


This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of Ny BreakingPro or Future plc. If you’re interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
