While cybersecurity threats are a concern for the retail sector all year-round, they become even more pronounced during the busy holiday shopping season. During this time, cybercriminals focus on taking advantage of the increased volume of digital transactions, limited-time promotions, gift cards and loyalty points stored in customer accounts.

Half a million AI-driven retail attacks daily

The latest advancements in artificial intelligence (AI) and large language model technologies (LLMs) have made it even easier for malicious actors to carry out large scale attacks.

Recent data collected by Imperva Threat Research, a Thales company, between April 2024 and September 2024 reveals that on average, retail sites collectively experience over half a million AI-driven attacks every day.

Some 569,884 of those daily attacks originate from bots and tools generated and fine-tuned by cybercriminals using AI LLMs.

Cybercriminals target operations, data and reputations

This year, over half of Aussie shoppers plan to do their Christmas shopping during Click Frenzy, Black Friday, and Cyber Monday according to CouriersPlease. These back-to-back sales events, which take place over just three weeks, will be a hugely busy and highly lucrative period for retailers – and cybercriminals.

Without robust defenses, retailers risk facing a perfect storm of AI-driven attacks, such as Grinch Bots and Distributed Denial-of-Service (DDoS) that could disrupt operations, compromise customer data, and tarnish reputations during the most critical time of the year.

To effectively mitigate these threats, retailers must adopt a comprehensive strategy that not only defends against attacks but also allows them to respond swiftly, without disrupting the shopping experience.

Big four AI attacks

1. Business Logic Abuse is the most common AI-driven bot attack against retailers (30.7%). It involves exploiting the legitimate functionalities of an application or API to carry out malicious actions, such as manipulating prices, bypassing authentication, or abusing discount codes. Using AI to assist with bot creation and fine tuning enables attackers to swiftly automate business logic attacks at scale, making them more difficult to detect and mitigate.

How to protect: retailers should implement strict validation on all user inputs, employ anomaly detection systems to identify unusual activities, and regularly audit the way their business logic and processes are implemented to identify areas that could be abused.
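The following is an added illustration, not code from the article or from Imperva, of the "strict validation" advice above. It places a checkout handler that trusts client-supplied prices and allows unlimited coupon reuse next to a hardened version that prices from a server-side catalogue, bounds quantities, enforces single-use coupons per account, and exposes a simple anomaly signal (repeated failed redemptions). The catalogue, coupon table, SKUs and thresholds are constructed for the example.

```python
"""Constructed checkout example: an abuse-prone handler beside a hardened one."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed server-side catalogue and coupon rules (not from the article).
CATALOGUE = {"sku-console": 499.00, "sku-game": 59.00}
COUPONS = {"XMAS10": {"percent": 10, "single_use": True}}
MAX_QTY_PER_LINE = 5  # assumed per-line purchase cap


class OrderRejected(Exception):
    """Raised when the hardened handler refuses an order."""


@dataclass
class Account:
    account_id: str
    used_coupons: set = field(default_factory=set)
    failed_coupon_attempts: int = 0


def checkout_vulnerable(cart: dict, coupon: Optional[str]) -> float:
    """Abuse-prone pattern: price and quantity are taken from the client,
    and a coupon can be applied any number of times."""
    total = sum(item["price"] * item["qty"] for item in cart["items"])
    if coupon in COUPONS:
        total *= (100 - COUPONS[coupon]["percent"]) / 100
    return round(total, 2)


def checkout_hardened(cart: dict, coupon: Optional[str], account: Account) -> float:
    """Hardened pattern: server-side pricing, bounded quantities, single-use coupons."""
    total = 0.0
    for item in cart["items"]:
        sku = item.get("sku")
        qty = item.get("qty")
        # Strict validation: the price always comes from the catalogue, never the request.
        if sku not in CATALOGUE:
            raise OrderRejected(f"unknown sku {sku!r}")
        # Quantity must be a genuine int in [1, MAX_QTY_PER_LINE]; bool is excluded.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY_PER_LINE:
            raise OrderRejected(f"invalid quantity {qty!r} for {sku}")
        total += CATALOGUE[sku] * qty
    if coupon is not None:
        rule = COUPONS.get(coupon)
        if rule is None or (rule["single_use"] and coupon in account.used_coupons):
            # Count the failure so repeated probing becomes visible to anomaly detection.
            account.failed_coupon_attempts += 1
            raise OrderRejected("coupon invalid or already redeemed")
        account.used_coupons.add(coupon)
        total *= (100 - rule["percent"]) / 100
    return round(total, 2)


def coupon_abuse_suspected(account: Account, threshold: int = 3) -> bool:
    """Minimal anomaly signal: repeated failed coupon redemptions on one account."""
    return account.failed_coupon_attempts >= threshold


if __name__ == "__main__":
    tampered = {"items": [{"sku": "sku-console", "price": 0.01, "qty": 1}]}
    print("vulnerable total:", checkout_vulnerable(tampered, "XMAS10"))
    acct = Account("acct-1")
    print("hardened total:", checkout_hardened({"items": [{"sku": "sku-console", "qty": 1}]}, "XMAS10", acct))
```

The vulnerable handler happily charges one cent for a console because it never consults the catalogue; the hardened one ignores any client-supplied price, rejects out-of-range quantities, and records each failed coupon attempt so that an account hammering the coupon endpoint can be flagged.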

2. DDoS attacks represent 30.6% of all AI-driven attacks to retailers. In particular, application-layer DDoS attacks aim to overwhelm a website’s resources. This results in downtime that can lead to lost sales and reputational damage, especially during peak shopping periods.

Retailers experience an average of 24 network DDoS attacks daily, and according to the Imperva 2024 DDoS Threat Landscape report application-layer DDoS attacks on retail websites have increased 61% since last year.

Cybercriminals are now leveraging AI to coordinate large botnets more efficiently, enhancing the effectiveness of these attacks.

How to protect: Retailers should invest in a DDoS protection solution that utilises a multi-layered approach (including machine learning) to help detect and mitigate DDoS attack traffic in real time, ensuring that legitimate customer traffic is not impacted.

3. Bad Bot attacks account for 20.8% of AI-driven threats targeting retailers. These automated threats engage in disruptive activities such as scraping pricing data, credential stuffing, and inventory hoarding (also known as scalping). The infamous Grinch Bot is notorious for its inventory hoarding during the holiday shopping season, making it increasingly difficult for consumers to purchase high-demand items.

With advancements in AI, bot operators can now create bots that convincingly mimic human behavior by solving and bypassing traditional controls like CAPTCHA challenges.

How to protect: to combat this threat, retailers should implement bot management solutions that utilise behavioral analytics and layered fingerprinting techniques to differentiate between genuine users and sophisticated bots.

4. API Violations are on the rise, accounting for 16.1% of AI-driven attacks on retailers, a trend driven by eCommerce platforms increasingly exposing APIs for mobile applications and third-party integrations.

Cybercriminals exploit vulnerabilities in APIs to gain unauthorised access to sensitive data or functionality. With the assistance of AI, reconnaissance tools used by attackers can quickly identify weak points in API implementations, making these weaknesses easier and faster to catalogue and then exploit.

How to protect: To safeguard their APIs, retailers should leverage solutions that can continuously discover, catalogue and assess their API assets for weaknesses. They should enforce strict authentication and authorisation for each API endpoint, implement intelligent rate limiting to prevent abuse, and regularly conduct comprehensive security assessments and penetration testing.
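As an added example (not code from the article or any Imperva product), the gateway check below shows what "strict authentication and authorisation for each API endpoint" plus "rate limiting" look like in one place: every request is denied unless the API key is known, the endpoint is in the policy table, the key carries the scope that endpoint requires, and the caller is inside a per-key, per-endpoint sliding-window limit. The endpoint table, scopes, API keys and limits are constructed for the illustration; the clock is injectable so the window logic can be exercised deterministically.

```python
"""Constructed API gateway check: per-endpoint authorisation plus sliding-window rate limiting."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

WINDOW_SECONDS = 60  # assumed rate-limit window

# Constructed policy: (method, path) -> (required scope, requests allowed per window).
# Write-style endpoints get tighter limits than the read-only catalogue.
ENDPOINT_POLICY = {
    ("GET", "/v1/products"): ("catalogue:read", 600),
    ("POST", "/v1/orders"): ("orders:write", 30),
    ("POST", "/v1/coupons/validate"): ("coupons:validate", 10),
}

# Constructed credential table: api key -> granted scopes.
API_KEYS = {
    "key-mobile-app": {"catalogue:read", "orders:write", "coupons:validate"},
    "key-partner-feed": {"catalogue:read"},
}


class Gateway:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        # Timestamps of recent accepted requests, keyed by (api_key, method, path).
        self._hits: Dict[Tuple[str, str, str], Deque[float]] = defaultdict(deque)

    def authorize(self, method: str, path: str, api_key: str) -> Tuple[int, str]:
        """Return an (HTTP status, reason) pair; anything but 200 means the request is dropped."""
        scopes = API_KEYS.get(api_key)
        if scopes is None:
            return 401, "unknown api key"
        policy = ENDPOINT_POLICY.get((method, path))
        if policy is None:
            # Deny by default: an endpoint absent from the policy table is never proxied.
            return 404, "endpoint not in policy"
        required_scope, limit = policy
        if required_scope not in scopes:
            return 403, "scope missing"
        # Sliding window: discard hits older than the window, then compare the remainder to the limit.
        now = self.clock()
        hits = self._hits[(api_key, method, path)]
        while hits and now - hits[0] >= WINDOW_SECONDS:
            hits.popleft()
        if len(hits) >= limit:
            return 429, "rate limit exceeded"
        hits.append(now)
        return 200, "ok"


if __name__ == "__main__":
    gw = Gateway()
    print(gw.authorize("POST", "/v1/orders", "key-partner-feed"))   # 403: read-only partner key
    print(gw.authorize("GET", "/v1/products", "key-partner-feed"))  # 200
```

Separating the checks and returning distinct statuses makes abuse visible in logs: a burst of 403s from one key points at a credential being used outside its intended scope, while 429s concentrated on the coupon-validation endpoint are the signature of automated discount-code guessing.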

As generative AI tools and LLMs continue to proliferate and advance, cybercriminals are increasingly using these technologies to enhance the scale and sophistication of their attacks on eCommerce platforms.

By understanding the nature of AI-driven attacks and proactively strengthening security measures, retailers can better protect their operations, service, data and reputation. Staying ahead of attackers requires continuous vigilance and the adoption of advanced security technologies that can match the evolving tactics of cybercriminals. Implementing these strategies will help ensure a secure and successful holiday shopping season for retailers and their customers. 

Reinhart Hansen is director of technology for Asia Pacific & Japan at Imperva, a Thales company.