New research has uncovered heightened cyber risks for retailers as attackers elevate techniques.
According to the ‘2023 holiday season API security report’ from Cequence Security, threat actors are “evolving tactics, opting for a more nuanced approach that spreads attacks across a broader timeframe to blend in with legitimate traffic and evade detection ahead of peak holiday shopping times”.
Developed by the CQ Prime Threat Research team, the report is based on real, anonymised traffic and attack data drawn from Cequence’s customer base and sampled from billions of transactions. It focuses on Cequence’s retail customers in the months leading up to the 2023 holiday season.
“The 2023 holiday season exposed a chilling reality: cybercriminals are employing increasingly sophisticated attack methods and meticulously planning months in advance to exploit vulnerabilities,” says Cequence Director of Threat Research William Glazier.
“This long-term approach allows them to target unprepared retailers and unsuspecting customers, particularly during peak shopping periods. This shift underscores the urgent need for heightened vigilance and proactive security measures throughout the year.”
Key findings
- In the second half of 2023 alone, gift card fraud increased by 110%, while scraping, loyalty card fraud and payment card fraud increased by a collective average of over 700% as attackers laid the groundwork for holiday sale attacks ahead of retailer security crackdowns.
- Account takeovers (ATOs) increased a staggering 410 times for retailers in the second half of the period analysed (September – November 2023).
- The report shows that large numbers of products were added to carts via automated tooling to volumetrically flood systems, purchasing as many in-demand items as possible, effectively cornering the market and preventing sales to legitimate customers.
- Across its entire customer base, Cequence detected malicious traffic from 719 million unique IP addresses and 325 million malicious login attempts from June to November 2023.
“To combat sophisticated threats targeting APIs, today’s organisations must fortify their defences with a holistic security approach that safeguards their APIs throughout their entire lifecycle,” says Mr Glazier.
“This includes discovering and cataloguing all APIs, ensuring rigorous adherence to industry standards, and deploying advanced threat detection and mitigation tools to defend against attacks.”