Application programming interfaces (APIs) have long served as the invisible backbone of online retail. They allow retailers to seamlessly integrate the intricate web of e-commerce systems, orchestrating everything from payment processing to shipping logistics to inventory management. However, this interconnectedness has also made the retail sector a lucrative target for threat actors. Faced with a barrage of 19 billion malicious API requests in 2023 alone, retailers suffered from relentless attempts to exploit vulnerabilities at any link in the API chain, potentially leading to data theft, operational disruption, or financial damage.
Back-to-school season is prime time for threat actors. Retailers have recognized this for years and typically ramp up security during peak shopping periods. However, this approach is no longer foolproof. Sophisticated attackers now begin their attacks early in the year to set the stage for seasonal sales, effectively bypassing retailers’ security lockdowns.
Director of the CQ Prime threat research team at Cequence Security.
Playing the long game
In the past, threat actors preferred “exploit and steal” cybercrime – simple, opportunistic schemes that targeted easily accessible vulnerabilities. Today, however, they are evolving. By investing more time and resources in stealth, they spread out attacks over longer periods, aiming to remain undetected and cause greater damage during peak times.
Threat actors are circumventing security lockdowns by creating large volumes of valid accounts via standard APIs early in the year. This calculated move aims to establish trust and credibility within the marketplace, encouraging increased social sharing and expanded reach well ahead of peak shopping seasons. Threat actors employ sophisticated tools and automation to reinforce the apparent legitimacy of these accounts by mimicking normal user activity, including communicating with other accounts, accepting content, and subscribing to services.
However, the scale of these operations often exceeds human capabilities, raising red flags. The resulting flood of activity excludes legitimate users and jeopardizes the integrity of the company and its marketplace. This type of attack exemplifies the meticulous planning and persistence of modern retail attacks.
Beyond the long game, threat actors frequently deploy a real-time tactic: account takeover (ATO). Rather than spending time creating thousands of “legitimate” accounts, ATOs involve attacking and taking control of existing customer accounts, offering a much quicker path to success. This threat is constant, but it’s no surprise that activity increases during peak shopping periods, with a staggering 410x increase in ATOs during the second half of the year.
Bot attacks remain a threat
Another tried-and-true tactic on retailers’ digital battlefield is the ever-evolving bot attack. Remember the concert ticket frenzy or fleeting TikTok trends hijacked by automated scripts? These are just the tip of the iceberg. The ease with which bots manipulate systems is alarming: detailed Reddit threads, how-to guides, and even “best bots” rankings easily proliferate online. The numbers paint a bleak picture: Out of 154 billion API requests, a staggering 22 billion originated from bots.
Here’s how these bot attacks play out: Threat actors use tools and automation to flood the system, adding large quantities of in-demand stock to their carts to corner the market and prevent legitimate customers from purchasing it. After a successful attack, the attackers resell these items elsewhere at exorbitant markups, further increasing customer and seller frustration.
What can retailers do to prepare?
The old model of scrambling to beef up cybersecurity before big sales is no longer enough. Threat actors prepare well in advance, and retailers must do the same. Establishing a comprehensive, year-round security strategy is essential to effectively combat the rise of fake accounts and other threats during peak seasons.
Given the critical role APIs play in the retail industry, businesses must fully understand their usage and implement comprehensive defense strategies. Exposed and unmanaged APIs, or stealth APIs, are considered easy targets for threat actors employing “exploit and steal” tactics. Visibility is paramount in the realm of API security. By diligently cataloging internal and external APIs, retailers can gain a comprehensive view of the entire attack surface, allowing them to enforce security standards across all APIs. This comprehensive visibility is crucial to effectively defending against both rapid attacks and more insidious, longer-running maneuvers, safeguarding retail operations and strengthening customer trust.
This article was produced as part of TechRadarPro's Expert Insights channel, where we showcase the best and brightest minds in the tech industry today. The views expressed here are those of the author, and not necessarily those of TechRadarPro or Future plc.