Cybercriminals are coming to an e-commerce platform you probably use, as online retailers are now the industry most targeted for web attacks.
Cloud security firm Akamai Technologies on Tuesday released its latest State of the Internet series report spotlighting the increasing number and variety of attacks on the e-commerce sector.
The report, titled "Entering through the Gift Shop: Attacks on Commerce," finds that commerce remains the most targeted vertical, accounting for more than 14 billion (34%) of the web application attacks Akamai observed.
Commerce organizations increasingly rely on web applications to drive customer experience and online conversions. Adversaries target vulnerabilities, design flaws, or security gaps to abuse web-facing servers and applications.
Retail remains the most targeted sub-vertical within commerce, accounting for 62% of attacks on the sector, impacting both organizations and consumers.
According to Steve Winterfeld, advisory CISO at Akamai, the main takeaways are around attack trends.
Tactical Shift Exploits LFI Vulnerabilities
The new Akamai research also finds that local file inclusion (LFI) attacks increased by more than 300% between Q3 2021 and Q3 2022. In an LFI attack, the attacker supplies a file name or path (for example through a query parameter) that the application uses to include or read a file on the server without adequate sanitization, so traversal sequences such as `../` or absolute paths let the attacker reach files outside the intended directory, including configuration files and credentials.
LFI has now overtaken SQL injection (SQLi) as the most common vector against the commerce sector, a shift the report reads as a trend toward remote code execution rather than data-layer attacks alone.
The research also found that attackers are using LFI vulnerabilities to gain an initial foothold that is then used for data exfiltration.
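To make the LFI mechanism concrete, the following is an added example and is not code from the Akamai report or from any retailer's application. It shows the classic bug (a request parameter joined straight onto a directory), the hardened form (allowlist plus resolved-path containment check), and a small detection helper run over constructed request log lines. The directory layout, file names, `page` parameter and sample requests are all assumptions constructed for this demonstration.

```python
"""Added example (not from the Akamai report): how a local file inclusion bug works,
how to close it, and how to spot attempts in request logs.  Directory names, file
names and the sample request lines below are constructed for this demonstration."""
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed web root: templates/ is what the app is supposed to serve from;
# secrets.conf stands in for a file the attacker should never be able to reach.
ROOT = Path(tempfile.mkdtemp(prefix="lfi_demo_")).resolve()
TEMPLATES = ROOT / "templates"
TEMPLATES.mkdir()
(TEMPLATES / "home.html").write_text("<h1>Welcome to the gift shop</h1>")
(ROOT / "secrets.conf").write_text("db_password=hunter2")

# Assumed allowlist of page names the application is allowed to render.
ALLOWED_PAGES = {"home"}


def load_page_vulnerable(page: str) -> str:
    """The classic LFI bug: a request parameter is joined straight onto a directory.
    pathlib honours '..' segments, and an absolute value replaces the base entirely,
    so 'page=../secrets.conf' or 'page=/etc/passwd' reads outside templates/."""
    return (TEMPLATES / page).read_text()


def load_page_hardened(page: str) -> str:
    """Closing the bug: map the parameter through an allowlist, build the path from
    the allowlisted name only, then resolve() and verify the result is still under
    TEMPLATES (defence in depth against symlinks or a future allowlist mistake)."""
    if page not in ALLOWED_PAGES:
        raise PermissionError(f"unknown page {page!r}")
    target = (TEMPLATES / f"{page}.html").resolve()
    if TEMPLATES not in target.parents:
        raise PermissionError("resolved path escapes the templates directory")
    return target.read_text()


def looks_like_lfi(query_value: str) -> bool:
    """Detection helper for log review: decode percent-encoding twice (to catch
    double encoding such as %252e%252e%252f), normalise backslashes, then flag
    traversal segments, absolute paths and stream wrappers such as php://."""
    decoded = unquote(unquote(query_value)).replace("\\", "/")
    if decoded.startswith("/"):
        return True
    if "../" in decoded or decoded.endswith(".."):
        return True
    return decoded.lower().startswith(("php://", "file://", "data:"))


# Constructed request log lines (not real traffic); each carries a 'page' parameter.
SAMPLE_REQUESTS = [
    "GET /view?page=home",
    "GET /view?page=../secrets.conf",
    "GET /view?page=..%2F..%2Fetc%2Fpasswd",
    "GET /view?page=%252e%252e%252fetc%252fpasswd",
    "GET /view?page=php://filter/convert.base64-encode/resource=index.php",
]


def flag_requests(lines):
    """Return the request lines whose page parameter looks like an LFI attempt."""
    flagged = []
    for line in lines:
        value = line.split("page=", 1)[1]
        if looks_like_lfi(value):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print("vulnerable:", load_page_vulnerable("../secrets.conf"))  # leaks the secret
    try:
        load_page_hardened("../secrets.conf")
    except PermissionError as exc:
        print("hardened:", exc)
    print("hardened:", load_page_hardened("home"))
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("suspicious:", hit)
```

The allowlist does the real work in `load_page_hardened`; the `resolve()` containment check is kept as a second layer so a later change that loosens the allowlist, or a symlink dropped into the templates directory, still cannot turn the endpoint into a file reader. The detection helper is deliberately loose (it will flag some legitimate-looking values) because in web access logs a `../` or `php://` in a file-name parameter is rarely benign.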
“The commerce sector is characterized by a complex ecosystem that leverages web applications and APIs to drive business,” said Rupesh Chokshi, SVP and GM for application security at Akamai.
Key Findings Anchor Attack Severity
The Akamai report details various attack types that commerce organizations and their customers face. According to Chokshi, researchers examined elements such as web applications, bots, phishing, and third-party scripts to gauge what is happening in this sector.
The results will help cybersecurity leaders and security practitioners understand the critical threat trends impacting this industry.
“With the need to quickly adapt to changing customer trends, commerce is rapidly adopting apps and APIs. This transformation increases the scope or attack surface that criminals can profit from and can be a challenge to secure as it is newer technology/methodology [that] may not follow traditional security processes,” said Winterfeld.
Threat Report Highlights
No new threat actors surfaced in the research; according to Winterfeld, the report refers to some known actors but identifies no new ones.
- Server-side request forgery (SSRF), server-side template injection (SSTI), and server-side code injection (SSCI) have emerged as critical attack techniques, and the report singles them out as significant threats that commerce organizations must defend against.
- Attackers could also abuse security gaps in scripts, enabling a pathway for criminals to infiltrate bigger, lucrative targets in supply chains.
- Akamai observed more than five trillion malicious bot requests over 15 months, and the report details credential stuffing attacks against commerce customers that can lead to account takeover and fraud.
- Over 30% of phishing campaigns targeted commerce brands in Q1 2023.
- Attacks in Europe, the Middle East, and Africa (EMEA) are heavily skewed toward the retail sub-vertical, which accounts for 96.5% of attacks versus 3.3% for hotel and travel.
- Commerce is the second most frequently targeted web attack vertical in Asia-Pacific and Japan (APJ) at over 20%.
Security Practices To Deter Cyberattacks
Winterfeld noted that researchers continually observe increases in threat activity; however, organizations that focus on security are successfully stopping these assaults.
Successful defenses include practicing secure coding and applying well-managed and monitored edge defenses. Other useful approaches include applying the Open Web Application Security Project (OWASP) API Security Top 10 recommendations and following frameworks such as zero trust network access and network segmentation.