Akamai Technologies has released a new State of the Internet report that spotlights the increasing number and variety of attacks on the commerce sector. Entering through the Gift Shop: Attacks on Commerce finds that in Asia Pacific and Japan (APJ), more than 1.15 billion web attacks were recorded in the commerce sector, across retail and hotel and travel verticals.
Globally, commerce remains the most targeted web attack vertical, accounting for over 14 billion (34%) of observed incursions, largely due to the industrys continued digitalisation and the attackers available selection of web application vulnerabilities to breach their intended targets.
The new Akamai research also finds that Local File Inclusion (LFI) attacks increased 300% between Q3 2021 and Q3 2022 and are now the most common attack vector used against the commerce sector. Just a few years ago, SQL injection (SQLi) was the most common incursion. This indicates an attack trend toward remote code execution and hackers leveraging LFI vulnerabilities to gain a foothold for data exfiltration.
Attack vectors such as Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI), and Server-Side Code Injection have also been gaining popularity. They pose a significant threat to commerce organisations and other verticals, preventing online sales and damaging a companys reputation, the survey finds.
Uncovering threats against the retail sector
As commerce organisations increasingly rely on web applications to drive customer experience and online conversions, adversaries target vulnerabilities, design flaws or security gaps to abuse web-facing servers and applications, the survey finds. Globally, retail remains the most targeted subvertical within commerce, accounting for 62% of attacks on the sector.
The top web attack target areas in APJ for retail are India and China. Loyalty and rewards programs, in combination with a proliferation of shopping days across these areas, present attractive opportunities for cybercriminals to ply their trade.
Hotel and travel emerges as attractive target
The hotel and travel subvertical also emerged as a particularly attractive target to attackers, with the bulk of all transactions conducted online, driven by Australia (63.72%), followed by India (22.44%).
APJ is the fastest-growing market for online travel bookings, expected to expand at a compound annual growth rate of 9.8% from 2022 to 2030. In addition to vulnerabilities in existing workflows and supply chains, these factors could be contributing to the jump in cybercrime in the region, and more specifically, attacks on this sub-vertical.
Malicious bot activity surpasses 765 billion
Akamai observed malicious bots targeting the APJ commerce vertical surpassing 765 billion in 15 months, contributed by the number and frequency of holiday shopping events throughout APJ and the growth in online travel booking.
Notably, after quarter-on-quarter growth throughout 2022, malicious bot activity decreased substantially in Q1 2023.
Reuben Koh, Security Technology and Strategy Director (APJ), Akamai, says, "As we approach the mid-year shopping and travel season, these insights around the commerce sector present a timely reminder that commerce organisations need to be on high alert to adapt to a myriad of methods used by attackers from web applications and bots to phishing and the use of malicious third-party scripts.
"To stay ahead of attack attempts, commerce organisations should stay updated on the latest attack trends and constantly re-evaluate their security posture and controls. When considering specific cyber defence solutions, organisations need to make sure that the chosen solutions are adaptive enough to counter against the ever-changing threat landscape and minimise the risks posed by adversaries who are getting more sophisticated every day."