Q1 2024
The e-commerce industry faces numerous cyber scams, particularly during peak shopping times. To enhance the experience of genuine consumers, businesses may relax security measures, assuming the high volume of legitimate transactions will outweigh the fraudulent ones. This leniency can be exploited by bad actors who create fake accounts using stolen credit cards, causing financial losses for retailers and their customers. Fraud should no longer be accepted as a business cost.
This industry brief utilizes data from our comprehensive bot abuse analysis, focusing on the top attack vectors in online retail and e-commerce during Q1, Q2, and Q3 2023. It seeks to provide data-driven insights into attacks in this sector, offering effective detection and prevention strategies. Insights are drawn from the Arkose Labs Global Intelligence Network, which includes major corporations and category leaders. These entities, prime targets for cyber threats, provide a unique perspective for monitoring and analyzing cyber activities.
Attack type by industry in H1 2023:
We analyzed billions of sessions worldwide across industries, between January 2023 and September 2023, and assessed three primary attack vectors fraudsters use to launch various cyberattacks. In sum, these methods generated billions of attacks in the first half of 2023 and into Q3, comprising 73% of website and app traffic measured. That means almost ¾ of web traffic to digital properties is malicious.
In the e-commerce sector, criminals dedicate substantial time and resources to activities such as card testing, phishing, and a host of other fraudulent endeavors. But when faced with robust site protection, bad actors can no longer achieve the economic gains they seek and ultimately move on. This principle underlies the core philosophy of Arkose Labs—making attacks too costly for adversaries to persist.
The Bad Side of Bots
Efficiency is a top priority for cybercriminals, as it directly influences their monetary gains. Malicious bots are key to empowering fraudsters in carrying out targeted and well-crafted attacks on e-commerce enterprises. Notably, a staggering 65% of web traffic in e-commerce is attributed to bad bots.
The percentage of traffic by industry that comes from bad bots:
Between Q1 2023 and Q2 2023, intelligent bot traffic experienced a nearly fourfold increase. This growth surpassed that of basic bots and played a pivotal role in the overall surge of approximately 167% in bot attacks during the same period.
While the prevalence of automated threats is a significant concern, there has also been a marked 26% uptick in human-based attacks during Q3. When malicious bots fail to make it past security defenses, threat actors turn to human fraud farms to complete their mission. This move comes at a significant human cost, often involving forced labor.
Although the issue of bots is significant, accounting for 65% of online retail and e-commerce traffic, human-based attacks have also seen a notable increase of 26% in Q3 compared to the preceding quarter. Due to the financial incentives associated with these attacks, and the volume of sensitive data at risk, e-commerce businesses are now deemed high-value targets.
Beating these adversaries demands technology that dynamically targets human solvers and applies adaptive, time-consuming challenges. With this capability in place, e-commerce businesses can defeat the economics behind attacks that exploit human labor at scale.
Concerning Trends and Crimes in e-Commerce
One of the biggest threats to e-commerce is SMS toll fraud, where bad actors create fake accounts at scale that trigger SMS text messaging via premium-rate numbers. Any online business that enables the sending or receiving of SMS messages as part of its authentication process is susceptible to this insidious threat. It is estimated that the global A2P SMS market will likely be worth $65 billion by 2028. As a result, SMS toll fraud adds to the difficulties faced by e-commerce businesses already struggling with a high volume of fraud.
Top 4 Attack Types with the Biggest Increases from Q2 to Q3
By the time businesses get the bill and realize they’ve been scammed, it’s too late. Our data indicates a huge surge in this attack type for the second half of 2023.
During the 2023 holiday season, e-commerce businesses experienced a 9X increase in attacks, including payment fraud, with Christmas Day being the busiest of all. As people activated gift cards they received as presents, adversaries sought to steal revenue from the holding companies in several ways.
A type of payment fraud known as card testing remains a significant menace in the e-commerce sector. Card testing involves fraudsters exploiting the online shopping ecosystem by methodically testing stolen credit card information on merchant websites. Attackers use automated scripts or manual methods to input card numbers, all the time looking for vulnerabilities in payment systems.
This threat often goes undetected until a sudden surge of failed transactions and chargebacks starts to wreak havoc on the business. From Q1 to Q2 2023, these types of payment attacks were up 30%.
Two Bot Threats in the e-Commerce Sector
The surge in bot and human fraud farm attacks is driven by two technology trends influenced by powerful economic forces:
1. Generative AI (GenAI):
Our threat research has documented a significant uptick in the last year, and especially in the past six months, of GenAI being used to craft attacks. At the close of 2023, we witnessed attackers using bots to scrape public and personal content from websites and then use it to fine-tune their GenAI models. Our threat researchers have observed three key landscape changes:
- The evolution of simple scrapers to account takeover class infrastructure
- An increasing number of commercial scraper services
- Developer groups scraping data for GenAI apps
Analysis reveals scraping is now one of the top five most popular attacks—and fastest growing—for all industries, increasing 432% in Q2 over Q1 2023.
2. Cybercrime-as-a-Service (CaaS):
Bad actors are advancing their skills by embracing the CaaS model, deploying bots and unleashing attacks that cause trillions of dollars in damages. This shift lowers the barrier to entry and grants access to cybercrime for a broader range of actors, making it easier to launch attacks with limited technical skills.
The CaaS model directly impacts e-commerce by establishing a marketplace where fraudsters can easily procure tools and expertise. This convenience enables threat actors to acquire specialized services, such as phishing kits, contributing to the escalation of advanced attacks on e-commerce platforms. The availability of these services enhances the efficiency and reach of cyber threats, posing a tangible and immediate risk to the security of online transactions, customer data, and overall operations.
The affordability and popularity of CaaS are pressing security teams to bolster their efforts against these rising threats. Beyond the immediate need for protection, the prevalence of CaaS reveals a broader challenge in adapting bot prevention to counter evolving cyber threats. The anonymity CaaS gives providers introduces a layer of complexity for law enforcement, emphasizing the ongoing struggle to keep pace with evolving tactics.
This dynamic landscape calls for not only defense against known threats but a continuous and proactive effort to stay ahead of emerging risks, reflecting the ongoing cat-and-mouse game between security professionals and cybercriminals.
The Growing Scourge of Attacks
Arkose Labs Can Help
Arkose Labs safeguards businesses by disrupting the financial incentives driving bot attacks. Our long-term bot mitigation and account security solutions focus on protecting critical user touch-points: account login and registration. By identifying hidden attack signals and undermining attackers' return on investment, we enhance security without compromising user experience.
Our unique platform, Arkose Bot Manager, analyzes user session data to assess context, behavior, and reputation, classifying traffic based on risk profiles. Suspicious traffic faces enforcement challenges that distinguish between legitimate users and fraudsters, blocking automated activities and ensuring a secure consumer experience.