Credential stuffing

When credentials are leaked due to a data breach, hackers use bots to throw combinations of these credentials at the log-in pages of e-commerce sites.
The aim is often to gain access to user accounts, but a significant proportion of these attacks are a way for criminals to ‘clean’ compromised data.

Password and username combinations that don’t work on the e-commerce site will be dumped. But if they do work, the hacker will add the clean data or credentials to a different product set to sell to other criminals.

Credential stuffing can be a nightmare for e-commerce companies. The practice drains their online resources and slows down the performance of sites. The effect is similar to a distributed denial of service (DDoS) attack, meaning e-commerce sites can look like they are compromised.

Camelot, the company that runs the UK National Lottery, experienced this when its site was compromised by a credential stuffing incident in 2018. Other companies to have fallen victim to credential stuffing include Nest and Dunkin’ Donuts.

Layer 7 DDoS attacks

Until recently, brute-force attacks on Layer 3 and 4, the network and transport layers of the internet, were commonplace. These attacks were deployed against a large number of target systems, hoping to hit a vulnerability.

However, Layer 3 and 4 attacks are not as effective as they once were, as content delivery networks (CDNs) are now better able to absorb sudden spikes in network traffic.

Attackers have therefore shifted their attention to the application layer, or Layer 7. These attacks can resemble legitimate HTTP requests and only require a small number of resources, including automated scripts and a knowledge of bottlenecks in the target web application.

While requiring more expertise than for Layer 3 and 4, Layer 7 DDoS attacks can be highly effective when executed well, meaning they will become increasingly common.

Denial of Inventory

In this type of attack, bots are used to place items into e-commerce shopping baskets and then leave them there. The reason for doing this is to reduce the availability of products, to either drive the price up or force consumers to go to a competitor website to purchase the same item.

As well as this gaming of product availability, the other issue is that retailers think these items have been added to shopping baskets by human shoppers, who have then abandoned the purchase.

Retailers then waste resources trying to find out why shopping baskets have been abandoned, only to find the issue is bot-related.

CAPTCHA evasion

The shift to more sophisticated advanced persistent bots that resemble humans and are able to recycle different IP addresses, has seen the CAPTCHA method of detecting bots become increasingly redundant.

Bot tools that solve CAPTCHAs are easily available at a low cost for criminals. While 38 percent of humans that face CAPTCHA will end up leaving a website and go to a competitor, a bot will persist until it has gained access.

Once bots have evaded a CAPTCHA, they have a period of time when they have a token to avoid going through another one. In fact, bots now ‘want’ to face CAPTCHAs, as they can get past them easily.

Countering bot-based threats

At Variti, we specialise in tackling bot-based cyber threats. Our user-centric solution interrogates every single request that comes through our system, and determines whether it's human or a bot – or a good or bad bot.

And because we can quickly detect if a request is genuine, we can do away with the need for CAPTCHA, and mitigate the other major bot-based threats that could spoil your e-commerce business in 2021.