Cyber Week, the five biggest shopping days of the year from Thanksgiving to Cyber Monday, was a blockbuster in 2020. The ongoing Covid-19 pandemic, combined with most consumers sheltering at home resulted in 52% lower in-store traffic compared to the same period in 2019, but online spending surged by 21.6% to $9 billion, making Black Friday of 2020 the second-biggest day ever in terms of online spending (just behind Cyber Monday 2019). E-commerce records were broken as shoppers spent $34.4 billion over the period, a dramatic 20.7% jump over the previous year.
As we anticipated in our pre-Black Friday article, there was a thousand-fold increase in bad bot traffic to our e-commerce customers, especially on log-in pages which are the starting point for execution of Account Takeover (ATO) attacks. Cyber Week is especially lucrative for cybercriminals making purchases using gift vouchers, wallet balances, store credits and other forms of stored value. It’s also peak season for scalpers and resellers using bots to snap up popular products for resale at inflated prices. Bots are now commonly being deployed by competitors, price-monitoring services, data aggregators, and even equity and market analysis firms to regularly scrape pricing, inventory, and many other types of information from e-commerce websites and mobile applications. It’s a technological arms race that is increasingly leveraging bot technology to try to gain every small advantage that can be used for profit or crime.
E-Commerce traffic data indicates that attacks started earlier this year
Apart from eager shoppers anticipating big discounts, the days before Black Friday also drew in cybercriminals and fraudsters who started their attacks on e-commerce websites and user accounts, as seen in Figure 1. Year after year, we have observed spikes in bot traffic resulting from cyber criminals trying to execute attacks such as account takeover, web scraping, application DDoS, carding, as well as draining virtual wallets, store credits and so on. These kinds of attacks lead to loss of trust in e-commerce sites and tend to attract a great deal of negative publicity, or even litigation.
Blocking bots shuts the door to Account Takeover, Carding, and other attacks
Bad bot traffic on e-commerce website’s log-in pages started surging from November 17th and reached a peak on the 21st, representing a 1000X increase over pre-Cyber Week traffic, as shown in Figure 2 below.
Interestingly, bot traffic multiplied to make up 85.3% of total traffic on Nov. 21, and 78% on Nov. 22. In other words, on these two consecutive days, human traffic was vastly outnumbered by bots and made up just about 15% and 22% of total traffic respectively, as shown in Figure 3 below. However, since all these bot requests were blocked by Radware Bot Manager, shoppers would have experienced quicker page loads and a much smoother experience when browsing and buying from their preferred online stores. Our customers, in turn, were able to realize higher conversions using our solution, which blocked these huge volumes of bot traffic and prevented their servers and networks from being overwhelmed.
Well over half of all bots were sophisticated and human-like
During these peak shopping days, 55.2% of bots on our e-commerce customers’ websites were advanced fourth-generation bots. Sophisticated bots such as these typically operate using several thousand IP addresses spread over several countries and are designed to emulate the behavior of humans as they traverse across websites and mobile applications. Blocking these humanlike bots is only possible with a dedicated solution such as Radware Bot Manager, which leverages an array of technologies including machine learning and intent analysis to differentiate between advanced bots and genuine shoppers. Moreover, when cybercriminals find out that their bots are being blocked by a bot mitigation solution such as ours, they usually move on to softer targets that are not as well protected and hence easier to attack. Clearly, a win-win for our customers and their customers as well.
The bulk of the remainder of bot traffic consisted mainly of first-generation bots (which are simple task automation scripts) that made up 30.2% of bot traffic on the e-commerce portals that we protect. Second-generation bots, which are essentially ‘headless’ browsers, accounted for 12.1%, and third-generation bots (which are relatively crude in mimicking human behavior compared to fourth-generation bots) made up just 1.7% of bot traffic this year.
With the escalating intensity of bot attacks on e-commerce sites that attempt to carry out ATO, Carding, Distributed Denial of Service (DDoS), Denial of Inventory attacks (also known as Cart Abandonment), as well as Form Spam and Price Scraping, online retailers are increasingly bearing the brunt of sophisticated bad bot attacks. Detecting and blocking bad bots becomes especially crucial for retailers between Thanksgiving and Christmas since retailers generally rely on year-end holiday sales to make a profit for the year.
For more information on the threats that bots pose to e-commerce portals not just during the holiday sales season but throughout the year, read our research report on the E-commerce Industry’s Automated Threat Landscape. For a comprehensive look at bot threats to other industries also impacted by malicious bots, we encourage you to read our Big Bad Bot Problem 2020 report.