Akamai’s new study: Bots, phishing and server attacks making commerce a cybersecurity hotspot
The study shows attackers are using more bots and doing more sophisticated phishing exploits and server attacks, especially targeting retail.
Attacks on commerce are booming, according to a new study by security firm Akamai. The company’s 15-month review beginning in January 2022 found that commerce was the most targeted web vertical, with retail being the leading subvertical within it.
In its new report, Entering through the Gift Shop: Attacks on Commerce, Akamai determined that 14 billion incursions, or 34% of all incursions, were against commerce sites, driven by bots, API attacks, remote code execution through local file inclusion attacks and server-side exploits. The migration to cloud, the availability of dark net apps and the proliferation of IoT devices have also driven a big increase in attacks.
The study reported that:
Trailing the commerce sector in volume of attacks were high technology at 21.66% of all attacks, financial services at 15.4%, followed by video media, manufacturing, the public sector and gaming (Figure A).
Figure A
The study, based on petabytes per month of data drawn from Akamai Connected Cloud, a network of approximately 340,000 servers on 1,300 networks in more than 130 countries, found that attacks in Europe, Middle East, Asia and Africa are heavily skewed toward the retail subvertical, which accounts for 96.5% of attacks versus 3.3% for hotel and travel, according to the firm.
The report homed in on local file inclusion: a web server attack that hits weak spots in how a server stores and retrieves files. The study found that LFI has replaced SQL Injection as the most common attack vector used against the commerce sector. There were more than twice as many LFI attacks as the next most prevalent attack, those targeting cross-site scripting, or XSS, vulnerabilities. Such weaknesses allow attackers to inject scripts into web pages and can be used to bypass access controls.
SEE: Verizon study warns of more DDoS, email exploits (TechRepublic)
Only 12.24% of attacks that Akamai tracked involved SQL Injections in which attackers can steal access to databases (Figure B).
Figure B
Akamai said the growth of LFI exploits shows that attackers are favoring quiet insurgency aimed at enabling remote code execution to extract data. Doing so allows lateral movement into company networks, a style of incursion that could, according to the report, enable a pathway for criminals to infiltrate bigger, lucrative targets in supply chains.
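The report ranks LFI, XSS and SQL Injection by volume; the following added example (not code from Akamai or the report) shows how a defender could produce a comparable tally from their own access logs. It classifies each request target by traversal, script-injection and SQL-injection signatures after percent-decoding it, so double-encoded probes are not missed; the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (not data from the Akamai report),
# in a simplified "client "request-line" status" format.
SAMPLE_LOG = """\
203.0.113.10 "GET /product?id=42 HTTP/1.1" 200
203.0.113.11 "GET /view?page=../../../../etc/passwd HTTP/1.1" 404
203.0.113.12 "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200
203.0.113.13 "GET /item?id=1%27%20OR%201%3D1-- HTTP/1.1" 500
203.0.113.14 "GET /download?file=..%252F..%252Fapp%252Fconfig.php HTTP/1.1" 403
203.0.113.15 "GET /cart HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3})$')

# Signatures for the three vectors the report ranks, matched on the decoded target.
SIGNATURES = {
    "lfi": re.compile(r"(\.\./|\.\.\\)"),                                  # directory traversal
    "xss": re.compile(r"(?i)(<script|javascript:|onerror\s*=|onload\s*=)"),  # script injection
    "sqli": re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+\d+\s*=\s*\d+)"),
}

def full_decode(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded probes (%252F) are caught."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(target: str):
    """Return 'lfi', 'xss', 'sqli' or None for one request target."""
    decoded = full_decode(target)
    for label, pattern in SIGNATURES.items():
        if pattern.search(decoded):
            return label
    return None

def count_vectors(log_text: str) -> Counter:
    """Tally suspected attack vectors across a block of log lines."""
    hits = Counter()
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        label = classify(m.group(3))  # group 3 is the request target
        if label:
            hits[label] += 1
    return hits
```

Signature matching of this kind is a triage aid rather than a verdict; the status codes in the sample show that most probes fail, and the hits should be correlated with what the application actually did with the request.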
Data from the study showed that 50% of the scripts used in the commerce vertical come from third-party resources, higher than in all other verticals. The report noted that “Although using third-party scripts does not necessarily mean that they are less trusted or malicious in nature, it puts organizations at risk of security flaws within these third-party scripts.”
Akamai reported threat actors using a record number of bots for fraud and other exploits, noting that even benign bots can damage the customer experience by degrading web performance. The study looked at scalpers who are beginning to build their own botnets or to buy bots on the scalper market.
The study reports that scalpers seeking discounted products use botnets to scrape websites for inventory or good deals. Akamai’s report noted that several so-called “scraper as a service” offerings that can be bought are capable of analyzing data and generating a shopping list that fits criteria meeting a predefined profit margin.
SEE: Half of companies were hit with targeted spearphishing attacks last year (TechRepublic)
Phishing is also up, as the firm reported that in the first quarter this year 30% of phishing campaigns were activated against commerce customers. “Although we saw more campaigns than actual victims, it is also worth noting that attackers are targeting this industry.”
In the first quarter this year, Akamai saw commerce trailing only financial services in phishing attacks (Figure C).
Figure C
Last year, Akamai found a phishing exploit emblematic of how practitioners of this social engineering attack are becoming better at subterfuge: a phishing kit sold to other attackers that mimics brands, complete with well-designed dummy sites and strong infrastructure built on cloud services. The tactics use redirects, including URL shorteners, to hide visually identifiable malicious links. “Our analysis shows that 89% of affected victims are from the United States and Canada, as cybercriminals created campaigns that target specific geographic locations,” said the firm.
Steve Winterfeld, advisory chief information security officer at Akamai, said secure coding, as a key approach to hardening APIs and other attack surfaces, is important to reducing threats. “If I were to invest, the first thing would be shifting left to catch errors in the beginning. Pen testing is important, but companies should ask themselves if their return on investment is better with secure coding,” he said.
Every organization is different when it comes to security needs, and the threats are becoming more diverse and arriving from new directions. There are security fundamentals, however, that should be applied as standard methods.
When these fundamentals are pared down to a checklist, security is easier to execute and less stressful to organize. This free-to-download Network and Systems Security checklist from TechRepublic Premium offers a good template for building a strong cybersecurity posture.