November 20, 2019 — Signal Sciences, the fastest growing web application security company in the world, today published its retail and e-commerce report, The Rising Tide of E-commerce Fraud: Methods, Patterns, and Defensive Measures. Signal Sciences inspects over 70 billion web requests and blocks over two billion web attacks for customers operating e-commerce sites. For this report, the company analyzed 4.9 million web attacks over a five-month period from June 1 to October 31, 2019, to identify significant trends and patterns in e-commerce fraud.
With annual sales projected to reach over $630 billion by 2020, online retailers are a rich target for hackers, so much so that annual losses are estimated at $12 billion. And with holiday sales representing nearly 20 percent of the year's sales for retailers, hacks and breaches can be especially painful during this time of year, when businesses are most dependent on sales to reach profitability and build a healthy balance sheet.
The report aims to help online retailers take more effective, proactive countermeasures to prevent web attacks and protect their business. Through in-depth research, the study found the following key insights:
- On average, a typical medium to large scale retailer serving web traffic of roughly 3 billion requests per month experiences 206,000 web attacks monthly.
- Attacks tend to spike on day 15 and day 30 of the month, as well as on weekends, following the tendency of consumers to shop on paydays and on their days off.
- The most common types of attacks include account takeovers (29.8 percent), bot impostors (24.1 percent), cross-site scripting (8.7 percent), SQL injection (SQLI) (8.2 percent) and backdoor file attempts (6.4 percent).
- The largest number of malicious web requests originate from the U.S., followed by Indonesia, Malaysia, India and Brazil. Malicious web requests stemming from the U.S. utilized advanced attack tooling and were more widely distributed.
For more details, please download the full report here.
The findings in this paper are drawn from analysis of anonymized web traffic directed at actual retail e-commerce apps, APIs, and microservices in the e-commerce vertical. This report summarizes a sample of 4.9 million indicated web attacks over a five-month period from June 1 to October 31, 2019. These web attacks are identified from events where the source IP address of a web request crossed a defined attack threshold volume.