If the 2020 Singles Day (US$115 billion), Black Friday (US$9 billion) and Cyber Monday (US$10.8 billion) figures are anything to go by, online shopping knows no pandemic. Some might even argue that the pandemic is driving people to shop online even harder.
What does Sutton's Law state? That you go where the money is.
But that's not the point of this piece.
Barracuda researchers issued a warning that as shoppers across Asia-Pacific ramp up their online shopping in preparation for the Christmas holidays, they could be an attractive target for cybercriminals using bots to run distributed denial of service (DDoS) attacks.
Testing, testing, 1-2-3
In mid-November, Barracuda researchers ran Barracuda Advanced Bot Protection in front of a test web application. In just a few days it detected millions of attacks coming from thousands of distinct IP addresses. Bots like these are often used to make fraudulent purchases and to scan for any vulnerabilities the cybercriminals behind them can exploit.
Known as 'bad bot personas', the bots are identified as malicious based on their pattern of behaviour and are grouped together by User-Agent.
The trouble is that some User-Agents belong to 'good bots' like Googlebot, which crawls sites and adds them to search rankings, and it can be difficult to tell the two apart without deeper investigation, because bad bots will often spoof good User-Agents. The User-Agent string is entirely under the client's control, so a claimed crawler should be verified independently: reverse-DNS the source IP, check that the returned hostname belongs to the crawler's domain, then forward-resolve that hostname and confirm it returns the original IP. This is the verification procedure Google itself publishes for Googlebot.
When viewing the attacks by time of day, Barracuda researchers saw that bots don't just wait until the middle of the night to attack. In fact, bot activity peaks late morning and doesn't fall off until closer to 5 p.m., which may indicate that the cybercriminals (aka "bot herders") follow a regular working day.
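The following is an added example, not code from the original article or from Barracuda, showing the reverse-then-forward DNS check that separates a genuine Googlebot visit from a request that merely carries a Googlebot User-Agent. The DNS tables, IP addresses and hostnames are constructed so the block runs offline; `real_reverse` and `real_forward` show the stdlib calls you would pass in instead on a live system.

```python
import socket

# Constructed, offline stand-in for DNS (not real records) so the example
# runs without network access. Production code would use real_reverse /
# real_forward below, which wrap the stdlib resolver.
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",   # PTR points into Google's crawler domain
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com",   # attacker-controlled PTR that mimics it
    "198.51.100.9": None,                               # no PTR record at all
}
FAKE_A = {
    "crawl-66-249-66-1.googlebot.com": {"66.249.66.1"},  # forward record agrees only with the real IP
}

# Hostname suffixes Google documents for its crawlers.
GOOD_BOT_SUFFIXES = (".googlebot.com", ".google.com")


def fake_reverse(ip):
    """Offline PTR lookup; raises like socket.gethostbyaddr when nothing is found."""
    name = FAKE_PTR.get(ip)
    if name is None:
        raise socket.herror("no PTR record")
    return name


def fake_forward(name):
    """Offline A-record lookup returning the set of IPs for a hostname."""
    return FAKE_A.get(name, set())


def real_reverse(ip):
    """Live PTR lookup (used by passing reverse=real_reverse)."""
    return socket.gethostbyaddr(ip)[0]


def real_forward(name):
    """Live A-record lookup (used by passing forward=real_forward)."""
    return set(socket.gethostbyname_ex(name)[2])


def is_verified_googlebot(ip, reverse=fake_reverse, forward=fake_forward):
    """Googlebot verification: PTR name must be in Google's crawler domains AND
    the forward lookup of that name must contain the original IP. A spoofed
    User-Agent fails the first step; a spoofed PTR fails the second."""
    try:
        host = reverse(ip).rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return False
    if not host.endswith(GOOD_BOT_SUFFIXES):
        return False
    return ip in forward(host)


def classify(ip, user_agent, reverse=fake_reverse, forward=fake_forward):
    """Label a request: does it claim to be Googlebot, and does the claim hold up?"""
    if "googlebot" not in user_agent.lower():
        return "no-googlebot-claim"
    if is_verified_googlebot(ip, reverse, forward):
        return "verified-googlebot"
    return "spoofed-googlebot"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for ip in ("66.249.66.1", "203.0.113.7", "198.51.100.9"):
        print(ip, classify(ip, ua))
```

The second constructed case is the one that catches people out: an attacker can set any PTR record for an address they own, so a reverse lookup alone is not a verification. Only the forward lookup of the returned name closes the loop, because that record lives in the crawler operator's DNS zone, not the attacker's.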
“It’s clear that cybercriminals are powering up for the Christmas rush, so with holiday shopping season now in full swing across the region, it’s crucial that e-commerce teams take the appropriate steps to safeguard their applications against bad bots,” said Mark Lukie, engineer manager, Barracuda APAC.
How to protect against bad bots
To protect against these attacks, Barracuda recommends installing a properly configured web application firewall or WAF-as-a-Service solution, and making sure the application security stack includes anti-bot protection capable of detecting advanced automated attacks. The firm also recommends turning on credential stuffing protection to prevent account takeover attacks. Credential stuffing is distinct from brute force against a single account: the bot replays leaked username and password pairs, so the tell is one source generating failed logins across many different usernames in a short window, which per-account lockouts alone will not catch.
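As an added illustration of what credential stuffing protection has to look for (this is example detection logic, not Barracuda's product or any code from the article), the block below runs a sliding-window check over constructed login log lines. The log format, IP addresses, usernames and thresholds are assumptions for the example; the point is the criterion, many failures spread across many distinct usernames from one source, which separates stuffing from a user mistyping their own password or a single-account brute-force attempt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format) for the example.
LOG_LINES = [
    # legitimate user mistypes a password twice, then succeeds
    "2020-12-01T10:00:00Z ip=198.51.100.20 user=alice result=fail",
    "2020-12-01T10:00:12Z ip=198.51.100.20 user=alice result=fail",
    "2020-12-01T10:00:30Z ip=198.51.100.20 user=alice result=ok",
    # single-account brute force: many failures, one username
    "2020-12-01T10:01:00Z ip=192.0.2.8 user=bob result=fail",
    "2020-12-01T10:01:05Z ip=192.0.2.8 user=bob result=fail",
    "2020-12-01T10:01:10Z ip=192.0.2.8 user=bob result=fail",
    "2020-12-01T10:01:15Z ip=192.0.2.8 user=bob result=fail",
    "2020-12-01T10:01:20Z ip=192.0.2.8 user=bob result=fail",
    # credential stuffing: leaked pairs replayed across many accounts
    "2020-12-01T10:02:00Z ip=203.0.113.50 user=carol result=fail",
    "2020-12-01T10:02:01Z ip=203.0.113.50 user=dave result=fail",
    "2020-12-01T10:02:02Z ip=203.0.113.50 user=erin result=fail",
    "2020-12-01T10:02:03Z ip=203.0.113.50 user=frank result=fail",
    "2020-12-01T10:02:04Z ip=203.0.113.50 user=grace result=fail",
    "2020-12-01T10:02:05Z ip=203.0.113.50 user=heidi result=fail",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Yield (timestamp, ip, user, result) tuples; silently skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["user"], m["result"]


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_failures=5, min_distinct_users=4):
    """Flag source IPs whose failed logins within `window` hit both thresholds:
    enough failures AND enough distinct usernames. Returns {ip: details}."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user) failures inside the window
    flagged = {}
    for ts, ip, user, result in sorted(parse(lines)):
        if result != "fail":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # evict failures older than the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= min_failures and len(users) >= min_distinct_users:
            flagged[ip] = {
                "failures": len(q),
                "distinct_users": len(users),
                "window_start": q[0][0],
                "last_seen": ts,
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(LOG_LINES).items():
        print(ip, info)
```

Note what the thresholds deliberately leave alone: the brute-force source hits five failures but on one username, so it is a job for per-account lockout or MFA rather than this rule, and the real user never gets near either threshold. In production the per-IP key is too coarse on its own, since stuffing tools rotate through proxies; the same window logic applied per device fingerprint or per target-account-set is what a bot protection product adds on top.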
“As businesses of all sizes rush to wrap-up for the holidays, and people flood e-commerce sites looking for the perfect gift, taking these simple steps can stop cybercriminals from putting a damper on your festive celebrations,” he added.