A global survey shows online shopping activity fell off on Christmas, though hackers did not take the day off. On Boxing Day, a holiday celebrated in the UK and elsewhere on Dec. 26, traffic generally increased.

Chris Wraight, director of industry marketing, Akamai.

Chris Wraight, director of industry marketing, Akamai.

In early October, eMarketer forecast that the 2018 U.S. online retail holiday sales would be $106 billion, a healthy increase of 16.6% over 2017. Mobile sales were forecast to increase 32.6% from 2017 to 2018.

The Black Friday & Cyber Monday sales results confirmed that optimistic forecast with a combined total of nearly $14b in the U.S., and the final results for the entire Christmas holiday season were actually higher, according to Internet Retailer. The total amount spent online this holiday season was $122b, with Internet Retailer estimating a 17.4% increase over the 2017 holiday season amount of $103.88b.

Global Traffic

We measured global traffic on the Akamai Intelligent Edge Platform against a baseline to see how traffic compared on Christmas Day and Boxing Day.

Baseline (Dec. 18 to Dec. 24)

advertisement

To establish a baseline, we evaluated online retail traffic from around the world that touched nearly 100 retail websites and mobile retail apps, providing Akamai with more than 5 billion daily data points that we assess in aggregate. We took the average of the seven-day period from Tue Dec. 18 to Mon Dec. 24 for the daily baseline.

global online retail site traffic

The chart above shows the daily total retail global session traffic decreasing as the Christmas holiday approached. This is not surprising, as even with omnichannel purchasing increasing (ordering online and picking up in-store) most shoppers would have ordered by Dec. 20 for one-to-two day shipping (generally free) to ensure delivery by Dec. 24 (especially in the U.S.).

Christmas Day (Dec. 25)

On Christmas Day, global traffic decreased 11% against the baseline daily average; in the U.S., traffic decreased 52% against the baseline daily average. Again, this is a pretty predictable result as most consumers were enjoying Christmas morning opening presents and spending time with family and friends throughout the day. In addition, because most retail stores were closed, shoppers would not have been at the stores with their mobile device either.

advertisement
E-commerce traffic Christmas Day and Boxing Day

The top 10 countries where global traffic originated on Christmas Day are below. The western countries aren’t a surprise, as is the fact that traffic decreased in many, reflecting the overall traffic decrease (here the U.S. decreased 18% against its own 7-day baseline average, compared to the 52% decrease against the overall baseline average) as Christmas Day approached

The U.K. and Canada increase is consistent with those countries ramping up for Boxing Day (Dec. 26), but it is interesting to note Poland’s increase of 28%. Despite its low ranking relative to other countries, perhaps there is a large part of the population that observes Boxing Day; see the next table for more information.

Country Christmas Day
versus
Baseline
Difference
United States -18.04%
United Kingdom 15.41%
Netherlands -32.81%
Spain -1.86%
Canada 31.99%
France -2.51%
Russia 10.95%
China 10.35%
Germany -2.76%
Poland 27.69%

Boxing Day (Dec. 26)

Boxing Day is a holiday that originated in the U.K. with first mentions being in the 1830s, but is recognized as having started much earlier, and its intent is not universally agreed upon. Some define it as a day that started for tradesmen to receive ‘Christmas boxes’ of money or presents the first weekday after Christmas to thank them for their good service throughout the year.

advertisement

In the U.K., many consider it larger than Black Friday, which has been increasingly celebrated in European countries. This year, Boxing Day drew fewer ‘footfall’ shoppers (i.e. shoppers physically visiting retailers, or ‘foot traffic’ in the U.S.) but online sales increased.

Overall, the U.K. was forecast to see an increase of 16%, close to what eMarketer predicted and Mastercard reported for the U.S.

In the U.S., the day after Christmas marks a new surge in retail promotions and sales to flush out Christmas inventory—who can resist wrapping paper at a 75% discount? As a result, on Boxing Day all global traffic increased 32% against the baseline and 47% compared to Christmas Day. For just the U.S., traffic on Dec. 26 was up 52% vs Dec. 25.

Globally, the top 10 originating countries for traffic on Boxing Day were as follows; with their traffic on Dec. 26 compared to the baseline. Poland continued to show a large increase, along with the U.K. and Canada.

advertisement
Country Boxing Day versus Baseline Difference
United States 24.83%
United Kingdom 106.77%
Spain 33.00%
Netherlands -15.55%
Canada 136.79%
France 23.49%
Poland 95.99%
Germany 34.77%
China 32.18%
Russia 13.73%

Because Boxing Day is primarily a U.K. holiday, we have highlighted countries that would culturally be expected to observe Boxing Day with sales:

Country Country
vs Baseline
Difference
United Kingdom 106.77%
Canada 136.79%
Australia 70.78%
Bermuda 53.72%
Ireland 97.58%
Isle of Man 98.45%
British Virgin Islands 38.13%

By drilling down into these countries, we see a dramatic increase in traffic due to Boxing Day observances, especially in Canada and the U.K. due to retail promotions.

Devices

Akamai predicted in September 2018 that mobile shopping would continue its growth this holiday shopping season. That prediction held true through the recent major holidays around the world (Diwali, Singles’ Day 1, Black Friday and Cyber Monday). For Christmas Day and Boxing Day, there has not been any deviation from that trend. It also underscores why online retailers need to increase the mobile CX budget and attention but can’t reduce their focus and investment on optimizing desktop visitors’ experience.

Christmas Day

advertisement
Date Desktop Mobile
Dec. 25 30.59% 61.99%
Against

Baseline Average

-16.91% 9.71% 

Boxing Day

Date Desktop Mobile
Dec. 26 34.48% 57.71%
Against

Baseline Average

-6.33% 2.14%

 On both days, mobile devices were used the clear majority of time versus desktop (the remainder is tablet use). We see no change to this trend going into 2019, as this article points out.

advertisement

Mobile OS

Android’s portion of online shopping was a healthy 24% on Christmas Day, while iOS was nearly double at 45%. This continues to surprise us since, globally, Android market share is approximately four times that of iOS. Both operating systems increased their usage on Christmas Day (iOS more than Android), perhaps as consumers used their mobile devices to research sales and compare prices while relaxing after dinner (see conversion rates in next section).

Christmas Day

Date Android iOS
Dec. 25 24.39% 44.99%
Baseline
Average
22.68% 40.47%
Against

Baseline Average

7.53% 11.15%

Boxing Day

advertisement

On Boxing Day, the distribution was nearly identical but the increases against the baseline were smaller, significantly for Android at only 0.11%.

Date Android iOS
Dec. 26 22.70% 42.78%
Baseline Average 22.68% 40.47%
Against

Baseline Average

0.11% 5.69%

Conversion Rates

Mobile OS

Examining mobile OS first, we see that iOS had a very slim lead in conversion rates over Android on Christmas Day, but both operating systems had higher conversion rates during the baseline as more shopping was being executed before the holidays. Both OS conversion rates were down significantly on Christmas Day, which may be a factor of more research and less actual purchasing being conducted.

advertisement

Christmas Day

Date Android iOS
Dec. 25 1.22% 1.48%
Baseline
Average
1.51% 1.78%
Against

Baseline Average

-19.28% -16.56%

Boxing Day

On Boxing Day, the conversion rates were down again compared to the baseline, but a lot less of a decrease than on Christmas Day. The iOS conversion rate was higher than Christmas Day, but still down against the baseline. This may be due to desktop conversion staying flat on Boxing Day vs. the baseline (see next section).

advertisement
Date Android iOS
Dec. 26 1.43% 1.69%
Baseline
Average
1.51% 1.78%
Against

Baseline Average

-5.39% -5.19%

Devices

Looking at conversion rate by device type, on Christmas Day, desktop had a significant advantage over mobile. However, desktop was down compared to the baseline average, and mobile was down even more. This is consistent with the other data, showing Christmas Day activity was lower than the baseline.

Christmas Day

advertisement
Date Desktop Mobile
Dec. 25 2.24% 1.10%
Baseline
Average
2.65% 1.45%
Against

Baseline Average

-15.69% -24.63%

Boxing Day

On Boxing Day, desktop conversion was flat, while mobile increased by a small amount, perhaps more users were starting to purchase due to deals, etc.

Date Desktop Mobile
Dec. 26 2.65% 1.57%
Baseline
Average
2.65% 1.45%
Against

advertisement

Baseline Average

0.08% 8.31%

Security

Web Application Attack Detail

Despite the decrease in global traffic leading up to and including the holidays (Christmas Day and Boxing Day), threat actors didn’t take the holidays off, with web application attacks very active. The number of attacks on Christmas Day were comparable to Cyber Monday, with the exception of cross-site scripting, which was five times more than Cyber Monday and two times more than Black Friday. (In a cross-site scripting attack the criminal injects malicious code into a vulnerable web application.)

This is likely due to the fact retailers want to track their Christmas sales more than any other day of the year, and web application developers end up including a lot more third party scripts/content on their sites, and attackers take advantage of that. Also, perhaps someone found a vulnerable version of a particular e-commerce software and was testing that against a lot of domains in an automated fashion.

 

advertisement
Attack Type Christmas
Day
Number
Black Friday Cyber
Monday
SQL Injection 3m 7m 3.3m
Command Injection 16k 59k 7.6k
Cross-site scripting 103k 49k 20k
PHP injection 65k 154k 28k
Remote file inclusion 27k 149k 6.7k

Boxing Day

On Boxing Day, the numbers were pretty consistent with Christmas Day, with the exception of cross-site scripting which saw a decrease of nearly 66%. This could possibly be due to the lower numbers of countries actively participating in Boxing Day (sales promotions attracting online shoppers). As with Christmas Day, Boxing Day was more comparable to Cyber Monday in terms of the majority of web application attacks.

Attack Type Boxing
Day
Number
Black
Friday
Cyber
Monday
SQL Injection 4m 7m 3.3m
Command Injection 12k 59k 7.6k
Cross-site scripting 36k 49k 20k
PHP injection 65k 154k 28k
Remote file inclusion 35k 149k 6.7k

Bot Attacks

While online shopping activity was down on Christmas Day, as we saw with web application attacks, threat actors were still out in droves as the high number of retail bots attests. Compared to Cyber Monday, the retail bot attacks were significantly higher, a 100% increase. On Dec. 26, credential abuse/stuffing attacks (in which criminals use stolen user names and passwords to access consumer accounts) dropped by approximately 50%. That is curious, due to the increase in traffic, especially for Boxing Day. Again, it may be due to a smaller number of countries participating and promoting Boxing Day sales (online activity).

advertisement
Attack Type Dec. 25 Dec. 26 Black Friday Cyber Monday
Retail Bots 4b 4b 3b 2b
Credential Abuse/Stuffing 41.6m 17.1m 38m 26m

Consistent with other holidays that we’ve monitored this season, the U.S. was the most targeted country for attacks, along with India and the U.K. The U.S. was also the leading source country for attacks, with India and China rounding out the top three. Keep in mind that the more advanced attackers hide their true country of origin.

Target Country Percentage of
Attacks
United States 69.3%
India 7.6%
United Kingdom 5%

 

Source Country Percentage of
Attacks
United States 64.6%
India 7.3%
China 6.7%

Boxing Day

Boxing Day (Dec. 26) was similar to Christmas Day, with small variances in the percentages, which is not surprising to us.

advertisement
Target Country Percentage of
Attacks
United States 71.2%
India 6.8%
United Kingdom 4.9%

 

Source Country Percentage of
Attacks
United States 66.3%
India 6.5%
China 6.1%

Summary

As we have seen throughout the recent global peak traffic holiday period, online retailers need to be prepared to offer optimal customer experiences to mobile visitors (including mobile app and web browser interaction) as their overall usage is greater than desktop users and their use has gone beyond research and includes purchasing.

Until now, significant time and budget have been invested optimizing web applications and content for desktop visitors. This focus should not diminish but, as we saw, the percentage of mobile visitors exceeded desktop visitors during ALL of the major holiday events, with no sign of reversing in 2019. This trend underscores the importance of prioritizing an optimal mobile customer experience, but not at the expense of desktop optimization.

The high volume of retail-specific attack bots and web application attacks clearly demonstrates the need to provide a secure environment for online shoppers for all aspects of the transaction: browsing, research, purchase and storage of personal data at ALL times. Existing and new (e.g. GDPR) regulations have raised the bar in terms of financial penalties for data breaches, along with reputation hits and possible loss of revenue should consumer information be stolen.

advertisement

Threat actors don’t take holidays. While they know to focus on holiday traffic due to the increased number of online users, they are attacking every day with all the attacks we’ve outlined—as this major online retailer can attest, after being  hit with a credential stuffing attack from late September to late November last year.

While this is only a highlight of holiday events, peak traffic spikes can occur at any time, whether it’s due to a highly visible event like a royal wedding or a natural disaster. Take the first step and prepare for peak traffic by testing your website and mobile application performance at any load. In the next article, we’ll explore what these findings will mean for retailers in 2019.

Akamai provides content delivery network services to 354 of the Top 1000 online retailers in North America.

 

advertisement
Favorite