An analysis of ecommerce traffic data during seven major global holidays in 2018 shows that retailers must constantly be on the alert, as hackers don’t take time off. Retailers must also be prepared for unexpected peaks resulting from big events other than holidays, such as a celebrity wedding or natural disaster.

Chris Wraight, director of industry marketing, Akamai.


In the previous post in this series, we reviewed web performance for the mobile visitor during peak online shopping periods in 2018. While web performance is critically important, security is also a vital area of focus and investment because threat actors don’t take holidays. They’re always out on the internet probing sites, looking for vulnerabilities and ways to steal data or take over sites. They are, however, keenly aware of holidays and what that means for increased online activity, so they have extra focus on these days.

The chart below shows the total retail-specific bots on the seven key holidays we tracked. The lower number for Cyber Monday is intriguing; a possible explanation is that threat actors are becoming smarter and more focused in their attacks, only using the more profitable types.

[Chart: Retail-specific bots]

Credential abuse/stuffing attacks (in which criminals use stolen personal data of consumers to try to commit fraud) closely echo retail-specific bots, with the exception being Singles’ Day 2. Singles’ Day 2 is a much smaller event than Singles’ Day 1, but the fact that it is firmly in the prime Christmas and Boxing Day shopping timeframe (Dec. 12) is the most likely explanation for its high number.

[Chart: Credential abuse and stuffing attacks]

Looking at the assorted web application attacks, the number of attacks on Christmas Day was comparable to Cyber Monday, with the exception of cross-site scripting, which was five times more than Cyber Monday and two times more than Black Friday. (In a cross-site scripting attack the criminal injects malicious code into a vulnerable web application.) This is likely due to the fact that retailers want to track their Christmas sales more than any other day of the year, and web application developers end up including a lot more third-party scripts/content on their sites, and attackers take advantage of that. Also, perhaps someone found a vulnerable version of a particular ecommerce software and was testing that against a lot of domains in an automated fashion.


Regarding the higher Diwali number, as with the session traffic, this represents a period of time over multiple days, versus a single shopping day. Singles’ Day 1, while essentially only in China, is the biggest single holiday sale day in the world (US$31B compared to US$14B for Black Friday and Cyber Monday combined). There are over 666 million registered users on Tmall (Alibaba’s online shopping site) alone; the magnitude of this holiday attracted the higher amount of malware attacks.

[Chart: Types of attacks on ecommerce sites]

Seven Key Recommendations for 2019

As we, along with others, have seen throughout 2018, online retailers need to be “mobile first” in their approach, with the objective of providing the most optimal CX for mobile users that they can. However, only 24 percent of retailers cited improving the mobile shopping experience as a top digital priority. The top answer was creating a consistent brand experience across channels, at 57 percent. Tied at 38 percent were increasing customer loyalty, improving personalization and improving user experience (e.g., navigation, speed and responsiveness). Clearly, improving the mobile CX must be moved up the digital priority list; if retailers don’t do this they risk being at a competitive disadvantage.

And looking into the future, Forrester “expects digital to influence 58 percent of retail sales by 2023 thanks in large part to the growing role that smartphones are playing in shoppers’ lives:

  • Although online retail via smartphones accounts for only one-third of online retail sales, smartphones’ impact on retail sales is massive.
  • That’s because roughly 88 percent of U.S. online adults use a smartphone, 45 percent use a smartphone at least once a month to research products before making a purchase and 28 percent use a smartphone at least once a month to purchase physical products.
  • By 2023, Forrester expects smartphones to influence $1.4 trillion in sales.”

But mobile means two things: 1) a native mobile app OR 2) a mobile user accessing a web application via the device’s browser. In North America, 67 percent of all digital transactions now take place on mobile, with native mobile apps representing 47 percent, according to eMarketer.


This means that application developers need to consider both environments when designing new applications, but native mobile apps are certainly the future. However, while native mobile apps are a big portion of online sales, less than half (45 percent) of online retailers have a native app.

Optimizing mobile CX

Visual content is a critical factor when it comes to providing a great mobile CX, and retailers need to examine what they currently provide. A BigCommerce research study found that 78 percent of online shoppers want more images and 30 percent want more video from ecommerce sites. However, meeting this content demand can create slowdowns, for example when images are improperly formatted for mobile screens versus desktop.

Optimizing your site for a superior CX to attract and convert visitors into paying customers doesn’t just mean fixing the slowest pages. It’s critical for online retailers to monitor, capture and analyze behavioral data from their real users and the devices they use. Having this visibility will allow you to pinpoint the trends and glean actionable insights required to deliver your customers a smooth shopping and purchasing experience. Note the data presented about the conversion differences between Android users and iOS users; having this detailed information and adjusting your web application for it could help to boost Android conversion rates.

All this focus on mobile CX can’t come at the expense of still providing an optimal desktop CX. Online retailers have spent years and substantial budget money enhancing their desktop environment and that should not diminish as desktop users are still a significant part of their visitors.


Operationally, online retailers need to plan far in advance. Notably, peak traffic events can occur at any time of the year. While major holidays are known, what about unforeseen events that can place a huge strain on your infrastructure? These might include a high-profile event, like the Royal Wedding, that will increase global traffic demands, or a hurricane that will lead to increased activity at sites such as large box stores for goods to fortify homes and/or repair them.

Make sure your ability to scale is guaranteed, beyond what Marketing and Sales project for peak traffic. This entails testing from highly distributed locations to simulate global spikes as well as pushing applications to the limit, all well in advance. Having a contingency plan is also advisable.

Threat vectors

It’s one thing to plan for peak traffic that could occur at any time, versus being prepared for security attacks that do occur at all times. Threat actors don’t take holidays. And even though we saw spikes of increased attacks during the known holidays, in reality they are out there every day probing your site for weaknesses and openings.

Everyone recognizes it’s important to protect customer personal data such as credit cards as well as transaction information; not everyone equates degraded site performance with a high volume of bot attacks that prevent legitimate customers from visiting and transacting on a site. What’s more, DDoS [distributed denial of service] attacks targeting retail sites are increasing, along with the complexity of the attacks.


The wide variety of threat vectors makes it vital to have a broad range of security protection in place. Credential stuffing attacks were high over the seven holidays we are reporting on. But in truth they too are always present, as this major online retailer recently discovered they were infiltrated from late September to November.

To reinforce how important it is to plan for peak traffic events at all times, not just holidays, on Tuesday, December 11, 2018, the Akamai Intelligent Edge Platform for securing and delivering digital experiences set a new record for peak traffic on its global content delivery network (CDN). On that day, the volume of data being delivered across the Akamai network exceeded 72 terabits per second, surpassing the 70 Tbps threshold for the first time in the company’s 20-year history.

The record-setting volume of traffic, which is comparable to delivering more than 10 million DVDs per hour, was driven primarily by live sports events, gaming releases and major software updates, along with elevated traffic levels from many of the world’s largest ecommerce sites. Of note, this record was set on a weekday, and it was NOT during a global event such as Black Friday, the World Cup or Olympics.

During the same day, Akamai processed hundreds of billions of API requests, hundreds of millions of dollars in ecommerce transactions, and trillions of internet interactions overall. We evaluated online retail traffic from around the world that touched nearly 100 retail websites and mobile retail apps, providing Akamai with more than 5 billion daily data points that we assessed in aggregate. This information is critical to online retailers seeking to prepare for peak traffic demands as well as protect against threat actors.


Akamai provides content delivery network services to 354 of the Top 1000 online retailers in North America.