The 2020 holiday season will be a make or break time for many retailers, with ecommerce expected to be the bright spot. But several kinds of online crime are already tracking at a greater-than-normal frequency.

Patrick Sullivan, chief technology officer, security strategy at Akamai Technologies

The holiday season is always critical to retailers, and that will be especially true in 2020. Ecommerce has been making up an increasing share of overall retail spend, and that trend will certainly accelerate in 2020, with ecommerce growth estimated at 18%. After so much disruption in 2020, having a strong ecommerce holiday season is particularly vital.

It isn’t unusual to see distributed denial-of-service (DDoS) activity targeting ecommerce during the holiday season. DDoS extortion schemes are essentially about criminals exerting maximum leverage against their victims to maximize the probability of payment in exchange for calling off DDoS attacks.

It is well understood that most ecommerce retailers are extremely dependent on having a successful holiday season. DDoS extortion attacks have picked up in September 2020 with schemes targeting finance, retail and other industries. This raises the likelihood of DDoS extortion attacks targeting retailers during the critical 2020 holiday season. Now would be a good time to revisit DDoS runbooks and consider a DDoS tabletop drill as part of your holiday readiness regime.

Account takeover (ATO) attacks continue to be a constant threat to retailers. In 2019, retailers were on the receiving end of more than 10 billion credential validation attempts, the most of any industry, from bots looking to take over accounts and commit fraud. The fact that retail is the most targeted industry suggests that fraudsters can easily monetize retail accounts once they take them over. In preparation for the 2020 holiday season, plan to keep a close eye on authentication failures and consider bot management solutions to disrupt the bots testing credentials on your authentication endpoints.

An evolving category of threats emerges from modern websites’ rich supply chains, complete with open source componentry, third-party tools, and JavaScript. Attackers are growing increasingly effective at exploiting any foothold they can gain into this expansive supply chain for websites and apps and using it to conduct payment skimming or other attacks that allow them to make off with valuable payment data or additional personally identifiable information (PII). These threats can be challenging because, unlike other attacks, the interactions from the browser route directly to third-party data centers, bypassing security tools deployed at the retailers’ data centers.

Security teams can disrupt these attacks using various measures. They include rigorous inspection of new and existing third-party partners, review of open source code for vulnerabilities, and new technologies that monitor the browser’s behavior from the client side to detect payment skimming and related threats.

The 2020 holiday season will be a make or break time for many retailers, with ecommerce expected to be the bright spot. Several web application attack trends are currently tracking at a greater-than-normal frequency, including DDoS, credential stuffing/ATO attacks, and payment skimming attacks. As retailers’ information security teams review their holiday readiness checklists, these three attacks would be good areas to focus on as a priority.

Akamai Technologies provides content delivery network services to 305 of the 1,000 leading online retailers in North America as ranked in the 2020 Digital Commerce 360 Top 1000.
