Research shows online criminals attack online retailers with greater sophistication and frequency than before the COVID-19 crisis. The usual slowdown in fraud attacks during September and October didn't happen in 2020, as holiday buying kicked off early, drawing in the bad actors.

As online shopping soared during the pandemic, so did new opportunities for online criminals. And in 2020, they exploited those opportunities.

Findings from NuData Security and Webscale Networks Inc. show that criminals are attacking online retailers with greater sophistication and frequency than before the COVID-19 crisis.

During the second half of 2020, NuData, an online security firm owned by Mastercard, deemed 76% of attacks on retailers to be “sophisticated attacks.” That was up from 38% during the first half of 2020 and 35% in 2019. NuData’s bases its analysis on monitored activity across the global NuData network.

“Just as online security firms look for trends, so do fraudsters,” says Dave Senci, vice president of product development at NuData. Like the professionals tasked with fighting them, online criminals pay attention to what works, adapt to meet new circumstances and refine their tactics, he says.


NuData says a sophisticated automated attack might strike at a slower rate than what the firm refers to as a “basic attack.” NuData defines basic automated attacks as those focused on generating a high volume of strikes rather than fewer, higher-quality attacks.

The emphasis on speed means basic attacks don’t attempt to emulate human behavior or browser interaction. Such attacks also usually directly with the server, without executing JavaScript—a kind of code that makes websites interactive.

The sophisticated attacks, while slower, are harder to detect, Senci says, because they attempt to mimic human behavior. For example, the attacks might display expected browser or application behavior and run scripts in ways intended to create a human-like interaction. Scripts are lists of commands programmers can use to automate processes on a computer or generate webpages.

The sophisticated attacks sometimes use humans to do things like complete CAPTCHAs, Senci says. In such a scenario, the malicious software attempts to log into a website using a lengthy list of credentials bought on the dark web. If a CAPTCHA appears, the script then engages a “farm” service in which human users solve CAPTCHAs in seconds for a small fee.  CAPTCHAs are tools used to differentiate between real users and automated users, such as bots. To do that, CAPTCHAs provide challenges that are difficult for computers to perform but easy for humans.


The criminals are becoming savvier in other ways as well, Senci says. For example, 55% of attacks involved reused IP addresses—a hallmark of basic automated attacks—in the second half of 2020, down from 77% in the first half of the year. Attackers also have gained access to high-quality user credentials than in the past, the study finds. The result: The average percentage of successful credentials per attack nearly doubled to 2.6% in the second half of 2020, from 1.4% in the first half of the year. In the retail industry, the success rate in the second half of 2020 was 11.0%, up from 1.18% during the first half of the year. This means that 11.0% of the time, a criminal used correct user credentials, such as usernames and passwords, to access an ecommerce site.

It’s not clear how attackers are getting those better-quality credentials, Senci says. But one cause might be coronavirus-related phishing scams. Phishing refers to fraudulent attempts to secure sensitive information, such as usernames, passwords or credit card numbers, by impersonating oneself as a trustworthy entity via email or other kinds of digital communication such as instant messages.

Why retailers are attractive to criminals 

Before the pandemic, criminals commonly used sophisticated, human-mimicking attacks against financial services companies. But 2020 was different. First, he says, data from the Mastercard SpendingPulse shows 2020’s holiday shopping season started Oct. 11, or about three weeks earlier than 2019’s season, which kicked off Nov. 1.  SpendingPulse provides market intelligence based on national retail sales.


The state and local lockdowns related to COVID-19 also led to a massive surge in online shopping, as consumers searched for new ways to stock up on essential goods. The increase in ecommerce led malicious actors to pay more attention to online merchants, Senci says. As traffic to retail websites soared, so did attack traffic, he says.

Usually, NuData analysts see a slowdown in attack traffic during September and October as bad actors prepare their ploys for the holidays—for example, by opening new fake accounts in preparation to use them later to commit fraud. In 2020, attackers didn’t slow down to prepare their malicious software until November, the NuData report says. “This longer period of holiday attacks is an important reminder that cybercriminals don’t always follow expected seasonal trends, making it vital to have security that is scalable across the year,” the report says.

Electronic skimming attacks increase 

According to Webscale, an ecommerce cloud automation, management and hosting provider, attacks of all kinds rose significantly in 2020.

For example, retailers experienced a 50% spike in Magecart-type attacks in 2020, compared with 2019. During the holiday period, Magecart attacks grew 81% compared with the same period in 2019.


Magecart is a methodology used in online “skimming” attacks. Online skimming is the web version of the card-skimming devices criminals sometimes place on card readers on gas pumps and ATMs. Digital skimmers use malicious code to collect data entered by online shoppers and transfer it to a website controlled by hackers. The hackers often obscure those sites using geofencing—a virtual perimeter for a real-world geographic area—to keep them invisible in specific countries.

Most often, criminals use Magecart to attack web stores that use Magento software, hence the attack method’s name. But Magecart isn’t a problem only for Magento users.  Webscale says there were more than 2.5 million digital skimming incidents in 2020 compromising 25,000-plus websites.

Webscale derives its data from a survey of 1,572 ecommerce professionals in 21 countries, including those at retailers (83% of respondents) and digital agencies (18%). Among the businesses surveyed, nearly two-thirds reported security incidents grew 20% for surveyed companies. 78% reported having at least one cybersecurity incident in 2020. 62% of respondents said the financial impact of security incidents was significant, ranging on average from $100,000 to $250,000, Webscale says. Webscale conducted its survey from early December 2020 through mid-January 2021.


Andrew Humber, vice president of marketing at Webscale says the online attacks in 2020 revealed complacency about web security. But that’s beginning to change.

“When you see brands like Marriott, Macy’s and Delta experiencing attacks that could have been mitigated with security protocols around multi-factor authentication and intrusion detection, it raises a red flag around best practices across the industry as a whole,” Humber says.

Fortunately, he says, Webscale’s survey shows that retailers understand the seriousness of the threat posed by online criminals and are taking action.

“What was highly encouraging was the fact that merchants recognize security as their number one challenge … as a result, 67% committed to increasing their spending in the area this year,” he says. “This all points to an industry that is becoming more and more aware of the risk that cybercrime represents to not only their revenues but their corporate reputation, that can be impossible to recover.”