Business Wire Announcement: Imperva, Inc.

Imperva, Inc. (@Imperva), the cybersecurity leader whose mission is to help organizations protect their data and all paths to it, announces The State of E-Commerce Security 2022, a 12-month analysis of cyber threats by Imperva Threat Research. cyber security targeting the retail sector. A host of automated threats, from account takeovers, credit card fraud, ‘web scraping’, API abuse, Grinch bots and distributed denial of service (DDoS) attacks, are a persistent challenge to the e-commerce industry, threatening online sales and customer satisfaction. The constant stream of attacks on retailers’ websites, apps and APIs throughout the year and during the holiday shopping season is a constant business risk for the retail industry.

“The holiday shopping season is a critical time for the retail industry, and security threats could hurt retailers’ revenues again in 2022,” said Lynn Marks, senior product manager at Imperva. “This industry faces a number of security risks, most of which are automated and run 24/7. Retailers need a unique approach to stopping these constant attacks, with a focus on data protection and the tools to mitigate attacks with fast and uninterrupted customer service.”

Automated Adversary: ​​Evil bots and retail sites plagued by online fraud

Subscribe to THE POVO+

Get access to all exclusive content, columnists, unlimited access and discounts in stores, pharmacies and more.

Sign it

In the last 12 months, nearly 40% of traffic to merchant websites did not come from humans. Instead, it came from robots, operator-controlled software applications that perform automated tasks, often with malicious intent. In the retail industry, the infamous Grinch bot is known for hoarding inventory during the holiday shopping season, crowding out high-demand items and making it difficult for consumers to buy gifts online.

Some of the key trends monitored by Imperva include:

— Of all merchant website traffic, nearly a quarter (23.7%) was attributed specifically to malicious bots and malicious automation that contribute to online fraud. The share of advanced bots – scripts that use the latest evasion techniques to mimic human behavior and avoid detection – at retail locations increased year-on-year (from 23.4% to 31.1%). Advanced bots are a big challenge for organizations to stop without the right defenses in place.

— In 2021, bot attacks on retail locations increased 10% in October and another 34% in November, suggesting that bot operators are ramping up their vicious efforts during the peak holiday shopping period.

— Account Takeover (ATO) is another form of online fraud where cybercriminals attempt to compromise online accounts using stolen passwords and usernames. In 2021, 64.1% of ATO attacks used an advanced malicious bot. Of all login attempts on retail sites, 22.6% were malicious, nearly double the amount seen on sites in other industries. Attackers used leaked credentials 94.7% of the time in credential injection attacks targeting merchants, compared to 69.6% of the time in other industries.

API abuses and attacks are multiplying, creating new challenges for marketers

APIs are the invisible connective tissue that allows applications to share data and call digital services. Analysis by Imperva Threat Research found that API traffic represented 41.6% of all traffic to online retailers’ websites and apps. Of this total, 12% of the traffic is directed to the end stages, such as the database, where personal data (eg credentials, identification numbers, etc.) are stored. Even more concerning is that 3-5% of API traffic is directed to undocumented or Shadow APIs, late-stage APIs that security teams either don’t know exist or no longer protect.

Exposed or vulnerable APIs pose a significant threat to merchants because attackers can use the API as a way to exfiltrate customer and payment data. In general, API abuse is carried out through automated attacks where a botnet floods the API with spam traffic, looking for vulnerable applications and unprotected data. In 2021, API attacks increased by 35% between September and October, and then increased by another 22% in November, on top of the high levels of attacks in previous months. The finding suggests that bad actors increase their efforts during the holiday shopping season, as more data is exchanged between APIs and applications that power e-commerce services.

Beware of downtime: DDoS attacks continue to threaten retailers

A distributed denial of service (DDoS) attack is an automated threat that attempts to disrupt essential business operations by flooding a network or application infrastructure with malicious traffic. Attacks are often launched by a botnet, a group of compromised connected devices distributed across the Internet and controlled by a single party.

Imperva Threat Research found that DDoS attacks will be bigger and more intense in 2022 across all industries. The number of recorded incidents greater than 100 Gbps doubled, and attacks greater than 500 Gbps / 0.5 Tbps increased by 287%. Additionally, attack targets are usually attacked again within 24 hours. In fact, 55% of sites hit by application layer DDoS and 80% hit by network layer DDoS were attacked multiple times.

A DDoS attack is a constant threat to retailers. Outages caused by a DDoS attack can lead to website downtime, reputational damage and loss of revenue. DDoS is a critical threat to online retailers that rely on the performance and availability of applications to enable digital storefronts.

Additional information:

— Download the State of E-Commerce Security 2022 report.

— Learn how Imperva’s products and solutions help merchants protect their applications, APIs and data from security risks.

— See how evil bots are disrupting business across industries.

— Check out the Imperva Blog for the latest product and solution news as well as threat data from Imperva Threat Research.

About Imperva:

Imperva is a leader in comprehensive digital security with a mission to help organizations protect their data and all paths to it. Only Imperva protects every digital experience, from business logic to APIs, microservices and the data layer, and from vulnerable legacy environments to cloud-first organizations. Customers around the world trust Imperva to protect their applications, data and websites from cyberattacks. With an integrated approach that combines edge, application and data security, Imperva protects companies ranging from cloud startups to multinationals with hybrid infrastructures around the world. Imperva Threat Research and our international intelligence community keep Imperva ahead of the threat landscape and seamlessly integrate the latest security, privacy and compliance expertise into our solutions.

© 2022 Imperva, Inc. All rights reserved. Imperva is a registered trademark of Imperva, Inc.

The original language text of this publication is the official authorized version. Translations are provided only as a convenience and must refer to the original language text, which is the only version of the text that has legal effect.

See the original version on


Jonathan Gregalis

© 2022 BusinessWire, Inc. Disclaimer: This press release is not a document produced by AFP. AFP will not be responsible for this content. For more information, contact the persons or entities listed in the press release.

Questions, criticisms and suggestions? Talk to us


Leave a Reply

Your email address will not be published. Required fields are marked *