Akamai Technologies, Inc. (NASDAQ: AKAM), the cloud company that powers and protects life online, released a new State of the Internet report today that spotlights the increasing number and variety of attacks on the commerce sector. Entering through the Gift Shop: Attacks on Commerce finds that commerce remains the most targeted web attack vertical, accounting for over 14 billion (34 percent) of observed incursions.
As commerce organizations increasingly rely on web applications to drive customer experience and online conversions, adversaries target vulnerabilities, design flaws or security gaps to abuse web-facing servers and applications. Retail remains the most targeted subvertical within commerce, accounting for 62 percent of attacks on the sector. This impacts both organizations and consumers.
The new Akamai research also finds that Local File Inclusion (LFI) attacks – that involve attackers exploiting vulnerabilities in how a web server stores or controls access to its files – increased by more than 300 percent between Q3 2021 and Q3 2022 and are now the most common attack vector used against the commerce sector. Just a few years ago, SQL injection (SQLi) was the most common incursion. This indicates an attack trend toward remote code execution and hackers leveraging LFI vulnerabilities to gain a foothold for data exfiltration.
Other key findings of Entering through the Gift Shop: Attacks on Commerce include:
- Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI), and Server-Side Code Injection (SSCI) have emerged as critical attack techniques to defend against and pose great threats to commerce organizations.
- Half of the JavaScript that the commerce vertical uses comes from third-party vendors, and this introduces the increased threat of client-side attacks like web skimming and Magecart attacks. It is critical to put mechanisms in place that detect these attacks to remain compliant with new PCI DSS 4.0 requirements.
- Attackers could also abuse security gaps in scripts, enabling a pathway for criminals to infiltrate bigger, lucrative targets in supply chains.
- Akamai observed malicious bot requests surpassing 5 trillion events in 15 months, with assaults against commerce customers proliferating via credential stuffing attacks that can lead to fraud.
- Over 30 percent of phishing campaigns targeted commerce brands in Q1 2023.
- Attacks in Europe, Middle East, Asia and Africa (EMEA) are heavily skewed toward the retail subvertical, which accounts for 96.5 percent of attacks vs 3.3 percent for hotel and travel.
- Commerce is the second most frequently targeted web attack vertical in Asia-Pacific and Japan (APJ) at over 20 percent.
“The commerce sector is characterized by a complex ecosystem that leverages web applications and APIs to drive business,” said Rupesh Chokshi, Senior Vice President and General Manager, Application Security at Akamai. “Entering through the Gift Shop: Attacks on Commerce examines various attack types that commerce organizations and their customers face. We highlight elements such as web applications, bots, phishing and the use of third-party scripts to gauge what is happening in this sector and to help both cybersecurity leaders and practitioners understand the critical threat trends impacting this industry.”
For additional information, the security community can access, engage with, and learn from Akamai’s threat researchers by visiting the Akamai Security Hub and following the team on Twitter at @Akamai_Research.