Solution Brief

Bot Abuse Analysis and Other Fraud Benchmarks - e-Commerce Industry

Q1 2024

The e-commerce industry faces numerous cyber scams, particularly during peak shopping times. To enhance the experience of genuine consumers, businesses may relax security measures, assuming the high volume of legitimate transactions will outweigh the fraudulent ones. This leniency can be exploited by bad actors who create fake accounts using stolen credit cards, causing financial losses for retailers and their customers. Fraud should no longer be accepted as a business cost.

This industry brief utilizes data from our comprehensive bot abuse analysis, focusing on the top attack vectors in online retail and e-commerce during Q1, Q2, and Q3 2023. It seeks to provide data-driven insights into attacks in this sector, offering effective detection and prevention strategies. Insights are drawn from the Arkose Labs Global Intelligence Network, which includes major corporations and category leaders. These entities, prime targets for cyber threats, provide a unique perspective for monitoring and analyzing cyber activities.

Attack type by industry in H1 2023:

Attack type by industry in H1 2023

We analyzed billions of sessions worldwide across industries, between January 2023 and September 2023, and assessed three primary attack vectors fraudsters use to launch various cyberattacks. In sum, these methods generated billions of attacks in the first half of 2023 and into Q3, comprising 73% of website and app traffic measured. That means almost ¾ of web traffic to digital properties is malicious.

Percentage of legitimate traffic vs. bots and malicious traffic

In the e-commerce sector, criminals dedicate substantial time and resources to activities such as card testing, phishing, and a host of other fraudulent endeavors. But when faced with robust site protection, bad actors can no longer achieve the economic gains they seek and ultimately move on. This principle underlies the core philosophy of Arkose Labs—making attacks too costly for adversaries to persist.

The Bad Side of Bots

Basic Bots, Intelligent Bots, and Human Fraud Farms

Efficiency is a top priority for cybercriminals, as it directly influences their monetary gains. Malicious bots are key to empowering fraudsters in carrying out targeted and well-crafted attacks on e-commerce enterprises. Notably, a staggering 65% of web traffic in e-commerce is attributed to bad bots.

The percentage of traffic by industry that comes from bad bots:

The percentage of traffic by industry that comes from bad bots

Between Q1 2023 and Q2 2023, intelligent bot traffic experienced a nearly fourfold increase. This growth surpassed basic bots and played a pivotal role in the overall surge of approximately 167% in bot attacks during the same period.

The Intelligent Bot Uprising

While the prevalence of automated threats is a significant concern, there has also been a marked 26% uptick in human-based attacks during Q3. When malicious bots fail to make it past security defenses, threat actors turn to human fraud farms to complete their mission. This move comes at a significant human cost, often involving forced labor.

Fraud farm attacks

Although the issue of bots is significant, accounting for 65% of online retail and e-commerce traffic, human-based attacks have also seen a notable increase of 26% in Q3 compared to the preceding quarter. Due to the financial incentives associated with these attacks, and the volume of sensitive data at risk, e-commerce businesses are now deemed high-value targets.

Beating these adversaries demands technology that dynamically targets human solvers and applies adaptive, time-consuming challenges. With this capability in place, e-commerce businesses can defeat the economics behind attacks that exploit human labor at scale.

Intelligent Bot Attacks Top 5 countries of apparent origination

Fraud Farm Attacks Top 5 countries of apparent origination

Two Bot Threats in the e-Commerce Sector

The surge in bot and human fraud farm attacks is driven by two technology trends influenced by powerful economic forces:

1. Generative AI (GenAI):

Our threat research has documented a significant uptick in the last year, and especially in the past six months, of GenAI being used to craft attacks. At the close of 2023, we witnessed attackers using bots to scrape public and personal content from websites to then fine tune their GenAI models. Our threat researchers have observed three key landscape changes:

  1. The evolution of simple scrapers to account takeover class infrastructure
  2. An increasing number of commercial scraper services
  3. Developer groups scraping data for GenAI apps

Analysis reveals scraping is now one of the top five most popular attacks—and fastest growing—for all industries, increasing 432% in Q2 over Q1 2023.

100% Scraping attacks

2. Cybercrime-as-a-Service (CaaS):

Bad actors are advancing their skills by embracing the CaaS model, deploying bots and unleashing attacks that cause trillions of dollars in damages. This shift lowers the barrier to entry and grants access to cybercrime for a broader range of actors, making it easier to launch attacks with limited technical skills.

The CaaS model directly impacts e-commerce by establishing a marketplace where fraudsters can easily procure tools and expertise. This convenience enables threat actors to acquire specialized services, such as phishing kits, contributing to the escalation of advanced attacks on e-commerce platforms. The availability of these services enhances the efficiency and reach of cyber threats, posing a tangible and immediate risk to the security of online transactions, customer data, and overall operations.

The affordability and popularity of CaaS are pressing security teams to bolster their efforts against these rising threats. Beyond the immediate need for protection, the prevalence of CaaS reveals a broader challenge in adapting bot prevention to counter evolving cyber threats. The anonymity CaaS gives providers introduces a layer of complexity for law enforcement, emphasizing the ongoing struggle to keep pace with evolving tactics.

CaaS Quote from CEO of Arkose Labs

This dynamic landscape calls for not only defense against known threats but a continuous and proactive effort to stay ahead of emerging risks, reflecting the ongoing cat-and-mouse game between security professionals and cybercriminals.

The Growing Scourge of Attacks

The Growing Scourge of Attacks-eCommerce

Arkose Labs Can Help

Arkose Labs safeguards businesses by disrupting the financial incentives driving bot attacks. Our long-term bot mitigation and account security solutions focus on protecting critical user touch-points: account login and registration. By identifying hidden attack signals and undermining attackers' return on investment, we enhance security without compromising user experience.

Benefits of working with Arkose Labs

Our unique platform, Arkose Bot Manager, analyzes user session data to assess context, behavior, and reputation, classifying traffic based on risk profiles. Suspicious traffic faces enforcement challenges, distinguishing between legitimate users and fraudsters to block automated activities and ensure a secure consumer experience.

Arkose Labs for eCommerce & Travel

Book a Meeting

Meet with a fraud and account security expert

Request a customized demo to learn more.