Redefining CyberSecurity

Online Retailers: There are Threats Actively Targeting Your Business This Holiday Shopping Season, and Beyond | An Imperva Brand Story With Gabi Stapel and Erez Hasson

Episode Summary

In this Brand Story episode, Sean Martin, along with Gabi Stapel and Erez Hasson from Imperva, explores the complex landscape of retail web and mobile security and the increasing role of AI-enabled bots (both good and bad) in e-commerce.

Episode Notes

In this Brand Story episode, Sean Martin, along with Gabi Stapel and Erez Hasson from Imperva, explores the complex landscape of retail web and mobile security and the increasing role of AI-enabled bots (both good and bad) in e-commerce and the potential threats they pose.

Gabi and Erez highlight how these bots can exploit business logic and application capabilities, leading to new account fraud, account takeover, and price manipulation. They emphasize the importance of layered security and anomaly detection as key strategies to counter these threats.

The discussion also explores the need for businesses to differentiate between human and bot traffic. Gabi and Erez point out the potential backlash from legitimate users when bots buy and deplete inventory, and the subsequent impact on customer experience and the company's reputation. They also touch on the importance of monitoring the total value of the cart, as bots tend to purchase single items, resulting in net losses for the retailer.

The conversation further delves into the global and local aspects of commerce, including regulatory considerations like PCI DSS. Gabi and Erez discuss the upcoming changes in PCI DSS v4, which requires retailers to focus on managing scripts and changes to payment pages to prevent data breaches.

The episode also offers valuable insights for both large-scale and smaller retailers. Gabi and Erez underscore the importance of staying on top of security and vulnerabilities, regardless of the size of the business. They provide practical advice for retailers, such as implementing a waiting room web page or a raffle system for big sales events, and auditing purchases for limited product drops.

This episode is a must-listen for anyone involved in e-commerce and cybersecurity, providing a comprehensive understanding of the evolving landscape of cyber threats in the retail industry.

Note: This story contains promotional content.

Guests: 

Gabi Stapel, Cybersecurity Threat Research Content Manager at Imperva [@Imperva]

On LinkedIn | https://www.linkedin.com/in/gabriella-stapel/

On Twitter | https://twitter.com/GabiStapel

Erez Hasson, Product Marketing Manager at Imperva [@Imperva]

On LinkedIn | https://www.linkedin.com/in/erezh/

Resources

Learn more about Imperva and their offering: https://itspm.ag/imperva277117988

Catch more stories from Imperva at https://www.itspmagazine.com/directory/imperva

Blog | Online Retailers: Five Threats Targeting Your Business This Holiday Shopping Season: https://itspm.ag/impervkb2g


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Hello everybody, this is Sean Martin and you're very welcome for a new story here with our good friends at Imperva who do all kinds of things to help organizations protect their data. At every place, uh, you could ever imagine it being. And in any way that it, uh, might be misused or abused and, uh, they do some really good work, a lot, especially in the area of, of research as well.

And, uh, I'm thrilled to have two guests on with me today, Gabi and Erez. We're going to look at the world of retail, the world of app security and API security and some of the trends in this space and the risks that retailers face, especially as we approach, uh, all the, all the days which seem to be earlier and more, more frequent of deals and specials and sales and all this stuff that get people to buy, but also attract, uh, the not so fun people to, uh, to engage as well.

So, um, thank you both for being here. I'm going to, I'm going to ask each of you to kind of share a few words about your roles and, uh, what you're up to at Imperva. And, uh, then we'll go from there. So Gabi, you first, please.
 

[00:01:17] Gabi Stapel: Yeah, of course. Thank you, Sean, for having us. Um, my name is Gabi. I work as a content manager for Imperva's Threat Research team.

Um, so I get to work with a lot of really awesome people and dive into some really cool data and work on some great projects like this one with
 

[00:01:31] Erez Hasson: Hello, my name is Erez Hasson. I am an application security strategist here at Imperva. I've been working on the e-commerce reports for quite a few years now, and specialize in application security, as I've said, and bot management and client-side security.
 

[00:01:51] Sean Martin: Perfect. So give me, um, Erez, I'll start with you on this. Kind of give me the history of this research and... I don't know if you can hearken back to, uh, the, the early days, um, what prompted you to, to start collecting this data and analyzing this data. What, what's the objective of the report?  
 

[00:02:14] Erez Hasson: Sure. Um, we've, uh, known for years that the e-commerce industry is probably, unfortunately, the hottest target for, um, bad actors, cyber attackers. And for a good reason, the amount of incentives in this industry is very high. You have your user accounts that have a bunch of sensitive information in them. Whether it be personal information, whether it be payment information, um, you have a lot of value in the goods that are being sold on these websites.

So limited availability items, um, like sneakers or, um, collectors' items, for example. And we've also seen specific circumstances, I would say, that have caused greater chaos for these specific, uh, uh, situations. So take, for example, the chip shortage back in 2020 and 2021 that resulted in a shortage in GPUs, graphics processing units, basically graphics cards for gamers, or PlayStation 5s that have become very, uh, sought after by a lot of people.

And resulted in bots going after them. So there's always constantly new incentives for attackers to go after e-commerce. Um, so this has prompted us to really look back ahead of the holiday shopping season at the trends that we've seen over the past, uh, 12 months each year and collect all that data to educate online retailers on the matter.
 

[00:03:48] Sean Martin: And there, there's no question. Uh, bad actors follow the money. And there, there's, there's plenty of money here in the retail space. And, but that, that's not any different, at least from my perspective, from the retailers themselves trying to find new markets, new customers, new ways to sell new things, um, and make higher margins and protect the revenue that they, that they do generate.

And that, that says, let me turn to tech, let me turn to processes and build an ecosystem of things that allows me to do that and reach more people and get more money. And so Gabi, I don't know if you can share kind of an overview and maybe Erez, you have some points as well. Some of the changes you've seen just in the retail tech ecosystem and tech stack.
 

[00:04:41] Gabi Stapel: Yeah, absolutely. Um, I mean, we've seen a lot of, like, just general changes and trends this year in terms of the attacks that we're seeing. Obviously, there's a huge rise in business logic and application DDoS that we'll get into. But then also, and I know you have some things to add here, but there's also the, the earlier, it's getting earlier in the season that we're starting to see these drops and these releases, um, and the holiday shopping season is really just extending out now.
 

[00:05:15] Erez Hasson: Yeah, exactly. And I think Sean, you put it pretty, pretty nicely there, is that the, uh, retailers are doing a lot of these efforts to reach more customers, just to do more, to provide a better user experience. And as a result, we're seeing what we like to call the modernization of web applications, which results in more APIs being used, more resources being added to websites like JavaScript, um, various services like chat service to be, uh, be able to reach out to your customers to support them.

And all of these just expand the attack surface. Um, whether it be more APIs just handling sensitive data and resulting in just a greater attack surface, or more resources that results in, uh, more opportunities for bad actors to plant some malicious scripts and skim credit card information, for example.
 

[00:06:14] Sean Martin: And it's, it's interesting because I know we were talking earlier, um, before we, before we started recording, that this buy now, pay later trend that we're seeing a lot of, and that's just one point in the life cycle of, of the customer engagement. And earlier, Gab, you mentioned the, the, the attacks on logic, which tell me that it's more than just searching and seeking out a vulnerability in an API.

It's understanding maybe that vulnerability in connection to the end-to-end process of how a transaction is completed from, from customer acquisition to, to actually set the, collecting the money, um, and putting it in the right account.
 

[00:06:59] Gabi Stapel: Yeah, exactly. Business logic attacks, um, this year were the most common attack we saw.

They made up almost 50 percent of, of all the, the attacks that we saw on retail sites. And I mean, that just goes to show that attackers are trying to find any, any access point they can, and rather than doing these other attacks, in a lot of cases, they're just trying to exploit the actual logic that the site has and trying to get in and figure out what they can find, whether it's changing prices to get things cheaper or making accounts or whatever they can do, just exploiting the site's logic itself.
 

[00:07:33] Sean Martin: And Erez can, or Gabi, either of you, um, maybe share a few examples, because as, as I'm sitting here putting myself in the shoes of SecOps, Engineering, DevOps, the IT infrastructure team, fraud team, perhaps, how do, how do those teams spot that something is going awry? I mean, you can, you can test applications before you deploy them, but when something's in, in flight, it might not be as easy to spot some of these things.
 

[00:08:10] Erez Hasson: Yeah, I would say it's tricky. It's a good question because one of those, uh, for an example, one of those business logic abuses that you could see is, it's called new account fraud, where you would basically create a bunch of new accounts. You can obviously automate that using a bot. In order to abuse the new user benefits that that new account would get, you would get, some websites will offer you 20 percent off for your first purchase.

So we've seen cases where bots were being used to create a massive amount of accounts and use those for those benefits. Um, then the security teams would have to have some sort of an account takeover or an account fraud prevention solution in order to be able, because a lot of the times, um, you have to find the anomalies, you have to find, oh, the exact same IP is creating a bunch of accounts, um, and things like that.

So it's a lot of heavy lifting for a fraud team.
 

[00:09:10] Sean Martin: And for me, uh, I like marketing. That's just the sign of a successful campaign. All those new accounts.  
 

[00:09:18] Erez Hasson: All of it. It's a good point, by the way, that causes a lot of painful pain for the marketing teams, because it skews up their metrics and analytics. They cannot make proper decisions when they're based off of skewed metrics that bots have created for them.

So that's another very interesting point.
 

[00:09:38] Sean Martin: And Gab, any, any other examples, uh, on the, on the logic flow trends?  
 

[00:09:43] Gabi Stapel: Yeah, there's, there's a lot. I mean, there's, um, there's, there's examples where attackers will go in and adjust the prices of things so they can get things cheaper, or they'll, they'll exploit the functionality of the site.

And that's why we talk about, you know, layered security, because like Erez said, it's just really finding the anomalies there and finding the differences. And, and, you know, in some cases that's, that's one solution. In some cases that is another, and you just, you need all that layered security there to catch that.
 

[00:10:12] Sean Martin: And I'm going to stick with big picture here for a moment. Um, I mean, retail isn't the only industry, uh, that faces fraud and the, the abuse that bots unleash on them. Um, what perhaps makes retail such a prime target beyond just, there's a lot of money? Do you see changes in maturity levels? Do you see lack of, uh, less, I don't want to say less skill, but perhaps less team and resources to apply to protect against their infrastructure?

What, what makes them such a prime target?
 

[00:10:52] Gabi Stapel: Well, obviously, like you said, the financial reason, but I think on top of that, there's, there's lots of access points. I mean, especially with retail sites, you have payment processes, you have APIs, you have all these sort of access points that an attacker can use to, to try to find a way in.

I mean, you might have, um, you know, personal information in terms of accounts that people are creating, um, or, you know, any other, any other sort of information that they can get out of that. And there's a lot of opportunity in the retail industry for different kinds of bots. I mean, scraping, scalping, like anything you can do to try to get, um, to not only try to steal products, but also steal information from that site.
 

[00:11:34] Erez Hasson: Exactly. I would say it's that creativity of the amount of things that you can achieve using bots or different techniques. Um, like buying products that you can then sell for a significant profit, and you can take advantage of certain situations. As we've mentioned, um, with the chip shortage and the PlayStation 5s, and even when COVID started, we've seen people hoarding toilet paper and other, uh, commodities because people were, uh, looking for them.

And basically it's just, just a very opportunistic kind of industry, or there's always gonna be something new. Um, and as we've said, they try to delight their customers to provide a good user experience, good buying journey. And as a result, the attack surface expands because, um, there's a lot of stuff that you can exploit.
 

[00:12:26] Sean Martin: Which to me says a lot of different ways, uh, bad actors can find a way in. They're going to use the least path of, or look for the least path of resistance and, and one that has, uh, not just resistance, but, uh, doesn't require a lot of funds and effort on their part. And, but that hasn't slowed down, their, uh, their own innovations, right?

Uh, what do we see in terms of bot sophistication? They're, they're still progressing, even if, even if retailers aren't in that, that regard.
 

[00:13:02] Erez Hasson: Yeah, that's unfortunately correct. Uh, for the third year in a row, we're seeing an increase in bot sophistication. It has gone as far as 53 percent of the bad bots that we're seeing are now classified as advanced, which is the most, uh, sophisticated type of bot, uh, that we see.

And there's a good reason for that, because again, this is a very, uh, very, uh, profitable industry for them. And bots, you have to understand that you have to look at these as a business. They are a business for these bot operators. So, the bigger their profits... the more they're going to put into the sophistication of these bots, and these bots will go through the entire process.

It's not just like a script anymore. The bots, if you want to buy a certain product, like a sneaker or a collector's item, they would first of all query the product page. So they start with the product page. They're looking for inventory. They want to make sure that they have inventory, and then they would go and put that into the cart.

Some of them are able to overcome CAPTCHAs, um, and they would go through the entire purchasing process. So they're not just scripts anymore. They're programs that people are putting a lot of effort and money into. And which really turns this into a cat and mouse game. Um, so a really a bot management kind of, when you look at bot management, it has to be able to adapt to these attacks that constantly shift.
 

[00:14:29] Sean Martin: And so there's a lot of points in there. You started earlier with the account creation. I don't know where that fits into your scenario, but, um, I don't know if they look for inventory first and okay, they have 50, 50 of these limited edition shoes that they made. They only have 25 left. I'm going to create 25 accounts and, and buy them and then reduce the price and buy them.

Um, how, how does an organization begin to see that that's actually happening? So some of it's transaction based. Some of it is, um, just general app usage. Some of it, we can see like the query of the inventory might be traffic related. Anything interesting in your research that, that helps organizations kind of say here, here are the things I need to be looking for, and any trends that you saw from this most recent year for that?
 

[00:15:26] Erez Hasson: I would say that any organization that prepares to have such a big sale or selling a limited edition item at this point in time, they have to prepare and expect to see bots that are going to target their inventory. Um, and, and it's not just that.

It's a combination of strategies that you need to prepare for. Because yes, they're going to see a lot of bots, but they're also going to be seeing a lot of legitimate human users that are very interested in getting their hands on that latest product. Um, so these organizations must be prepared to, uh, properly analyze and differentiate their traffic between those humans and those bots.

Um, and it is for them, I think at first, a lot of organizations might not understand because they might say, we have sold a product, right? For us, we don't see it as a problem. We, the inventory is gone. Yes, eventually a bot bought them, but for them, they made, they made their, their money from the sale. But there's a lot of issues that go beyond that.

So for example, these, um, gonna, these bots buying them are going to cause a lot of outrage within legitimate human users that are going to be saying, and we've seen this many times, we'll go on Twitter or X nowadays, go online and just complain about a certain retailer. We were not able to buy these because of bots, and that outrage results in just negative, uh, consequences for that business because they get bad PR.

And then one other interesting thing that you could also look at is the total value of the cart. So if I was to buy, let's say a PlayStation, I would usually probably pair that with another controller or a couple more video games for me to play as I actually start using it. If a bot is interested in certain inventory, it will only get one item.

And that's it. So that results in net losses for the retailer. Um, so eventually I think retailers might not see it, but then they start seeing it with complaints from customers. And as I said, this was in the past. I believe that nowadays, if you are a retailer that you're planning such a big sales event or a limited edition event, you have to be ready to face bots and you have to be able to differentiate the human users from them, because the customer experience is key for those e-commerce websites.
 

[00:18:00] Gabi Stapel: Yeah. Erez is exactly right. I mean, you just, if you're, if you're a retailer that's doing one of these drops, I mean, you have to be prepared for it. And that's a combination of both front-end and back-end things that you can do. Right. Because I know that example, for example, like in some sneaker drops.

They'll have signups ahead of time where you have to like get on a list and you have to go through a lottery and all that sort of thing in order to even be eligible to buy one of these products that's on this big drop. And then on the back end, I mean, like Erez said, you can also look at what people have in their carts, you know, are they buying a combination of things to actually play the game, or are they just buying like five PlayStations, you know, or things like that.

And then also looking at like the activity, what are they doing? What sort of actions and interactions are they doing with the page? And then, um, you know, for example, like in our protection, we look at the IP and where that's coming from and has it been involved in other things in the past?

And, and then we have a risk. We like analyze the risk of that IP address. Could it be a bot or not based on its activity? And so things like that where you're tracking these users and seeing what they're doing is really important.
 

[00:19:04] Sean Martin: Super interesting, and, and I want to stick with the report for another moment, and I'm just wondering, are there, are there any other highlights from it?

I'm thinking in terms of the global nature of commerce, the, um, but then also the local, the local nature of it. Um, you want to make sure that that, uh, yeah, who's buying it is, is allowed to buy it. Um, and then there's things like, uh, I don't know if it's necessarily a regulatory or I guess it ultimately is a regulatory, but, uh, digital sovereignty, data sovereignty, um, organizations need to think about some of this stuff too.

So any other points from the report that kind of highlight the global yet local areas of business?
 

[00:19:56] Erez Hasson: Yeah, yes, I would say that you've mentioned regulatory, so a big one is PCI DSS for everyone who's accepting or processing payments, and PCI DSS in 2022 came up with version 4, which has a lot of significant updates to it, and there are two interesting requirements within that, PCI DSS requirements 6.4.3 and 11.6.1, that relate specifically to payment pages, and the scripts that are allowed to operate and run on the client side within those payment pages. And the reason for this change is that the PCI DSS acknowledged attacks such as Magecart, which take advantage of the resources that are loaded on the client side, which basically is the user's side.

So your browser, whatever is loaded on your browser. These attackers can exploit, and within even a single line of JavaScript code, they can skim data from your web browser. So whenever you input your credit card number or even your login information, that could go to an attacker. And it's essentially a single record data breach which amounts, because it's very, um, kind of stealthy in its nature.

It'll amount to a massive data breach eventually. So that really mandated, uh, PCI DSS to update, uh, there in version four and make sure that retailers should now focus on managing scripts and, um, manage, uh, changes to payment pages and ensure that nothing like that can happen.
 

[00:21:36] Gabi Stapel: Yeah, no, this is a really good point.

I, um, in our data specifically in the last, in the last year, the average amount of transactions on an average day that we see coming through payment processes is about 1.1 million. So, I mean, we're seeing a huge volume of transactions, and that's just what we're seeing here. Um, and obviously this goes up and down depending on the season, but like just an average day, 1.1 million payments. So, this is a huge deal, and it's, it's definitely something that, that needs to be protected and needs to be, be, um, you know, I guess protected.
 

[00:22:10] Sean Martin: Yeah. So talk to me, I picture two, I mean, there's always the, the middle part that's, that's gray and, and, and mushy, but I see two types of organization.

You have, you have your behemoths that operate globally. They have a ton of inventory, ton of customers, many products and apps and APIs to make it all work. And so that's one environment, and they do some of these big drops, let's say, right, and, and huge, huge sales. And then you have, as you work your way down, smaller organizations that, that use a lot of, I'll say, uh, common or standard infrastructure and a lot of pre-built components, and they may offer specials or sales, but may not expect to have tremendous amounts of traffic. So these two, two different environments clearly operate differently, but then also need to consider the risks.

So I'm going to start with the lower end because many of them listening might say, I don't do big drops. I don't expect millions of people to come in and overwhelm my site, but that doesn't mean that they're not at risk. Right? Um, so let's speak to those folks first. How can they, as they prepare for the season, uh, how can they prepare for and begin to plan or, or shore up their security posture to, to better protect their, the revenue that they generate?
 

[00:23:57] Erez Hasson: It's a good point. I mean, the smaller ones cannot always also, um, allow themselves to, like, they don't, they always can invest in a lot of, uh, uh, strengthening of their security posture. Um, but they still should be expecting. You've mentioned that they don't always do these small drops or the product drops.

So, um, we, we have seen actually small, um, retailers that do these product drops, and they usually, unfortunately, don't go well for them. We're, uh, we've seen drops getting canceled and they have to redo them without actually letting go of the inventory, but it actually goes to show that they are aware, because the fact that they go and, uh, audit the purchases and see who bought them means that they are still aware. So for specific product drops, you definitely have to verify who's purchasing them. And we've seen people adding more, um, measures to prevent such fraud. So, for example, make sure that people have to have an account in order to purchase a specific item, or limit the amount of items that they can put in the cart to one or two, depending on your policies.

And then, as I said, even after that, it's recommended to go and audit these purchases. And this is strictly talking about the limited product drops. As for the greater scheme of, like, security posture... you have to plan in advance and make sure that if you are doing a big event such as this, maybe you should look at having a waiting room type of, uh, uh, web page on your website that puts you in a queue in order to control, uh, the number of people going in.

And as someone who's had to come in and buy those limited, uh, edition items, because I'm a big, I'm a big nerd that loves all these collector's items myself, so I'd much rather have a queuing system or, as Gabi mentioned, a raffle than knowing that it was whoever gets there first, because you're never going to get there first before a bot.

So it's much better to have it as a raffle or as a waiting room. Um, so I would recommend to kind of plan in advance, understand what you're looking to do. If you're going to have a big event, prepare for traffic. If you know that you're adding a new capability to your website, something we haven't talked about is even small businesses, do they have gift card, uh, options? So whenever you have a gift card option, you would usually pair that with a gift card balance checking page where you would go in, you input your gift card number, and it'll tell you how much balance you have on it. We have seen bots basically brute forcing that in order to find, uh, validated gift card combinations and steal money off those gift cards.

So you have to really consider every functionality that you're adding to your website, and kind of plan around that, whether it be rate-limit the amount of requests you can put into that, or specific other techniques that you can do to limit the numbers or the abuse. Kind of think in advance as to how attackers can exploit the functionalities that you're going to be putting on your website.
 

[00:27:17] Sean Martin: Yeah, the gift card one is one that lasts well after the holidays as well, because those were given as gifts. Exactly, yeah, yeah. You can't let, can't let your guard down after. So true. Gabi, so I made a number of assumptions that, um, were not necessarily correct. I didn't think smaller companies would do big drops because they didn't have the resources to do something like that.

But, but it actually makes sense when you think about it, right? That, that that's the way for them to actually... generate more revenue because they can, they can, they can do that. So are there any misconceptions that, uh, maybe I might make or others might make as they think about this problem?
 

[00:28:01] Gabi Stapel: Well, I don't know if this is necessarily a misconception, but, whether or not you're a small company, a large company, whatever, I think sometimes people can feel like, oh, I'm not big enough to be a target or not big enough to be attacked. And everyone is. And so my advice for a smaller company in a slightly different direction would be to just stay on top of security and stay on top of vulnerabilities, because there's so many different resources and things that you're using as a small company, especially a retail site, you know, whether it's a WordPress site or some sort of payment processing API, whatever it is that you're using to build your website, to build your, your functionality, vulnerabilities are going to pop up in that. And just stay on top of it and update things when you can, because, because that's always a way for attackers to get in and they, they will exploit that. So.
 

[00:28:49] Sean Martin: And as we begin to wrap here, um, I'll let, let either of you note any other highlights from the report that you'd like.

Um, but I'd also like to maybe hear from you a story of how an Imperva customer engaged with you and said, we think we might, there could be, we don't know, something bad happening here. We don't know where, how to really lock down that it is bad, or, or we do know it's bad, but we have no idea how to refactor the app, restructure the infrastructure, um, protections in place that don't destroy performance or customer experience. We still want to offer what we offer, but not, not impact that. Can either of you describe, uh, kind of what those conversations sound like? I'm not looking for customer names necessarily, but just what that engagement sounds like, so people listening can kind of resonate with this.
 

[00:29:51] Gabi Stapel: Yeah, I mean, I'll let Arez go more into the customer side of things, but in terms of things from the report, I mean, we talked earlier about business logic attacks and, and like we said, one of those is like account takeover where you're creating these accounts are taking over existing counts and, and trying to abuse the functionalities within that. 
 

And one really interesting thing that. We've seen this year is huge rise in application DDoS. I mean, it went up 417 percent from last year, which is just a crazy number. Um, and especially around the holiday shopping season. I mean, every year we're getting into that now where we're just seeing these like massive upticks in application DDoS attacks. 
 

And one thing that I find really interesting is the connection between business logic and DDoS, because, for example, with account takeover is one of them specifically that we see where an attack will start off as an account takeover attack, and then it'll turn into a DDoS attack because attackers, especially using bots, are trying so many account combinations and login combinations so quickly that it's just completely overwhelming the system. 
 

And so it becomes a DDoS attack, even though that wasn't the attacker's initial intention. So whether or not the attack is something that the attacker like intended to or thought about conducting on this site. I mean, it was an unintended consequence. So you always have to be prepared for these sort of things. 
 

And you always have to have the security and the ability to defend against these attacks.  
 

[00:31:09] Sean Martin: I'm going to pause before you, for you take over, Erez, because, uh, Gabi, a little, a deeper dive on the DDoS, Distributed Denial of Service, for folks. Many listening to the show probably know, but some may not know what that is. 
 

And there's the accidental or unintended, uh, uh, unavailability of services because of something a bot is doing. But then I've also heard stories of intended or intentional, uh, competitive analysis services, right? From, I've heard in terms of buying flights and taking, taking up seats on planes and things like that. 
 

So can you take a moment to help retailers understand that risk?  
 

[00:31:54] Gabi Stapel: Yeah, so, so basically a DDoS attack, a distributed denial of service attack is, is where an attacker is sending so many requests, whether intentionally or unintentionally in the case of the ATO attacks, but so many requests to the site that it just completely overwhelms the site and then no one can access it, right? 
 

So they're, they're denying service for the legitimate customers. And, and so this, like you said, I mean, can be, can be done for competitive purposes. I mean, we see retail sites that get targeted a lot by DDoS. Um, and like I said, I mean, sometimes that is the unintended consequence of another attack that just went too big. 
 

Or, I mean, it can be for competitive purposes because, you know, attackers want someone to go to their site instead of another site. So they're going to take down the other site and, and make people not able to access that so that they'll go to the competitor instead. Um, and then sometimes it's just done, you know, for, for something that. 
 

I mean, it could be hacktivism. I mean, for example, in, in Israel recently, we saw when attacks started on Israeli sites, um, on October 7th, we saw a rise in attacks on retail sites too. Now, you know, that obviously that's not part of any sort of like war effort or whatever, but I mean, attackers were just trying to get anything in Israel they could just to, to hit them hard. 
 

Um, so there's a lot of reasons for DDoS and a lot of, um, a lot of reasons for attackers to do it, but it is a really common attack and, and it's up, I mean, almost 420 percent from the last year. So definitely something people need to be aware of.  
 

[00:33:20] Sean Martin: Absolutely. Any impact on the experience is an impact on the business for sure. 
 

Exactly. Erez, any, any additional highlight from the report that you wanted to flag? And then I'm, I'm, I'm really interested in, in the, uh, the customer engagement from, from Imperva.  
 

[00:33:35] Erez Hasson: Absolutely. Absolutely. I think I can give, I can give an example that kind of encompasses everything that we've talked about packages nicely. 
 

So there's a big global retailer, um, that chose, and this goes back to the story of retailers doing launches on Black Friday, to do a very big launch on Black Friday, a couple of years ago, of collector's items, and sure enough, they had bots all over. So we have seen, and they reached out to us in advance and we had bot management running and. 
 

In the first 15 minutes of that launch, we mitigated 9 million bot requests to that specific product page. So that goes really back to that conversation of product launches, and if that would not have been mitigated, it would have been a distributed denial of service attack. It would have taken down the infrastructure. 
 

And the same global retailer has reached out to us recently because they are doing these launches all the time. And this goes back to the story of early holiday shopping. Because they launched a product around two weeks ago, um, so fairly early in the season and they were, as I said, they were preparing for more bots to come for it and more bots with new techniques. 
 

So these bots were trying to manipulate the fingerprints, which are essentially, um, part of the mechanisms that detect bots. And with the help of our product team and the security team, they were able to, to create new rules for them and mitigate that attack. So I think that's kind of a nice example that ties it all together. 
 

[00:35:19] Sean Martin: Yeah, I love it. I love it. Then the interesting thing that I'm picking up throughout this whole conversation, um, as, as I maybe try to wrap up here is: as technical teams, it's easy to get into the technicalities of how have I built my infrastructure? How have I built my apps? What APIs am I using? What APIs am I exposing? 
 

And not really looking at the connection from that to business logic and from that to the impact on the customer experience and from that the impact on revenue, right? Recurring customers coming back. And there may be options to build better protections into the apps and then the client facing things and in the backend on the infrastructure, but having a partner like Imperva to help really understand the full end to end, right? 
 

What's the entire customer journey, how do bots and other human driven bad actors insert themselves into that process? How can you, at scale, protect your apps and your APIs and your data, wherever it is, without impacting performance or the, or the user experience? And, um, so let the legitimate through and, and keep the, uh, the bad stuff out. 
 

Um, at scale takes a lot of knowledge beyond just API security. And I, I, I hear from you and clearly in your example, uh, that relationship that you have with your customers really, really takes things to the next level. Um, I mean, as always, uh, fantastic to, to chat with, with you and, uh, interesting to hear some of the findings. 
 

From this year and, and some of the trends from previous years as well. So I, all I can say is hopefully people are listening and recognizing that the risk exists and, uh, there are options to mitigate it and, uh, keep your customers happy. So, Gabi and Erez, um, thank you so much. Uh, any final words before we wrap up here? 
 

[00:37:47] Gabi Stapel: Thank you, Sean. Um, yeah, I mean, the only last thing I wanna say is that recently there was this release of, of this attack called HTTP/2. Um, which is a new form of DDoS where you can basically multiply the requests that are coming from one specific device, and I mean, I talked about the rise in application DDoS and, and how prevalent that is and how much it's increased just this year. 
 

And that's, that's pre-HTTP/2. And so this is something that's just going to get worse and we're going to see bigger and bigger attacks. Um, so prepare for it, be aware of it. Um, and it is out there.  
 

[00:38:22] Sean Martin: We didn't, didn't get to touch on all the legacy stuff. All right, Erez, any final thoughts?  
 

[00:38:30] Erez Hasson: Uh, I would probably focus on, and this is not legacy stuff. 
 

It's probably more, uh, it's more new, but as I've said, Magecart and client side attacks. Before the regulations are put in place and become mandatory in March of 2025, the PCI DSS, we are expecting to see an increase in attacks as attackers make sure to exploit it as much as they can before more and more organizations are mandated to actually, uh, deploy client side protection. 
 

[00:39:01] Sean Martin: And we, we all know, sitting here on the podcast, that compliance isn't security, but it is a way to gain a baseline understanding and then to begin to prepare so you can take it to the, uh, the ultimate maturity level, but a good place to start and right around the corner. So good to prepare. Well, thank you again. 
 

Both of you for, uh, for joining me for this story and, uh, thanks to the Imperva team for, uh, continuing to do the work you do so I can shop safely online along with everybody else. And, of course, there'll be links in the show notes, uh, to access some materials from Imperva so you can learn more about what... 
 

What they do and how they do it and, uh, to connect with Gabi and Erez as well, uh, on social so you can, uh, you can have a chat with them and learn more about what, uh, what's in the report, the additional stuff that we didn't cover. So thank you again and, uh, we'll see you all on the next one.