Retail fraud has increased nearly seven-fold, exposing retailers to heightened cyber risks during the holiday shopping season, according to Cequence Security's 2023 Holiday Season API Security Report.
The study highlights the evolution of threat actors' tactics as they adopt a nuanced approach, spreading attacks across a broader timeframe to blend in with legitimate traffic, avoiding detection ahead of peak shopping times.
The research was developed by the CQ Prime Threat Research Team, drawing on real, anonymised traffic and attack data sourced from Cequence's customers, many of which are Fortune 500 and Global 2000 companies. The team focused on retail customers in the run-up to the 2023 holiday season, identifying and categorising active threats.
"The 2023 holiday season exposed a chilling reality: cybercriminals are employing increasingly sophisticated attack methods and meticulously planning months in advance to exploit vulnerabilities," said William Glazier, Director of Threat Research at Cequence. "This long-term approach allows them to target unprepared retailers and unsuspecting customers, particularly during peak shopping periods."
Key findings from the report include a pre-holiday surge in cyber attacks, with gift card fraud alone increasing by 110% in the second half of 2023. Scraping, loyalty card fraud and payment card fraud collectively saw an uptick of over 700%.
Moreover, account takeovers increased a staggering 410 times in the period analysed, from September to November 2023, suggesting a rising threat level. Furthermore, the report shows that many products were added to carts by automated tools that flood systems, thereby preventing sales to legitimate customers.
Glazier emphasised the importance of a vast, historical threat intelligence database and an expert team to interpret the rapidly evolving API threat landscape. Between June and November 2023, Cequence detected malicious traffic from 719 million unique IP addresses and 325 million malicious login attempts across its entire customer base, indicating the scale of modern threats.
To counter sophisticated threats targeting APIs, Glazier recommends that organisations strengthen their defences with a comprehensive security approach. "This includes discovering and cataloging all APIs, ensuring rigorous adherence to industry standards, and deploying advanced threat detection and mitigation tools to defend against attacks," he concluded.
Cequence, a pioneer in Unified API Protection, unifies discovery, compliance, and protection across all internal and external APIs to defend against fraud, business logic attacks, exploits, and unintended data leakage. The flexible deployment model supports SaaS, on-premises, and hybrid installations. Cequence solutions scale to handle the most demanding Fortune and Global 2000 organisations, securing more than 8 billion daily API calls and protecting more than 3 billion user accounts across these customers.