Retail fraud surges 700% during 2023 holiday season, Cequence reveals
Cybercriminals exploited vulnerabilities during the 2023 holiday shopping season with a new, more nuanced approach, resulting in a rise in retail fraud of nearly 700%, according to the 2023 Holiday Season API Security Report released by Cequence Security.
The report highlights that threat actors are now spreading their attacks over a broader timeframe to blend in with legitimate traffic, thereby evading detection in the run-up to peak shopping times.
Data for the report was drawn from anonymised traffic and threat data from Cequence's customer base, which includes Global 2000 and Fortune 500 companies. The study, which focused on Cequence's retail customers, examined transactions and threats arising in the months leading up to the holiday season and categorised the active threats. The resultant threat intelligence forms an essential component of Cequence's products, equipping them to mitigate threats and block attacks, protecting customer businesses.
William Glazier, Director of Threat Research at Cequence, warns about the chilling reality unveiled by the holiday season: "Cybercriminals are employing increasingly sophisticated attack methods and meticulously planning months in advance to exploit vulnerabilities."
Glazier emphasised the significance of a long-term strategy adopted by cybercriminals, enabling them to exploit unprepared retailers and unsuspecting customers, especially during busy shopping seasons.
"This long-term approach allows them to target unprepared retailers and unsuspecting customers, particularly during peak shopping periods. This shift underscores the urgent need for heightened vigilance and proactive security measures throughout the year," Glazier said.
Key findings of the report include a pre-holiday cyber onslaught, with gift card fraud up by 110% in the second half of 2023 and scraping, loyalty card fraud and payment card fraud jointly escalating by over 700%. It also points to a rising threat of Trust-Building Account Takeovers (ATOs), which proliferated 410 times in the latter half of the analysed period.
An additional unsettling aspect highlighted by the report is the surge of automated line-jumpers: products added to shopping carts via automated tooling to foreclose sales to legitimate customers.
The report also draws attention to the scale of the threats faced today. Cequence detected malicious traffic from 719 million unique IP addresses and 325 million malicious login attempts from June to November 2023.
Glazier argues for the need for a "vast, historical threat intelligence database and an expert team to decipher the rapidly evolving API threat landscape" to combat these escalating and evolving threats.
Glazier recommends a holistic security approach to stave off these advanced threats targeting APIs. He stressed the need for "discovering and cataloging all APIs, ensuring rigorous adherence to industry standards, and deploying advanced threat detection and mitigation tools to defend against attacks," as a part of this comprehensive strategy.
The findings underline organisations' need to fortify their API defences throughout the entire API lifecycle to be suitably equipped for the evolving threat landscape.