Hackers employ nuanced tactics to evade detection

Threat actors evolved tactics, opting for a more nuanced approach that spread attacks across a broader timeframe to blend in with legitimate traffic and evade detection during peak holiday shopping times, according to Cequence Security.

2023 holiday season unveiled alarming realities

The months before the 2023 holidays demonstrated a change in tactics, techniques, and procedures by adversaries against prominent retailers. Attackers have shown that they are highly sophisticated and have great persistence and depth of planning.

“The 2023 holiday season exposed a chilling reality: cybercriminals are employing increasingly sophisticated attack methods and meticulously planning months to exploit vulnerabilities,” said William Glazier, Director of Threat Research at Cequence.

“This long-term approach allows them to target unprepared retailers and unsuspecting customers, particularly during peak shopping periods. This shift underscores the urgent need for heightened vigilance and proactive security measures throughout the year,” Glazier added.

Many companies, and retailers in particular, take the holiday season as their cue to focus more on security and begin to lock down their networks and applications. The data suggests that sophisticated attackers began their “attack runs” earlier in the year to lay the groundwork for holiday sales to try and avoid the retailers’ security lockdowns as much as possible.

In the second half of 2023 alone, gift card fraud increased by 110%, while scraping, loyalty card fraud and payment card fraud increased by a collective average of over 700% as attackers lay the groundwork for holiday sale attacks ahead of retailer security crackdowns.

These types of attacks are correlated and spiked together because those parts of the website, applications, and associated APIs are related, especially as they pertain to attacks. This insight shows that these retailers were not experiencing simple brute force-style attacks in isolation, but sophisticated attacks from adversaries displaying highly varied TTPs.

Rising threat of trust-building account takeovers

This threat example is another that employs the “long game” of low and slow attacks over time. “Social commerce” retailers combine ecommerce with social media, leveraging user contributions to build community. Most online retailers encounter attacks that employ standard well-known account takeover (ATO) tactics that peak during the holidays.

Account takeovers (ATOs) increased a staggering 410 times for retailers in the second half of the period analyzed (September – November 2023).

Surge of automated line-jumpers

The report shows that many products were added to carts via automated tooling to volumetrically flood systems, purchasing as many in-demand items as possible, effectively cornering the market and preventing sales to legitimate customers.

Whether it’s Taylor Swift concert tickets or the latest hot sneaker drops, bots are a massive problem for fans and retailers alike. The practice of using bots to “jump the line” is so pervasive and widespread that there are detailed explanatory Reddit threads, answers to Quora questions, and even readily available how-tos and “top bots” articles online.

With attackers constantly refining their tactics and expanding their arsenal, the need for a vast, historical threat intelligence database and an expert team to decipher the rapidly evolving API threat landscape has become increasingly paramount. Across their entire customer base, Cequence detected malicious traffic from 719 million unique IP addresses and 325 million malicious login attempts from June to November 2023, highlighting the scale of today’s threats.

“To combat sophisticated threats targeting APIs, today’s organizations must fortify their defenses with a holistic security approach that safeguards their APIs throughout their entire lifecycle,” Glazier continued. “This includes discovering and cataloging all APIs, ensuring rigorous adherence to industry standards, and deploying advanced threat detection and mitigation tools to defend against attacks.”