Imperva, a Thales company, the cybersecurity leader that protects critical applications, APIs, and data, anywhere at scale, warns that as generative AI tools and Large Language Models (LLMs) continue to proliferate and advance, cybercriminals are increasingly using these technologies to enhance the scale and sophistication of their attacks on eCommerce platforms.
With sales beginning as early as October and extending through late December, the holiday shopping season represents a critical time for online retailers. The surge in activity not only drives substantial revenue but also attracts malicious actors targeting retailers at a time when they can least afford downtime or a security incident. As this crucial period approaches, retailers must prepare for a range of AI-driven threats, including bots, distributed denial of service (DDoS) attacks, API violations, and business logic abuse.
"While cybersecurity threats are a concern year-round, they become even more pronounced during the holiday shopping season, when retailers often experience record-breaking sales," says Nanhi Singh, General Manager of Application Security at Imperva, a Thales company. "Cybercriminals recognise this and are using generative AI tools and LLMs to capitalise on the increased volume of digital transactions, limited-time promotions, and the gift cards and loyalty points stored in customer accounts."
In a recent six-month analysis (April 2024 to September 2024), data from Imperva Threat Research reveals that, on average, retail sites collectively experience 569,884 AI-driven attacks each day. These attacks originate from AI tools like ChatGPT, Claude, and Gemini, alongside specialised bots that are designed to scrape websites for LLM training data.
An analysis of these attacks shows that cybercriminals are primarily using the AI tools to carry out the following types of attacks:
- Business Logic Abuse: The most common AI-driven attack (30.7%), business logic abuse involves exploiting the legitimate functionalities of an application or API to carry out malicious actions, such as manipulating prices, bypassing authentication, or abusing discount codes. AI enables attackers to automate these exploits at scale, making them harder to detect. To protect against these attacks, retailers should implement strict validation on all user inputs, employ anomaly detection systems to identify unusual activities, and regularly audit their business processes to identify functionalities that could be abused.
- DDoS Attacks: Representing 30.6% of all AI-driven threats to retailers, DDoS attacks aim to overwhelm a website's resources, resulting in downtime that can lead to lost sales and reputational damage, especially during peak shopping periods. Cybercriminals are now leveraging AI to coordinate large botnets more efficiently, enhancing the effectiveness of these attacks. Retailers should invest in a DDoS protection solution that utilises machine learning to identify and mitigate malicious traffic in real time, ensuring that legitimate customers are not impacted.
- Bad Bot Attacks: Attacks from bad bots account for 20.8% of AI-driven threats targeting retailers. These automated threats engage in disruptive activities such as scraping pricing data, credential stuffing, and inventory hoarding (scalping). The infamous Grinch bot, in particular, is notorious for its inventory hoarding during the holiday shopping season, making it increasingly difficult for consumers to purchase high-demand items. With advancements in AI, bot operators can now create bots that convincingly mimic human behavior, allowing them to evade traditional security measures. To combat this threat, retailers should implement bot management solutions that utilise behavioral analytics to differentiate between genuine users and sophisticated bots.
- API Violations: As eCommerce platforms increasingly expose APIs for mobile applications and third-party integrations, API violations are on the rise, accounting for 16.1% of AI-driven attacks on retailers. Cybercriminals exploit vulnerabilities in APIs to gain unauthorised access to sensitive data or functionality. With the assistance of AI, attackers can quickly identify weak points in API implementations, making these threats particularly challenging to mitigate. To safeguard their APIs, retailers should enforce strict authentication and authorisation protocols, implement rate limiting to prevent abuse, and regularly conduct comprehensive security assessments and penetration testing.
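Two of the mitigations listed above, strict server-side validation of business logic (prices, quantities, coupon redemptions) and per-client rate limiting on an API endpoint, as an added example that is not part of the Imperva release and not Imperva's code. The catalogue, the coupon rule, the per-line quantity cap and the sample checkout requests are all constructed for illustration; a real shop would load them from its own data store.

```python
import time
from collections import defaultdict, deque

# Constructed sample data: prices in cents, one coupon rule, a hypothetical
# per-line quantity cap that limits inventory hoarding.
CATALOGUE = {"sku-1001": 4999, "sku-2002": 12900}
COUPONS = {"HOLIDAY10": {"percent": 10, "max_uses_per_account": 1}}
MAX_QTY_PER_LINE = 5


class AbuseDetected(Exception):
    """Raised when a request violates a business rule."""


def price_cart(items, coupon=None, account=None, coupon_usage=None):
    """Recompute the order total from server-side data only.

    `items` is the client-sent list of {"sku": ..., "qty": ...}. Any price or
    discount the client supplies is ignored; only the catalogue and the coupon
    table decide what is charged. `coupon_usage` tracks redemptions per
    (account, coupon) so a single-use code cannot be replayed.
    """
    if coupon_usage is None:
        coupon_usage = {}
    if not items:
        raise AbuseDetected("empty cart")
    subtotal = 0
    for line in items:
        sku = line.get("sku")
        qty = line.get("qty")
        if sku not in CATALOGUE:
            raise AbuseDetected(f"unknown sku {sku!r}")
        # A negative or zero quantity would turn a purchase into a credit, and
        # a huge one is hoarding; only small positive integers are accepted.
        if (not isinstance(qty, int) or isinstance(qty, bool)
                or qty <= 0 or qty > MAX_QTY_PER_LINE):
            raise AbuseDetected(f"invalid quantity {qty!r} for {sku}")
        subtotal += CATALOGUE[sku] * qty
    discount = 0
    if coupon is not None:
        rule = COUPONS.get(coupon)
        if rule is None:
            raise AbuseDetected("unknown coupon")
        uses = coupon_usage.get((account, coupon), 0)
        if uses >= rule["max_uses_per_account"]:
            raise AbuseDetected("coupon redemption limit reached")
        discount = subtotal * rule["percent"] // 100
        coupon_usage[(account, coupon)] = uses + 1
    return subtotal - discount


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key
    (an account id, API key or client address). The clock is injectable so
    the behaviour can be tested without sleeping."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] > self.window:
            hits.popleft()          # drop timestamps outside the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def demo():
    """Run constructed checkout requests through both checks; return outcomes."""
    usage = {}
    limiter = SlidingWindowLimiter(limit=3, window=60)
    requests = [
        ("acct-7", [{"sku": "sku-1001", "qty": 2}], "HOLIDAY10"),  # legitimate
        ("acct-7", [{"sku": "sku-1001", "qty": 1}], "HOLIDAY10"),  # coupon replay
        ("acct-7", [{"sku": "sku-2002", "qty": -3}], None),        # negative qty
        ("acct-7", [{"sku": "sku-2002", "qty": 1}], None),         # 4th call in window
    ]
    results = []
    for account, items, coupon in requests:
        if not limiter.allow(account):
            results.append("rate_limited")
            continue
        try:
            results.append(price_cart(items, coupon, account, usage))
        except AbuseDetected as exc:
            results.append(f"rejected: {exc}")
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The point of `price_cart` is that the total never depends on anything the client says beyond SKU and quantity, which closes the price-manipulation and coupon-reuse cases the release names; the rejections it raises are also the events an anomaly-detection pipeline would want to see counted per account. The limiter is deliberately keyed on the caller rather than the endpoint, so one account or key cannot drive automated abuse at scale while other customers continue to be served.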
These AI-driven attacks pose significant risks not only for retailers but also for consumers. Cybercriminals are leveraging AI to conduct bot attacks, abuse business logic, and disrupt systems, putting sensitive personal information, including credit card details, addresses, and account information, at increased risk. Successful attacks can lead to identity theft, financial loss, and a loss of trust in eCommerce platforms, with fraudulent charges and unauthorised account access negatively affecting consumers' shopping experiences.
"In previous years, we've seen security threats like Grinch bots and DDoS attacks cause major disruptions during the holiday shopping season, affecting both retailers and consumers alike. Now, with the widespread availability of generative AI tools and LLMs, retailers are contending with a new wave of sophisticated cyberthreats," adds Singh. "Without robust defenses, retailers risk facing a perfect storm of AI-driven attacks that could disrupt operations, compromise customer data, and tarnish their reputations during the most critical time of the year. To effectively mitigate these threats, retailers must adopt a comprehensive strategy that not only defends against these attacks but also allows them to respond swiftly without disrupting the shopping experience."