Singapore – A recent report from cybersecurity firm Imperva revealed that cybercriminals are increasingly using technologies like generative AI and large language models to increase both scale and sophistication of their attacks on e-commerce platforms.
According to their 6-month analysis data, retail platforms collectively experience an average of 569,884 AI-driven attacks daily, driven by AI tools such as ChatGPT, Claude, Gemini, and bots specifically created to scrape websites for large language model training data.
Business logic abuse was also found to be the most common AI-driven attack, which makes up 30.7% of said incidents. This type of attack involves exploiting the legitimate functionalities of an application or API to carry out malicious actions, including manipulating prices, bypassing authentication, or abusing discount codes. AI enables attackers to automate these exploits at scale, making them harder to detect.
Following these attacks, the firm further encouraged retailers to protect themselves from said attacks by implementing strict validation on all user inputs. These measures also encompass using anomaly detection systems to identify unusual activities and conducting regular audits of their business processes to identify functionalities that could be abused.
About 30.6% of AI-driven threats to retailers were also accounted for by DDoS attacks, overwhelming a website’s resources. This leads to downtime that can lead to lost sales and reputational damage, especially during peak shopping seasons.
Retailers are also advised to invest in a DDoS protection solution that utilises machine learning to identify and mitigate malicious traffic in real time, ensuring that legitimate customers are not impacted.
In addition to these threats, attacks from bad bots composed 20.8% of AI-driven threats targeting retailers. These automated threats engage in disruptive activities such as scraping pricing data, credential stuffing, and inventory hoarding.
Ultimately, as e-commerce platforms increasingly expose APIs for mobile applications and third-party integrations, API violations also saw approximately 16.1% of AI-driven attacks on retailers.
Based on their research, cybercriminals exploit vulnerabilities in APIs to gain unauthorised access to sensitive data or functionality. With the assistance of AI, attackers can also quickly identify weak points in API implementations, making these threats particularly challenging to mitigate.
For this type of threat, retailers are encouraged to enforce strict authentication and authorisation protocols, implement rate limiting to prevent abuse, and regularly conduct comprehensive security assessments and penetration testing.
“While cybersecurity threats are a concern year-round, they become even more pronounced during the holiday shopping season, when retailers often experience record-breaking sales,” said Nanhi Singh, general manager of application security at Imperva, a Thales company.
She further explained, “Cybercriminals recognise this and are using generative AI tools and LLMs to capitalise on the increased volume of digital transactions, limited-time promotions, and the gift cards and loyalty points stored in customer accounts.”
“In previous years, we’ve seen security threats like Grinch bots and DDoS attacks cause major disruptions during the holiday shopping season, affecting both retailers and consumers alike. Now, with the widespread availability of generative AI tools and LLMs, retailers are contending with a new wave of sophisticated cyberthreats,” added Singh.
“Without robust defences, retailers risk facing a perfect storm of AI-driven attacks that could disrupt operations, compromise customer data, and tarnish their reputations.
during the most critical time of the year. To effectively mitigate these threats, retailers must adopt a comprehensive strategy that not only defends against these attacks but also allows them to respond swiftly without disrupting the shopping experience,” she concluded.
