Half of Australians will do most of their holiday shopping during the four days from Black Friday to Cyber Monday, but security experts warn that a flood of generative AI (genAI)-driven attacks will make the holiday season fraught with risk.
One cohort of monitored retail sites collectively experienced 569,884 AI-driven attacks every day during the six months between April and September, according to new research from Imperva Threat Research, which warns that historical traffic surges point to even more attacks this year.
Fraudsters have long targeted holiday shoppers and websites with attacks – manipulating promotions, pilfering customer accounts to steal gift cards and loyalty points, and using phishing emails to trick consumers into installing malware – but genAI has taken fraud to the next level.
Fully 30.7 percent of the observed attacks leveraged genAI to find and exploit weak spots in retailers’ application programming interfaces (APIs) that could be used to manipulate prices, bypass authentication, or abuse discount codes.
“AI enables attackers to automate these exploits at scale, making them harder to detect,” researchers said, warning that AI is also enabling distributed denial of service (DDoS) attacks and ‘bad bots’ that evade purchase controls to hoard high-demand items for resale.
The average retail website loads 398 different resources – many from third parties – and each one widens the client-side attack surface: a single compromised script lets cyber criminals inject malicious JavaScript into the retailer’s pages, with AI used to write variants that evade detection.
“With the assistance of AI, attackers can quickly identify weak points in API implementations, making these threats particularly challenging to mitigate,” Imperva general manager of application security Nanhi Singh said, noting that the average retailer is targeted by 5,570 API attacks daily.
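The API abuses listed above (price manipulation, discount-code abuse) are business-logic flaws: the server accepts a value it should have computed or checked itself. The following is an added example written for this page, not code from the article, Imperva or any retailer it describes. It shows a checkout routine that trusts the client’s unit price and applies the same code repeatedly, beside a hardened version that prices from a server-side catalogue, limits orders to one code and records redemptions per account. The catalogue, codes, account and requests are constructed sample data.

```python
"""Added example (not from the article or Imperva): a checkout that trusts
client-supplied prices and discount codes, beside a hardened version.
Catalogue, codes and requests below are constructed test data."""
from dataclasses import dataclass, field

# Server-side source of truth (constructed sample data, prices in cents).
CATALOGUE = {"SKU-CONSOLE": 79900, "SKU-HEADSET": 12900}
DISCOUNT_CODES = {"WELCOME10": {"percent": 10, "single_use": True}}


class CheckoutError(ValueError):
    """Raised when a request fails server-side validation."""


def vulnerable_checkout(request):
    """Business-logic flaw: the total is computed from whatever the client
    sends. An attacker can set unit_price to a few cents and stack the same
    discount code as many times as they like."""
    subtotal = sum(i["unit_price"] * i["qty"] for i in request["items"])
    for code in request.get("codes", []):
        subtotal -= subtotal * DISCOUNT_CODES[code]["percent"] // 100
    return subtotal


@dataclass
class Account:
    account_id: str
    used_codes: set = field(default_factory=set)


def hardened_checkout(request, account):
    """Prices come from the catalogue, quantities are bounded, at most one
    code is applied per order and single-use codes are tracked per account."""
    subtotal = 0
    for item in request["items"]:
        sku, qty = item["sku"], item["qty"]
        if sku not in CATALOGUE:
            raise CheckoutError(f"unknown sku {sku}")
        if not isinstance(qty, int) or qty < 1 or qty > 10:
            raise CheckoutError(f"invalid quantity for {sku}")
        subtotal += CATALOGUE[sku] * qty   # any client-supplied unit_price is ignored
    codes = request.get("codes", [])
    if len(codes) > 1:
        raise CheckoutError("only one discount code per order")
    for code in codes:
        rule = DISCOUNT_CODES.get(code)
        if rule is None:
            raise CheckoutError("invalid discount code")
        if rule["single_use"] and code in account.used_codes:
            raise CheckoutError("discount code already redeemed")
        subtotal -= subtotal * rule["percent"] // 100
        account.used_codes.add(code)
    return subtotal


def demo():
    """Run a manipulated request and an honest one through both versions."""
    attack = {"items": [{"sku": "SKU-CONSOLE", "qty": 1, "unit_price": 100}],
              "codes": ["WELCOME10"] * 3}
    honest = {"items": [{"sku": "SKU-CONSOLE", "qty": 1}], "codes": ["WELCOME10"]}
    account = Account("cust-42")   # hypothetical customer
    results = {"vulnerable_total": vulnerable_checkout(attack)}
    try:
        hardened_checkout(attack, account)
        results["hardened_attack"] = "accepted"
    except CheckoutError as err:
        results["hardened_attack"] = str(err)
    results["hardened_first_order"] = hardened_checkout(honest, account)
    try:
        hardened_checkout(honest, account)
        results["hardened_reuse"] = "accepted"
    except CheckoutError as err:
        results["hardened_reuse"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable path sells a $799 console for 73 cents; the hardened path rejects the stacked codes outright, charges the catalogue price less one discount on the first honest order, and refuses the same single-use code on the next. In a real deployment the redemption record would live in the database, not in memory, and the check would run inside the same transaction that creates the order.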
Imperva systems scanned 3.65 trillion traffic requests in September alone, comparing metadata, known IP addresses, and behaviour to confirm that the attacks came from a genAI large language model (LLM) with “a very low likelihood of false positives,” the company told Information Age.
Armies of bots are competing with human shoppers
Bots abusing business logic to secure special deals, scrape prices or exploit loyalty schemes drove 43 percent of all attacks on the retail sector – well above the 22 percent found in other industries – while using ‘low and slow’ techniques that “carry out significant attacks using fewer requests.”
While Imperva has seen as many as 102,742 malicious logins in a single incident targeting an online retailer – part of a surge in attempts that grew by 82 percent between last October and November – low and slow attacks average 41 login attempts per incident to fly under the radar.
Such ‘evasive bad bots’, which use AI to run complex attacks like cycling through random IP addresses, visiting sites using anonymous proxies, changing their identities, mimicking human behaviour, delaying requests, and defeating CAPTCHAs, are causing major problems.
“Policy abuse is overwhelming to three-quarters of merchants” as AI tools fuel a “hotbed of bad behaviour” including lodging false item-not-received claims, returning worn or damaged items, reselling goods for profit, and misusing promotional codes, a recent Riskified analysis found.
“Abuse and fraud have evolved to become more prolific, sophisticated, and challenging to detect, driven by Dark Web forums, social media and malicious AI tools” – with evasive bad bots comprising 70 percent of bad bot traffic to retailers, compared to 51 percent in other industries.
Retailers should use behavioural analytics systems to spot AI, Singh said.
“Without robust defences, retailers risk facing a perfect storm of AI-driven attacks that could disrupt operations, compromise customer data, and tarnish their reputations during the most critical time of the year.”
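The low and slow pattern described above (around 41 login attempts per incident, spread across rotating IP addresses) is designed to stay under a per-IP rate limit, which is why the behavioural analytics Singh recommends have to aggregate across sources. The following is an added example written for this page, not code from the article or from Imperva: it runs a conventional per-IP burst check and an aggregate check over the same constructed authentication log. The log lines are invented, and the client fingerprint is simplified to the User-Agent string; a production system would use a richer fingerprint (TLS, header order, ASN) that the article does not detail.

```python
"""Added example (not from the article or Imperva): per-IP rate limiting
misses a low-and-slow credential-stuffing run; an aggregate check catches it.
All log lines below are constructed, not real traffic."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed auth log: "timestamp ip username result user_agent".
# One campaign fans out over 198.51.100.0/24 with one attempt per IP;
# carol is a real user who mistypes her password three times.
RAW_LOG = """\
2024-11-29T10:00:00 198.51.100.21 alice FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:109.0
2024-11-29T10:00:45 198.51.100.87 bob FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:109.0
2024-11-29T10:01:00 203.0.113.5 carol FAIL Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)
2024-11-29T10:01:20 203.0.113.5 carol FAIL Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)
2024-11-29T10:01:30 198.51.100.134 dave FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:109.0
2024-11-29T10:01:40 203.0.113.5 carol FAIL Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)
2024-11-29T10:02:05 203.0.113.5 carol OK Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)
2024-11-29T10:02:15 198.51.100.9 erin FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:109.0
2024-11-29T10:03:00 198.51.100.201 frank FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:109.0
2024-11-29T10:03:45 198.51.100.58 grace FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:109.0
2024-11-29T10:04:30 198.51.100.77 heidi FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:109.0
2024-11-29T10:05:15 198.51.100.143 ivan FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:109.0
2024-11-29T10:06:00 198.51.100.33 judy FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:109.0
2024-11-29T10:06:45 198.51.100.250 mallory OK Mozilla/5.0 (Windows NT 10.0; Win64; x64) rv:109.0
"""


def parse(raw):
    """Split each line into (timestamp, ip, user, result, user-agent)."""
    events = []
    for line in raw.strip().splitlines():
        ts, ip, user, result, ua = line.split(maxsplit=4)
        events.append({"t": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "OK", "ua": ua})
    return sorted(events, key=lambda e: e["t"])


def per_ip_burst(events, window_s=60, threshold=5):
    """Classic rate limit: flag any IP with >= threshold failures in a window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]].append(e["t"])
    flagged = set()
    for ip, times in fails.items():
        for i in range(len(times)):
            j = i
            while j < len(times) and (times[j] - times[i]).total_seconds() < window_s:
                j += 1
            if j - i >= threshold:
                flagged.add(ip)
                break
    return flagged


def low_and_slow(events, window_s=600, min_accounts=8):
    """Group by client fingerprint (User-Agent here, a simplification) over a
    longer window and flag when failures are spread across many accounts and
    many IPs with only a few attempts per IP: the low-and-slow shape."""
    alerts = {}
    by_ua = defaultdict(list)
    for e in events:
        by_ua[e["ua"]].append(e)
    for ua, evs in by_ua.items():
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if (e["t"] - start["t"]).total_seconds() < window_s]
            failed_users = {e["user"] for e in win if not e["ok"]}
            ips = {e["ip"] for e in win if not e["ok"]}
            if len(failed_users) >= min_accounts and len(ips) >= min_accounts:
                per_ip = Counter(e["ip"] for e in win if not e["ok"])
                alerts[ua] = {
                    "failed_accounts": len(failed_users),
                    "source_ips": len(ips),
                    "max_fails_per_ip": max(per_ip.values()),
                    # successful logins inside the cluster are likely takeovers
                    "successes": sorted(e["user"] for e in win if e["ok"]),
                }
                break
    return alerts


def analyse(raw=RAW_LOG):
    """Run both detectors over the same log and return their findings."""
    events = parse(raw)
    return {"per_ip": per_ip_burst(events), "low_and_slow": low_and_slow(events)}


if __name__ == "__main__":
    print(analyse())
```

Over this log the per-IP check returns nothing: no source exceeds a handful of failures, and carol’s three mistakes look like an ordinary forgotten password. The aggregate check flags the Windows fingerprint with nine failed accounts from nine IPs at one attempt each, and surfaces the one successful login inside that cluster (mallory) as the account to force a password reset on.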
The most want-it-ful time of the year
Vigilance is critical for Australians – 58 percent of whom expect to finish their holiday shopping by the end of November, according to new Shopify research of 2,000 consumers that also found 49 percent expect to do most of their shopping across the Black Friday-Cyber Monday long weekend.
Shoppers will take on more debt this holiday shopping season even as they opt for less expensive goods – with 63 percent going instore for large purchases but buying small things online from the likes of Temu, leaving them exposed to fraudulent offers and AI-enhanced phishing campaigns.
Consumers’ online-first shopping habits have primed them for shopping-related fraud, with recent figures from Commercetools suggesting that 70 percent of Australian and New Zealand shoppers are more likely to purchase from an online retailer offering personalised experiences.
And while 62 percent of the 1,001 respondents to Commercetools’ survey said they are concerned about AI persuading them to make unnecessary purchases, fraudsters’ chronically high success rates confirm that a good deal, presented in the right way, is irresistible to many shoppers.
The lure of such offers is magnified given the use of social media for shopping: two-thirds of Commercetools respondents said they engage with brands through their socials while 51 percent shop using Facebook, Instagram, and TikTok – all of which are favourite vectors for criminals.
With 58 percent of attacks on retailers and customers originating from phishing attempts, according to a recent Trustwave analysis, “the rise in e-commerce threats and the alarming trends in cyber fraud underscore the need for heightened vigilance,” Trustwave CISO Kory Daniels said.
“A single incident can undermine customer trust and lead to long-term financial impacts, making robust cyber security measures not just a necessity but a critical component of sustainable business practices in today’s retail landscape.”