
Breaking down online shopping’s silent threat

Application Programming Interfaces (APIs) have long served as the invisible backbone of online retail. They empower retailers to seamlessly integrate the intricate web of ecommerce systems, orchestrating everything from payment processing to shipping logistics and inventory management. This interconnectedness, however, has also made the retail sector a lucrative target for threat actors. Facing a barrage of 19 billion malicious API requests in 2023 alone, retailers suffered relentless attempts to exploit vulnerabilities in any link of the API chain, potentially leading to data theft, operational disruption, or financial damage.

Back-to-school season is prime time for threat actors. Retailers have recognized this for years, typically amping up security during peak buying times. However, this approach is no longer foolproof. Sophisticated attackers launch “attack runs” earlier in the year to lay the groundwork for seasonal sales, effectively circumventing retailers' security lockdowns.

Playing the long game

In the past, threat actors favored “smash and grab” cybercrime: simple, opportunistic schemes targeting readily accessible vulnerabilities. Today, however, they're evolving. Investing more time and resources in stealth, they spread attacks over longer periods, aiming to fly under the radar and inflict greater damage at peak times.

Threat actors are outsmarting security lockdowns by creating high volumes of valid accounts via standard APIs earlier in the year. This calculated move aims to establish trust and credibility within the market, fostering increased social sharing and expanded reach far ahead of peak shopping seasons. Threat actors employ sophisticated tooling and automation to bolster the accounts' apparent legitimacy by mimicking normal user activity, including communication with other accounts, liking content, and subscribing to services.

However, the sheer scale of these operations often surpasses what humans could plausibly generate, raising red flags. The resulting inundation of activity crowds out legitimate users and jeopardizes the integrity of the company and its marketplace. This type of attack exemplifies the meticulous planning and persistence behind modern retail attacks.

Beyond the long game, threat actors frequently deploy a real-time tactic: account takeovers (ATOs). Instead of spending time crafting thousands of “legitimate” accounts, ATOs involve targeting and seizing control of existing customer accounts, offering a much faster path to success. This threat is constant, but unsurprisingly, activity surges during the peak shopping periods, with a staggering 410-fold increase in ATOs during the second half of the year.

Bot attacks remain a threat

Another tried-and-true tactic in the retailer's digital battlefield is the ever-evolving bot attack. Remember the concert ticket frenzy or the fleeting TikTok trends snatched up by automated scripts? These are just the tip of the iceberg. The ease with which bots manipulate systems is alarming: detailed Reddit threads, how-to guides, and even “top bot” rankings readily proliferate online. The numbers paint a stark picture: of 154 billion API requests, a staggering 22 billion originated from bots.

Here's how these bot attacks unfold: Threat actors leverage tooling and automation to flood the system with a high volume of actions. They add large quantities of in-demand items to their carts to corner the market and block legitimate customers from purchasing. Successful attacks result in attackers reselling these items elsewhere at exorbitant markups, further fueling customer and seller frustration.
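The two patterns described above (bulk account creation early in the year, then bot-driven cart hoarding at peak) can be surfaced with velocity checks over API access logs. This is an added, constructed example and not code from the article or any vendor; the JSON-lines log format, endpoint paths, thresholds and IP addresses are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample JSON-lines API access log (not real traffic): one source IP
# mass-creates accounts in March, then uses them in August to hoard one SKU.
SAMPLE_LOG = """
{"ts": "2024-03-01T02:00:01Z", "ip": "198.51.100.7", "method": "POST", "path": "/api/v1/accounts", "user": "u1001"}
{"ts": "2024-03-01T02:00:03Z", "ip": "198.51.100.7", "method": "POST", "path": "/api/v1/accounts", "user": "u1002"}
{"ts": "2024-03-01T02:00:04Z", "ip": "198.51.100.7", "method": "POST", "path": "/api/v1/accounts", "user": "u1003"}
{"ts": "2024-03-01T02:00:06Z", "ip": "198.51.100.7", "method": "POST", "path": "/api/v1/accounts", "user": "u1004"}
{"ts": "2024-03-01T09:15:00Z", "ip": "203.0.113.9", "method": "POST", "path": "/api/v1/accounts", "user": "u2001"}
{"ts": "2024-08-20T10:00:00Z", "ip": "198.51.100.7", "method": "POST", "path": "/api/v1/cart/items", "user": "u1001", "sku": "SNEAKER-42", "qty": 40}
{"ts": "2024-08-20T10:00:01Z", "ip": "198.51.100.7", "method": "POST", "path": "/api/v1/cart/items", "user": "u1002", "sku": "SNEAKER-42", "qty": 40}
{"ts": "2024-08-20T10:00:02Z", "ip": "198.51.100.7", "method": "POST", "path": "/api/v1/cart/items", "user": "u1003", "sku": "SNEAKER-42", "qty": 40}
{"ts": "2024-08-20T10:05:00Z", "ip": "203.0.113.9", "method": "POST", "path": "/api/v1/cart/items", "user": "u2001", "sku": "SNEAKER-42", "qty": 1}
"""

def parse(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines()]

def signup_bursts(events, window=timedelta(minutes=10), max_per_window=3):
    """Source IPs creating > max_per_window accounts inside any sliding window (assumed thresholds)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/api/v1/accounts":
            by_ip[e["ip"]].append(datetime.fromisoformat(e["ts"].replace("Z", "+00:00")))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            if end - start + 1 > max_per_window:
                flagged.add(ip)
    return flagged

def cart_hoarding(events, max_qty=10, max_accounts=2):
    """(ip, sku) pairs where one IP adds an oversized quantity or pushes one SKU into many accounts' carts."""
    qty, accounts = defaultdict(int), defaultdict(set)
    for e in events:
        if e["path"] == "/api/v1/cart/items":
            qty[(e["ip"], e["sku"])] += e["qty"]
            accounts[(e["ip"], e["sku"])].add(e["user"])
    return {k for k in qty if qty[k] > max_qty or len(accounts[k]) > max_accounts}

def long_game_sources(events):
    """IPs that both mass-registered accounts early and later hoarded stock."""
    return signup_bursts(events) & {ip for ip, _ in cart_hoarding(events)}
```

In production the per-IP key would normally be widened to ASN, device fingerprint or account-linkage signals, since a single source address is the easiest attribute for an operator to rotate.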

What can retailers do to prepare

The old model of scrambling to tighten cybersecurity before large sales won't suffice anymore. As threat actors prepare well in advance, retailers must do the same. Establishing a comprehensive and year-round security strategy is essential to effectively combat the surge of fake accounts and other threats during peak seasons.

Given the vital role of APIs in the retail industry, companies must fully grasp their usage and implement comprehensive defensive strategies. Exposed and unmanaged APIs, or shadow APIs, are seen as low-hanging fruit by threat actors employing “smash and grab” tactics. Visibility is paramount in the realm of API security. By diligently cataloging internal and external APIs, retailers can gain a comprehensive view of the entire attack surface, empowering them to enforce compliance with security standards across every API. This comprehensive visibility is crucial to effectively defend against both rapid attacks and more insidious long-game maneuvers, safeguarding retail operations and fortifying customer trust.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

https://www.techradar.com/pro/breaking-down-online-shoppings-silent-threat
