Akamai Technologies‘ report, ‘Entering through the Gift Shop: Attacks on Commerce‘, finds that commerce remains the most targeted for web attacks, accounting for more than 14 billion (34%) of observed hacking.

Retail remains the most targeted in the commerce sector, accounting for 62% of attacks.

As organisations increasingly rely on web applications to drive customer experience and online conversions, hackers can target design flaws or security gaps to abuse web-facing servers and applications.

GlobalData’s thematic analysis of the retail sector finds that the frequency of such cyberattacks has been increasing since 2020, with notable attacks on JD Sports and WHSmith reported in Q1 2023.

In addition, Akamai finds that the most common attack is local file inclusion (LFI). This involves attackers exploiting vulnerabilities in how a web server stores or controls access to its files.

Reportedly, a few years ago, the most common attack was against structured query language, which is programming used to manage databases. Akamai states that the move towards LFI indicates a trend towards remote code execution and hackers leveraging LFI vulnerabilities to gain a foothold for data exfiltration.

What are the other key findings from the report?

  • Half of the JavaScript that the commerce vertical uses comes from third-party vendors. This introduces the increased threat of client-side attacks.
  • Attackers could also abuse security gaps in scripts, enabling a pathway for criminals to infiltrate bigger, lucrative targets in supply chains.
  • Akamai observed malicious bot requests surpassing 5tn events in 15 months, with assaults against commerce customers proliferating via credential stuffing attacks that can lead to fraud.
  • More than 30% of phishing campaigns targeted commerce brands in Q1 2023.

Akamai senior vice-president and general manager of application security Rupesh Chokshi comments: “The commerce sector is characterised by a complex ecosystem that leverages web applications and APIs to drive business. Cybersecurity leaders and practitioners must understand the critical threat trends impacting this industry.”