This blog is based on the Akamai paper, “Entering Through the Gift Shop: Attacks on Commerce, State of the Internet, Volume 9, Series 3”, published June 2023.

Akamai released a report earlier this year that explained how today’s commerce organizations house a “treasure trove” of PII and payment details that lure cybercriminals across their large attack surface. Commerce platforms have many components from apps and APIs to their infrastructure ecosystem like PoS terminals, IoT devices, and mobile. Third-party vendor scripts can elevate customer experiences but can add risks like Magecart attacks through vulnerable open-source libraries.

The report also points out that commerce security and IT teams are challenged by budget constraints as they protect personal data and their infrastructure. While it is less regulated than fintech or healthcare, commerce requires the same stringent security level.

This blog summarizes key eCommerce threats highlighted in Akamai's recent report. It covers emerging risks facing the commerce industry across areas like web applications, third party scripts, ransomware, bots, and phishing. By drawing on important statistics and trends observed by Akamai across their suite of security tools, the blog provides an overview of today's threat landscape for commerce businesses.

Targets on commerce: leading sector for web app & API attacks

Targets on commerce: leading sector for web app & API attacks Image

Unsplash+ in collaboration with Philip Oroni

The commerce industry continues to be the most targeted sector for web application and API attacks, with more than 14B attacks observed by Akamai January 2022 - March 2023. Cybercriminals exploit vulnerabilities to steal data and commit fraud as commerce organizations use web apps to deliver better experiences and drive conversion rates.

LFI emerges as the top web vector attack in commerce

Local file inclusion (LFI) recently surpassed SQL injection (SQLi) as the leading attack vector, increasing by 314% between Q3 2021 and Q3 2022 according to Akamai threat researchers.

The report indicates attackers are now leveraging LFI vulnerabilities for directory traversal attacks and deeper breaches. This is in contrast to a higher volume of SQLi attacks a few years back that mainly permitted access to sensitive data. LFI exploits input validation weaknesses to allow unauthorized access and system compromise. Akamai cites improper input validation as the main cause of LFI vulnerabilities. Even major brands have fallen victim to LFI attacks per the report.

Emerging server-side vulnerabilities threaten commerce

Server-side vulnerabilities like server-side template injection (SSTI), server-side request forgery (SSRF), and server-side code injection are emerging as serious threats to commerce organizations due to their potential for data theft and service disruption.

Server-side flaws allow attackers to bypass authentication and gain administrative access. SSTI is favored for zero-day attacks. Akamai sees surging authorized vulnerability scans for SSRF vulnerabilities and attack attempts to find and abuse them.

These attacks can severely damage business operations and reputation. Surveys from the report - Norton shows about 63% of consumers said they worry about their data being stolen and Arcserve indicates nearly 60% of consumers wouldn’t buy if a site had been compromised in the last 12 months.

Ransomware groups are also exploiting server vulnerabilities aggressively. Retail is the 3rd most targeted industry for ransomware by Conti in the first half of 2022, as indicated in the Akamai ransomware report.

Third-party scripts: a security risk for commerce

Third-party scripts: a security risk for commerce

Unsplash+ in collaboration with Philip Oroni

Ecommerce sites rely heavily on third-party scripts for functionality like payments, chatbots, analytics etc. This introduces security risks as Akamai indicates that 50% of commerce JavaScript is from external vendors.

“Attackers can inject malicious code” into sites by compromising trusted third-party scripts per the report. Vulnerabilities in third-party code can also create openings for breaches. Lack of visibility into third-party scripts leaves gaps attackers leverage for supply chain attacks. Third parties with site access but weaker security become pathways to infiltrate larger targets per the report.

Consumers also face risks of stolen data and unauthorized transactions from attacks like Magecart which target payment scripts. While third-party scripts provide useful functions, over-reliance in commerce creates expanded attack surface and supply chain cybersecurity challenges.

Magecart attacks: commerce's invisible threat

Magecart is a form of web skimming attack targeting eCommerce sites to steal customer payment information. It injects malicious code into first or third party scripts like payment pages. Magecart code scrapes payment details entered by customers during checkout before being sent to the hacker's server.

Three main methods are used as indicated in the report:

  1. Exploiting vulnerabilities in popular eCommerce platforms to inject code.
  2. Adding or editing code (through a vulnerability) within third party vendor scripts loaded by targeted sites.
  3. Buying deprecated domains still in use and loading malicious code.

Web skimming attacks like Magecart are challenging to detect since they operate client-side within browsers. However, the impacts can be severe - brand damage, lost customer trust, stolen data, fines for compliance violations, and major financial losses.

Per the report, upcoming Payment Card Industry Data Security Standard (PCI DSS 4.0) rules require justifying all checkout page scripts and detecting unauthorized changes to better protect payment data from threats like web skimming.

Consumers bear the brunt of bot attacks and phishing

Consumers bear the brunt of bot attacks and phishing

Photo by Mohamed Nohassi on Unsplash

The Akamai report describes how eCommerce customers are being targeted by attackers using account takeover, credential stuffing, and other techniques to steal personal data and make fraudulent transactions. Stolen customer information also gets sold on the dark web. These attacks indirectly damage merchant reputations, overload security teams, and divert business resources into fraud investigations. Attacks aimed at customers ultimately hurt eCommerce businesses as well.

Bots continue to create havoc

Malicious bots targeting commerce sites surged to over 5 trillion requests in just 15 months per Akamai data, enabling various fraud schemes and customer experience degradation through tactics like price scraping. While some bots may seem benign, they still affect the overall customer experience through degraded performance or tactics designed to bring customers to competing sites.

Akamai observed that bot activity spikes targeting commerce sites during holiday shopping periods, then declining the following quarter. These bots enable credential stuffing attacks by automating stolen username/password lists to take over accounts, with password reuse across sites enabling success.

Per the report, Okta reported 10 billion credential stuffing attacks in early 2022 with retail heavily targeted, as hackers steal loyalty points and monetize account data, leading to financial losses for both consumers and merchants.

Scalping high-end retail, tickets, or discounted items with bots

Scalpers leverage bots to bulk purchase limited inventory like event tickets or sneakers, either building their own bots or licensing them from underground services specializing in hype sales events. The bots increase their checkout success when supplies are low and demand is high.

Scalpers also use scraper bots to identify discounted or rare products across sites, analyze the data to optimize profit margins, and generate “shopping lists” to purchase inventories in bulk for resale across multiple accounts.

While scalpers profit, consumers ultimately pay premium prices, sometimes unaware of markups, enabling the scalpers’ practices. Scraping bots increase costs for retailers through spikes in traffic, instability from overloading servers, distorted analytics, and loss of consumer trust and revenue when shoppers turn to other brands.

Phishing over the holidays

Retailers are highly targeted by holiday phishing schemes impersonating brands, with over 30% of campaigns aimed at commerce per Akamai's Q1 2023 data. While actual victimization rates are lower, the surge in retail-spoofing phishing indicates criminals aggressively try to steal personal and financial data from customers during peak shopping seasons. Vigilance around protecting credentials is essential as attackers exploit the holiday rush.

Learn more today on how to stop bots and bad actors in their tracks

All of these details, carefully tracked by Akamai, point to the commerce industry’s vulnerabilities as traffic volumes increase - especially during the upcoming holidays. Download the “Entering Through the Gift Shop: Attacks on Commerce” report to get further details on research findings, best practices, and case studies.

If you are looking to thwart malicious traffic and understand your site’s visitors - PhotonIQ AI-powered Fingerprint Services, Honeypot Service for bots, and Virtual Waiting Rooms help you identify and isolate bots or bad actors, to prevent havoc and conserve resources for actual paying customers.


Fingerprint Services generate persistent visitor profiles by analyzing over 300 distinctive browser and device factors to create unique user fingerprints. These IDs follow real users across sessions and devices, even in incognito mode, to differentiate humans from spoofing bots. Detect suspicious patterns and tie devices to user accounts to thwart fraudsters and bots looking to waste resources or steal identities and items.

Honeypot Service

Honeypot services handle the complexity of building and managing sophisticated traps to detect bots in real time. Honeypots utilize dynamically generated traps like honeytokens and honey files randomly placed across pages to attract and deceive bots. By continuously monitoring bot interactions with these unpredictable traps, analytics identify effective triggers to block future bots and deploy new traps as needed. This dynamic and tailored approach helps eCommerce businesses stay one step ahead of bots.

Virtual Waiting Rooms

Virtual Waiting Rooms act as intelligent gatekeepers to help protect eCommerce sites from traffic surges and bad bots. The queuing rules are configurable to recognize suspicious visitors like scrapers and send them to honeypots. Advanced routing identifies previous customers for fast access and sorts SEO bots to cached versions without hitting origin services. Intelligent mechanisms optimize customer experience by controlling visitor flow based on traffic spikes, server loads, and other defined criteria. Key metrics provide visibility to fine-tune settings and maximize uptime during traffic peaks. With edge speed and low latency, Virtual Waiting Rooms keep eCommerce sites running smoothly.

Chat with an Enterprise Solution Architect today for more details on how you can implement PhotonIQ services in 60 days or less.

First photo by Unsplash+ in collaboration with Mariia Shalabaieva.