Beware! Study finds yearly surge in business logic attacks

Especially during the holiday shopping season, retailers’ APIs and apps are being targeted for account takeovers by bad bots.

According to the 2023 Imperva Bad Bot Report, 17% of all attacks on APIs came from bad bots abusing business logic. No fixed attack patterns exist that defenders can monitor for to catch this kind of abuse, and it's impossible to apply a generic rule and assume all application and API deployments are secure.

“The pandemic accelerated the digital transformation of Asia’s retail sector, as companies swiftly adapted to changing consumer needs. However, the region’s diverse markets, complex supply chains, and varying cybersecurity readiness levels have left Asian retailers vulnerable to increasingly complex security threats,” says George Lee, Senior Vice President, Asia Pacific and Japan, Imperva. 

“The surge in bot sophistication over the past year is especially concerning, as this breed of automation can exploit business logic, compromise APIs, and take over user accounts, posing a tangible threat to retailers’ year-end sales and impacting their bottom line.”

Some very recent additional findings from Imperva include:

1. Web traffic rises steadily throughout October and November as Cyber Monday dethrones Black Friday as the online holiday shopping event of the season

The holiday shopping season is starting earlier than ever before, evidenced by the steady rise in web traffic across retail sites in October and November.

Unlike prior years when Black Friday was the milestone sales event of the holiday shopping season, shoppers took advantage of promotions and sales in early November. In 2023, the peak in online traffic was recorded on November 19 with a second notable peak occurring on Cyber Monday (November 27). In fact, there was 42% more web traffic on retail sites on Cyber Monday than on Black Friday.

2. Volume of bad bots rises during the holiday shopping season

Bad bots account for 26.3% of all web traffic to online retail websites, higher than the annual average of 22.7%. Human traffic on retail sites dropped by nearly 3% while the proportion of good bot traffic remained similar to the annual average.

3. Account takeover (ATO) attacks have been rampant throughout the holiday shopping season

The number of ATO attacks has risen since September, with spikes in attack activity recorded on November 8, 14, and 24 (Black Friday).

The number of attacks spiked by an astonishing 85% on Black Friday. For comparison, ATO attacks on Black Friday 2022 increased by 66%.

The intensity of these attacks is also increasing. The number of malicious login requests soared 82% between October and November.

We’ve also monitored frequent spikes in account takeover attacks targeting online retailers’ APIs this holiday shopping season, with a notable peak in late October. 

4. Attacks targeting retailers’ APIs increase as the holiday season progresses

API traffic accounts for 45.8% of all traffic to online retailers, up from 41.6% last year. With that in mind, the rise in attacks targeting online retailers’ APIs becomes quite notable. Attacks increased by 6% in October and another 9% in November.

These attacks could be designed to expose business logic vulnerabilities, in which an application’s intended functionality and processes are abused. In retail, attackers can exploit business logic to manipulate pricing or access restricted products.

As the holiday shopping season continues, here are Imperva’s recommendations for online retailers to remain vigilant and avoid cyber risks:

    • Prepare for a high volume of traffic, as well as distributed denial-of-service (DDoS) attacks.
    • Prioritize the security of the client side.
    • Marketing and eCommerce campaigns are likely to be targeted by bots.
    • Protect critical paths and website functionalities from bots seeking to abuse business logic.
    • Encourage good account credential hygiene and safety.
    • Stay ahead of the scammers.