The holiday season is coming, and so are the bots. Are you prepared?
It’s the most wonderful time of the year … except if you’re in charge of cybersecurity at an e-commerce company.
‘Tis the season where malicious bot operators are busier than Santa’s little elves. And while we don’t want to put a damper on festive spirits, we do want to make sure that e-commerce SecOps professionals know the risks of neglecting bot protection during the most important revenue-generating days of the year.
Let’s take a closer look at what hackers were up to during last year’s holiday sales, and what you can do to protect both your Q4 revenue and your on-call team’s tranquillity this holiday season.
Bot traffic slows (and can even bring down) your site.
You have probably already scaled up your site infrastructure to tackle the extra influx of pre-holiday shoppers. But when you made your predictions, did you take into account the invisible visitors that can represent 30, 50 or even 70 percent of your total traffic?
Most malicious bot traffic goes undetected by standard analytics tools, which is why companies that don’t have a bot protection solution are often unaware of the serious impact this traffic has on their website performance (and on their cloud bill).
But large volumes of bot traffic will inevitably drain significant server resources, and may even bring your site to its knees, especially during peaks of human traffic like the holiday shopping period.
Here at DataDome, we often see an uptick of DDoS attack attempts around major online shopping events. We can only make educated guesses about what the attackers are hoping to achieve, but their motivation may be to elicit a ransom, to weaken their competition, or simply to earn bragging rights among other hackers.
In some cases, like the example above, the attackers quickly give up when they realize that their target is equipped with an advanced anti-bot solution. Others are more tenacious and may keep the pressure on for days on end.
Of course, not all bots that visit your site have ill intentions. For example, a wide range of bots edited by commercial players are collecting online content around the clock. Many of them may be helpful to your business, such as price comparison engines that bring new visitors to your site, or SEO software providers that help you improve your rankings.
However, during particularly busy shopping days, intense commercial bot activity will put an additional burden on your already strained infrastructure. The graph below shows commercial bot requests on the same website as in Figure 2 above.
Luckily, this particular merchant never ran into trouble, because the DataDome solution automatically blocks unwanted traffic. But in the absence of an efficient bot management tool, the combined effect of human traffic, commercial bot activity and bad bot attacks would have taken a substantial toll on the website’s infrastructure.
Even good bots, such as search engine crawlers, may contribute to overtaxing your bandwidth. Their activity often intensifies during the very busiest shopping days, in order to catch every updated offer and every fresh piece of information. Unfortunately, when aggressive indexing comes on top of everything else that is going on, this otherwise very useful traffic can be the straw that breaks the camel’s back.
Your product, marketing and logistics teams may have spent months creating, promoting and stocking up attractive holiday merchandise, but all that hard work may come to nothing if you are unable to stop bots from flooding and bringing down your site.
A good bot protection solution will help you avoid this potential disaster. For example, DataDome blocks all commercial bots by default, but you can easily allow-list any bots you want to let access your site. You can also use timeboxing or rate limiting to control the activity of good bots, or even completely block good bots during particularly busy days.
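The allow-list, rate-limit and "block good bots on busy days" controls described above can be expressed as a small policy. The Python below is an added illustration, not DataDome's code or configuration: a self-declared crawler is admitted only if it is on the allow-list and passes forward-confirmed reverse DNS (the PTR record lands in the operator's published domain and that hostname resolves back to the connecting IP), then it is metered with a per-crawler token bucket, and a `busy_day` flag blocks even verified crawlers during peak days. The DNS lookups are constructed tables so the example runs offline; the reverse-DNS suffixes are illustrative and should be checked against each crawler operator's own documentation.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Allow-list of crawlers we choose to admit, keyed by the token that appears in
# their User-Agent. The values are the reverse-DNS suffixes each operator
# publishes for its fetchers (illustrative; confirm against the operator's own
# documentation before relying on them).
ALLOWED_CRAWLERS: Dict[str, tuple] = {
    "Googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}
BOT_UA_MARKERS = ("bot", "crawler", "spider")

# Constructed DNS data standing in for real lookups, so the example runs offline.
REVERSE = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "203.0.113.5": "vps-5.example.net",          # not a Google host
}
FORWARD = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "vps-5.example.net": {"203.0.113.5"},
}


@dataclass
class TokenBucket:
    """Per-crawler limiter: up to `capacity` requests in a burst, refilled at `rate`/s."""
    rate: float
    capacity: float
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class GoodBotPolicy:
    """Decide what to do with self-identified bots: verify, allow-list, rate limit."""

    def __init__(self, reverse_dns: Callable[[str], Optional[str]],
                 forward_dns: Callable[[str], Set[str]],
                 busy_day: bool = False, rate: float = 1.0, burst: int = 3):
        self.reverse_dns, self.forward_dns = reverse_dns, forward_dns
        self.busy_day = busy_day            # flip on for peak shopping days
        self.rate, self.burst = rate, burst
        self.buckets: Dict[str, TokenBucket] = {}

    @staticmethod
    def claimed_crawler(user_agent: str) -> Optional[str]:
        ua = user_agent.lower()
        return next((n for n in ALLOWED_CRAWLERS if n.lower() in ua), None)

    def verified(self, ip: str, name: str) -> bool:
        # Forward-confirmed reverse DNS: the PTR must land in the operator's domain
        # and that hostname must resolve back to the connecting IP.
        host = self.reverse_dns(ip)
        return bool(host) and host.endswith(ALLOWED_CRAWLERS[name]) and ip in self.forward_dns(host)

    def decide(self, ip: str, user_agent: str, now: float) -> str:
        if not any(m in user_agent.lower() for m in BOT_UA_MARKERS):
            return "pass"                       # not a self-declared bot; other layers decide
        name = self.claimed_crawler(user_agent)
        if name is None:
            return "block:unlisted-bot"         # commercial bots blocked by default
        if not self.verified(ip, name):
            return "block:spoofed"              # borrowed a well-known crawler's name
        if self.busy_day:
            return "block:busy-day"             # even good bots wait on peak days
        bucket = self.buckets.setdefault(name, TokenBucket(self.rate, self.burst, self.burst, now))
        return "allow" if bucket.take(now) else "rate-limited"


def demo_policy(busy_day: bool = False) -> GoodBotPolicy:
    """Policy wired to the constructed DNS tables above (hypothetical helper)."""
    return GoodBotPolicy(REVERSE.get, lambda h: FORWARD.get(h, set()), busy_day=busy_day)


if __name__ == "__main__":
    p = demo_policy()
    for ip, ua in [("192.0.2.10", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
                   ("203.0.113.5", "Mozilla/5.0 (compatible; Googlebot/2.1)"),
                   ("203.0.113.5", "SomePriceBot/1.0"),
                   ("203.0.113.5", "Mozilla/5.0 Chrome/86.0")]:
        print(ip, ua, "->", p.decide(ip, ua, 0.0))
```

The User-Agent check alone is never trusted: anything can claim to be Googlebot, so the forward-confirmed reverse DNS step is what turns the allow-list into a real control. The bucket parameters (one request per second, burst of three) are deliberately tight for the demo; in practice they would be tuned per crawler from the traffic you actually observe.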
Bots usurp and abuse your customer accounts.
Are all your holiday shoppers who they appear to be?
Impersonator bots use leaked login-password databases to test those stolen credentials on the login forms of other sites, such as yours. Since many people use the same credential combinations across multiple sites, the typical success rate is between five and eight percent.
And once logged in, the cybercriminals can take control of the compromised accounts and make unauthorized transactions, often undetected for long periods of time.
Such credential stuffing and account takeover attacks often take place when the criminals expect your vigilance to be particularly low. Take a look, for example, at the graph below. There are always some account takeover attempts on this fashion retailer’s website, but on Christmas day in 2019, the “normal” volume of malicious requests was multiplied by four.

Figure 5: Account takeover attempts on a fashion website on Christmas Day 2019.
Without adequate bot protection, we can only imagine how the failed login alerts and the ensuing incident response would have ruined the on-call team’s holiday celebrations. As it happened, the AI-powered DataDome solution blocked the attack fully autonomously, so that the humans in charge of website security could continue to eat, drink and be merry.
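The "normal volume multiplied by four" observation above is exactly the kind of signal a detection rule can watch for. The Python below is an added example, not DataDome's detection engine: it parses a constructed login log, counts failed logins per hour, compares each hour against the median of the preceding hours, and raises an alert when the count reaches four times that baseline. Because credential stuffing leaves a distinctive shape (one source failing against many different accounts), the alert also reports the busiest source IP and how many distinct usernames it tried. The log format and all addresses and accounts are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, List, Optional

# Expected log shape (constructed for this example, not a real product format):
# 2019-12-25T03:07:00Z ip=203.0.113.9 user=victim3@example.com result=fail
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse(line: str) -> Optional[dict]:
    m = LINE.match(line.strip())
    if not m:
        return None                              # skip malformed lines rather than crash
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_spikes(lines: List[str], multiplier: float = 4.0,
                  min_failures: int = 10, baseline_hours: int = 24) -> List[Dict]:
    """Flag hours whose failed-login count is >= multiplier x the median of earlier hours."""
    by_hour = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        if ev["result"] == "fail":
            by_hour[ev["ts"].replace(minute=0, second=0)].append(ev)
    counts = {h: len(v) for h, v in by_hour.items()}
    alerts = []
    for hour in sorted(counts):
        history = [c for h, c in counts.items() if h < hour]
        if len(history) < baseline_hours:
            continue                             # not enough history to judge yet
        baseline = median(history)
        if counts[hour] < max(min_failures, multiplier * baseline):
            continue
        # Credential stuffing signature: one source failing against many distinct accounts.
        top_ip, top_n = Counter(e["ip"] for e in by_hour[hour]).most_common(1)[0]
        victims = len({e["user"] for e in by_hour[hour] if e["ip"] == top_ip})
        alerts.append({"hour": hour.isoformat(), "failures": counts[hour], "baseline": baseline,
                       "top_ip": top_ip, "top_ip_failures": top_n, "top_ip_distinct_users": victims})
    return alerts


def constructed_log() -> List[str]:
    """Two quiet days of background noise, then a burst on Christmas morning (all constructed)."""
    start = datetime(2019, 12, 23, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for h in range(54):                          # 2019-12-23 00:00 .. 2019-12-25 05:00
        t = start + timedelta(hours=h)
        for i in range(5):                       # ~5 mistyped passwords per hour is normal here
            ts = (t + timedelta(minutes=i * 11)).strftime(fmt)
            lines.append(f"{ts} ip=198.51.100.{(h + i) % 20 + 1} "
                         f"user=user{(h * 5 + i) % 40}@example.com result=fail")
        lines.append(f"{t.strftime(fmt)} ip=198.51.100.3 user=user1@example.com result=ok")
    burst = start + timedelta(days=2, hours=3)   # 2019-12-25 03:00
    for j in range(20):                          # one IP, 20 different accounts, all failing
        ts = (burst + timedelta(minutes=j * 2)).strftime(fmt)
        lines.append(f"{ts} ip=203.0.113.9 user=victim{j}@example.com result=fail")
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(constructed_log()):
        print(alert)
```

Using the median rather than the mean keeps earlier spikes from inflating the baseline, and the `min_failures` floor stops a quiet site from alerting on four failures because its baseline happened to be one. On the constructed data the rule fires once, for the 03:00 hour on Christmas Day, and the per-IP breakdown shows the stuffing pattern (one address, twenty accounts) rather than a single user forgetting a password.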
Bots steal sensitive data.
How safe are your customers’ personal data? To deliver the best possible products, services and user experiences, you may be collecting and storing large volumes of user data online. But in doing so, you are facing consequential risks.
Data theft is often the primary aim of account takeover attempts. The data leaks that have made the news in recent months (EasyJet, Disney+ …) illustrate what a major challenge protection of personal data and internet exchanges has become.
Again, hackers seeking to steal sensitive data will often strike when they expect to meet the least resistance. When the IT and SecOps teams of an online books and electronics store were enjoying a well-deserved break after last year’s holiday shopping craze, malicious actors saw an opportune window to attack.

Figure 6: Account takeover attempts on an online bookstore during the end-of-year holiday period in 2019.
If you don’t have an account takeover protection system which effectively prevents attackers from accessing your sensitive data, aggressive attacks like this one can become very, very costly.
Exposing your users’ personal data will not only result in the loss of customer trust and hurt your share price. It can also make you liable to a hefty penalty—up to 4 percent of your global annual turnover—if the breach is found to be violating the EU’s General Data Protection Regulation (GDPR).
How to have a peaceful holiday season:
Silent night, holy night … Does the prospect of a holiday season with no middle-of-the-night on-call incidents sound like a chimney-pipe dream? Put a bot protection solution on your wish list, and you may see the dream come true.
With an efficient bot protection system in place, your business and your customers will be safe from bot-generated fraud this holiday season. Your site infrastructure, your inventories and your marketing budgets will serve legitimate customers, and you don’t need to worry about downtime, chargebacks or penalties caused by bots.
DataDome is the #1 SaaS bot protection solution for e-commerce businesses, and we love nothing more than making spirits bright in our customers’ IT teams.
With a massive database of known bots, we know if they’ve been bad or good, and will block 99 percent of all naughty bot requests to your websites, apps and APIs in less than 2 milliseconds. As for new threats, our AI-based bot detection engine will identify and block even the most sophisticated ones in 50 milliseconds or less.
We practice sharing all year round, not only during the holidays, so any time a new bot is detected on a customer website, all our customers are immediately protected against the new threat.
Ready for a holiday season where all is calm, all is bright in the IT department? Start your free trial today, or contact us to schedule a demo!