Bots are Threatening Ecommerce Sites — Here’s How to Protect Against Them

Ecommerce sales are projected to reach $908.73 billion this year as pandemic conditions favor online interactions. Many businesses have spent the last year shoring up resources for online storefronts in order to meet consumer demand.

But as expected, attackers are following the money and targeting these lucrative sites. Online retail is a main target for cyberattacks, and bad bots play a primary role. With these automated tools, cybercriminals are able to attack far more targets, and in far more damaging ways, than they could accomplish manually.

There are several main threat vectors that cybercriminals use when attempting to compromise an ecommerce site, and each has its own unique method of protection.

Holding Sites for Ransom

Botnets, or interconnected devices running bot software, pose a threat to website operators. By flooding a website with incoming traffic, botnets are able to carry out distributed denial of service (DDoS) attacks.


During a DDoS attack, the hacker tries to cripple the victim’s network by overwhelming it with traffic. If this is successful, the attacker can hold the website for ransom, demanding payment (usually in the form of a cryptocurrency such as Bitcoin) from the site owners. The hacker threatens to maintain the attack until the ransom is paid so that the targeted site will have degraded availability to its customers or be unavailable altogether.

DDoS extortion is a particularly lucrative means of attacking ecommerce sites because their revenue is directly tied to website traffic. For large sites, the cost of downtime can be hundreds of thousands of dollars per hour, in addition to the ransom cost demanded by the attackers. During peak traffic periods, like the holiday shopping season or Black Friday, these platforms are particularly vulnerable and downtime costs increase.

To avoid these problems, retailers need effective filtering tools to block malicious traffic, sufficient bandwidth and other resources for absorbing even massive DDoS assaults, and the ability to autoscale resources as needed to minimize expenses for usage.

Watch Your Payment Systems

Credit card data is a valuable commodity on the dark web, with the details of just one credit card being worth up to $35. If a retail site processes its own payments, then it must make sure to protect its backend, as attackers know that many customers save their credit card data in their accounts.

A successful penetration of the site can affect customers and the retailer alike. The customers’ stolen credit cards can be used to make fraudulent purchases, while site owners will suffer from loss of reputation, possible regulatory fines and potential legal liability from the breach.

The best time to intercept these attacks is in their earliest stages. Because attackers use bots to search for vulnerabilities within a site’s backend, the onus falls on the ecommerce sites to mitigate bots. Because not all bots are bad, it is important to be able to differentiate between good and bad bots with a multi-stage filtering process.

Bots are “Stuffing” Credentials

Credential stuffing is another common attack that is based upon bad bot activity. The bots “stuff” usernames and passwords into ecommerce sites, attempting to gain access. Most of these credentials are obtained from data breaches of other sites; hackers know that many people re-use credential sets across sites, so credential stuffing can often be successful.

Once bots gain access to one or more accounts, their human masters will arrive soon afterwards. Along with attempting to change the credentials to lock out their rightful owners, the attackers will abuse the stolen accounts by making fraudulent purchases or performing other illicit activities.

Most retailers know that they need protection against credential stuffing and other ATO (account takeover) techniques. However, most do not realize that traditional defenses such as CAPTCHA challenges have become mostly ineffective. (Hackers today have tools that can solve or bypass CAPTCHA and reCAPTCHA challenges.)

To prevent credential stuffing and other ATO attacks, online retailers need to use techniques such as advanced rate limiting. This is a form of rate limiting that not only regulates each user’s attempts to access an application, but can also successfully detect “users” that try to evade rate limits with IP rotation and other methods.

Inventory Hoarding

Another common bot attack involves malicious actors (sometimes hired by rival marketplaces!) that configure bots to automatically place high demand merchandise into carts. The goal is to hinder true sales and prevent trending SKUs from gaining traction during peak buying periods.

Depending on how the ecommerce site is configured, these bots can have a significant impact on inventory; the website considers them legitimate buyers, allowing them to hold merchandise in their carts and prevent real buyers from accessing it.

These bots artificially deplete inventory and deny it to real buyers (which is why this attack is sometimes known as “inventory denial”). By not being able to sell these items, retailers can lose out on sales and drive down cart conversion rates.

Inventory denial bots are challenging to identify because they masquerade as legitimate shoppers and avoid any activity that is overtly hostile. In order to protect against them, ecommerce sites need to leverage the full array of hostile bot detection methods: not only basic approaches such as IP reputation databases and geolocation filters, but also advanced techniques such as browser environment verification, mobile API hardening and biometric behavioral profiling.


Ecommerce sites face a myriad of attack vectors that can threaten to hinder the performance of the site. In order for retailers to fully reap the benefits of ecommerce market growth, they must protect themselves from hostile bots; this will prevent costly attacks that could damage their sales, customer loyalty and brand reputation.

Tzury Bar Yochay is Co-founder and Chief Technology Officer of Tel Aviv-based cybersecurity company Reblaze and the co-creator of Curiefense.

Feature Your Byline

Submit an Executive ViewPoints.


Access The Media Kit


Access Our Editorial Calendar

If you are downloading this on behalf of a client, please provide the company name and website information below: