AI-Powered Attacks Flood Retail Websites

Retailers experienced over half a million (569,884) AI-driven attacks per day according to a recent six-month analysis by cybersecurity firm Imperva.

These attacks originate from AI tools like ChatGPT, Claude, and Gemini, alongside specialized bots that are designed to scrape websites for LLM training data.

The Thales-owned firm observed a range of AI-driven threats, including bots, distributed denial of service (DDoS) attacks, API violations, and business logic abuse.

"In previous years, we've seen security threats like Grinch bots and DDoS attacks cause major disruptions during the holiday shopping season, affecting both retailers and consumers alike. Now, with the widespread availability of generative AI tools and LLMs, retailers are contending with a new wave of sophisticated cyberthreats," said Nanhi Singh, General Manager of Application Security at Imperva.

As the holiday shopping season approaches, retailers expect to experience their busiest sales period.

"Cybercriminals recognize this and are using generative AI tools and LLMs to capitalize on the increased volume of digital transactions, limited-time promotions, and the gift cards and loyalty points stored in customer accounts," Singh said.

These AI-driven attacks could also disrupt operations, compromise customer data, and tarnish retailers' reputations.

Top AI-Driven Attacks Affecting Retail Sites

In the firm’s research, it identified business logic abuse as the most common AI-driven attack, accounting for 30.7% of all incidents.

Business logic abuse involves exploiting the legitimate functionalities of an application or API to carry out malicious actions, such as manipulating prices, bypassing authentication, or abusing discount codes.
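The defensive counterpart to the abuse described above is to never trust prices, totals or discount state sent by the client. The following is an added example, not code from the article or from Imperva: a checkout routine that takes only SKU and quantity from the request, recomputes the charge from a server-side catalog, enforces a per-line quantity cap, and tracks discount-code redemptions on the server. The catalog, the `WELCOME10` code, the quantity limit and the order payloads are all constructed sample data.

```python
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample catalog: the server, not the client, is the source of prices.
CATALOG = {
    "sku-001": Decimal("49.99"),
    "sku-002": Decimal("199.00"),
}

MAX_QTY_PER_LINE = 5  # constructed per-item purchase cap (limits inventory hoarding)


@dataclass
class DiscountCode:
    percent: int
    max_uses: int
    uses: int = 0
    redeemed_by: set = field(default_factory=set)


# Constructed discount-code table; redemption state lives here, never in the request.
CODES = {"WELCOME10": DiscountCode(percent=10, max_uses=100)}


class CheckoutError(ValueError):
    """Raised when an order violates a business rule."""


def checkout(order: dict, account_id: str, codes: dict = CODES) -> Decimal:
    """Return the amount to charge, trusting only SKU and quantity from the client.

    order = {"items": [{"sku": str, "qty": int}, ...], "code": optional str}
    Any client-supplied "client_total" or "price" field is deliberately ignored.
    """
    subtotal = Decimal("0")
    for line in order.get("items", []):
        sku = line.get("sku")
        qty = line.get("qty")
        if sku not in CATALOG:
            raise CheckoutError(f"unknown sku {sku!r}")
        # bool is a subclass of int, so exclude it explicitly.
        if (not isinstance(qty, int) or isinstance(qty, bool)
                or qty < 1 or qty > MAX_QTY_PER_LINE):
            raise CheckoutError(f"invalid quantity {qty!r} for {sku}")
        subtotal += CATALOG[sku] * qty
    if subtotal == 0:
        raise CheckoutError("empty order")

    total = subtotal
    code_name = order.get("code")
    if code_name is not None:
        code = codes.get(code_name)
        if code is None:
            raise CheckoutError("unknown discount code")
        if code.uses >= code.max_uses:
            raise CheckoutError("discount code exhausted")
        if account_id in code.redeemed_by:
            raise CheckoutError("discount code already redeemed by this account")
        total = subtotal * (Decimal(100 - code.percent) / Decimal(100))
        # Record the redemption only after every check has passed.
        code.uses += 1
        code.redeemed_by.add(account_id)

    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    tampered = {"items": [{"sku": "sku-001", "qty": 2}], "client_total": "0.01"}
    print("charge ignoring client total:", checkout(tampered, "acct-1"))
```

In a real deployment the redemption record would be a database row updated inside the same transaction as the order, so that two concurrent checkouts cannot both pass the `redeemed_by` check; the in-memory `set` here only illustrates where that state belongs.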

DDoS attacks, which aim to overwhelm a website's resources, accounted for 30.6% of all AI-driven threats to retailers.

Cybercriminals are now leveraging AI to coordinate large botnets more efficiently, enhancing the effectiveness of these attacks.

Attacks from bad bots account for 20.8% of AI-driven threats. These automated threats engage in disruptive activities such as scraping pricing data, credential stuffing, and inventory hoarding (scalping).

The infamous Grinch bot is notorious for its inventory hoarding during the holiday shopping season, making it increasingly difficult for consumers to purchase high-demand items.

With advancements in AI, bot operators can now create bots that convincingly mimic human behavior, allowing them to evade traditional security measures.

Finally, as e-commerce platforms increasingly expose APIs for mobile applications and third-party integrations, API violations are on the rise, accounting for 16.1% of AI-driven attacks on retailers.

Cybercriminals exploit vulnerabilities in APIs to gain unauthorized access to sensitive data or functionality.

With the assistance of AI, attackers can quickly identify weak points in API implementations, making these threats particularly challenging to mitigate.

To safeguard their APIs, retailers should enforce strict authentication and authorization protocols, implement rate limiting to prevent abuse, and regularly conduct comprehensive security assessments and penetration testing.
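Two of the safeguards named above, authentication/authorization checks and rate limiting, fit in a few dozen lines. The following is an added example, not code from the article or from Imperva: a token-bucket rate limiter keyed by account, placed behind an API-key check and a scope check so that an unauthenticated caller is rejected before it consumes any rate-limit budget. The `API_KEYS` table, the scope names, the bucket sizes and the injectable clock are all constructed for the example.

```python
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float
    last: float


class RateLimiter:
    """Token bucket per key: `capacity` burst, refilled at `refill_per_sec`."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_per_sec = refill_per_sec
        self.clock = clock  # injectable so tests can control time
        self._buckets: dict[str, _Bucket] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = _Bucket(tokens=self.capacity, last=now)
            self._buckets[key] = bucket
        # Refill proportionally to elapsed time, never beyond capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.refill_per_sec)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


# Constructed sample credential store: key -> owning account and granted scopes.
API_KEYS = {
    "key-mobile-app": {"account": "acct-1", "scopes": {"orders:read"}},
    "key-partner": {"account": "acct-2", "scopes": {"orders:read", "orders:write"}},
}


def handle_request(api_key: str, scope_needed: str, limiter: RateLimiter) -> tuple[int, str]:
    """Authenticate, authorize, then rate-limit; return an HTTP-style status."""
    ident = API_KEYS.get(api_key)
    if ident is None:
        return 401, "unauthenticated"          # unknown key: no budget consumed
    if scope_needed not in ident["scopes"]:
        return 403, "forbidden"                # known key, wrong scope
    if not limiter.allow(ident["account"]):    # bucket keyed by account, not by key
        return 429, "rate limited"
    return 200, "ok"


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, refill_per_sec=1.0)
    for _ in range(4):
        print(handle_request("key-mobile-app", "orders:read", limiter))
```

Keying the bucket by account rather than by raw key means a client that rotates through several keys for one account still shares a single budget; the order of checks (authenticate, authorize, then limit) keeps the limiter's state from being filled by callers who would be rejected anyway.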

"To effectively mitigate these threats, retailers must adopt a comprehensive strategy that not only defends against these attacks but also allows them to respond swiftly without disrupting the shopping experience," Singh said.