Chris Titze Imaging - stock.adob

Cyber attacks against APAC commerce sector surpass 1.1 billion

Retailers, hotels and travel-related organisations in the region saw over a billion cyber attacks last year amid the surge in e-commerce activity and online travel bookings

Over 1.15 billion cyber attacks were launched against retailers, hotels and travel-related organisations in Asia-Pacific (APAC) last year, underscoring the security risks that come with growing digitisation efforts in the commerce sector.

According to Akamai’s Entering through the gift shop: attacks on commerce report, retailers in India and China were the most targeted due to the popularity of loyalty and rewards programmes and a proliferation of shopping festivals that presented opportunities for cyber criminals to ply their trade.

As commerce organisations rely more on web applications to drive customer experience and online sales, adversaries have been targeting their vulnerabilities, design flaws and security gaps to abuse web-facing servers and applications. Globally, retail remains the most targeted subvertical within commerce, accounting for 62% of attacks on the sector.

With online travel bookings in APAC expected to grow at a compound annual growth rate of 9.8% from 2022 to 2030, the region’s hotels and travel organisations were also attractive targets, particularly those with vulnerabilities in existing workflows and supply chains.

As for attack vectors, Akamai’s research found that local file inclusion (LFI) attacks grew a whopping 300% between the third quarter of 2021 and the third quarter of 2022, making LFI, which tricks applications to run malicious files, the most common attack vector in the commerce sector.

This was a shift from a few years ago, when SQL injection was the most common incursion, indicating a trend towards remote code execution and hackers leveraging LFI vulnerabilities to exfiltrate data from victims.

Other vectors such as server-side request forgery (SSRF), server-side template injection (SSTI) and server-side code injection have also been gaining popularity. Akamai said these pose a significant threat to commerce organisations and other sectors, preventing online sales and damaging a company’s reputation.

Malicious bots

The region’s commerce sector also saw the number of malicious bots surpassing 765 billion in 15 months, contributed by the number and frequency of holiday shopping events and the growth in online travel bookings. However, following quarter-on-quarter growth throughout 2022, malicious bot activity decreased substantially in the first quarter of 2023.

“As we approach the mid-year shopping and travel season, these insights around the commerce sector present a timely reminder that commerce organisations need to be on high alert to adapt to myriad methods used by attackers – from web applications and bots to phishing and the use of malicious third-party scripts,” said Reuben Koh, Akamai’s security technology and strategy director for the region.

“To stay ahead of attack attempts, commerce organisations should stay updated on the latest attack trends and constantly re-evaluate their security posture and controls. When considering specific cyber defence solutions, organisations need to make sure that the chosen solutions are adaptive enough to counter the ever-changing threat landscape and minimise the risks posed by adversaries who are getting more sophisticated every day,” he added.

Read more about cyber security in APAC

Read more on Web application security

Data Center
Data Management