APJ commerce sector cyberattacks are rampant esp. retail, hotel & travel verticals

Commerce in the Asia Pacific-Japan (APJ) region is reeling from cyberattacks, exposing the vulnerability of these big entities in the most populated business regions of the globe that hold tons of data.

A study last year forecasted that merchant losses from online payment fraud will exceed US$362 billion globally between 2023 to 2028, with losses of US$91 billion alone in 2028. The reason, a rise in eCommerce transactions in emerging markets as merchants there are facing new threats, such as an increased use of AI for attacks.

Read more: Digital banking fraud: 55% of frauds in India were third-party account takeover frauds

Online payment fraud is where cybercriminals run false or illegal transactions online, with fraud strategies, such as phishing, business email compromise or account takeover.

According to a report by Akamai Technologies, Inc. (NASDAQ: AKAM), there is an increasing number and variety of attacks on the commerce sector. It found that in the APJ, over 1.15 billion web attacks were recorded in the commerce sector, across retail and hotel and travel verticals.

“As we approach the mid-year shopping and travel season, these insights around the commerce sector present a timely reminder that commerce organizations need to be on high alert to adapt to a myriad of methods used by attackers – from web applications and bots to phishing and the use of malicious third-party scripts,” explained Reuben Koh, Security Technology and Strategy Director (APJ), Akamai.

As we approach the mid-year shopping and travel season, these insights around the commerce sector present a timely reminder that commerce organizations need to be on high alert to adapt to a myriad of methods used by attackers – from web applications and bots to phishing and the use of malicious third-party scripts

Reuben Koh, Security Technology and Strategy Director (APJ), Akamai

“To stay ahead of attack attempts, commerce organizations should stay updated on the latest attack trends and constantly re-evaluate their security posture and controls. When considering specific cyber defense solutions, organizations need to make sure that the chosen solutions are adaptive enough to counter against the ever-changing threat landscape and minimize the risks posed by adversaries who are getting more sophisticated every day,” concluded Koh.

Globally, commerce remains the most targeted web attack vertical, accounting for over 14 billion (34%) of observed incursions, largely due to the industry’s continued digitalization and the attackers’ available selection of web application vulnerabilities to breach their intended targets.

The report also finds that Local File Inclusion (LFI) attacks increased 300% between Q3 2021 and Q3 2022 and are now the most common attack vector used against the commerce sector. Just a few years ago, SQL injection (SQLi) was the most common incursion. This indicates an attack trend toward remote code execution and hackers leveraging LFI vulnerabilities to gain a foothold for data exfiltration.

Attack vectors such as Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI), and Server-Side Code Injection have also been gaining popularity. They pose a significant threat to commerce organizations and other verticals, preventing online sales and damaging a company’s reputation.

Retail: Most Targeted Subvertical

As commerce organizations increasingly rely on web applications to drive customer experience and online conversions, adversaries target vulnerabilities, design flaws or security gaps to abuse web-facing servers and applications. Globally, retail remains the most targeted subvertical within commerce, accounting for 62% of attacks on the sector.

The top web attack target areas in APJ for retail are India and China. Loyalty and rewards programs, in combination with a proliferation of shopping days across these areas, present attractive opportunities for cybercriminals to ply their trade.

Hotel & Travel

The hotel and travel subvertical also emerged as a particularly attractive target to attackers, with the bulk of all transactions conducted online, driven by Australia (63.72%), followed by India (22.44%).

APJ is the fastest-growing market for online travel bookings, expected to expand at a compound annual growth rate of 9.8% from 2022 to 2030. In addition to vulnerabilities in existing workflows and supply chains, these factors could be contributing to the jump in cybercrime in the region, and more specifically, attacks on this sub-vertical.

Read more: Enhancing security through technology: The future of safety measures

Akamai observed malicious bots targeting the APJ commerce vertical surpassing 765 billion in 15 months, contributed by the number and frequency of holiday shopping events throughout APJ and the growth in online travel booking.