A new report released today by application programming interface security company Cequence Security Inc. warns that retail fraud is up nearly 700% as cybercriminals exploit the holiday shopping season.

The report is based on anonymized traffic and attack data from billions of transactions from Cequence’s customer base, which includes Fortune 500 and Global 2000 companies. It found that threat actors are evolving tactics and opting for a more nuanced approach that spreads attacks across a broader timeframe to blend in with legitimate traffic and evade detection.

Key findings in the report include what is described as a “pre-holiday cyber onslaught,” with gift card fraud increasing by 110% in the second half of 2023, while scraping, loyalty card fraud and payment card fraud increased by an average of over 700% as attackers lay the groundwork for holiday sale attacks ahead of retailer security crackdowns.

The report found a rising threat of trust-building account takeovers, with account takeovers up a whopping 410 times for retailers in the second half of the period analyzed, September to November 2023. Also discovered was a surge of “automated line-jumpers,” a process that involves large numbers of products being added to carts via automated tooling to volumetrically flood systems, purchasing as many in-demand items as possible to corner the market and preventing sales to legitimate customers.

Across its entire customer base, Cequence detected malicious traffic from 719 million unique IP addresses and 325 million malicious login attempts from June to November 2023, highlighting the scale of the threat.

“The 2023 holiday season exposed a chilling reality: cybercriminals are employing increasingly sophisticated attack methods and meticulously planning months in advance to exploit vulnerabilities,” said William Glazier, director of threat research at Cequence. “This long-term approach allows them to target unprepared retailers and unsuspecting customers, particularly during peak shopping periods. This shift underscores the urgent need for heightened vigilance and proactive security measures throughout the year.”

Glazier added that to combat sophisticated threats targeting APIs, organizations must discover and catalog all APIs, ensure rigorous adherence to industry standards, and deploy advanced threat detection and mitigation tools to defend against attacks.

Image: DALL-E 3