Black Friday threat actors are better prepared and more sophisticated than ever

New research from F5 Labs has shown that Black Friday threat actors are better prepared and more sophisticated than ever before.

The analysis found that automated traffic became progressively more sophisticated in advance of, and during, the Black Friday period. It also noted that attackers moving early to target the promotional period when platforms may not have implemented heightened security measures.

Automation is becoming more sophisticated

F5 Labs distinguished between ‘low sophistication’ automation operating at the network (HTTP) level, ‘medium sophistication’ which can present as a browser or mobile device, and ‘high sophistication’, which interacts with an application in ways that mimic human behavior such as keystrokes and mouse movements.

Leading up to November, from August to October in 2022, almost half of automated traffic on the Web was low sophistication. Only around 33% of traffic demonstrated high sophistication. That trend steadily reversed throughout the period, and during November high sophistication attacks were regularly comprising nearly 70%. On Mobile a similar trend took hold, albeit via the replacement of low sophistication with medium sophistication automation.

“The increase in the sophistication of automation was a striking trend across both Web and Mobile,” said David Warburton, Director of F5 Labs. “As the busy shopping period approached, the volume of automation may have fluctuated but its sophistication was progressively growing.

“Threat actors know that low level automation is likely to be easily detected and that online retailers are improving the way they defend against attacks and share information.  Highly skilled and well-funded threat actors are responding by upping the sophistication of their work. This includes, but not limited, to exploiting the most recent vulnerabilities to gain unauthorised access to systems, deploying malicious software that can alert its code dynamically infects a new system, or using custom malware or social engineering techniques for an extended period. Concurrently, they have strategically shifted their attack objectives towards the most lucrative and damaging vectors.”

Attackers are moving earlier

Another notable trend was that the prevalence of automated traffic around Black Friday and Cyber Monday was not tied to the days themselves but tended to happen well in advance. In other words, during the early in the promotional period.

Certain sub-sectors of online retail were also found to be more susceptible to attacks such as credential stuffing, account takeover, gift card fraud, scraping and reseller bots than others.

The sector that received the highest levels of potentially malicious traffic – grocery on Web platforms – recorded its highest peaks within the first half of November, when automated traffic represented more than 35% of the total traffic. That compared to regular single-digit readings during September and October.

It was the same story on Mobile, where both fashion and eCommerce recorded bigger spikes in automated traffic prior to the Black Friday period than during it – the former peaking at 24% on 28 October and the latter at 16% on 27 October.

“We expected to see automated traffic peaking during peak sales times, but the data showed the opposite,” added Warburton.

“Instead, where there were surges in automation, they almost all happened either in the early part of the Black Friday period or prior to it. This suggests that threat actors are looking to take advantage of a period when online platforms may not have implemented heightened security measures. Retailers clearly need to be on high alert in advance of Black Friday and high-activity shopping events, and Defenders should expect the unexpected. In particular, they should use bot defense solutions that can keep pace with attackers that are constantly retooling and shifting their tactics. This should include rich client-side signal collection, aggregate data collection, and AI for long-term efficacy and near-zero false positives – as well as an ability to maintain access for good bots.”