Nearly Two-Thirds Of Holiday E-Commerce Traffic Was Bad Bots

The e-commerce industry is growing fast. In a matter of seconds, lucrative shopping deals are being availed and transactions are done. If an organization’s IT infrastructure is not up to the task of protecting applications that enable easy shopping, sophisticated automated attacks can happen in the blink of an eye.

The sophistication level of bad bots is increasing across industries. Their ability to mimic human behavior and be distributed over thousands of IPs is a major cause of concern to e-commerce firms and their applications. For example, 56 percent of bad bots on e-commerce firms were of fourth generation during Q1 – Q3, 2019. The fourth-generation bad bots are not only capable of mimicking human behavior, they also can be distributed over thousands of IPs and can be daisy chained to perform sophisticated automated attacks.

To better understand the threats that e-commerce firms are facing from bad bots, Radware commissioned research to study the traffic of e-commerce firms monitored by it from across the globe. The goal of this research was to understand different types of attacks that e-commerce firms are facing and bad bots’ behavior during big shopping days such as Black Friday and Cyber Monday. This article answers the following questions in detail: 

  • How bad bots targeted e-commerce firms during Black Friday and Cyber Monday 
  • What are the most targeted industries by bad bots  
  • What types of bots target e-commerce businesses 
  • What are four major threats to e-commerce firms from bad bots 

Black Friday And Cyber Monday 2019 

  • On Black Friday, 38.6 percent of traffic was bad bots on e-commerce firms.  
  • On Cyber Monday, 42.5 percent of traffic was bad bots on e-commerce firms.
  • These bots were observed performing account takeover, denial of inventory, and content scraping attacks among others.
Traffic Distribution During Black Friday and Cyber Monday 2019

Account Takeover Attacks

  • Nearly two-third of the traffic on the login pages was bots during Black Friday and Cyber Monday. These bots were observed performing account takeover attacks during the shopping days. 
  • Only one-third of the traffic was human on e-commerce sites during Black Friday and Cyber Monday this year 
  • Most of these bots were AuthBots and were distributed over thousands of IPs. 
 Black Friday and Cyber Monday 2019 – Account Takeover Attacks

Denial of Inventory Attacks

  • Nearly 90 percent of the traffic on cart page of e-commerce sites during Cyber Monday was bots on a significant number of e-commerce sites monitored by us.
  • On Black Friday, nearly two-third of the traffic was bots.
  • This was the reason behind higher cart abandonment rate on this year’s Black Friday and Cyber Monday. 
Black Friday and Cyber Monday 2019 – Denial of Inventory Attacks

Content Scraping Attacks

  • 40.1 percent of the traffic of category pages and 45.3 percent of the traffic on product pages was bots during Black Friday. 
  • 41.8 percent of the traffic of category pages and 40.2 percent of the traffic on product pages was bots during Cyber Monday 2019. 
  • These bad bots attempted to perform scraping of product listing and details from category and product pages of e-commerce firms. 
Black Friday and Cyber Monday 2019 – Content Scraping Attacks 

Most Targeted Industries by Bad Bots

With 26.4 percent of the traffic as bad bots, e-commerce industry was the most targeted industry in first three quarters of 2019, followed by real estate, online marketplaces and classifieds, and digital publishers. 

Most Targeted Industries by Bad Bots

Types Of Bots On E-Commerce Businesses

  • 56 percent of bots on e-commerce firms were of fourth generation. 
  • Fourth generation bots can be distributed over thousands of IPs based in different geographical locations and can masquerade as human users. 
  • Detecting fourth generation bad bots requires advanced technologies including intent analysis so that you can analyze a visitor’s intent and don’t end up blocking genuine users. 
Types of Bots on E-commerce Businesses

Top 4 Attacks On E-Commerce Firms From Bad Bots 

  • Account takeover, denial of inventory, content scraping, and carding are top four attacks on e-commerce firms  
  • Login pages are the most targeted pages of e-commerce firms to takeover user accounts or create fake accounts.
  • Cart abandonment by bots is another threat that e-commerce businesses are facing from bots.
Four Major Threats to E-commerce Firms from Bots

All large e-commerce platforms have sophisticated bot activity on their website, mobile apps, and APIs that can expose them to account takeover, scraping, denial of inventory, and loss of Gross Merchandise Value (GMV). E-tailers must be diligent in their approach to deal with sophisticated bad bots as attacks such as one on Black Friday and Cyber Monday can happen during Christmas holidays as well.

Note: A version of this article first appeared in Retail IT Insights.

Read “The Ultimate Guide to Bot Management” to learn more.

Download Now

Pavan Thatha

Pavan Thatha is a serial entrepreneur in cybersecurity with two decades of experience in the technology industry. Pavan currently serves as VP & GM of the Radware Innovation Center. Pavan joined Radware as part of Radware’s acquisition of ShieldSquare, a market leader in the bot management industry where he was co-founder and CEO. Prior to founding ShieldSquare, Pavan was the co-founder and CEO at a two-factor authentication startup named ArrayShield. Pavan is a gold medalist in electronics & communications from NIT, Warangal and completed his master’s from IIT Bombay.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center