By Bill Brenner, Senior Tech Writer, Akamai SIRT
Retail was hit hard in Q1 2016 by malicious actors who targeted the business sector with web application attacks. That is among the findings in the State of the Internet Security Report for the first quarter of the year.
The retail sector suffered almost half of all web app attacks.
Hotel and travel was the second-hardest hit, followed by financial, high technology, media and entertainment, the public sector, SaaS and business services.
Retailers are frequently targeted for DDoS attacks, but there are significant reasons why they are also targeted for web application layer attacks.
Retailers have large amounts of valuable information in their databases, and if an adversary is able to find a SQLi vulnerability, the attacker can access the retailer's information.
Retailers also have a large number of visitors to their websites. As a result, attackers will find and exploit XSS vulnerabilities to deface retailers' websites, causing a loss of trust among customers.
Alternatively, the attacker may use a compromised site for a watering hole attack, loading malware on site visitors' computers. Retailers may also be a target for unvalidated requests. For example, if an attacker could control the price of the item being purchased, items could be sold at a price that is different from what the retailer intended.
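To make the unvalidated-request case concrete, here is an added example (not from the report or from Akamai) that puts a checkout total that trusts the submitted price beside one that recomputes it from server-side data. The catalog, SKUs, quantity limit, and function names are all constructed for illustration.

```python
from decimal import Decimal

# Constructed sample catalog: the server-side source of truth for prices.
CATALOG = {
    "sku-1001": Decimal("49.99"),
    "sku-2002": Decimal("199.00"),
}
MAX_QTY = 10  # assumed per-line business limit


def total_trusting_client(order):
    """Weak form: uses the unit price sent in the request body."""
    return sum(Decimal(str(l["price"])) * l["qty"] for l in order["lines"])


def total_validated(order):
    """Hardened form: ignores client prices, validates SKU and quantity."""
    total = Decimal("0")
    for line in order["lines"]:
        sku, qty = line.get("sku"), line.get("qty")
        if not isinstance(sku, str) or sku not in CATALOG:
            raise ValueError(f"unknown sku: {sku!r}")
        # bool is a subclass of int, so reject it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"invalid quantity for {sku}: {qty!r}")
        total += CATALOG[sku] * qty
    return total


def price_mismatches(order):
    """Detection aid: lines whose submitted price differs from the catalog."""
    return [
        (l["sku"], l["price"], str(CATALOG[l["sku"]]))
        for l in order["lines"]
        if l.get("sku") in CATALOG
        and "price" in l
        and Decimal(str(l["price"])) != CATALOG[l["sku"]]
    ]


# Constructed request body in which one client-supplied price was altered.
TAMPERED = {"lines": [{"sku": "sku-2002", "qty": 1, "price": "1.00"},
                      {"sku": "sku-1001", "qty": 2, "price": "49.99"}]}

if __name__ == "__main__":
    print("trusting client:", total_trusting_client(TAMPERED))
    print("validated:      ", total_validated(TAMPERED))
    print("mismatches:     ", price_mismatches(TAMPERED))
```

Logging the output of `price_mismatches` gives the retailer a signal that requests are being altered even though the hardened total is unaffected.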
Merchants need to be cognizant of all possible ways their web applications may be compromised.
By comparison, retail suffered only a tiny portion of all DDoS attacks in Q1 2016. As has been the case for many quarters, the gaming industry bore the brunt of DDoS attacks during the quarter.