COVID-19 has accelerated changes in the way attackers hit web applications. Based on behaviors we observed during our research, we developed five predictions on how web application security will change as we come out of the COVID-19 period – and what security pros can do about it.

1. More sophisticated account takeover (ATO) attacks.

The COVID crisis has created new opportunities for attackers. It has also accelerated the innovation and development of new attack tools. Consumers changed their usage patterns and the attackers followed them. For example, use of online retail, food delivery and e-learning services has spiked. These big traffic shifts – often the doubling or tripling of legitimate users – present an opportunity for attackers to victimize inexperienced website operators defending against hard-to-spot distributed attacks.

During COVID, we saw an increase in “sophisticated” attacks using tactics such as headless browsers (without GUIs) and JavaScript-enabled bots. We also saw an increase in bots with detailed business logic capabilities that navigate multiple pages and can solve CAPTCHAs. The attackers also expanded their attacks to smaller sites than what we’ve traditionally seen for these type of attacks. Generally, this type of ATO attackers focus on larger targets like the top 50 Internet retailers. In contrast, attacks against smaller sites pre-COVID were mostly “spray” attacks using brute force ATO attempts with crude bots. This means either that professional cybercrime rings responsible for sophisticated attacks are now broadening their targets to include smaller sites, or that more sophisticated bot and ATO attack tools are easier to access on the dark web. As the tools grow more available, attackers of all stripes will continue to use them.

  • Result: There’s a new level of attack sophistication facing a wider array of websites.
  • Impact: Operators of all sites and web applications, regardless of size, need to learn how to defend against far more sophisticated attackers. Simple Web Application Firewall  (WAF) rules and rate-limiting won’t work anymore. Operators must learn how to defend new attacks to protect their revenues and reduce time and resources wasted remediating and reacting to attacks.

2. Distributed (and harder to stop) botnets.

During COVID, we saw an increase in botnets that were more broadly distributed and had higher-quality IP addresses that used a large range of residential addresses. This implies that cybercriminal gangs have access to larger botnets than previously or that the tools to create (or rent) distributed botnets got easier to use and became more widely available. This broad shift will make it harder to spot attacks earlier and will reduce the efficacy of IP-address reputation as a way to spot bots.

  • Result: Detecting malicious bots will require more advanced machine learning that can better spot and predict bots that are lower volume and coming from higher reputation IP addresses
  • Impact: Every web application team will need to either understand machine learning or use a web application security service that deploys machine learning to stay ahead of the attackers. Business units and e-commerce revenue teams need to reconsider technology choices for their web defense.

3. Online hoarding and bot-buying for in-demand items.

During COVID, the shopping bot and hoarding behavior emerging online went mainstream. Some of the software for these hoarding applications was open- sourced. We expect people will leverage the same technology for additional use cases around the short-term scarcity of products online.

  • Result: Shoppers not using bots will struggle to buy in-demand items like pulse oximeters and isopropyl alcohol. Hoarding tools will appear quickly whenever there’s a supply interruption, driven by easy access to open source technologies. Businesses must deal with more disruptions caused by hoarding bots including site latency, skewed site analytics and unhappy customers.
  • Impact: Retailers must more broadly adopt bot mitigation measures to ensure fair access to their products, reduce infrastructure costs and maintain analytics integrity.

4. Bots will target government websites.

COVID has forced all organizations to accelerate digital transformations and move processes online. It’s also true for government agencies. More governments are asking citizens to put critical PII online. Full records of personal information are a lucrative target for attackers who can resell it or leverage it to defraud innocent users. Many of these new government web applications have not been thoroughly tested and might have security vulnerabilities. New operators of these web applications are inexperienced with bots, hoarding and other forms of web application attacks.

  • Result: Organized attackers will gravitate towards government web applications for high-value, high-impact attacks.
  • Impact: We see large spikes in attacks as the bad guys target newly digital government sites to harvest PII and financial institution data. Government operators of online properties must consistently test, validate and improve their security stances to protect users from the increased cadence and severity of attacks.

5. Magecart attacks on retailers (and consumers) continue to soar.

With everyone staying home more and avoiding malls and stores, online shopping has skyrocketed. Many businesses are now creating new online sites and online offerings in response to COVID. However, when organizations quickly make changes, their websites are more vulnerable to security risks and insertion of unauthorized code, such as Magecart. In addition, as the number of new sites and new offerings grows in response to COVID there are more new targets for attackers. We observed attackers cynically taking advantage of fundraising sites and targeting them to steal credit card information and other data. The Magecart groups have noticed all of this and they are upping their attack frequency and severity. Magecart attacks target front-end infrastructure with unauthorized code that skims sensitive information, such as email-password combos or financial data like credit card or bank account information. Some Magecart attacks redirect customers to lookalike domains where they receive a payment request and then their data gets skimmed. Other Magecart attacks merely snoop and skim data from payment forms that are legitimate on a website or mobile application.

Result: With the volume of online shopping traffic likely to grow as COVID lingers, Magecart attacks will become even more lucrative for cybergangs.

Impact: Web application owners will need to improve front-end security and closely monitor code changes, as well as website behavior for anomalies and signs of Magecart penetration.

Moving forward, organized cybercriminal gangs will expand their reach to grab even more of an expanded pie. For website operators, these trends are an impetus to up their web security game and tune their internal capabilities, web security technologies and services to handle this permanently enhanced threat status. On a more positive note, there are some clear proactive steps organizations can take to make web security a lot better after COVID.

Ido Safruti, co-founder and CTO, PerimeterX