It’s the Most Wonderful Time of the Year…for Attacks and Attackers

Published November 23, 2021

It’s that time of the year again: the most wonderful time of the year for attackers. Between Black Friday, Cyber Monday, and heightened online spending in the weeks leading up to the year-end holidays (Chanukah, Christmas, Boxing Day, Kwanzaa, Festivus), the opportunities are ripe for bad actors looking to take advantage of shoppers and e-commerce apps alike.

In 2019, security researchers at F5 Labs found a 100% increase in new threat campaigns from November to December of that year. Many of these campaigns entered a network with something as simple as a phishing email, preying on users scouring their inboxes for discounts by using language employed by retailers in Black Friday and Cyber Monday promotions. Additionally, instances of web application attacks—such as DoS and DDoS attacks—also increased as attackers attempted to disrupt the profits of online retailers.

To safeguard your customers’ holiday shopping experience and to ensure your business-critical applications remain up and uncompromised, it is essential to secure your apps against common attack types that plague retail and e-commerce businesses during the holiday shopping period. Read on for some strategies to help your organization weather the holiday cyberattack storm.


Across the globe, phishing remains the most common, or one of the most common, attack vectors for cybercriminals. Last year in the United Kingdom, phishing accounted for 28% of all cybersecurity incidents, and in Australia, phishing accounted for 36% of incidents. In 2020, the number of phishing attacks doubled from the previous year, and since then, the number has remained at a consistent but high level. Unfortunately, this form of attack remains so prevalent because it works.

Cybercriminals can take advantage of shoppers looking for deals by sending emails that look familiar to Black Friday and holiday shoppers. And it doesn’t stop at emails: attackers may send fake texts (“Smishing”), or even embed malicious QR codes into emails and social media promotions (“Quishing”). Emails and texts with urgent language that piggybacks off the Black Friday craze can cause even the most threat-savvy users to click on phishing links, leading to the compromise of your networks and delivery of malware.

Educating users on phishing is essential, but it is only the first line of defense. How do you stop malware from attacking and propagating after the user has clicked on a phishing link?

F5 SSL Orchestrator can help your organization stop phishing attacks before they harm your network. By decrypting encrypted payloads (such as email and social media communications, which heavily leverage TLS certificates), SSL Orchestrator can gain visibility into encrypted payloads to scan for malware. Thus, when a user clicks on a phishing link disguised as a Black Friday deal, the packet will be inspected, identified as malware, and blocked from traversing and infecting your network.

With an F5 Secure Web Gateway Services add-on subscription, your organization can also block users from accessing websites that contain malware downloads. Since the F5 SWG Services database is updated consistently and many malicious sites are created and torn down within days, you will always be guaranteed protection from the latest phishing web pages.

Credential Attacks

But phishing is not the only attack type online retailers are vulnerable to during this high traffic buying season. Credential threats—such as brute force attacks, credential stuffing, and leaked credentials—can also pose severe risks to your customers and lead to account takeovers. And nothing wreaks havoc on a customer’s holiday shopping experience like fraud and credit card theft.

Fortunately, there are several ways you can stop a credential attack before it causes immense damage. While not entirely inevitable, leaked credentials are a mainstay of the digital-first world. F5 Leaked Credential Check is an add-on to F5 Advanced WAF that stops leaked or stolen credentials from being used to access apps, automatically detecting and mitigating compromised credential use so your customers can go about their holiday shopping without fear of fraud and identity theft. You don’t have to worry about fraudulent accounts filling their carts with goods or using stolen credentials to finance their spending spree.

F5 Leaked Credential Check augments the protection provided by F5 Advanced WAF, defending your business-critical apps from attackers using stolen credentials

Another way to prevent leaked or stolen credentials from being used is Shape Authentication Intelligence, which creates a “VIP Lane” by identifying known trusted users and giving them a frictionless, safe, and fast shopping experience. This is accomplished by leveraging AI—with a proprietary set of signals and advanced analytics—to identify returning, trusted users to your website and authenticate them frictionlessly and securely. The solution delivers a real-time recommendation to block or allow user access every time a user initiates a web application session, ensuring that even if an attacker steals your customer’s credentials, they will be unable to access your application. This guarantees that only real shoppers will be able to use their credentials to shop in your online store.

When bots are used to launch automated attacks that leverage stolen credentials to fraudulently gain access to your customers’ accounts, it is essential to determine whether a login is originating from a bot or a human and whether the login request is made with malicious or benign intent. Bot Defense delivers dedicated, outcome-driven defenses that protect critical assets from sophisticated attacks, safeguarding accounts from takeover and defeating credential stuffing attacks, protecting your customers from fraud during a time when wallets might already be stretched thin.

Credential stuffing attacks are distressingly easy—and inexpensive—to orchestrate

But fraud does not stop with automated schemes. Challenged by security defenses against automated attacks, cybercriminals continue their exploits and pivot to manually logging into accounts or even leveraging human click/labor “farms” to bypass anti-automation solutions. By monitoring transactions across the entire user journey, including after a successful login, Account Protection identifies user intent, detecting malicious activity to stop fraud before it happens. Account Protection is powered by a closed-loop AI engine and large-scale unified telemetry built on over a billion transactions per day.

Web Application Attacks

During the holiday season, which typically sees a massive spike in traffic to online retailers, it is also crucial to protect your web applications so that your shoppers can continue accessing and browsing your site and shopping for the holidays without downtime and with a frictionless experience. Attacks against your web applications—including DoS and DDoS attacks—can cut into your holiday shopping revenue streams and lead to frustration and friction for the end-user.

Depending on the deployment model that best suits the needs of your network, F5 provides a line of web application firewalls powered by the robust F5 WAF engine technology to help protect your business-critical applications during the busy holiday season.

With F5’s powerful WAF engine, protect your applications wherever they are hosted, and consume it the way that works for you

F5 Advanced WAF protects your apps with behavioral analytics, application-layer encryption, and proactive bot defense. It defends against sophisticated DoS attacks with behavioral DoS protection and automated Layer 7 DoS and DDoS detection for your traditionally architected web applications. F5 Threat Campaigns, an add-on intelligence subscription for Advanced WAF, can be used to map a specific attack incident to a widespread, sophisticated threat campaign, helping to stop extensive attacks before they do significant damage. You can also block specific IP addresses used in web application attacks with the F5 IP Intelligence add-on.

NGINX App Protect WAF protects your modern architected apps and APIs from the latest, most advanced attacks and data exfiltration methods. It leverages security controls ported directly from F5 Advanced WAF, with CI/CD integration for developers. NGINX App Protect DoS may be a good fit for your business to defend your modern web applications against attacks designed to render your applications unavailable. NGINX App Protect DoS protects your organization against hard-to-detect Layer 7 DoS attacks and leverages a no-touch configuration model to simplify DoS security for modern apps. And as the solution defends against more attacks, it learns and adapts accordingly.

And for a fully managed SOC solution for deployment in a hybrid or multi-cloud environment, consider Silverline Web Application Firewall and Silverline DDoS Protection. Silverline Web Application Firewall is a managed service that protects your applications from Layer 7 attacks, zero-day attacks, OWASP Top 10, and credential stuffing. Silverline DDoS Protection scrubs network-level and signature-based attacks while defending against multi-terabit volumetric attacks and Layer 7 attacks. As an add-on, Silverline Threat Intelligence Service can detect and block IPs used in DDoS attacks to ensure that frequent bad actors are prevented from committing future attacks.

To retain the attention of distracted holiday shoppers, access to your application must be frictionless and secure. F5 Shape’s platform safeguards the world’s largest apps, protecting billions of transactions every day. Get a free application threat assessment to learn more about your attack surface, and learn how you can prevent e-commerce account takeover by attending our upcoming webinar.

Learn More

To discover how your organization can protect itself and do good for your customers this holiday shopping season, please contact your F5 Sales Manager or email us