Introduction
Black Friday has long been a cornerstone of the retail calendar, not just in the United States but around the globe. During this period, including Thanksgiving weekend and Cyber Monday, consumers anticipate steep discounts and rush to purchase products both in-store and online. However, these low prices also bring about a surge in unethical buying practices and automated attacks that can disadvantage both retailers and genuine customers.
Last year, we delved into how malicious bots exploited Black Friday 2022 sales by analyzing data from retail enterprises protected by F5 Distributed Cloud Bot Defense. In that article, we concluded that while Black Friday led to increased legitimate user traffic, there was no widespread rise in unwanted automation across online retailers as a whole. However, grocery enterprises on the web, and fashion and eCommerce mobile applications, did see a notable increase in automated attacks. Malicious automation targeting user login and user registration pages rose markedly, and attack sophistication increased during this period.
As retailers across the world brace for Black Friday 2024, they are wondering whether they will face similar challenges, or if new threats will emerge. This analysis hopes to shed some light on these questions based on Black Friday 2023, and suggest strategies to safeguard businesses and consumers in the upcoming Black Friday season.
Executive Summary
The 2023 Black Friday shopping season revealed critical insights into legitimate customer traffic and malicious automation trends. Retailers saw an impressive 46.6% increase in legitimate traffic compared to 2022 with elevated transaction volumes persisting for four days post-event. However, malicious automation declined slightly, year-on-year, a reduction largely attributed to the attackers growing weary of being continuously blocked.
Despite the overall decline, specific industries such as grocery and fashion retail experienced targeted automated attacks. Grocery retailers faced significant increases in bot-driven activities, particularly targeting web login and account registration flows, with malicious automation peaking at 21.8% on Black Friday. Similarly, fashion retailers were heavily impacted by bots targeting gift card abuse and account login pages. Mobile APIs also became a critical attack vector, with grocery retailers facing persistent scraping attacks on "add-to-cart" pages and fashion retailers enduring a surge in mobile API login automation leading up to Black Friday. These patterns demonstrate a shift in attacker behavior, with increased sophistication and focus on high-value flows such as fake account creation and credential stuffing.
Black Friday 2023 Analysis
Later sections in this article will explore the differences we found between how web and mobile apps are targeted, as well as highlight those industries most affected. Let us first start, however, at a high level and uncover whether malicious automation does indeed peak during periods of intense sales.
Legitimate Traffic Went Up!
In both 2022 and 2023, retail companies experienced a significant uptick in legitimate customer traffic leading up to Black Friday. The steep rise in the legitimate traffic volume during Black Friday 2023 is illustrated in Figure 1. Since Black Friday (labelled ‘BF’ in figures) falls on different days across the two years, the x-axis has been adjusted to show the number of days before and after ‘BF’ so we can easily compare the two years. This ‘BF’ scale for the x-axis will be used throughout this article.
Customer traffic to both web and mobile apps surged by 46.6% on Black Friday itself, with elevated transaction volumes persisting for the next four days (by contrast, 2022 saw an increase of 23.2% on Black Friday).
Malicious Automation Went Down
Figure 2 shows the change in malicious automation volume between 2022 and 2023. The first thing to note is that automation volumes in 2023, taken as a whole across all industries and application types, were lower than in 2022. This may appear to be good news for many retailers although, as we explore in more detail later, some industries are more heavily targeted than others.
We saw an average of 7.6% automation in 2023, down from 17.1% in 2022. This decrease is primarily attributed to malicious actors giving up after persistently being blocked by F5 Distributed Cloud since 2022. Automated attack volumes tend to trend down over time when attacks are effectively blocked due to attackers throwing in the towel and moving on to new targets.
Automation volume was also less volatile in 2023 compared with 2022 with only minor fluctuations throughout the 2023 Black Friday period. Digging deeper into this reduced volatility revealed that scrapers made up a much larger proportion of automation in 2023 compared with the previous year. Scrapers, such as those used by AI bots to harvest data, tend to have more consistent traffic patterns than other kinds of automation like reseller, gift card, fake account, and credential stuffing bots, which made up a larger proportion of 2022 automation.
Building Up to Black Friday
So far our analysis has focused on Black Friday and the three weeks preceding it. What can we learn if we look further back in time? We now go back three months before Black Friday and dive a little deeper. Figure 3 splits out the automation rates between ‘web’ (traditional websites) and ‘mobile’ (API calls made by mobile apps).
In 2023, while overall automation was down compared with 2022, malicious automation targeting web apps did increase in the month leading up to Black Friday. Bot traffic rose from 7.5% of all traffic to a peak of 14.0% a week before Black Friday. Automation then remained between 10% and 12% of all traffic until the day of Black Friday, when it dropped back to its earlier level (7.9%).
This trend was not observed in 2022.
Two explanations for the drop in the proportion of web automation on Black Friday are plausible. One is stock depletion of targeted goods under high demand, which leaves bots with nothing left to buy. The other is the dramatic increase in legitimate users: the automation rate is bot requests divided by all requests, so a surge in legitimate traffic inflates the denominator and pushes the percentage down sharply even if the absolute volume of bot requests is unchanged. Comparing absolute bot request counts, rather than percentages, across the days around Black Friday is the quickest way to tell the two apart.
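To make the denominator effect concrete, here is an added Python example. It is not code or data from F5 or this article: the daily counts are constructed to mimic the percentages quoted above (14.0% a week out, 7.9% on the day) for a hypothetical retailer. It aligns a daily series to the 'BF' day-offset scale used in the figures, computes the automation rate, and contrasts the change in rate with the change in absolute bot volume between the day before Black Friday and the day itself.

```python
from datetime import date, timedelta

# Constructed sample (NOT the article's data): daily request counts, in
# millions, for a hypothetical retailer's web app in November 2023.
# Legitimate traffic jumps on Black Friday while bot volume stays flat.
SAMPLE_2023 = [
    # (calendar date, legitimate requests, bot requests)
    (date(2023, 11, 17), 100.0, 16.3),
    (date(2023, 11, 20), 102.0, 12.5),
    (date(2023, 11, 23), 105.0, 12.4),
    (date(2023, 11, 24), 147.0, 12.6),   # Black Friday: legit +40%, bots ~flat
    (date(2023, 11, 25), 140.0, 12.6),
]


def black_friday(year):
    """Black Friday is the day after the fourth Thursday of November."""
    nov1 = date(year, 11, 1)
    first_thursday = nov1 + timedelta(days=(3 - nov1.weekday()) % 7)  # Thursday == 3
    return first_thursday + timedelta(days=21 + 1)


def automation_rates(rows, year):
    """Return one record per day on the 'BF' scale: offset in days from
    Black Friday, absolute counts, and the automation rate bots/(legit+bots)."""
    bf = black_friday(year)
    records = []
    for day, legit, bots in rows:
        records.append({
            "bf_offset": (day - bf).days,
            "legit": legit,
            "bots": bots,
            "rate": bots / (legit + bots),
        })
    return records


def record_at(records, bf_offset):
    """Look up the record for a given day offset (0 is Black Friday itself)."""
    return next(r for r in records if r["bf_offset"] == bf_offset)


def volume_vs_rate_change(before, after):
    """Relative change in absolute bot volume and in the automation rate
    between two records. A large negative rate change alongside a near-zero
    volume change is the signature of the denominator effect."""
    return {
        "bot_volume_change": after["bots"] / before["bots"] - 1,
        "rate_change": after["rate"] / before["rate"] - 1,
    }


if __name__ == "__main__":
    recs = automation_rates(SAMPLE_2023, 2023)
    for r in recs:
        print(f"BF{r['bf_offset']:+d}: bots={r['bots']:.1f}M  rate={r['rate']:.1%}")
    chg = volume_vs_rate_change(record_at(recs, -1), record_at(recs, 0))
    print(f"day before -> Black Friday: bot volume {chg['bot_volume_change']:+.1%}, "
          f"automation rate {chg['rate_change']:+.1%}")
```

On this constructed input the automation rate falls by roughly a quarter between BF-1 and BF while absolute bot volume moves by under two percent; the same two numbers computed from a real bot-defense dashboard are what separate "bots stopped" from "legitimate traffic surged".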