In the Asia Pacific and Japan (APJ) region, over 1.15 billion web attacks were recorded in the commerce sector, across retail and hotel and travel verticals, according to a new report from cloud company, Akamai Technologies.

The Entering through the Gift Shop: Attacks on Commerce report found that commerce remains the most targeted web attack vertical, accounting for over 14 billion or one-third (34%) of observed incursions, largely due to the industry’s continued digitalisation and the attackers’ available selection of web application vulnerabilities to breach their intended targets.

The research also uncovered that Local File Inclusion (LFI) attacks increased 300% between Q3 2021 and Q3 2022 and are now the most common attack vector used against the commerce sector. This indicates an attack trend toward remote code execution and hackers leveraging LFI vulnerabilities to gain a foothold for data exfiltration.

Attack vectors such as Server-Side Request Forgery (SSRF), Server-Side Template Injection (SSTI), and Server-Side Code Injection have also been gaining popularity. They pose a significant threat to commerce organisations and other verticals, preventing online sales and damaging a company’s reputation.

As commerce organisations increasingly rely on web applications to drive customer experience and online conversions, adversaries target vulnerabilities, design flaws or security gaps to abuse web-facing servers and applications. Globally, retail remains the most targeted subvertical within commerce, accounting for almost two-thirds (62%) of attacks on the sector.

The top web attack target areas in APJ for retail are India and China. Loyalty and rewards programs, in combination with a proliferation of shopping days across these areas, present attractive opportunities for cybercriminals to ply their trade.

The hotel and travel subvertical also emerged as a particularly attractive target to attackers, with the bulk of all transactions conducted online, driven by Australia (63.72%), followed by India (22.44%).

“Amid the mid-year shopping and travel season, these insights around the commerce sector present a timely reminder that commerce organisations need to be on high alert to adapt to a myriad of methods used by attackers – from web applications and bots to phishing and the use of malicious third-party scripts,” Akamai security technology and strategy director for APJ, Reuben Koh said.

“To stay ahead of attack attempts, commerce organisations should stay updated on the latest attack trends and constantly re-evaluate their security posture and controls. When considering specific cyber defence solutions, organisations need to make sure that the chosen solutions are adaptive enough to counter against the ever-changing threat landscape and minimise the risks posed by adversaries who are getting more sophisticated every day.”