Pay attention to suspicious traffic
Posted: Mon May 26, 2025 3:25 am
During peak online shopping seasons you will see increased traffic from genuine shoppers mixed with malicious traffic. If you notice an uptick in traffic, check your security logs for irregularities. Security logs are stored in the following path:
In the above examples, the attempts came from a specific IP address or from multiple IP addresses within the same autonomous system number (ASN). One possibility is that these were genuine storefront login attempts by a shopper who forgot their username, but further analysis is needed to confirm that. As you analyze the logs, patterns will start to become apparent.
Monitoring traffic
Every security analyst should ask the following questions when examining these types of security logs:
Is this amount of traffic normal compared with your typical traffic metrics? Take this hypothetical scenario: does it make sense for your organization to see 10,000 hits during peak hours, with 10% of that traffic resulting in customer_not_found?
Did the traffic come from the same source (the same IP addresses or the same ASNs), or from a country that your store doesn't deliver to?
Did the events come from web browser versions that are out of date or no longer in common use?
For example, the user agent Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) was common back in 2015, when Internet Explorer 11 on Windows 7 was widely used, but it is rarely seen in 2024. A user agent string is trivially spoofed, so treat it as a corroborating signal rather than proof.
If your log activity doesn't align with typical patterns or expected activity, the next thing to look for is successful authentication attempts from those suspicious sources. Many users reuse the same username and password combination across different sites, which lets threat actors test leaked credentials against multiple sites to see whether the same combination works (credential stuffing). If you suspect a bad actor has gained access to a user account, the quickest short-term containment step is to initiate a password reset for that account. If you're worried about having to perform the password resets one by one, the following two OCAPI endpoints can be used to perform bulk password resets.
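The triage questions above (volume against baseline, clustering by IP and ASN, undeliverable countries, dead browsers) and the follow-on step of looking for successful logins from the same suspicious sources, as one added example written for this page. It is not Salesforce code: the log line layout, field names, sample lines and thresholds are all assumptions constructed for the demonstration, not the real B2C Commerce security-log format, and the output is only a list of accounts to consider for a forced password reset.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample lines for this example. The layout (ISO timestamp, event
# name, then key=value fields) and the field names are assumptions for the
# demonstration, not the real B2C Commerce security-log format.
SAMPLE_LOG = """\
2025-05-25T10:00:01Z customer_not_found ip=203.0.113.10 asn=64500 country=US user=alice@example.com ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-05-25T10:00:02Z customer_not_found ip=203.0.113.10 asn=64500 country=US user=bob@example.com ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-05-25T10:00:02Z customer_not_found ip=203.0.113.10 asn=64500 country=US user=carol@example.com ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-05-25T10:00:03Z customer_not_found ip=203.0.113.10 asn=64500 country=US user=dave@example.com ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-05-25T10:00:03Z customer_not_found ip=203.0.113.11 asn=64500 country=US user=erin@example.com ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-05-25T10:00:04Z customer_not_found ip=203.0.113.11 asn=64500 country=US user=frank@example.com ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-05-25T10:00:05Z login_success ip=203.0.113.10 asn=64500 country=US user=grace@example.com ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
2025-05-25T10:01:10Z login_success ip=198.51.100.7 asn=64496 country=GB user=heidi@example.com ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"
2025-05-25T10:01:30Z customer_not_found ip=198.51.100.8 asn=64496 country=GB user=hiedi@example.com ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"
2025-05-25T10:02:00Z login_success ip=192.0.2.77 asn=64511 country=ZZ user=ivan@example.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
2025-05-25T10:02:15Z login_success ip=198.51.100.9 asn=64496 country=US user=judy@example.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
2025-05-25T10:02:40Z customer_not_found ip=198.51.100.12 asn=64496 country=US user=kim@example.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Substrings that identify end-of-life browser engines/platforms (IE and Windows 7).
# An assumed starting list; extend it from your own traffic.
OUTDATED_UA_MARKERS = ("Trident/", "Windows NT 6.1", "MSIE ")


def parse_line(line):
    """Parse one line of the assumed format into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m["ts"], "event": m["event"]}
    for key, raw, quoted in KV_RE.findall(m["rest"]):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


@dataclass
class Findings:
    total_events: int
    not_found_ratio: float       # share of all events that were customer_not_found
    ratio_exceeds_baseline: bool
    flagged_asns: list           # ASNs with failures at or above asn_fail_threshold
    flagged_ips: dict            # ip -> sorted list of reason tags
    reset_candidates: list       # accounts that logged in successfully from a flagged ip


def triage(log_text, delivery_countries, baseline_ratio=0.05,
           ip_fail_threshold=3, asn_fail_threshold=5):
    """Work through the triage questions over the log, then list successful
    logins from the sources those checks flagged. Thresholds are assumed
    values; derive real ones from your own baseline traffic metrics."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    not_found = [e for e in events if e["event"] == "customer_not_found"]
    ratio = len(not_found) / len(events) if events else 0.0

    fails_by_ip = Counter(e.get("ip") for e in not_found)
    fails_by_asn = Counter(e.get("asn") for e in not_found)
    flagged_asns = sorted(a for a, n in fails_by_asn.items() if n >= asn_fail_threshold)

    tags = defaultdict(set)
    for ip, n in fails_by_ip.items():
        if n >= ip_fail_threshold:
            tags[ip].add("high_failure_volume")
    for e in events:
        ip = e.get("ip")
        if e.get("asn") in flagged_asns:
            tags[ip].add("flagged_asn")
        if e.get("country") and e["country"] not in delivery_countries:
            tags[ip].add("undeliverable_country")
        if any(marker in e.get("ua", "") for marker in OUTDATED_UA_MARKERS):
            tags[ip].add("outdated_user_agent")
    flagged_ips = {ip: sorted(t) for ip, t in tags.items()}

    # Successful logins from a flagged source are the accounts to contain first.
    reset_candidates = sorted({e["user"] for e in events
                               if e["event"] == "login_success" and e.get("ip") in flagged_ips})
    return Findings(len(events), ratio, ratio > baseline_ratio,
                    flagged_asns, flagged_ips, reset_candidates)


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG, delivery_countries={"US", "GB", "CA"})
    print(f"events={findings.total_events} customer_not_found={findings.not_found_ratio:.0%}")
    for ip, why in findings.flagged_ips.items():
        print(f"  {ip}: {', '.join(why)}")
    print("force password reset for:", ", ".join(findings.reset_candidates))
```

On the constructed sample the single mistyped username from 198.51.100.8 is left alone (one failure, delivery country, current browser), while the two addresses in ASN 64500 are flagged on volume, ASN clustering and the IE11 user agent, and the one account that logged in successfully from that cluster lands on the reset list together with the login from a country the store does not deliver to.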