Preparing for increased sophistication of shopping bots
By Jason Kent, Hacker in Residence, Cequence Security
Jason Kent is Hacker in Residence at Cequence Security, where he does research, community outreach, and supports efforts in identifying automated attacks against web, mobile, and API-based applications to keep Cequence's customers safe. Over the last 20 years, Jason has been ethically peering into client behavior, wireless networks, web applications, APIs, and cloud systems, helping organizations secure their assets and intellectual property from unauthorized access. As a consultant he's taken hundreds of organizations through difficult compliance mine fields, ensuring their safety. As a researcher he's found flaws in consumer IoT systems and assisted in hardening them against external attacks.
As retailers worldwide prepare for the holiday shopping season, bot operators are doing the same – selecting targets and gathering the tools and infrastructure needed to carry out their automated shopping bot attacks.
According to Forrester, over 60% of businesses report losing between 1% and 10% of their revenue to web scraping attacks alone. Unfortunately, this problem isn’t going away. It will likely get worse, as the State of API Economy by Google ranked retail as one of the top industries to experience the largest share of application program interface (API) traffic.
Compared to other kinds of automated bot attacks, shopping bots are perhaps the most sophisticated. They have become increasingly commercialized with bots-as-a-service availability, where users can subscribe to a service to execute their own shopping bot attacks. Shopping bot attacks combine scraping, account takeover, fake account creation and enumeration attacks to reach their end goal.
Let’s examine how brands can prepare for the increased sophistication of shopping bots this holiday season by examining four of the most common shopping bot tactics.
Common Shopping Bot Tactics
A considerable amount of money can be made in the resale and secondary markets for high-demand items, and threat actors are increasingly upping their investments in the tools they need to succeed.
Once upon a time, bot operators had to find the necessary resources – tools, passwords, scripts and infrastructure – to carry out an attack. However, the rapid rise of bots-as-a-service, a commercialized set of tools that allows almost anyone to become a bot operator, now allows virtually anybody to have access to a bot that can help them acquire the products of their choosing. The bot commercialization trend is having the greatest impact on hype sales, which occur when limited-quantity, high-demand products are released and the seller is inundated with requests from real customers and automated bots.
Before executing a shopping bot attack, bot operators often prepare using the following tactics:
- Fake Account Creation: Bot operators need two types of fake accounts to execute attacks. One set is created on the retail site to increase the odds of scoring the target high-value item. Botters will also need multiple email accounts for communications on the success of the purchase, delivery times, and so on. To maximize their chances of success, threat actors create hundreds or thousands of fake accounts using automation.
- Content Scraping to Track Inventory: When a retailer updates inventory before launching their new product, bot operators will use content scraping tools to check the inventory API to determine when the item will be available. Once that information is confirmed, bot operators use automation to log in to their fake accounts and pre-load their shopping carts.
- Cart Build-up, Cart Farming and Product Switching: Many online shopping carts today don’t expire – leaving the window open for bot operators to load their virtual shopping carts linked to their fake accounts with low-cost, unwanted products. Once the high-demand item becomes available, they will add the limited-quantity item to the cart for more rapid execution.
- Infrastructure Build-up: Large-scale shopping bot attacks require scalable, widely distributed infrastructure to help ensure that the malicious transaction appears as legitimate as possible. Commercially available proxy services allow bot operators to subscribe to many IP addresses, often based on location, through which they will route their malicious traffic. In doing so, the retailer is less likely to block the transaction for fear it is a real user.
- Third-party One-click Purchase APIs: One-click pay APIs, like Google Pay, PayPal Express and ApplePay, are designed for humans to have a frictionless purchasing experience. Unfortunately, these third-party purchase APIs are also a perfect target for attackers, as they allow them to complete their purchases more quickly and on a larger scale.
To protect shopper interactions and applications more effectively from malicious bots, retailers must embrace a real-time strategy to effectively detect malicious bot traffic and block it.
What Can Retailers Do?
Today, most retail and e-commerce companies do not have the visibility and protection capabilities they need to defend against the growing risk from APIs and other application connections. In preparation for the 2022 holiday rush, e-commerce and retail companies must stress test their infrastructure and identify potential risks and fraud.
Stress Testing Infrastructure: Excessive bot traffic is known for slowing down applications and negatively impacting a user’s experience, so often, retail and e-commerce companies deploy more infrastructure than necessary to compensate for the resources used by malicious bots. Retail and e-commerce companies must ensure their applications won’t collapse with the increased web traffic from legitimate shoppers and bots. Organizations with the time and resources to simulate attack traffic should do so — especially if they are releasing a hot new item in high demand. Security teams should take an outside-in discovery approach—viewing the organization’s attack surface from a threat actor’s perspective—which will allow them to better scope ways to increase capacity and run through several risk scenarios so that they have a plan of action.
Identifying Possible Risks and Fraud: Even with bot mitigation methods in place, retail and e-commerce companies are still very likely to have malicious activity that goes undetected. Bots adapt quickly and can retool and identify ways to bypass defenses. Security teams should prepare for this by continuously scanning for threats and employing countermeasures such as real-time blocking and alerts. For example, security teams should investigate further if order requests are increasing so rapidly that the back end is struggling to scale.
When preventing bot-based business logic abuses, a traditional security strategy will no longer suffice. To protect shopper interactions and applications more effectively from malicious bots, retailers must embrace a real-time strategy to effectively detect malicious bot traffic and block it. This can be achieved with a modern tool set centered around behavior-based threat detection and flexible mitigation.