The growing army of ‘Grinch bots’ trying to steal Christmas
Five minutes before the drop, you’re ready. Browser poised, you’re logged in, payment info up to date. As the scheduled time approaches, you start frantically refreshing. And . . . not again! Another limited release sold out in seconds. Don’t blame the lightning-fast fingers of your fellow human shoppers. Blame the Grinch bots.
A “bot” refers to any software program designed to simulate a human user on the internet. There are “good” bots—such as the web crawlers Google uses to index the internet—and there are “bad bots,” used for things like account-takeover attacks (to gain access to financial accounts or personal data) and inventory scalping. (The bots that Elon Musk worried about before his purchase of Twitter were so-called account-generation bots, which create fake social media users.)
Inventory-scalping bots, aka “Grinch bots,” tend to proliferate as the holidays approach. Last year, bot-related attacks on retail sites grew 10% in October, and another 34% in November, according to data published by cybersecurity firm Imperva in its 2022 Bad Bot Report. In September and October of this year, Imperva saw an average of 69.5 million bot requests across e-commerce sites daily, versus a monthly average in 2022 of 46.5 million. Thanks to a massive attack that hit a major retailer with 5.2 billion automated requests, this November has been the busiest month yet for the cybersecurity firm, which serves more than 6,200 enterprises and organizations worldwide.
Bots likely played a big role in last week’s Taylor Swift-Ticketmaster imbroglio. In a well-intentioned effort to deter bot scalpers, Ticketmaster had distributed unique codes to preregistered users, which let them in for a presale. But when the site opened up for these 1.5 million “verified” fans, it was hit with 14 million users—humans and bots. Chaos ensued, and thousands were left without tickets. Before general ticket sales began, resale tickets were already appearing, with reported prices as high as $28,000. The regular public sale was canceled.
Here’s what you should know about these potential holiday spoilers, including what businesses are doing to stop them—and how you can improve your odds against them.
Bots are getting worse
According to Imperva, which has tracked human and bot traffic since 2014, nonhuman software agents currently account for about 42% of all internet traffic; and since 2018, the proportion of bad bots across all websites has increased from 20.4% to nearly 28% in 2021. Nearly two-thirds of bad bot traffic is classified as “evasive”—that is, it uses techniques such as imitating human-like mouse movement and clicks, regularly changing IP addresses, and timing requests to appear more like a legitimate user. Over 31% of bad bot traffic is “advanced,” meaning it uses cutting-edge detection-evasion scripts. Bad actors don’t even need to trawl the dark web to find a plug-and-play bot for their needs—software is easy to find on the plain old internet.
Retail is a target
Bots impact many industries—about 84% of financial institutions, for example, have experienced account takeovers in the past year, costing billions of dollars, according to research by the Aberdeen Group. But many of the most advanced bad bots now target retail and travel sites. Imperva estimates that roughly 40% of all traffic to retail sites comes from bots; and in 2021, 22.6% of all online retail logins were malicious—nearly twice the volume of other industries.
Bots hurt consumers and retailers
You might think that it doesn’t really matter to a company like Sony or Nike if their game consoles or sneakers are consistently snapped up by scalpers. Not so. “Most immediately, it impacts the retailers that sell the PlayStations or other goods on behalf of the manufacturers,” says Pam Murphy, CEO of Imperva. For one thing, the sheer volume of inventory scalping can overwhelm retailers’ sites and make them hard for anyone to access. “Retailers also have to deal with disgruntled customers who really want to get their hands on the object, who go in there straightaway as soon as it’s available, and fail to get anything into their cart,” she says. “It hurts their reputation.” Retailers also miss out on selling the add-ons or accessories that real customers typically buy to go with something like a new gaming console. “When the bots take the main equipment, people are not going to buy the accessories,” says Murphy. Scalpers probably impacted video game sales, too—in the first month of PS5 sales in late 2020, for example, one analysis found that just one in three console buyers had actually bought a game, suggesting the rest of the consoles were sitting in scalpers’ closets.
Travel is another big target
In 2021, 70.3% of advanced bot attacks were on the travel industry, a 10% increase from the previous year. Bot operators target travel sites to try to undercut their competitors’ prices and to steal loyalty points. Bad bots are often used for “seat spinning,” which hurts third-party travel-booking services: the bot claims an airline seat or hotel room for a 24-hour period without paying for it—a hold that many sites provide as a “benefit”—and then tries to resell the reservation at a higher cost on a different site. If the bot operator can’t sell the reservation, they release it back, creating an inventory management headache for airlines and hotel chains and a false sense of scarcity for consumers.
Bots are (mostly) legal
Serious regulation of bad bots has been slow in coming. In 2016, the BOTS (Better Online Ticket Sales) Act went into effect, prohibiting the use of automated software to get around purchase limits on tickets for concerts, theater performances, live sports, and other events. The first case brought under the Act came in January 2021—which gives you an idea of where bots stand on the Federal Trade Commission’s list of priorities. The Stopping Grinch Bots Act of 2021, which would crack down on e-commerce scalping bots, was introduced in the U.S. House and Senate by Democratic lawmakers last November. It has been in committee in both houses for the past year.
What businesses are doing to fight them
Cybersecurity firms like Imperva, Human Security, and others protect clients from bad bots through extensive threat monitoring—creating inventories of IPs with bad reputations, for a start—and behavioral analysis. “You establish a baseline for what is normal, and then everything above that, you have to sort of be wary about it being a bot,” Murphy says. Tip-offs can include things like an unusual volume of failed log-in attempts, elevated “bounce rates” (an increase of website visitors who show up and leave after just a few seconds), lots of failed attempts to validate gift cards, and a sudden increase in visitors from an unexpected location or geography. Each customer can create their own set of blocking rules: “It’s important not to create false positives and block real customer activity,” says Murphy. At a minimum, businesses should make sure their software is patched for the latest vulnerabilities and put extra security around the parts of their site—log-in, gift cards, checkout—that bots are going to go after. Many companies, of course, have more than just a website. “Don’t forget that you have a lot of APIs,” says Murphy. “You may have mobile sites. We often see businesses forgetting about those. And you’re only as strong as your weakest link.”
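To make the “establish a baseline, then watch for deviations” idea concrete, here is an added example (written for this piece, not Imperva’s or Human Security’s detection logic) that computes the four tip-offs Murphy lists over a quiet baseline hour and a drop-time window. The log format, the sample lines, the `ZZ` country code, and the `factor`/`floor` thresholds are all constructed for illustration; a real deployment would tune those thresholds against its own traffic precisely because of the false-positive concern raised above.

```python
"""Baseline-vs-window bot tip-off detection over constructed web logs.

Added example, not vendor code. Log line format (constructed):
  <timestamp> <client_ip> <country> <method> <path> <status> dwell=<seconds>
"""
import re
from collections import Counter
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cc>[A-Z]{2}) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) dwell=(?P<dwell>\d+)$"
)


def parse_lines(lines):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["dwell"] = int(d["dwell"])
        events.append(d)
    return events


@dataclass
class Metrics:
    requests: int
    login_failure_rate: float      # 401s as a share of /login requests
    giftcard_failure_rate: float   # 4xx as a share of /giftcard/validate calls
    bounce_rate: float             # share of requests with dwell < 5s (simplified proxy)
    country_share: dict = field(default_factory=dict)  # country -> share of requests


def _rate(events, path, failed):
    subset = [e for e in events if e["path"] == path]
    if not subset:
        return 0.0
    return sum(1 for e in subset if failed(e)) / len(subset)


def compute_metrics(events):
    n = len(events)
    if n == 0:
        return Metrics(0, 0.0, 0.0, 0.0, {})
    countries = Counter(e["cc"] for e in events)
    return Metrics(
        requests=n,
        login_failure_rate=_rate(events, "/login", lambda e: e["status"] == 401),
        giftcard_failure_rate=_rate(events, "/giftcard/validate", lambda e: 400 <= e["status"] < 500),
        bounce_rate=sum(1 for e in events if e["dwell"] < 5) / n,
        country_share={cc: c / n for cc, c in countries.items()},
    )


def flag_anomalies(baseline, window, factor=3.0, floor=0.10):
    """Alert when a window metric exceeds `factor` x its baseline AND an absolute
    `floor`, so a near-zero baseline does not trigger on a single stray event."""
    alerts = []
    for name in ("login_failure_rate", "giftcard_failure_rate", "bounce_rate"):
        b, w = getattr(baseline, name), getattr(window, name)
        if w >= max(floor, b * factor):
            alerts.append(f"{name}={w:.2f} (baseline {b:.2f})")
    for cc, share in sorted(window.country_share.items()):
        b = baseline.country_share.get(cc, 0.0)
        if share >= max(floor, b * factor):
            alerts.append(f"geo_spike:{cc}={share:.2f} (baseline {b:.2f})")
    return alerts


def _lines(n, ts, ip_base, cc, method, path, status, dwell):
    """Build n constructed log lines sharing the given attributes."""
    return [f"{ts} {ip_base}.{i % 250 + 1} {cc} {method} {path} {status} dwell={dwell}"
            for i in range(n)]


# Constructed baseline: a quiet hour, mostly US browsing with a few natural failures.
BASELINE_LOG = (
    _lines(60, "2022-11-28T09:00:00Z", "198.51.100", "US", "GET", "/product/console", 200, 45)
    + _lines(18, "2022-11-28T09:00:00Z", "198.51.100", "US", "POST", "/login", 200, 60)
    + _lines(2, "2022-11-28T09:00:00Z", "198.51.100", "US", "POST", "/login", 401, 30)
    + _lines(9, "2022-11-28T09:00:00Z", "198.51.100", "US", "POST", "/giftcard/validate", 200, 40)
    + _lines(1, "2022-11-28T09:00:00Z", "198.51.100", "US", "POST", "/giftcard/validate", 400, 40)
    + _lines(10, "2022-11-28T09:00:00Z", "203.0.113", "GB", "GET", "/product/console", 200, 50)
)

# Constructed drop-minute window: real shoppers plus a burst from an unexpected
# geography ("ZZ" is a user-assigned ISO code used here as a placeholder) that
# hammers log-in and gift-card validation and leaves within a second.
DROP_LOG = (
    _lines(40, "2022-11-28T10:00:00Z", "198.51.100", "US", "GET", "/product/console", 200, 45)
    + _lines(10, "2022-11-28T10:00:00Z", "198.51.100", "US", "POST", "/login", 200, 60)
    + _lines(120, "2022-11-28T10:00:00Z", "192.0.2", "ZZ", "POST", "/login", 401, 1)
    + _lines(30, "2022-11-28T10:00:00Z", "192.0.2", "ZZ", "POST", "/giftcard/validate", 400, 1)
)


def run_example():
    baseline = compute_metrics(parse_lines(BASELINE_LOG))
    return flag_anomalies(baseline, compute_metrics(parse_lines(DROP_LOG)))


if __name__ == "__main__":
    for alert in run_example():
        print("ALERT", alert)
```

Run as a script it prints four alerts for the drop window (login failures, gift-card failures, bounce rate, and the geo spike) and none when the baseline is compared against itself. The `floor` argument is the knob that keeps an ordinary busy day from tripping every rule; lowering `factor` makes the rules more sensitive at the cost of more false positives on real customers.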
What shoppers can do to beat the bots
Resist the urge to do what scalpers want you to do (and what eBay and StockX don’t mind): buy the unattainable toy, gadget, or ticket at their ridiculous markup. Not only does this support the scalpers, but your risk of additional scams—like the theft of personal information and credit card data—increases as you move further from the legitimate retail market. You can prep for the next drop with advice from experts like journalist Matt Swider (who offers tips and alerts about gaming console drops) and numerous experts on sneakers and other goods. Security experts also suggest shopping from retailers that show signs that they are taking bot security seriously, with “are you human” challenges, like CAPTCHAs. “That tells you there’s some authentication happening,” says Murphy. “If you’re greeted with challenges when logging in, that’s a good sign.”