During any holiday season, consumers have a tough time wrestling with each other for best-selling products, but now times have become even tougher, thanks to the proliferation of online “scalper” bots.
These robot shoppers emulate the activity of ticket scalpers in the real world.
“In a scalping attack, cybercriminals unleash automated scalping bots to buy sought-after products, such as limited editions of sneakers, concert tickets, designer clothing, game consoles or hot toys,” explained Kim DeCarlis, CMO of PerimeterX, a web security service provider in San Mateo, Calif.
“They set up fake accounts that browse product pages and execute checkouts to increase their chances of success,” she told the E-Commerce Times. “Then, after they’ve snapped up the best inventory, it is sold at inflated prices on third-party sites or sketchy secondary markets.”
2020 a Different Year for Bots Too
In a typical year, there are spikes in scalper activity around the holiday season when “must-have” products for gifts emerge. But, as everyone knows, 2020 hasn’t been a typical year.
“We saw spikes in Web traffic and attacks cascading across a variety of segments, including food and grocery, e-learning and hospitality, fashion and home goods, freelance, media, and marijuana during the shifts in online activity that began as COVID-19 swept the globe,” DeCarlis explained.
She added that there were even bots dedicated to finding highly coveted grocery delivery time slots for those who didn’t want to shop in person. In the U.K., it’s been reported those kinds of bots have been used to steal delivery slots earmarked for the elderly.
“Bots hoard valuable merchandise,” observed Sandy Carielli, a principal analyst with Forrester Research. “The pandemic has shifted the definition of valuable merchandise.”
“Pre-pandemic, common items of value targeted by bots were sneakers and theatre tickets,” she told the E-Commerce Times. “Early in the pandemic, when hand sanitizer was at a premium, bots hoarded that.”
Some cleaning items still haven’t lost their allure to the automated hoarders. “Every time I try to buy Lysol or Clorox wipes, they are snatched from me, whether on Amazon, Walmart, Target, or Office Depot. They are gone before I can complete my order,” Rosemary Coates, president of Blue Silk Consulting, a business advisory firm in Los Gatos, Calif., told the E-Commerce Times.
By the same token, some items never lose their value to scalper bots. “While gaming systems are always desirable, the fact that more people are staying home probably increased their value this time around,” Carielli noted.
Bots pose significant challenges to e-commerce sites. “Bots can be extremely difficult to distinguish from legitimate customers,” explained Paul Bischoff, privacy advocate at Comparitech, a reviews, advice and information website for consumer security products.
“To a retailer, the purchase activity looks pretty normal, other than being really fast,” he told the E-Commerce Times. “Once the purchase has been made, it can be difficult and costly to cancel the transaction.
According to the 2020 Identity Fraud Report, released in May by Javelin Strategy & Research, between 60 and 70 percent of all traffic to checkout pages is made up of malicious bots. That gets substantially worse during flash sales when as much as 90 percent of traffic to pages can be generated by bots waiting for new products to go on sale.
The report also revealed that 40 to 80 percent of retail login attempts are made by malicious bots.
DeCarlis added that from Thanksgiving to Cyber Monday this year, consumers spent $34.36 billion, an increase of more than 20 percent over 2019 when sales were $28.49 billion. During that period, her company, PerimeterX, which protects some of the largest and most reputable websites and mobile applications, detected 8.1 billion bot requests.
Anyone doubting the significance of bot attacks need only look at how angry PlayStation 5 customers are, added Carielli.
“Aside from frustrating their customers, retailers also risk blowback from the manufacturers, who might not be happy that so much of their merchandise ended up with bots.”
“If I were Sony,” she continued, “I’d be reluctant to allocate as much of the next big gaming system to retailers that couldn’t demonstrate their ability to block the bots.”
Bots can create a detrimental barrier between a brand and a consumer.
“If a consumer is trying to establish a relationship with a brand, direct access, availability, and price are very important to them,” explained Tom Tovar, CEO of Appdome, a Redwood City, Calif. maker of a security and integration platform for mobile developers and enterprise professionals.
“If you insert a bot into that relationship, it’s disrupted,” he told the E-Commerce Times. “Now the consumer has to buy from a person who is potentially selling it at a 300 percent markup. That dramatically impacts the brand’s ability to establish and maintain a relationship with a consumer.”
Tarnishing the Brand
These bots hurt the brands that want to ensure fairness and a good online experience for their customers and that dislike seeing their offerings go for high prices on secondary markets, noted DeCarlis.
“Bots can also impact an e-commerce business’s infrastructure and can crash websites and negatively impact response times for human visitors,” she said.
Retailers may not fully realize how harmful these bots can be because they are selling out their desirable inventory, added Carielli.
However, there’s a huge customer satisfaction issue, she continued. Loyal human customers will get frustrated and look to other retailers to get what they want, taking their peripheral and game purchasing with them.
“The bots aren’t buying any of those companion products, so the retailers lose sales there,” she said.
“The retailer gets money either way,” added Comparitech’s Bischoff, “but retailers that allow bots to flourish aren’t bringing in new customers and can earn a bad reputation.”
There are a variety of tools for battling bots. Most involve monitoring information such as IP addresses, service provider information, and traffic volumes. There are also solutions using machine learning and behavior-based and predictive analytics.
However, Appdome’s Tovar maintained that retailer response to bots has been fairly limited to date.
“Limiting the number of purchases is the easiest response, but it doesn’t really change anything,” he said. “The bots will rotate IP addresses and create fake user names, so limiting purchases really doesn’t provide an effective block to the bots.”
“Limiting purchases may be a deterrent to the human hoarder,” Tovar added, “but it won’t help against automated attacks.”
Carielli from Forrester Research agreed that there are plenty of solutions available that can block, delay, or frustrate bots.
“Such responses increase the cost of the attack and make it less profitable for the attacker,” she said. “The question is whether retailers have implemented sufficient bot protections. The outcry over the PS5 suggests that many have a ways to go.”