Retail’s #1 Demographic This Holiday? Bots.

November 16, 2017 — by Daniel Smith


More than half of all internet traffic is bot-driven. That means that if you have a website, you have experienced bots in one way or another. Bots are automated software that interacts with your website for a number of different reasons, some legitimate and some not.

In general, there are two types of bots: the good and the bad. Good bots include search bots, crawlers and feed fetchers. GoogleBot, for example, is Google’s crawler (known as a spider), used to update its search index. Good bots also serve critical functions such as price aggregation or customer service chatbots. However, for every good bot in the world, there is a bad bot wreaking havoc.

Bad bots create significant problems for retailers. They steal intellectual property via activities like web scraping, undercut or steal pricing information and disrupt inventory management. For example, sneaker bots have spread beyond the sneaker market and now let collectors purchase multiple pairs of highly anticipated, limited product before a normal user can even access the website.

Radware’s research indicates that bot traffic represents more than half of the internet traffic seen today. Some retailers even see bot activity exceeding 75% of their total traffic. Of that bot traffic, 49% is considered to be generated by bad bots. This is problematic considering that a third of organizations cannot tell the difference between a good bot and a bad one.

Malicious bots have gotten so bad that this year New York passed a bill, S.8123/A.10713, that makes it a Class A misdemeanor for scalpers to use automated retail bots to purchase tickets. This bill came after it was discovered that several third-party resellers were able to purchase nearly 40% of the available tickets for a Broadway show, Hamilton, using automated bots.


Today you can find a number of vendors selling automated software packaged for scalping so resellers can take advantage of e-commerce sites. Some of these bots are so advanced that they have the ability to break CAPTCHA and other mitigation techniques.

Automated bots also create a problem for analyzing website traffic and user behavior. These automated bots impact traffic data by poisoning the data set, resulting in a reduced quality of analysis and limited optimization.

Different verticals are impacted by bot traffic in different ways. Understanding which bots affect you and what those bots do will help you implement a better bot management solution.

For retailers, bots are literally everywhere. Radware’s research indicated that 72% of retailers reported experiencing negative consequences due to web scraping attacks, including gathering of pricing information (56%), help inventory (45%), website copying (39%) and inventory depletion (32%).

Completely bot-driven activities include web scraping, web application DDoS, and brute forcing. Non-automated, bot-assisted activities include API manipulation, SQL injection and other attacks like Cross-Site Scripting. Automated bots built for malicious purposes can also easily bypass systems like CAPTCHA and other mitigation techniques, presenting most organizations that depend on traditional detection with serious challenges in combating these bot-related activities.

40% of respondents in a recent survey claim their organization updates applications at least once per week, which makes keeping control of those applications a real challenge. At the same time, those that develop automated software hire dozens of developers who work around the clock to defeat these changes.

Sneakerheads

One of the more notorious uses of automated bots lately is by Sneakerheads, a.k.a. shoe collectors. Sneakerheads use automated bots to purchase limited-edition sneakers. Not long ago, sneakerheads had to be physical. What I mean by this is that before automated bots, it was a contact sport. Sneakerheads would have to travel to shoe stores and often camp out for days just to see what was being released and decide on the spot whether they were going to purchase the shoe or not. Because of the hype around specific drops, things turned violent and left shoe companies looking for a new way to release their products. Even in-store releases were susceptible to being backdoored to the highest bidder. Eventually they moved to the internet to prevent physical confrontation as customers walked out of a store. But as with any item sold online with massive hype behind it, opportunists quickly started gaming the system for profit.

Today sneakerheads are hackers, programmers and tech-savvy collectors. They buy, rent and build custom tools used to automate the process of purchasing shoes with Add-To-Cart (ATC) bots. They target sites with limited product offerings such as Supreme, Nike and Adidas. Some of the more popular bots for sale are All in One (AIO) bot, Another Nike Bot and other customized packages. These bots are constantly being updated to defeat the latest defenses deployed by retailers to prevent the use of automated bots for purchase.

Sneakerheads use the term ‘cook’ to describe the process of purchasing shoes with an automated bot.

For vendors, traffic during a shoe drop often resembles that of a layer 7 DDoS attack. Supply is never equal to demand, and oftentimes websites see hundreds of thousands of sneakerheads attempting to purchase a pair from a limited drop of around 10,000 shoes. Savvy operators will scrape a website prior to the release for information related to the shoe they are looking to purchase.

The bigger problem for shoe collectors is opportunists who do not intend to wear their purchase but instead capitalize on market demand by reselling their inventory. Some sneaker bot operators are able to ‘cook’ dozens of shoes at a time before a human even has a chance to access the website. For example, a sneakerhead who uses a bot to purchase a pair of V2 Yeezys for $220 can turn around and resell the confirmation for $2,000! Multiply this by a few dozen pairs and it quickly becomes clear why these sneaker bots have become so popular: profit. And with this profit and opportunity, a sub-industry around reselling shoes was born.

This explosive growth in sneaker bots has dramatically diminished the chances of the average Joe copping a pair of limited-edition sneakers. Because of this shift, many people have wondered whether companies really can ensure a level playing field for their potential customers. Companies that sell sneaker bots often believe that the playing field will only be level once everyone owns a sneaker bot.


Nike attempted to give sneaker bot operators a run for their money this year when they released the Momofuku SB Dunk High Pro. Through its SNKRS app it required those that wanted to purchase a pair to unlock the shoe in the app by scanning the menu of David Chang’s Fuku restaurant in New York City. If you didn’t have access to the menu, you could simply go to the web version of the menu or scan a SNKRS poster located in NYC. It was believed that this method showed some promise to help combat the growing problem around sneaker bots and automated retail bots in general.

In general, automated bots can create application performance issues and increase the cost of maintaining your website. The negative impact includes reputation damage. If a standard user is not able to purchase a release at face value due to automated bots, they will be forced to purchase the item from a reseller. This markup on the item will leave the consumer bitter and not likely to return.

How do retailers deal with the bot problem?

Blocking bots in general is a fundamentally flawed strategy. When you block the bots, good bots such as Search Bots, Crawlers and Feed Fetchers cannot do their job, resulting in a negative outcome for businesses.

Bots, crawlers and spammers, using new techniques to disguise malicious traffic, can exhaust resources and scrape sensitive information from websites or cloud-based assets. A good Web Application Firewall (WAF) needs to be able to sniff out these clandestine bots.

Bad bots tend to be financially motivated. Vendors that sell automated software (like sneaker bots) often have developers on their payroll who work daily to defeat the latest changes to an e-commerce website. They do this so that when new shoes such as Yeezys and Jordans are released, their bots can defeat a website’s changing tactics and avoid detection.

Overall, a bot management solution can help you reduce the negative impact on your website traffic. By using many techniques like fingerprinting, CAPTCHA, IP rate-based detection, in-session detection and terminations, JavaScript challenges and dedicated anti-bot solutions, organizations can fortify web applications exponentially and level the playing field for those wishing to purchase items without the aid of automated software.
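To make two of the techniques listed above concrete, here is an added example (not Radware’s code and not from the original post) that runs IP rate-based detection and a simple in-session check over constructed access-log lines for an add-to-cart endpoint, while leaving an allowlisted search crawler alone. The log format, paths, thresholds and IP addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample log lines (not real traffic): <ip> <epoch secs> <method> <path> "<ua>"
LOG_LINES = """\
203.0.113.10 1000 GET /product/yeezy-v2 "Mozilla/5.0 Chrome/62"
203.0.113.10 1009 POST /cart/add?sku=yeezy-v2 "Mozilla/5.0 Chrome/62"
198.51.100.7 1000 GET /product/yeezy-v2 "Mozilla/5.0 Chrome/62"
198.51.100.7 1001 POST /cart/add?sku=yeezy-v2 "Mozilla/5.0 Chrome/62"
198.51.100.7 1001 POST /cart/add?sku=yeezy-v2 "Mozilla/5.0 Chrome/62"
198.51.100.7 1002 POST /cart/add?sku=yeezy-v2 "Mozilla/5.0 Chrome/62"
198.51.100.7 1002 POST /cart/add?sku=yeezy-v2 "Mozilla/5.0 Chrome/62"
192.0.2.44 1000 POST /cart/add?sku=yeezy-v2 "python-requests/2.18"
192.0.2.33 1000 GET /product/yeezy-v2 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
""".splitlines()

LINE_RE = re.compile(r'^(\S+) (\d+) (\S+) (\S+) "([^"]*)"$')
# Crawler user-agent allowlist. A UA string is spoofable, so production code should
# verify the claim first (Google documents reverse-DNS verification for Googlebot).
GOOD_BOT_UAS = ("Googlebot", "bingbot")

def classify_traffic(lines, window=5, max_cart_hits=3):
    """Label each client IP 'good-bot', 'suspected-bot' or 'human' using two of
    the post's signals: an IP rate check on add-to-cart (> max_cart_hits adds in
    `window` seconds) and an in-session check that the SKU's product page was
    viewed first, a step scripted add-to-cart bots typically skip."""
    cart_hits = defaultdict(deque)  # ip -> timestamps of recent /cart/add requests
    viewed = defaultdict(set)       # ip -> SKUs whose product page the client loaded
    labels = {}
    for m in filter(None, map(LINE_RE.match, lines)):  # malformed lines are skipped
        ip, ts, _method, path, ua = m.groups()
        ts = int(ts)
        if any(name in ua for name in GOOD_BOT_UAS):
            labels.setdefault(ip, "good-bot")
        elif path.startswith("/product/"):
            viewed[ip].add(path.rsplit("/", 1)[-1])
            labels.setdefault(ip, "human")
        elif path.startswith("/cart/add"):
            hits = cart_hits[ip]
            hits.append(ts)
            while ts - hits[0] > window:  # evict hits outside the sliding window
                hits.popleft()
            sku = path.split("sku=", 1)[-1]
            if len(hits) > max_cart_hits or sku not in viewed[ip]:
                labels[ip] = "suspected-bot"  # burst of adds, or add without a page view
            else:
                labels.setdefault(ip, "human")
    return labels
```

Running `classify_traffic(LOG_LINES)` flags the burst from 198.51.100.7 and the view-less add from 192.0.2.44 while keeping the crawler and the single human purchase unflagged; a real deployment would feed such labels into the fingerprinting or JavaScript-challenge step rather than block outright.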


Daniel Smith

Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network- and application-based vulnerabilities. Daniel’s research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigations proactively for its customers.
