The rise of the shopping bot and what it means for security teams [Q&A]
If you've ever tried to order a recently released tech product, like a new game console or the latest hot graphics card only to find it's sold out, you've no doubt felt frustrated. It's even more frustrating when the product then appears on secondary market sites at many times the original price.
What you're seeing here is probably the action of automated shopping bots that scoop up products for resale at a profit. Is this a form of cyber attack or is it just rather shady commercial activity? We spoke to Ameya Talwalker, co-founder of Cequence Security, to find out more about the behavior of these bots and what can be done to curb their activity.
BN: How do these bots work?
AT: For the sake of this conversation and because their classification is a bit of a gray area, I'll refer to the people perpetrating shopping bot campaigns as 'botters' rather than 'attackers'. Botters will use automated tools to achieve their end goal, much like an attacker would. Retailers deploy prevention mechanisms, much like they would to defeat an attack. So, there are indeed some similarities. Now, let's take a look at how these botters bypass security defenses.
First and foremost, the shopping bot tools have advanced and are simplified to the point where almost anyone can use them. Botters can just go online to a bot marketplace and purchase with the click of a button. These are effectively customized platforms designed to shoot at specific targets and they have become highly commercialized with 24x7 online support, guaranteed returns/scores and continuous updates and refinements.
Once the botter selects their tool, it's time to procure the infrastructure for the campaign -- in particular, the proxies the bots will use. Proxies enable botters to anonymize themselves to blend in with normal traffic. With rotating proxies -- which we call Bulletproof Proxies -- an army of bot shoppers can hide in the network traffic because the proxies are residential IPs used by legitimate shoppers. Expensive bot tools bundle in proxy services to make it even easier for a botter to use the tool.
With these shopping campaigns, botters have two more requirements that are essential to their shopping spree. They need to understand the targets and the exact dates during which to run their bots. Twitter and Discord 'cooking groups' have essentially solved these problems by creating a forum for groups to discuss what is needed in the bots to ensure that as much of the purchase process is as automated as it can be. The timing problem is addressed by other types of bots that people can subscribe to. Frequently, we see 'recon bots' crawling and indexing sites to monitor for the first hints of a sale or item release -- bots adding products to wishlists or creating fake carts is a tip-off that a big bot campaign is coming.
BN: Are these bot campaigns a form of cyberattack?
AT: As someone who respects the hunt for a good deal, I struggle with what to call shopping bot campaigns. Are they attacks? We certainly wouldn't call it an attack when people line up outside of Best Buy on Black Friday -- at least up until the point when some poor soul gets trampled in a rush for a $100 flat screen TV. From the perspective of the retailer, though, it's really just semantics. The fact is that these types of attacks present real challenges that retailers have to address -- and those challenges are very similar to the ones they'll face preparing for and mitigating against DDoS attacks. We have seen plenty of examples of bots going out of control (ultimately it is software and it has bugs or in some cases it was user error) and causing a DDoS attack on retailers to bring their entire online operations down. This certainly looks like a cyberattack.
BN: What challenges do they present for digital enterprises?
AT: These shopper bot campaigns introduce tremendous stress to retailers' infrastructure and internal teams, while also creating a poor customer experience that can have a real impact on brand satisfaction, loyalty and revenue. Customers have to wait in these 'waiting rooms', typically offered by content delivery networks, for hours before they can shop for these high-demand items. Ironically, the same CDN vendors offer bot mitigation solutions which are rendered toothless against these advanced shopping bots. Advanced bots have built-in sophistication that allows them to get out of the waiting rooms before normal users, making the problem more severe.
One of the main problems lies with traditional, first-generation bot defense solutions, which are widely used and have proven to be obsolete, complex, ineffective or all of the above. Web application firewalls have to make quick decisions using outdated signatures and can't stand up to the constantly evolving, sophisticated tools built to circumvent them.
When botters use rotating proxies that blend bots with legitimate traffic, it makes it impossible for security teams to block the IP addresses outright, because that would mean they're blocking nearly all of the real shoppers as well. We're also seeing retailers struggle to detect this type of traffic because many bots have built-in human-like behaviors -- for example, moving the mouse around the screen before clicking the buy button -- to obfuscate their identity.
BN: Is this activity legal?
AT: With the exception of concert tickets, it is not illegal for malicious actors to use bots to corner the market with the purchase of high-value items. There is a lot of money to be made in the resale markets for electronics like gaming consoles or graphics cards, sneakers, and other luxury retail items like purses. And because it's not illegal, all it takes is someone with rudimentary computer skills, a credit card and some hustle to get into the game. Because the money is so good in the resale game, there have been tremendous advancements in the tools and infrastructure available for botters to use. The bots are easily accessible, easy to deploy, and are designed and continuously improved upon to allow them to legally and effectively get past web application firewalls and commonly used first-generation bot mitigation tools. In all likelihood, there is more money being made in the tools than there is in the target-product resale market.
BN: What actions can retailers take against shopping bots?
AT: At its core, a successful detection strategy rests on understanding the transaction flow for good humans, at large scale. Retailers need to be able to detect behavioral anomalies, some of which include:
- An abnormal ratio of requests targeting exclusively popular brand items, without appropriate browsing requests to get to those pages or requests to other products that a normal user would at least have a high likelihood of visiting.
- IP-rotation patterns that are characteristic of using rotating residential proxy services, particularly the rotation of an IP address throughout one shopping session.
- The presence of the recon bots that are watching for drop dates and sales and seem to continually look for items and pages that may not exist yet.
To deter bots we've seen sites deploy waiting rooms, shut down mobile apps, block IPs -- all things that impact the real person trying to buy their kid a Christmas present, and all things the bots can instrument around. Solutions like ours that use behavioral fingerprinting techniques are the only ones that will be able to detect the bots (even as they evolve) and then provide the business the ability to choose what action to take. Block them completely, let some shop, or even send them to a fake site to distract them and give humans a chance to purchase the goods as the retailer intended.
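The three behavioral anomalies listed in the answer above (hot-item requests with no browsing path leading to them, IP rotation inside one session, and recon probing of product pages that do not exist yet) can be turned into per-session signals over ordinary access logs. The block below is an added example written for this page; it is not code from Cequence Security or from the interview. The log line shape (session id, client IP, timestamp, method, path, status), the URL layout (/p/<sku> for product pages, /c/<category> and /search for browsing), the HOT_SKUS set and the scoring thresholds are all assumptions chosen for illustration, and the sample log lines are constructed, not real traffic.

```python
"""Per-session behavioral bot signals over constructed access-log lines.

Added example, not the interviewee's or any vendor's code. Log format,
path layout, HOT_SKUS and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample traffic: s1 is a human-like browse-then-buy session,
# s2 hits the hot item directly while rotating through three IPs (residential
# proxy rotation), s3 probes product URLs that do not exist yet (recon bot).
SAMPLE_LOG = """\
s1 203.0.113.10 2023-11-24T09:00:01Z GET / 200
s1 203.0.113.10 2023-11-24T09:00:09Z GET /c/gaming 200
s1 203.0.113.10 2023-11-24T09:00:20Z GET /search?q=console 200
s1 203.0.113.10 2023-11-24T09:00:35Z GET /p/console-x 200
s1 203.0.113.10 2023-11-24T09:01:10Z POST /cart/add 200
s2 198.51.100.7 2023-11-24T09:00:00Z GET /p/console-x 200
s2 198.51.100.88 2023-11-24T09:00:00Z POST /cart/add 200
s2 192.0.2.45 2023-11-24T09:00:01Z POST /checkout 200
s3 198.51.100.200 2023-11-24T08:59:50Z GET /p/console-x-pro 404
s3 198.51.100.200 2023-11-24T08:59:51Z GET /p/console-x-2 404
s3 198.51.100.200 2023-11-24T08:59:52Z GET /p/gpu-5090 404
s3 198.51.100.200 2023-11-24T08:59:53Z GET /p/console-x 200
"""

# Assumed log layout: "<session> <ip> <timestamp> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
# Assumed URL layout: product pages live under /p/<sku>
PRODUCT_RE = re.compile(r"^/p/([^/?]+)")
# Assumed set of high-demand SKUs for the drop being protected
HOT_SKUS = {"console-x"}


@dataclass
class Session:
    ips: set = field(default_factory=set)
    requests: list = field(default_factory=list)  # (method, path, status)


def parse_log(text: str) -> dict:
    """Group log lines by session id; malformed lines are skipped, not fatal."""
    sessions = defaultdict(Session)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        sid, ip, _ts, method, path, status = m.groups()
        sessions[sid].ips.add(ip)
        sessions[sid].requests.append((method, path, int(status)))
    return dict(sessions)


def is_browse(path: str) -> bool:
    """Pages a shopper normally passes through before reaching a product."""
    return path == "/" or path.startswith("/c/") or path.startswith("/search")


def score_session(s: Session) -> tuple:
    """Return (signals, score): one point per anomaly from the interview."""
    product = [(p, st) for _m, p, st in s.requests if PRODUCT_RE.match(p)]
    browsed = any(is_browse(p) for _m, p, _st in s.requests)
    hot = any(PRODUCT_RE.match(p).group(1) in HOT_SKUS for p, _st in product)
    signals = {
        # Hot item requested with no browsing path leading to it
        "direct_hot_item": hot and not browsed,
        # Client IP changed within a single session (rotating proxies)
        "ip_rotation": len(s.ips) > 1,
        # Repeated 404s on product URLs: probing for pages not yet published
        "recon_probing": sum(1 for _p, st in product if st == 404) >= 2,
    }
    return signals, sum(signals.values())


def verdict(score: int) -> str:
    """Assumed thresholds: two or more signals is treated as a bot."""
    if score >= 2:
        return "bot"
    if score == 1:
        return "review"
    return "human-like"


def analyze(text: str) -> dict:
    out = {}
    for sid, s in parse_log(text).items():
        signals, score = score_session(s)
        out[sid] = {"signals": signals, "score": score, "verdict": verdict(score)}
    return out


if __name__ == "__main__":
    for sid, r in analyze(SAMPLE_LOG).items():
        print(sid, r["verdict"], r["signals"])
```

The scoring is deliberately additive so that a single signal only routes a session to review; any one of these heuristics fires on some real shoppers (a bookmarked product link, a mobile carrier NAT change), which is the same over-blocking problem the interview attributes to outright IP blocking. Session-level signals like these are also what a retailer can act on selectively, for instance rate-limiting or diverting only the flagged sessions rather than everyone behind a shared residential IP.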