Bots-as-a-service and why they might interest shoppers [Q&A]
Bots tend to have a poor reputation, launching cyber attacks, beating you to the best bargains on eCommerce sites and generally being a bit of a pain in the Net.
Nowadays bots are frequently available 'as-a-service' so it's possible to rent one for a period of time to execute an attack. But, according to research for Cequence Security, 32 percent of respondents say they've used a shopping bot before and 38 percent say they might in the future. So that's 70 percent of people who are thinking, 'If you can't beat them, join them.'
We talked to Jason Kent, hacker in residence at Cequence, to find out about the rise of bots-as-a-service, the methods that enable consumers to rent bots, and whether they're necessarily a bad thing.
BN: Has the ability to rent bots lowered the entry barrier for cybercrime?
JK: Absolutely. The evolution of bots is such that there is a widespread understanding of how most any e-commerce application works, which has then led to fully automated shopping with the intent of purchasing something before a legitimate buyer can. This layer of abstraction has made bots available to a wider audience that may not have/need a specific amount of technical prowess. In fact, the money to be made is now expanding from the product gray market to bots-as-a-service platforms where you or I can rent a bot to get the thing we want -- for a fee.
BN: What can businesses do to detect and defend against bots?
JK: The concept of a needle in a haystack doesn't really apply here; the imagery is more like finding a haystack in a haystack. The 'best' bot traffic will look just like your legitimate user traffic. The botters will have analyzed the application, the workflow, and reverse engineered the client or SDK used for prevention. The challenge a business faces is how to separate malicious from legitimate while in the middle of a massive hype-sale. The key to the business is to use automation to surface the bot traffic while enabling legitimate users to make their purchase. Not an easy task.
BN: What are the ethics of shopping bots, and how are they different from, say, auction sniping tools?
JK: Shopping bots, in essence, quickly add a desired item to cart and initiate checkout, at computer speed. This means that anyone that is working at the speed of a human is going to lose out. Is it unethical? There are arguments in either direction. They do result in a sale, but at the expense of a loyal customer. We also see fraud associated with these types of activities. In order to make more money, the botters need more financial input, more processors, more collaboration and platforms. This means they go looking for more ways to check out (often using stolen credit cards) or other activities that are illegal, like account takeover, creating additional theft. Shopping bots directly impact the business bottom line -- IT infrastructure cost overruns, skewed sales and marketing analytics, employee frustration, disgruntled customers, and brand damage.
BN: Can the use of bots compromise eCommerce security?
JK: It depends on the bots. We often see attack automation that is pointed directly at security. Looking for admin accounts, vulnerable components or even attempts to directly take over the server operating system is possible. There are all types of bots out there. They might be looking for free goods, a host to run a cryptominer, hype sale items, open databases, etc. Many of the bots running today are trying to pry their way into corporate environments for some type of gain.
BN: Does the use of shopping bots put business reputations at risk?
JK: It does in a variety of ways. As a consumer, if one knows the experience at a particular store is going to be frustrating, we shy away. Or we vent on social media. Research shows that the cost of acquiring a new customer is far greater than the cost of keeping an existing customer. Brand and reputational damage are a huge problem for the business, as is the impact on vendor relationships. Suppliers don't want to be associated with a business that causes customer frustration. If the bots win and the customers complain, the vendors pull allocation. The organizations that are on top of this, however, have seen big increases in customer satisfaction and other factors that positively impact their bottom line.