Almost three-quarters (71%) of UK consumers believe that nefariously named ‘Grinch bots’ are ruining Christmas by acquiring all the best presents.
This was one of the findings of new research from Imperva, a Thales company. Grinch bots are automated programs set up to monitor trending retail items and quickly purchase all available stock when such in-demand products are listed online.
The purchases are then re-sold on the secondary market for profit, Imperva’s projections indicate that the price of the country’s most popular gifts is inflated by up to as much as 105% on resale sites—a process that leaves genuine shoppers disappointed and empty-handed.
Superpowered by AI
And with bots now superpowered by AI, Imperva is warning that scalping is only going to get worse this Christmas, with Grinch bots able to target the most in-demand gifts more effectively than ever.
Sadly, this practice is nothing new. 40% of UK consumers have previously faced challenges when trying to buy a gift, often finding it sold out. Inventory scaling by cybercriminals using bad bots occurs all year round and has been done for some time now. These bad bots are coined by the term ‘Grinch bots’ during the artificially created ‘gift-buying season’ that runs from Black Friday in November through to the New Year sales in January.
A great example of this practice in action is the scalping that took place around Sony’s PlayStation 5 (PS5) games console. The Imperva 2024 Bad Bot Report revealed how, for a second consecutive year, Gaming (57.2%) saw the largest proportion of bad bot traffic, while Retail (24.4%) was second, and game consoles have been featured for decades now as must-have Christmas gifts.
The PS5 launched on 12 November 2020, in Australia, Japan, New Zealand, North America, and South Korea, with a worldwide release following a week later. But the drama started months before then with Sony’s botched attempt to circumvent the scalpers.
During a pre-launch presentation on 16 September that same year, Sony announced that pre-orders for the console would begin at various retailers the following day. However, several retailers in the United States and the United Kingdom unexpectedly opened pre-orders that evening. This led to a rush on pre-orders, resulting in scalping as many stores quickly sold out of stock. Sony issued an apology for the situation a few days later, and promised to provide more pre-order deliveries in the coming days, as well as additional stock throughout the rest of the year.
This didn’t deter the scalpers, though, with US retail giant Walmart releasing a statement by CISO Jerry Geisler titled ‘Doing Our Part to Ensure Customers, Not ‘Grinch Bots,’ Can Buy This Season’s Hottest Items’ laying out the preventative measures they were taking. The statement revealed how ‘One bot preventative action we implemented just hours before the PlayStation 5 event on 25 November blocked more than 20 million bot attempts within the first 30 minutes alone’. The scalping continued for years (exasperated by Covid and a micro-chip shortage), with reports still emerging in 2022 of re-selling activity.
It’s not all doom and gloom, however, with reports concerning the latest iteration of the PS5, the PS5 Pro, providing some festive cheer at least. Pre-orders for the PS5 Pro went live on 26 September 2024, and early reports bore headlines such as ‘Scalpers Are Already Ruining The PS5 Pro launch’. However, recent reports have shown that the new consoles are struggling to be re-sold, prompting delighted responses from video game enthusiasts celebrating an overdue win.
Information Security Buzz approached Cindy Lou Who for a comment, but she was unavailable at the time of writing.
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.