The Grinch Bot That Stole Christmas

By Edward Roberts, December 19, 2019. Updated: December 30, 2021.

We’ve all heard of the boogie man that steals children in the night-time. It’s been giving kids nightmares for years. Now, we have something that will give their parents a scare during the next few weeks. It’s the Grinch-bot and it’s quietly stealing presents in the weeks coming up to Christmas. 

During the golden quarter, the period encompassing Thanksgiving, Black Friday, Cyber Monday, Christmas and the New Year sales, the Grinch-bot is proving to be a real party-pooper.

Like the real-life Grinch from the books by Dr Seuss, the Grinch-bot is a thoroughly unpleasant individual. His job is to steal toys that everybody wants and hoard them until just before the big sales event of the season, driving up prices and making a killing on the profits.

Together with the Sneaker bot, they can do serious damage to your purse. If you are seriously into your footwear, then the Sneaker bot searches out the best sneaker (trainer) deals and secures items for resale on specialist markets.

New legislation

The bot problem has become so bad that the US Congress has proposed legislation called the Stopping Grinchbots Act 2018. It wants to outlaw the use of bots entirely to prevent their misuse and the deliberate inflation of prices.

But e-commerce bots have been used for years, not just for hyping prices. Some e-commerce domains see over 90% of their traffic coming from bots. They perform constant scraping of product and pricing information that skews online retail analytics. Bots pollute key metrics such as conversion rates and the lifetime value of a customer. Also, the volume of bots, particularly during peak times like Black Friday, adversely affects website performance.

It can lead to reputational loss, cart abandonment and lost revenue if the website goes down or a transaction is interrupted.

The variety of bot attacks is more diverse in e-commerce than any other industry. The Grinch bot and Sneaker bot are also involved in unauthorised price and content scraping, denial of inventory, customer account takeover and gift-card fraud. They are thorough little pests for most retailers, all year round and not just for Christmas.

It’s Not Loyalty 

It’s not physical money, and the account holder is not physically robbed, but a bot hack can destroy a huge amount of credibility and customer trust in a brand. Customers are spending more money year-round on limited edition or high-demand products, like the season’s hottest toys or the latest shoe release. Automated bots are the easiest method for attackers to get their hands on these goods. Because of their ability to rapidly repeat a specific task, bots are used to do things at speed that humans can’t or simply won’t do.

This demand is exactly the motivation malicious attackers need to exploit retailers and customers. But just how bad is the problem? The Imperva Bot-Management threat research team conducted the first industry-specific study into the impact of bad bots on the e-commerce industry (How Bots Affect e-Commerce).

We analysed 16.4 billion requests from 231 domains (July 2019) and found the sophistication of bots attacking e-commerce sites was on the rise. 

Of the total e-commerce traffic analysed, 18% consisted of bad bots, 13% of good bots and 69% of humans. Of the bad bots, nearly four-fifths (79 percent) were classified as moderate or sophisticated risks, up from 76 percent in 2018. The rise in sophistication can be put down to the arms race at play between the bot operators and bot mitigation technology.

Stopping the Grinch

Most retailers have policies in place designed to block bots electronically and limit how many products any customer can buy. But that only does so much when malicious actors are using multiple bots.

The Stopping Grinch Bots Act would make it illegal to resell all products purchased by automated bots. Think of it like copyright laws and online privacy. That could give retailers a new weapon against online scammers.

But while we wait for a new law to come into effect – and then it will only cover the US – retailers need to protect themselves and their products from fraud. Almost all online retailers will have a fraud prevention team which uses a range of anti-fraud solutions to combat the various persistent threats. 

It is paramount that a tool specifically designed to detect bots is used, as tools such as a Web Application Firewall (WAF) struggle to detect sophisticated bots. A layered defence-in-depth approach is the way to go. This should include DDoS protection to detect volumetric bots, a WAF to detect malicious activity and Bot Management to detect application-layer bot abuse.

Like any cybersecurity measure, it’s a constant battle to outwit the fraudsters and hackers. Global legislation will help but until its introduction, we still need to catch and convict bot creators. So retailers still need to be vigilant in the golden quarter and constantly monitor their web traffic.

If we all stay vigilant, we can ensure we all have a bot-free trading period. It’s up to us all to ensure the Grinch bot or Sneaker bot doesn’t steal Christmas.

Edward Roberts

Director of Product Marketing

    The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
