William Glazier, Manager, CQ Prime Threat Research and Data Science at Cequence Security
As the holidays draw nearer and consumers begin frequenting their favorite online retailers in search of the perfect gift, it seems an appropriate time to put the spotlight on a topic that gives shoppers heartburn as they search online: shopping bots that automatically buy up all inventory.
For example, it could be the latest Nike Air Jordan shoe, or the hottest items on Supreme’s clothing site, or any other site where the product customers want sells out almost immediately. Yet somehow these items always seem to be available for resale on the secondary market, at extraordinarily high markups, putting a dent in the holiday budget for the most fashion-forward folks among us (known to some as “hype-beasts”).
In this article we will explore bad actors’ motivations for carrying out this type of business logic abuse, some of the requirements to execute the attack, and finally some detection strategies for those retailers looking to ensure the best possible experience for their customers attempting to buy their products.
At a high level, the motivation for carrying out this abuse is simple – there’s a lot of money to be made. The demand for these popular items vastly outpaces the supply, as is natural with many “limited-edition” items. Any adversary with computer skills and the desire to hustle can easily tap into the arbitrage this creates in the market, where the original retail price is much lower than the price consumers ultimately pay on a secondary market.
In some ways, the relationship between retailers and “botters” began in a somewhat symbiotic way. Retailers were essentially guaranteed sell-outs, tremendous growth numbers for their online business metrics, and lots of buzz for their products.
However, as more consumers purchase online, the “soft” costs (bad press, poor customer experience, etc.) become more of a problem. If customers can’t buy the products they really want, it can generate frustration. And if they buy from a secondary market, they can be left with a bad feeling of getting ripped off. Nevertheless, the growth and subsequent value of secondary market sites has soared over the past few years, providing legitimacy and a well-functioning market for legitimate retailers, bad actors, and consumers alike.
To analyze what a person needs to carry out one of these campaigns, it helps to relate back to our CQ Prime Four Pillars of Detection framework.
- Tools: There are many types of “botting” tools that can be used by almost anyone. These include AIO Bot, SupremeBot, EasyCop, NikeSlayer, etc., and are available for purchase on many marketplaces. These tools are effectively customized platforms designed to attack specific targets, and due to their popularity, are continually updated and refined through crowdsourcing. Terms such as “grails,” “cooking,” “copping” and more are all examples of lingo that is specific to this category of attack tool.
- Infrastructure: Once again, this component of the campaign offers many services specifically for attackers trying to abuse retail sites, by automating the entire purchase flow thousands of times and anonymizing themselves. One example of these services is the popular “Rotating Residential Proxy” service offered by many providers that we examined in our CQ Prime report on Bulletproof Proxies. These proxy services allow attackers to blend in amongst the exact same type of IPs used by legitimate customers. Blocking these IP networks outright is functionally impossible from a detection perspective, and the bad guys take advantage of this loophole and drive a truck through it, using services that take care of the IP rotation for them.
- Payload & Behavior: With these attacks, bad actors have two more requirements that are essential to their monetization scheme. First, attackers need target brands and exact dates during which to run/use their bots. They must know which items they want to procure, and they must know when the items will “drop” so they aren’t burning through resources before the items are available. This frequently manifests itself in operators writing a “recon bot” that crawls and indexes sites and monitors for the first hints of a sale or item release. Second, they need a mechanism to quickly and efficiently carry out the purchase process, have credit cards to make payments, locations to hold inventory, and most importantly – efficient markets to quickly resell their goods at a high margin.
The markets for tools and infrastructure are so well developed that trying to develop signatures and block IPs will be a fruitless game of whack-a-mole forever. So the focus, in this case, needs to be on the underlying attacker behavior. Fundamentally, these bots want to purchase hot brand items, lots of them, as fast as possible. There is an extremely competitive landscape among bot operators themselves, and they are resource constrained. They must be fast and efficient, and can’t waste time or money introducing human-like behavior that will send spurious requests. Forcing them to change that behavior can therefore negatively impact the operators’ ability to earn a profit.
At its core, our detection strategy rests on understanding the transaction flow for good humans, at large scale. We can then use the knowledge of “good-at-scale” to detect behavioral anomalies, some of which include:
- An abnormal ratio of requests targeting exclusively popular brand items, without appropriate browsing requests to get to those pages or requests to other products that a normal user would at least have a high likelihood of visiting.
- IP-rotation patterns that are characteristic of using rotating residential proxy services, particularly the rotation of an IP address throughout one shopping session.
- The presence of the “recon bots” that are watching for drop dates and sales, and seem to continually look for items and pages that may not exist yet.
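The three anomalies above can be sketched as per-session checks over request logs. This is an added example, not Cequence's detection logic: the log layout, paths, hyped-item list and thresholds are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample requests: (session_id, client_ip, path, http_status).
# Paths, session ids and IPs (RFC 5737 documentation ranges) are made up.
SAMPLE_LOG = [
    ("s1", "192.0.2.10", "/category/shoes", 200),
    ("s1", "192.0.2.10", "/product/runner-basic", 200),
    ("s1", "192.0.2.10", "/product/limited-drop", 200),
    ("s1", "192.0.2.10", "/cart/add", 200),
    ("s2", "198.51.100.7", "/product/limited-drop", 200),
    ("s2", "203.0.113.21", "/cart/add", 200),
    ("s2", "198.51.100.99", "/product/limited-drop", 200),
    ("s2", "203.0.113.40", "/checkout", 200),
    ("s3", "192.0.2.55", "/product/unreleased-1", 404),
    ("s3", "192.0.2.55", "/product/unreleased-2", 404),
    ("s3", "192.0.2.55", "/product/unreleased-1", 404),
    ("s3", "192.0.2.55", "/product/limited-drop", 200),
]

HYPED = {"/product/limited-drop"}            # assumed list of limited-release items
BROWSE_PREFIXES = ("/category/", "/search")  # assumed navigation paths
MAX_IPS_PER_SESSION = 2                      # assumed thresholds; tune against
MIN_404_PRODUCT_HITS = 3                     # your own "good-at-scale" baseline


def score_sessions(log):
    """Return {session_id: sorted list of anomaly flags} for flagged sessions."""
    sessions = defaultdict(list)
    for sid, ip, path, status in log:
        sessions[sid].append((ip, path, status))

    flagged = {}
    for sid, reqs in sessions.items():
        flags = set()
        product = [p for _, p, _ in reqs if p.startswith("/product/")]
        browse = [p for _, p, _ in reqs if p.startswith(BROWSE_PREFIXES)]
        # Signal 1: only hyped items requested, with no navigation leading to them.
        if product and set(product) <= HYPED and not browse:
            flags.add("hyped_only_no_browse")
        # Signal 2: client IP changes repeatedly inside one shopping session.
        if len({ip for ip, _, _ in reqs}) > MAX_IPS_PER_SESSION:
            flags.add("ip_rotation")
        # Signal 3: repeated probing of product pages that do not exist yet.
        misses = sum(1 for _, p, s in reqs if s == 404 and p.startswith("/product/"))
        if misses >= MIN_404_PRODUCT_HITS:
            flags.add("recon_probe")
        if flags:
            flagged[sid] = sorted(flags)
    return flagged
```

On the sample data, the ordinary shopper session `s1` is not flagged, while `s2` and `s3` each trip the signals they were constructed to show.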
These types of automated bot attacks are a problem that is not going away, and retailers need strategies to mitigate and reduce the damage these bots can do to their brand, their customers and their user experience. After all, robots don’t wear sneakers and real humans would like to know they’re not engaging in an unwinnable “race against the machines” just to buy a holiday gift before it’s gone.