Ever since the Covid pandemic forced governments around the world to impose lockdowns and work-from-home policies last year, there has been a serious shortage of supplies of crucial computer chips that power many aspects of modern life. For millions across the globe, the sudden transition to working from home, along with students required to switch to online classes, further added to the demand for new PCs, Wi-Fi routers and other products needed to cope with stay-at-home orders. Sales of laptops, PCs, smartphones, gaming consoles and other products shot up as a result. These shifts in consumer and industrial consumption, along with chip production bottlenecks and changes in manufacturers’ strategies, have combined to create a situation where chips are in high demand and very short supply. As a result, certain popular products like PlayStation 5, the Xbox Series X, and Nvidia’s latest RTX 3080 graphics cards have all been extremely hard to find in stock at most online retail sites.
What we are now seeing is a huge uptick in scalper bots that buy out goods such as the latest PlayStations and graphics cards almost as soon as they go on sale online. Scalper bots are easily available for purchase online, and many of them are “all-in-one” bots that not only crawl websites to find the desired goods, but also fully automate adding products to a shopping cart and completing the payment. These bots are programmed to scan online retailers’ sites at regular intervals to check whether certain products are in stock, at which point they add to the cart as many units as the retailer allows in one order (many retailers put purchase limits on high-demand products to give more buyers a chance). The bot then completes the purchase within seconds using credit card details the bot user supplied in advance.
How do scalper bots work?
First, a scalper or buyer looking to obtain a high-demand product buys and downloads a retail bot that scours the internet for available stock. The bot user either creates a new account or reuses an existing one at an online retailer. To speed up purchases, the bot user stores credit card details in the account profile. In recent years there has been increasing use of ‘virtual credit cards’, which can be used just once and remove the need to re-enter card details for each purchase. Because each virtual card number is fresh, scalpers can evade the blocklists retailers build from card numbers previously used for abuse.
While scalping bots have aroused the ire of online retailers as well as customers hoping to snag a high-demand product, variations of these bots are also used to carry out cart abandonment or denial of inventory attacks, in which popular products are quickly added to shopping carts but never actually purchased. These attacks hurt the sales and reputation of an online retailer as real consumers find it extremely hard to buy the goods they want.
Another way of evading retailers’ fraud detection systems is to create several accounts under different names and with different mailing addresses. Scalpers also regularly rotate through lists of residential IP addresses belonging to devices compromised by malware, which lets fraudsters route their bot traffic through those addresses, since most large retailers keep blocklists of IP addresses previously used in attacks.
In addition, browser fingerprinting tools used by many popular websites can recognize when the same computer or smartphone is used across several attack campaigns, which further incentivizes botmasters to launch distributed attacks that appear to originate from a wide range of other computers and smartphones compromised by malware (i.e., a botnet). As shown in Figure 1, some bot attacks use thousands of IP addresses, while others use a single address to launch thousands of bots. The former is known as a ‘low-and-slow’ attack: each address contributes only a handful of requests, so it never trips the per-IP rate thresholds that conventional website and application defenses rely on, and the attack as a whole goes undetected.
Figure 1: Bot hits using one IP address vs. multiple IP addresses.
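The multi-account trick described above (several accounts, several mailing addresses, single-use virtual cards) is what device fingerprinting is meant to counter. The following is an added example, not code from Radware or from the page: it takes a constructed batch of checkout records, where `fp` is assumed to be the hash a fingerprinting tool assigned to the device that placed the order, links accounts that share a fingerprint within a time window, and then re-applies the retailer’s per-customer purchase limit to the linked group rather than to each account separately. The product names, account names and limits are all assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed checkout records (sample data, not from the page). "fp" is the
# assumed name for the device-fingerprint hash attached to each order.
ORDERS = [
    {"account": "alice01", "fp": "fp-7a1", "addr": "12 Elm St",   "product": "PS5",     "qty": 1, "ts": "2021-03-01T09:00:10"},
    {"account": "bob22",   "fp": "fp-7a1", "addr": "9 Oak Ave",   "product": "PS5",     "qty": 1, "ts": "2021-03-01T09:00:42"},
    {"account": "carol3",  "fp": "fp-7a1", "addr": "4 Pine Rd",   "product": "PS5",     "qty": 1, "ts": "2021-03-01T09:01:15"},
    {"account": "dave4",   "fp": "fp-7a1", "addr": "77 Birch Ln", "product": "PS5",     "qty": 1, "ts": "2021-03-01T09:02:03"},
    {"account": "erin5",   "fp": "fp-9c3", "addr": "5 Maple Ct",  "product": "RTX3080", "qty": 1, "ts": "2021-03-01T09:05:00"},
    {"account": "gina7",   "fp": "fp-2e8", "addr": "31 Cedar St", "product": "RTX3080", "qty": 2, "ts": "2021-03-01T09:06:30"},
    {"account": "gina7b",  "fp": "fp-2e8", "addr": "31 Cedar St", "product": "RTX3080", "qty": 1, "ts": "2021-03-01T09:07:10"},
]

# Assumed per-customer purchase limits of the kind the text mentions.
PER_CUSTOMER_LIMIT = {"PS5": 1, "RTX3080": 2}


def load_orders(rows=ORDERS):
    """Parse the ISO timestamps so orders can be compared in time."""
    return [dict(r, ts=datetime.fromisoformat(r["ts"])) for r in rows]


def linked_accounts(orders, window=timedelta(hours=24), min_accounts=3):
    """Return {fingerprint: sorted accounts} for every device fingerprint that
    placed orders under at least `min_accounts` distinct accounts inside `window`.
    Separate names, addresses and one-off card numbers do not break this link,
    because the grouping key is the device, not the identity typed into the form."""
    by_fp = defaultdict(list)
    for o in orders:
        by_fp[o["fp"]].append(o)
    flagged = {}
    for fp, rows in by_fp.items():
        rows.sort(key=lambda o: o["ts"])
        for i, first in enumerate(rows):
            # all orders from this device that start within `window` of `first`
            accounts = {o["account"] for o in rows[i:] if o["ts"] - first["ts"] <= window}
            if len(accounts) >= min_accounts:
                flagged[fp] = sorted(accounts)
                break
    return flagged


def limit_breaches(orders, limits=PER_CUSTOMER_LIMIT):
    """Apply the per-customer limit per (device fingerprint, product) instead of
    per account. Returns sorted (fp, product, total_qty, limit) tuples where the
    linked group exceeded the limit even though each account stayed under it."""
    totals = defaultdict(int)
    for o in orders:
        totals[(o["fp"], o["product"])] += o["qty"]
    return sorted(
        (fp, prod, qty, limits[prod])
        for (fp, prod), qty in totals.items()
        if prod in limits and qty > limits[prod]
    )


if __name__ == "__main__":
    orders = load_orders()
    print("fingerprints spanning many accounts:", linked_accounts(orders))
    print("purchase-limit breaches per device:", limit_breaches(orders))
```

In the sample data the device `fp-7a1` places four PlayStation orders under four accounts within two minutes, so it is flagged by both checks; `fp-2e8` uses only two accounts, below the linkage threshold, but its combined RTX quantity of 3 still breaks the limit of 2, which is why the two checks are worth running side by side.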
After the initial account creation process is completed, scalpers let their bots run, and the bots automatically scour retailers’ sites to find hard-to-get products almost as soon as they are made available online. The rest of the process, adding to the shopping cart and completing the payment, is automated as well. Security tools such as CAPTCHAs are easily bypassed by relaying the challenges to outsourced teams of remote workers who solve them in real time.
In Figure 2, we see the volume of bot traffic on popular product categories offered by one of our customers in the e-commerce industry. Scalper bots can scan a retail website or application millions of times faster than any human can, and query product information across entire categories such as computers, smartphones, gaming devices, and others. In turn, such high bot volumes also lead to website and application slowdowns and outages, which frustrate consumers and reduce conversion rates in online retail.
Figure 2: Product categories most impacted by bot traffic
For resellers and fans of popular products such as Sony’s latest PlayStation 5 gaming console and Nvidia’s latest graphics cards that are loved by avid gamers, scalper bots can be easily set up to only scan for those particular products across several online retailers’ websites and mobile applications. Figure 3 shows the bot traffic trend on pages showing PlayStation 5s and Nvidia’s RTX 30xx series graphics cards.
Figure 3: Bot traffic trend for PlayStation 5 and Nvidia RTX 30xx series GPUs
One of our customers, a leading online retailer in Europe, experienced high volumes of bot traffic searching for any available PlayStation 5 and Nvidia RTX 30xx-series GPUs, as shown in Figures 4 and 5 below. Even over a short 18-day period, blocked bot hits on these product categories ranged from approximately 1600 hits to nearly 11 million hits.
Figure 4: Nvidia RTX 30xx series pages: Bad bot hits, unique IP addresses used, and unique User Agents used
Figure 5: PlayStation 5 product pages: Bad bot hits, unique IP addresses used, and unique User Agents used
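The counters in Figures 4 and 5 (bad bot hits, unique IP addresses, unique User Agents per product page) and the two attack shapes from Figure 1 (one address launching thousands of requests versus thousands of addresses each sending a few) can both be derived from ordinary web server access logs. The following is an added example, not Radware’s code or the page’s data: it builds a constructed combined-format access log containing a single-IP burst against a PlayStation 5 page, a distributed low-and-slow sweep of an RTX page and a few human-looking visits, computes the per-page counters, and runs two detectors. The first is the conventional per-IP threshold; the second aggregates by target page and counts how many distinct addresses hit it in one window while each stays under the per-IP threshold, which is the low-and-slow pattern the per-IP check misses. Paths, addresses and thresholds are assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; fields not needed here are still captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def _line(ip, ts, path, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'


def build_sample_log():
    """Constructed access log (sample data, not from the page): (a) one IP and one
    User Agent hitting the PS5 page 60 times in 60 s, (b) 40 distinct IPs hitting
    the RTX page twice each over two minutes, (c) five human-looking visits."""
    t0 = datetime(2021, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):                                             # (a)
        lines.append(_line("198.51.100.7", t0 + timedelta(seconds=i),
                           "/products/playstation-5", "Mozilla/5.0 (bot-A)"))
    for n in range(40):                                             # (b)
        for k in range(2):
            lines.append(_line(f"203.0.113.{n + 1}", t0 + timedelta(seconds=3 * n + 60 * k),
                               "/products/rtx-3080", f"Mozilla/5.0 (client-{n % 7})"))
    for n, path in enumerate(["/", "/products/playstation-5", "/cart",
                              "/products/rtx-3080", "/help"]):      # (c)
        lines.append(_line(f"192.0.2.{n + 10}", t0 + timedelta(seconds=10 * n),
                           path, "Mozilla/5.0 (human)"))
    return lines


def page_metrics(events):
    """Per path: hits, unique IP addresses and unique User Agents, the three
    counters the figures above report for each product category."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "uas": set()})
    for e in events:
        s = stats[e["path"]]
        s["hits"] += 1
        s["ips"].add(e["ip"])
        s["uas"].add(e["ua"])
    return {p: {"hits": s["hits"], "unique_ips": len(s["ips"]), "unique_uas": len(s["uas"])}
            for p, s in stats.items()}


def _bucket(ts, window_s):
    """Fixed time bucket; a production detector would use a sliding window."""
    return int(ts.timestamp() // window_s)


def single_ip_bursts(events, window_s=60, threshold=30):
    """Conventional check: (ip, path) pairs with more than `threshold` hits in one
    bucket. Catches 'one address, thousands of bots', misses distributed sweeps."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["ip"], e["path"], _bucket(e["ts"], window_s))] += 1
    return sorted({(ip, path) for (ip, path, _), c in counts.items() if c > threshold})


def distributed_sweeps(events, window_s=120, min_ips=25, max_per_ip=3):
    """Low-and-slow check: paths hit from at least `min_ips` distinct addresses in
    one bucket while each of those addresses sends at most `max_per_ip` requests,
    i.e. every address individually looks harmless."""
    per = defaultdict(lambda: defaultdict(int))   # (path, bucket) -> ip -> hits
    for e in events:
        per[(e["path"], _bucket(e["ts"], window_s))][e["ip"]] += 1
    flagged = set()
    for (path, _), ips in per.items():
        quiet = [ip for ip, c in ips.items() if c <= max_per_ip]
        if len(quiet) >= min_ips:
            flagged.add(path)
    return sorted(flagged)


if __name__ == "__main__":
    events = [parse_line(l) for l in build_sample_log()]
    print(page_metrics(events))
    print("single-IP bursts:", single_ip_bursts(events))
    print("distributed sweeps:", distributed_sweeps(events))
```

On the sample log the RTX page ends up with 81 hits from 41 addresses and 8 User Agents, yet no address exceeds two requests, so `single_ip_bursts` stays silent on it and only `distributed_sweeps` raises it; the PS5 burst is the reverse. The `min_ips` and `max_per_ip` knobs are the part that needs tuning per site, since a genuine flash sale also brings many addresses to one page at once.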
Apart from scalpers snatching up available inventory for resale at huge profits (sometimes multiples of the original price) on eBay and other portals, let us not forget that bots also target e-commerce websites and applications to carry out Account Takeover (ATO), Carding Fraud and Denial of Inventory/Cart Abandonment attacks, not to mention Content Scraping and Application Denial of Service attacks. Every year, we see significant advances in bot technology and programming that more closely mimic human behavior and thus evade conventional website and application defenses such as WAFs. Only a specialized bot management solution such as Radware Bot Manager can detect these advanced human-like bots amongst the thousands or even millions of real shoppers visiting a large e-commerce site.
To learn more about bot threats to online retail and other industries that bots target, read our research findings in our E-commerce Industry’s Automated Threat Landscape. If you’d like even more foundational knowledge about bots of every kind and the various activities they engage in, as well as best practices in bot mitigation to secure your online enterprise, read our comprehensive e-book The Ultimate Guide to Bot Management.