With a thousand-fold increase in bot traffic on our e-commerce customers’ websites during the huge Cyber Week shopping frenzy last November, the main question that concerned e-commerce businesses was what bot operators were going to do next. With e-commerce and holiday shopping being cyclical in nature, were things going to look up for the industry? After the peak shopping season, we did observe a large dip in bot traffic to our e-commerce customers, which lasted until just a few days before Christmas. Around that time, shoppers usually browse e-commerce websites looking for end-of-year discounts, hoping to snag popular gifts that may have sold out during the Black Friday sales frenzy. Retailers generally try to clear unsold stock by offering attractive discounts, which bring in millions of online shoppers, and huge volumes of bots, of course.
Leading up to the pre-Christmas shopping days, as online shopping activity starts growing, bot traffic starts climbing as well, as competitors and price comparison sites aggressively start scanning e-commerce sites to scrape their prices and product information. As always, these extraneous activities put significant strain on servers and related infrastructure, and in turn lead to slow page loads and high customer frustration. Our customers, of course, did not feel the impact of these bot activities, as we shielded them from all the malicious bots trying to land on their websites and apps.
FIGURE 1: Price Scraping Instances (December 2020)
When we look at how bad bot traffic on our e-commerce customers shaped up over the course of last December, from the 13th onwards there was a steep spike in traffic as scrapers, scalpers, fraudsters, and competitors deployed bots. This trend continued at elevated levels until the 23rd, when it spiked even higher as shoppers made last-minute purchases, no doubt attracted by the discounts typically offered by retailers to try to move as much product as possible. Competitors and price monitoring sites are especially busy with price scraping activities during periods when retailers try out various price discounting strategies to entice shoppers. After December 28th we see bot traffic volumes go down to their usual levels, indicating that bot operators had throttled down their scraping, scalping, and ATO-related activities as the holiday shopping season ended.
FIGURE 2: Bad Bot Traffic (December 2020)
Apart from the usual price scraping bots, peak shopping periods are especially attractive to cybercriminals carrying out ATO (Account Takeover) attacks. Using lists of breached or stolen credentials, including usernames and passwords (which many Internet users tend to reuse across the websites they use), bots apply credential stuffing and credential cracking techniques to enter large numbers of login credentials in the hope of identifying those that work. These accounts are then taken over by botmasters looking to steal gift vouchers, discount codes, wallet balances, and similar forms of stored value that can be easily and quickly cashed out or used to make purchases. Others use bots for scalping, with resellers snapping up popular products for resale at inflated prices.
FIGURE 3: Bots attempting Account Takeover (December 2020)
With the growing deployment of sophisticated 4th generation bots, the kind that can mimic the behavior of humans as they traverse websites and mobile applications, more and more e-commerce websites and apps are starting to implement some form of bot protection to defend against these advanced bad bots. It is important to note that the bot traffic shown in these graphs represents bots that were blocked by Radware Bot Manager when they were found to be attempting scraping, ATO, and other types of attacks such as denial of inventory and cart abandonment (both of which occur when bots place items into shopping carts without ever buying them, hence making those items unavailable to genuine shoppers).
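The denial-of-inventory mechanism described above (carts that hold stock without ever checking out) is easiest to understand through the two controls a storefront can apply on its own side: a time-to-live on cart holds so unpurchased units return to stock, and a per-client ceiling on concurrent holds so one client cannot tie up a whole catalogue. The following is an added illustration, not code from the original post and not Radware Bot Manager logic; the `InventoryHolds` class, the event format, the hypothetical client ids and SKUs, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed cart event stream: (timestamp_seconds, client_id, sku, action).
# Client ids, SKUs and timings are made up for this example.
SAMPLE_EVENTS = [
    (0,   "bot-1",     "console",   "add"),
    (1,   "bot-1",     "headset",   "add"),
    (2,   "bot-1",     "gift-card", "add"),
    (3,   "bot-1",     "charger",   "add"),       # exceeds the per-client hold ceiling
    (4,   "shopper-a", "console",   "add"),
    (10,  "shopper-a", "console",   "checkout"),  # a genuine sale
    (20,  "bot-1",     "console",   "add"),       # still over the ceiling, refused again
    (700, "shopper-b", "headset",   "add"),       # bot-1's stale holds have expired by now
]

# Constructed opening stock for the example.
STOCK = {"console": 3, "headset": 2, "gift-card": 5, "charger": 4}

HOLD_TTL = 600         # seconds a cart hold keeps a unit reserved before it is released
MAX_ACTIVE_HOLDS = 3   # concurrent unpurchased holds allowed per client


class InventoryHolds:
    """Stock reservation with hold expiry and a per-client hold ceiling (hypothetical design)."""

    def __init__(self, stock, ttl=HOLD_TTL, max_holds=MAX_ACTIVE_HOLDS):
        self.stock = dict(stock)      # sku -> units available to new carts
        self.holds = {}               # (client, sku) -> expiry timestamp
        self.ttl = ttl
        self.max_holds = max_holds
        self.flagged = set()          # clients that hit the hold ceiling
        self.sold = 0
        self.expired = 0

    def expire(self, now):
        """Release every hold whose TTL has passed, returning its unit to stock."""
        for key, exp in list(self.holds.items()):
            if exp <= now:
                self.stock[key[1]] += 1
                self.expired += 1
                del self.holds[key]

    def add(self, now, client, sku):
        """Reserve one unit for a cart; refused when the client holds too much or stock is gone."""
        self.expire(now)
        active = sum(1 for c, _ in self.holds if c == client)
        if active >= self.max_holds:
            self.flagged.add(client)
            return False
        if self.stock.get(sku, 0) <= 0 or (client, sku) in self.holds:
            return False
        self.stock[sku] -= 1
        self.holds[(client, sku)] = now + self.ttl
        return True

    def checkout(self, now, client, sku):
        """Convert a live hold into a sale; the unit stays consumed."""
        self.expire(now)
        if self.holds.pop((client, sku), None) is None:
            return False
        self.sold += 1
        return True


def replay(events, stock):
    """Run an event stream through the hold model and report the outcome."""
    inv = InventoryHolds(stock)
    results = []
    for ts, client, sku, action in sorted(events):
        if action == "add":
            results.append(inv.add(ts, client, sku))
        elif action == "checkout":
            results.append(inv.checkout(ts, client, sku))
    return {
        "results": results,
        "stock": inv.stock,
        "flagged": inv.flagged,
        "sold": inv.sold,
        "expired": inv.expired,
    }


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, STOCK))
```

The ceiling does not identify the bot by itself; it limits the damage one client can do and produces a flag (`flagged`) that can be correlated with other signals. The TTL is what actually returns held units to genuine shoppers once the bot stops refreshing its carts.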
FIGURE 4: Bot traffic by generation (December 2020)
As shown in Figure 4 above, over 78% of all bots hitting our e-commerce customers last December were sophisticated 4th-generation bots. These highly advanced bots are programmed to mimic how humans use websites and applications, down to the way they scroll, click, tap, and enter text. To evade detection, they often use ‘low and slow’ techniques that use thousands of IP addresses, many of them residential addresses that were hacked and infected with malware to make them a part of a large botnet. Conventional security solutions and WAFs cannot detect and differentiate these bots from human traffic, but Radware Bot Manager accurately detected and prevented them from attacking our customers.
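The credential stuffing described earlier (one source trying many usernames) and the ‘low and slow’ variant described here (a botnet spreading attempts over thousands of residential IPs so that no single address looks busy) leave different traces in a login audit log. The block below is an added example, not code from the original post and not Radware Bot Manager's detection logic; the log format, the sample lines (RFC 5737 documentation addresses, constructed usernames) and the thresholds are assumptions made for the example. It shows both signals side by side and ends with the defender's actionable output: successful logins that deserve a session revocation and forced credential reset.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed login-audit lines (not real traffic; IPs are RFC 5737 documentation ranges).
# 192.0.2.10 is an ordinary user who mistypes twice; 198.51.100.7 stuffs six usernames
# in ten seconds; five 203.0.113.x addresses probe "victim" one attempt each, half an hour apart.
SAMPLE_LOG = """\
2020-12-23T10:00:01Z ip=192.0.2.10 user=alice result=fail
2020-12-23T10:00:09Z ip=192.0.2.10 user=alice result=fail
2020-12-23T10:00:20Z ip=192.0.2.10 user=alice result=ok
2020-12-23T10:05:00Z ip=198.51.100.7 user=bob result=fail
2020-12-23T10:05:02Z ip=198.51.100.7 user=carol result=fail
2020-12-23T10:05:04Z ip=198.51.100.7 user=dave result=fail
2020-12-23T10:05:06Z ip=198.51.100.7 user=erin result=fail
2020-12-23T10:05:08Z ip=198.51.100.7 user=frank result=ok
2020-12-23T10:05:10Z ip=198.51.100.7 user=grace result=fail
2020-12-23T10:10:00Z ip=203.0.113.11 user=victim result=fail
2020-12-23T10:41:00Z ip=203.0.113.52 user=victim result=fail
2020-12-23T11:12:00Z ip=203.0.113.93 user=victim result=fail
2020-12-23T11:43:00Z ip=203.0.113.134 user=victim result=fail
2020-12-23T12:14:00Z ip=203.0.113.175 user=victim result=ok
"""

# Hypothetical line format assumed for this example.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_log(text):
    """Parse audit lines into (epoch_seconds, ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        events.append((ts, m["ip"], m["user"], m["result"]))
    return sorted(events)


def volumetric_sources(events, window=60, min_users=5):
    """IPs that try at least min_users distinct usernames inside any `window` seconds.
    This is the classic single-source credential stuffing pattern."""
    per_ip = defaultdict(deque)
    flagged = set()
    for ts, ip, user, _ in events:
        q = per_ip[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:      # slide the window forward
            q.popleft()
        if len({u for _, u in q}) >= min_users:
            flagged.add(ip)
    return flagged


def distributed_targets(events, min_ips=4):
    """Usernames probed from at least min_ips distinct addresses: the low-and-slow pattern,
    where each botnet member makes only one attempt and per-IP rate limits never fire."""
    ips_per_user = defaultdict(set)
    for _, ip, user, _ in events:
        ips_per_user[user].add(ip)
    return {u for u, ips in ips_per_user.items() if len(ips) >= min_ips}


def single_shot_share(events):
    """Fraction of failed attempts coming from an IP seen exactly once in the sample.
    A high share is a fleet-level hint of distributed stuffing before per-user thresholds trip."""
    seen = defaultdict(int)
    for _, ip, _, _ in events:
        seen[ip] += 1
    fails = [e for e in events if e[3] == "fail"]
    if not fails:
        return 0.0
    return sum(1 for e in fails if seen[e[1]] == 1) / len(fails)


def successes_to_review(events, bad_ips, bad_users):
    """Successful logins from a flagged IP or against a flagged username: the accounts
    a responder would revoke sessions for and push through a credential reset."""
    return {(user, ip) for _, ip, user, result in events
            if result == "ok" and (ip in bad_ips or user in bad_users)}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    ips, users = volumetric_sources(ev), distributed_targets(ev)
    print("volumetric sources:", ips)
    print("distributed targets:", users)
    print("single-shot failure share: %.2f" % single_shot_share(ev))
    print("logins to review:", successes_to_review(ev, ips, users))
```

The point of keying the second detector on the username rather than the IP is exactly the evasion the paragraph describes: with thousands of residential addresses, each making one attempt, per-IP counters stay at one and only the per-account view reveals the campaign.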
With an ever-growing share of overall consumer spending shifting to online purchases, e-commerce enterprises would be well advised to adopt specialized bot management tools to protect their revenue streams and customer acquisition and retention efforts. Every announcement about a breach of account credentials or PII (personally identifiable information) at an e-commerce site tends to make existing and potential customers steer clear of such sites, given the large number of alternatives in the retail arena. Prevention being better than a cure, implementing a specialized solution like Radware Bot Manager that requires no infrastructure changes and can protect enterprises in e-commerce and any other industry against bot threats should be one of the easiest decisions for CTOs and CISOs to make.