Scalping is an age-old practice: touts and resellers buy up event tickets and other goods in high demand, then sell them on at a considerable profit.
Today, scalping has mostly moved online, where millions of consumers buy products and services every single day, and transactions are often completed in minutes.
Scalpers today leverage sophisticated “all-in-one” bots, sold online, that are programmed to scan e-commerce, ticketing and other websites and applications at regular intervals and to buy large quantities of sought-after products (such as certain brands of sneakers and gaming consoles) before regular consumers even get a chance to log in. The scalped products are then quickly resold through eBay and other portals that serve the secondary market.
An Overview of Automated Scalping Attacks
Scalper bots are set up to visit popular e-commerce portals at frequent intervals, scanning for product “drops”: launches of highly anticipated products such as fashion sneakers or gaming systems. Before a drop, the scalpers behind these bots create user accounts at the online store under various identities, using different IP addresses, payment cards and shipping addresses, and combinations thereof, to evade fraud detection systems.
Many product launches are advertised well in advance of the drop date, and the bots ramp up their visits as the launch approaches. As soon as the products go on sale, scalper bots swoop in and snatch up as many items as they can, using the previously created accounts together with online accomplices such as “CAPTCHA farms”: teams of outsourced workers at agencies that specialize in solving such anti-bot challenges in real time.
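The polling behaviour described above leaves a recognizable trace in ordinary web access logs. The following is an added example, not Radware's code or material from the original page: it reads constructed log lines in an assumed format and flags clients that hit the drop page both faster than a shopper would and at machine-like regular intervals. The product path, the client identifier and the thresholds are assumptions made for this illustration.

```python
"""Flag drop-polling clients in a web access log.

Added example, not Radware's code: a scalper bot that scans a product
page "at frequent intervals" shows up as one client hitting the same URL
many times a minute at timer-like regular gaps, which a shopper refreshing
in excitement does not.  Log format, client identifier and thresholds are
assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

PRODUCT_PATH = "/product/console-x"     # assumed drop page
WINDOW_SECONDS = 60
MAX_HUMAN_HITS_PER_WINDOW = 6           # assumed: more hits per minute than this is suspicious
MAX_REGULAR_CV = 0.25                   # assumed: coefficient of variation of gaps; bots are regular


def build_sample_log():
    """Constructed log lines: '<ISO-8601 UTC> <client_id> <method> <path>'.

    client_id is whatever the site can pin to a visitor (account, session
    cookie, device fingerprint); keying on a bare IP address would let a
    bot spread the same polling over many residential proxies.
    """
    base = datetime(2021, 3, 1, 9, 59, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Bot: polls the drop page every 2 seconds for a minute (30 hits).
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.strftime(fmt)} acct-1001 GET {PRODUCT_PATH}")
    # Excited shopper: 8 refreshes in a minute, but at irregular intervals.
    for off in (0, 3, 10, 11, 25, 40, 41, 59):
        t = base + timedelta(seconds=off)
        lines.append(f"{t.strftime(fmt)} acct-2002 GET {PRODUCT_PATH}")
    # Casual shopper: a few visits, plus an unrelated page that is ignored.
    for off in (5, 27, 51):
        t = base + timedelta(seconds=off)
        lines.append(f"{t.strftime(fmt)} acct-3003 GET {PRODUCT_PATH}")
    lines.append(f"{base.strftime(fmt)} acct-3003 GET /cart")
    return lines   # order of lines does not matter; timestamps are sorted per client


def parse_line(line):
    ts, client, _method, path = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, path


def max_hits_in_window(stamps, window=WINDOW_SECONDS):
    """Largest number of sorted timestamps falling within any `window` seconds."""
    best = left = 0
    for right in range(len(stamps)):
        while (stamps[right] - stamps[left]).total_seconds() > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def flag_pollers(lines):
    """Return {client: stats} for clients whose polling is both fast and regular."""
    hits = defaultdict(list)
    for line in lines:
        ts, client, path = parse_line(line)
        if path == PRODUCT_PATH:
            hits[client].append(ts)

    flagged = {}
    for client, stamps in hits.items():
        stamps.sort()
        peak = max_hits_in_window(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Coefficient of variation of inter-request gaps: ~0 for a timer-driven bot.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else float("inf")
        if peak > MAX_HUMAN_HITS_PER_WINDOW and cv < MAX_REGULAR_CV:
            flagged[client] = {"peak_hits": peak, "interval_cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for client, stats in flag_pollers(build_sample_log()).items():
        print(f"{client}: {stats}")
```

Two design points matter here. The client identifier is an account or session, not an IP address, because a bot spread over residential proxies would otherwise stay under any per-IP threshold. And rate alone is not enough: the excited shopper in the constructed log refreshes eight times in a minute and is not flagged, because the gaps between requests are irregular, while the bot's two-second timer gives a coefficient of variation of zero.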
Scalping, particularly of event tickets, is illegal or restricted in many jurisdictions, but it is not always prosecuted, because the anonymity the Internet provides makes scalpers’ identities difficult to ascertain. In the year after the COVID-19 pandemic began, scalpers were reported to have bought out large supplies of essential products that had suddenly come into high demand, such as face masks and hand sanitizer, as well as entertainment hardware such as PlayStation 5 game consoles and high-end Nvidia graphics cards.
How Radware Bot Manager Prevents Scalping Attacks
Types of Scalping Attacks
Scalping has always been about being among the first to buy products and tickets in limited supply. Bot technology makes it easy for scalpers to spot items the moment they are listed, buy them before the average consumer can even log in to the sales portal, and resell them at whatever price buyers are willing to pay.
Fashion sneakers and apparel produced in limited volumes, as well as mass-produced items in high demand such as the latest gaming consoles and high-end graphics cards (used not only for gaming and video production but also to mine cryptocurrencies), have in recent years become some of the most-scalped goods.
Just as in the pre-Internet era, concert and sports event tickets continue to be bought and resold by scalpers. Even though many online sellers have taken steps to mitigate scalping, such as requiring buyers to collect their orders from retail stores rather than having them delivered, scalping is not likely to go away: there is a lot of profit to be made from mismatches between supply and demand, and scalpers keep finding ways to get to the head of the line.
How to Stop Scalpers and Prevent Scalping
Some portals have implemented limits on the number of items a buyer can place in a shopping cart. Others require in-person pickup from their stores or have introduced points of friction to slow scalpers down (which also irritate genuine shoppers), such as requiring proof of identification, solving CAPTCHAs, or issuing tokens that give priority to existing customers or members of loyalty programs. Unfortunately, none of these approaches scales well for large e-commerce and ticketing portals, and scalpers usually find ways to defeat them: a per-account cart limit is sidestepped with the many accounts a scalper registers, and CAPTCHAs are farmed out to human solvers.
Scalper bots are readily available for sale online, and some bot developers even provide customer support and outsourced CAPTCHA-solving services so that their customers get the most out of them. If an enterprise tries to stop bots with traditional measures such as blocking IP addresses, geographic regions or data-center address ranges, scalper bot operators soon switch to hijacked residential devices and residential proxy networks, so that their traffic appears to come from ordinary home connections and slips under the radar.
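The two weaknesses described in the last two paragraphs, per-account cart limits beaten by many accounts and IP blocking beaten by residential proxies, can be addressed together by applying the purchase limit to linked identities rather than to accounts or IPs. The following is an added example, not Radware's code or material from the original page: it links accounts that share a payment-card fingerprint or a normalized shipping address and enforces the limit across the whole cluster. The orders, card fingerprints, addresses and the limit of one unit per customer are constructed for this illustration.

```python
"""Enforce a purchase limit per real customer, not per account or per IP.

Added example, not Radware's code: a per-account cart limit is defeated
by the multiple accounts a scalper registers, and a per-IP limit by the
residential proxies those accounts sign in through.  Linking accounts that
share a payment-card fingerprint or a shipping address, and applying the
limit to the whole cluster, holds up against both.  Order fields,
fingerprints and addresses below are constructed for this illustration.
"""
import re
from collections import defaultdict, namedtuple

Order = namedtuple("Order", "account client_ip card_fp shipping qty")
PER_CUSTOMER_LIMIT = 1   # assumed: one console per customer for this drop

# Constructed orders.  acct-1001..1003 belong to one scalper: every order
# arrives from a different (proxied) IP, but the card or the address is reused.
ORDERS = [
    Order("acct-1001", "203.0.113.10", "card-A", "12 Elm St, Unit 4, Springfield", 1),
    Order("acct-1002", "198.51.100.7", "card-A", "12 Elm St Unit 4 Springfield", 1),
    Order("acct-1003", "192.0.2.55",   "card-B", "12 elm st, unit 4, springfield", 1),
    Order("acct-2001", "192.0.2.56",   "card-C", "9 Oak Ave, Shelbyville", 1),
    Order("acct-2002", "203.0.113.77", "card-D", "31 Birch Rd, Capital City", 1),
]


def normalize_address(addr):
    """Fold case, punctuation and spacing so trivial variants compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()


class DisjointSet:
    """Union-find over arbitrary hashable keys (accounts, cards, addresses)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_accounts(orders):
    """Return {account: cluster_id}; accounts sharing a card or address share an id."""
    ds = DisjointSet()
    for o in orders:
        ds.union(o.account, "card:" + o.card_fp)
        ds.union(o.account, "addr:" + normalize_address(o.shipping))
    return {o.account: ds.find(o.account) for o in orders}


def decide(orders, key_of, limit=PER_CUSTOMER_LIMIT):
    """Process orders in arrival order; accept while the key's running total stays within limit."""
    taken = defaultdict(int)
    decisions = {}
    for o in orders:
        key = key_of(o)
        if taken[key] + o.qty <= limit:
            taken[key] += o.qty
            decisions[o.account] = "accepted"
        else:
            decisions[o.account] = "rejected"
    return decisions


def cluster_key(orders):
    """Key function that maps an order to its linked-identity cluster."""
    clusters = link_accounts(orders)
    return lambda o: clusters[o.account]


if __name__ == "__main__":
    print("per account:", decide(ORDERS, lambda o: o.account))
    print("per IP:     ", decide(ORDERS, lambda o: o.client_ip))
    print("per cluster:", decide(ORDERS, cluster_key(ORDERS)))
```

Run the three keys side by side: keyed per account or per IP, all five orders are accepted; keyed per cluster, the scalper's second and third orders are rejected while the two unrelated customers go through. Address linking on its own will also join members of one household, so in practice a cluster match is better treated as a signal for added friction or manual review than as an automatic block, and the card fingerprint should be a token issued by the payment processor, never a raw card number.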