Anatomy of a Retail Shopping Bot

by Matt Keil on June 14, 2021

Whether they are participating in it or competing against it, retailers worldwide are preparing for Amazon Prime Day. No doubt threat actors are doing the same, choosing their targets, assembling the tools and infrastructure to execute their automated shopping bot attacks. Threat actors have taken note of the money to be made in the resale and gray markets for high-demand products and have increased their investment in the malicious tools needed to be successful. The automated shopping bot opportunity and investments are best exemplified in the rapid rise of Bots-as-a-Service, a commercialized set of tools that allows almost anyone to become a bot manager.

Relative to other types of automated bot attacks, shopping bots are among the most sophisticated, combining elements from scraping, fake account creation, account takeover, and enumeration attacks to achieve their end goal.

Finding the target: Just as you and I might search for the item we want to purchase, so too will threat actors. Whereas we will find the desired object manually, threat actors use automation, scraping data from many sites, compiling it for use when the item goes on sale. For retailers, scraping is a difficult attack to defend against because it can be executed against APIs or via an HTTP Get instead of HTTP Post. Both techniques are capable of bypassing JavaScript telemetry collection used to block the activity.
Preparing for the purchase: With the data for the target item compiled, the next phase is to mimic a legitimate buyer. Imitation happens in two ways – through classic account takeovers, or more commonly, through fake (guest) account creation. Most retailers will allow you to purchase using a guest account, which usually requires a valid email address. Threat actors use automation to create valid email accounts that are used to execute multiple purchases, which in the case of high-demand items, increases the chances of success. Defending against this type of activity requires advanced telemetry that combines multiple behavioral patterns to uncover the true intent.
Purchase execution: In some cases, threat actors will use their own credit cards and shipping addresses to complete the purchase. For those that wish to remain anonymous, some services allow you to establish alternative payment mechanisms and shipping addresses. Using enumeration techniques, shipping confirmations can be tracked and checked anonymously.

Making Automated Shopping Operationally Efficient

As organizations execute cloud-first initiatives, they often look to SaaS offerings when adding or replacing enterprise applications. The reason: SaaS offerings help enterprises reduce the operational burden of deploying the application. Automated shopping bots have followed the same path. A threat actor no longer needs to assemble the arsenal of tools like OpenBullet, predefined attack configs and Bulletproof Proxy subscriptions to execute their attack. Now, fully commercialized Bots-as-a-Service (BaaS) combine each of the elements described above, augmenting them with plug-ins and other ancillary services. BaaS offerings range in price from $400.00 to $5,000.00, are specialized for certain sites, offering how-to guides, 24×7 support, user reviews with some offering guaranteed hit rates.

Whether the automated shopping attack is manually executed or fully automated via BaaS, retailers are faced with a problem that impacts the bottom line. According to Forrester Research survey of more than 400 respondents, 63% report losing between 1% and 10% of their revenue to web scraping attacks alone.

Sponsorships Available

Cequence Bot Defense Can Help

If you’re one of the organizations looking to improve your defenses against automated shopping bots, you should check out Cequence Bot Defense. It is a dedicated bot mitigation solution that differentiates itself from others by being the only offering to not require the use of JavaScript or mobile SDK integration efforts.

See the platform in action: