Whether they are participating in it or competing against it, retailers worldwide are preparing for Amazon Prime Day. No doubt threat actors are doing the same, choosing their targets, assembling the tools and infrastructure to execute their automated shopping bot attacks. Threat actors have taken note of the money to be made in the resale and gray markets for high-demand products and have increased their investment in the malicious tools needed to be successful. The automated shopping bot opportunity and investments are best exemplified in the rapid rise of Bots-as-a-Service, a commercialized set of tools that allows almost anyone to become a bot manager.
Relative to other types of automated bot attacks, shopping bots are among the most sophisticated, combining elements from scraping, fake account creation, account takeover, and enumeration attacks to achieve their end goal.
- Preparing for the purchase: With the data for the target item compiled, the next phase is to mimic a legitimate buyer. Imitation happens in two ways: through classic account takeovers or, more commonly, through fake (guest) account creation. Most retailers allow purchases through a guest account, which usually requires only a valid email address. Threat actors use automation to create valid email accounts that are then used to execute multiple purchases, which, for high-demand items, increases the chances of success. Defending against this type of activity requires advanced telemetry that combines multiple behavioral patterns to uncover the true intent, since no single signal (a fresh email address, a shared IP, a repeated shipping address) is conclusive on its own.
- Purchase execution: In some cases, threat actors will use their own credit cards and shipping addresses to complete the purchase. For those that wish to remain anonymous, some services allow you to establish alternative payment mechanisms and shipping addresses. Using enumeration techniques, shipping confirmations can be tracked and checked anonymously.
Making Automated Shopping Operationally Efficient
As organizations execute cloud-first initiatives, they often look to SaaS offerings when adding or replacing enterprise applications. The reason: SaaS offerings reduce the operational burden of deploying the application. Automated shopping bots have followed the same path. A threat actor no longer needs to assemble an arsenal of tools such as OpenBullet, predefined attack configs and Bulletproof Proxy subscriptions to execute an attack. Now, fully commercialized Bots-as-a-Service (BaaS) combine each of the elements described above and augment them with plug-ins and other ancillary services. BaaS offerings range in price from $400.00 to $5,000.00, are specialized for certain sites, and come with how-to guides, 24×7 support and user reviews, with some offering guaranteed hit rates.
Whether the automated shopping attack is executed manually or fully automated via BaaS, retailers are faced with a problem that impacts the bottom line. According to a Forrester Research survey of more than 400 respondents, 63% report losing between 1% and 10% of their revenue to web scraping attacks alone.
Cequence Bot Defense Can Help