Cequence Security
Blog
July 29, 2019 / Bot Attacks, General

When does Comparison Shopping Become Malicious?

Comparison shopping is a proven and accepted practice within the retail industry. Pre-internet era versions meant shoppers would physically visit the retailers to get their “bottom line” price. Early online comparison shopping meant you could use search to find the desired product and compare vendors from the comfort of your own home, only physically venturing to the brick and mortar location as needed.

The evolution has continued with retail automation taking some of the comparison efforts away through “price smash or price match” features. The goal of these features is to ensure the vendor makes the sale, regardless of price, and given that the intent of the consumer is to get the best price, the result is a positive one.

At the same time, retailer pricing strategies and tools have evolved using these same techniques, albeit in a formalized, legitimate manner with the intent of ensuring their products are priced accurately. The opportunity for automation and add-on services has spawned a new generation of tools focusing on the topic of pricing intelligence, with vendors that are outwardly focused on helping retailers gain and maintain a competitive edge.

Recently, one of our customers discovered some of the same search and comparison techniques being used in an automated, yet malicious manner. This raises the question: when does the age-old practice of comparison shopping become malicious? Here is what we found.

  • Search Abuse: Using automation to find a retail item for purchase is common practice. A search for sneakerbot, NikeBot, or Ticketbot will not only allow you to find a bot to automate finding the high demand item you desire, but it may also help you purchase them. Going one step further, the automated search bots found in our retail customer environment exhibited the following characteristics:
    • The search queries targeted every single web application URI across all of their locations.
    • The search patterns were too perfect and too fast to be human.
    • The queries were distributed across a wide range of locations that didn’t match the locations of the search queries themselves.
    • Many of the queried items did not exist, placing a significant strain on their infrastructure.

Taken collectively, these findings provided strong evidence that the intent of the search was malicious.

  • Content Scraping: As with search, the practice of copying web content is an accepted one, as evidenced by content aggregators in the hospitality/travel and healthcare industries. The scraping activity observed during our investigation exhibited the following characteristics:
    • The automation targeted URIs that did not exist.
    • Multiple masking/evasive techniques were used to disguise the attack, including browser spoofing and forgery along with sophisticated user agent rotation.
    • As with search abuse, some of the items scraped did not exist.

Viewed under a single pane of glass, the intent of these activities was deemed to be malicious. 
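The indicators from both lists above (request rate, queries for items that do not exist, user agent rotation, and a mismatch between the client's location and the store location it queries) can be turned into a per-client score. This is an added illustration, not Cequence code; the log format, the `store=` query parameter and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed sample log: client_ip|client_geo|timestamp|user_agent|path|status
SAMPLE_LOG = """\
198.51.100.4|US|2019-07-29T10:00:01|Mozilla/5.0 (Windows NT 10.0) Firefox/68.0|/search?q=running+shoes&store=US-NYC|200
198.51.100.4|US|2019-07-29T10:00:41|Mozilla/5.0 (Windows NT 10.0) Firefox/68.0|/product/4471|200
198.51.100.4|US|2019-07-29T10:02:15|Mozilla/5.0 (Windows NT 10.0) Firefox/68.0|/search?q=trail+shoes&store=US-NYC|200
203.0.113.7|DE|2019-07-29T10:00:00|Mozilla/5.0 (Windows NT 10.0) Chrome/75.0|/search?q=sku-900001&store=US-NYC|404
203.0.113.7|DE|2019-07-29T10:00:00|Mozilla/5.0 (Macintosh) Safari/12.1|/search?q=sku-900002&store=US-LAX|404
203.0.113.7|DE|2019-07-29T10:00:01|Mozilla/5.0 (X11; Linux) Chrome/74.0|/search?q=sku-900003&store=US-CHI|404
203.0.113.7|DE|2019-07-29T10:00:01|Mozilla/5.0 (iPhone) Safari/12.1|/search?q=running+shoes&store=US-NYC|200
203.0.113.7|DE|2019-07-29T10:00:02|Mozilla/5.0 (Android) Chrome/75.0|/search?q=sku-900004&store=US-DAL|404
"""

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ip, geo, ts, ua, path, status = line.split("|")
        rows.append({"ip": ip, "geo": geo, "ts": datetime.fromisoformat(ts),
                     "ua": ua, "path": path, "status": int(status)})
    return rows

def store_country(path):
    # Assumed convention: store=US-NYC names the store's country first; None if no store given
    store = parse_qs(urlparse(path).query).get("store")
    return store[0].split("-")[0] if store else None

def score_clients(rows, max_rps=1.0, max_404=0.5, max_uas=2, max_geo_mismatch=0.5):
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["ip"]].append(r)
    report = {}
    for ip, reqs in by_ip.items():
        span = max(1.0, (max(r["ts"] for r in reqs) - min(r["ts"] for r in reqs)).total_seconds())
        stores = [s for s in (store_country(r["path"]) for r in reqs) if s]
        indicators = {
            "too_fast": len(reqs) / span > max_rps,                      # too perfect and too fast
            "nonexistent_items": sum(r["status"] == 404 for r in reqs) / len(reqs) > max_404,
            "ua_rotation": len({r["ua"] for r in reqs}) > max_uas,         # masking via UA rotation
            "geo_mismatch": bool(stores) and
                sum(s != reqs[0]["geo"] for s in stores) / len(stores) > max_geo_mismatch,
        }
        hits = sum(indicators.values())
        # A single indicator is weak on its own; only the combination justifies a deny.
        report[ip] = {"indicators": indicators, "hits": hits,
                      "decision": "deny" if hits >= 3 else ("review" if hits else "allow")}
    return report
```

Run over the constructed log, the human-paced shopper from the US trips no indicator, while the German client querying US stores for non-existent SKUs at several requests per second with five user agents trips all four.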

Online interactions are well known for lacking context. Emails are easily misinterpreted, instant messages and social media posts even more so. Even further removed and lacking in context are search and browsing activity. In retail environments, where margins are razor-thin and the actual intent of the transaction is unknown, the decision to allow will be more common than the decision to deny. With the added context around automation and the techniques used to mask the activity, the decision to deny can be made more confidently.

Matt Keil
Director of Product Marketing