The Grinch bot that stole Christmas
Thu 12 Dec 2019 | Edward Roberts
This holiday season, e-commerce sites are contending with the rise of troublesome Grinch bots
We’ve all heard of the bogeyman that steals children in the night-time. It’s been giving kids nightmares for years. Now, we have something that will give their parents a scare during the next few weeks. It’s the Grinch bot and it’s quietly stealing presents in the build-up to Christmas.
During the golden quarter, the period encompassing Thanksgiving, Black Friday, Cyber Monday, Christmas and the New Year sales, the Grinch bot is proving to be a real party-pooper.
Like the real-life Grinch from the books by Dr Seuss, the Grinch bot is a thoroughly unpleasant individual. His job is to steal toys that everybody wants and hoard them until just before the big sales event of the season, driving up prices and making a killing on the profits.
Together with the Sneaker bot, which searches out the best sneaker (trainer) deals and secures them for resale on specialist markets, they can do serious damage to your purse strings.
The bot problem has become so bad that US Congress has proposed new legislation called the Stopping Grinch Bots Act 2018. It seeks to outlaw the use of bots entirely to prevent their misuse and the deliberate inflation of prices.
But e-commerce bots have been used for years, not just for hyping prices. Some e-commerce domains see over 90 percent of their traffic coming from bots. They perform constant scraping of product and pricing information that skews online retail analytics. Bots pollute key metrics such as the conversion rates and lifetime value of a customer.
Also, the volume of bots, particularly during peak times like Black Friday, adversely affects website performance, which can lead to reputational loss, cart abandonment and lost revenue if the website goes down or a transaction is interrupted.
The variety of bot attacks is more diverse in e-commerce than in any other industry. The Grinch bot and Sneaker bot are also involved in unauthorised price and content scraping, denial of inventory, customer account takeover and gift-card fraud. They are pests for most retailers – not just for Christmas, but all year round.
It’s not loyalty
Even though the account holder is not physically robbed of money, a bot hack can destroy a huge amount of credibility and customer trust in a brand. Customers are spending more money year-round on limited edition or high-demand products, like the season’s hottest toys or the latest shoe release. Automated bots are the easiest method for attackers to get their hands on these goods. Because of their ability to rapidly repeat a specific task, bots are used to do things at speed that humans can’t or simply won’t do.
This demand is exactly the motivation malicious attackers need to exploit retailers and customers. But just how bad is the problem? This year, the Imperva Bot-Management threat research team conducted the first industry-specific study into the impact of bad bots on the e-commerce industry. Analysing 16.4 billion requests from 231 domains, the study found the sophistication of bots attacking e-commerce sites was on the rise.
Of the total e-commerce traffic analysed, 18 percent consisted of bad bots, 13 percent of good bots and 69 percent of humans. Of the bad bots, nearly four-fifths (79 percent) were classified as moderate or sophisticated risks, up from 76 percent in 2018. The rise in sophistication can be put down to the arms race at play between the bot operators and bot mitigation technology.
Stopping the Grinch
Most retailers have policies in place designed to block bots electronically and limit how many products any customer can buy. But that only does so much when malicious actors are using multiple bots.
The Stopping Grinch Bots Act would make it illegal to resell all products purchased by automated bots. Think of it like copyright laws and online privacy. That could give retailers a new weapon against online scammers.
But while we wait for a new law to come into effect – and then it will only cover the US – retailers need to protect themselves and their products from fraud. Almost all online retailers will have a fraud prevention team which uses a range of anti-fraud solutions to combat the various persistent threats.
It is paramount that a tool specifically designed to detect bots is used, as tools such as a Web Application Firewall (WAF) struggle to detect sophisticated bots. A layered defence-in-depth approach is the way to go. This should include DDoS protection to detect volumetric bots, WAF to detect malicious activity and Bot Management to detect application layer bot abuse.
Like any cyber security measure, it’s a constant battle to outwit the fraudsters and hackers. Global legislation will help but until its introduction, we still need to catch and convict bot creators. So retailers still need to be vigilant in the golden quarter and constantly monitor their web traffic.
If we all stay vigilant, we can ensure we all have a bot-free trading period. It’s up to us all to ensure the Grinch bot or Sneaker bot doesn’t steal Christmas.