
Holiday Ecommerce: The New Bot Threat, the New Defense


As originally published in MultiChannel Merchant


This year, holiday ecommerce activity and revenue will rise dramatically – for cyber criminals.

Santa, a master at large-scale behavior analysis, used to know who’s good and “who’s bad.” That’s much more difficult this year, as more professional cybercriminal organizations use sophisticated bots to get their Christmas bonus. It may look like Mom or Dad shopping – it may even BE Mom or Dad – but they could carry a significant threat.

Attacks have become more sophisticated. The latest (4th Generation) automated bots sneak past security by piggybacking on a legitimate user, and do their damage quietly while the human user is just handling his or her business. Moreover, with the rise of IoT botnets, even the basic, easier-to-detect attacks are faster and more aggressive.

Account takeover: how the burglar picks the lock

Account takeover is a common way that e-commerce crimes begin. With automated bots, and curated lists of username-password combinations, attackers can compromise thousands of accounts very quickly. E-tailers struggle to detect both the account takeover attacks, which are cleverly disguised through proxy networks and minimal repetition of IP addresses, and the fraudulent activity after a criminal “gets in.” The average user has just over six passwords, and uses each password on four sites. The hacker who cracks one account can usually find other accounts that accept the same credentials.

Attackers with access to legitimate accounts will abuse them in several ways by placing fraudulent orders. Most techniques used by online retailers today to detect unauthorized entry fail to identify these advanced attacks, so the business is damaged before anyone knows.

Strong password policies are part of the solution, but only a start. A behavior-based approach adds another layer of defense to stop damage before a criminal can gain entry.
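The point about minimal repetition of IP addresses can be seen in login logs. The sketch below is an added example, not code from the original article: it runs a classic per-IP failure rule and a site-wide window rule over constructed login events. The event fields, thresholds and function names are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, login_ok).
def sample_events():
    events = []
    # Window 0: ordinary shoppers; one mistypes a password twice, then gets in.
    for i in range(20):
        events.append((i * 10, f"198.51.100.{i}", f"shopper{i}", True))
    events += [(205, "198.51.100.7", "shopper7", False),
               (215, "198.51.100.7", "shopper7", False),
               (225, "198.51.100.7", "shopper7", True)]
    # Window 1: credential list replayed through proxies, one IP per attempt.
    for i in range(60):
        events.append((300 + i * 4, f"203.0.113.{i}", f"victim{i}", i % 20 == 0))
    return events

def per_ip_flags(events, max_failures=5):
    """Classic rule: flag any IP with more than max_failures failed logins."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n > max_failures}

def window_flags(events, window=300, min_failures=30, min_fail_rate=0.8,
                 min_spread=0.9):
    """Site-wide rule: flag windows where most logins fail AND the failures
    are spread over nearly as many usernames and IPs as there are failures."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window].append((ip, user, ok))
    flagged = []
    for start, rows in sorted(buckets.items()):
        failed = [(ip, user) for ip, user, ok in rows if not ok]
        if len(failed) < min_failures:
            continue  # too few failures to judge (assumed threshold)
        fail_rate = len(failed) / len(rows)
        user_spread = len({u for _, u in failed}) / len(failed)
        ip_spread = len({ip for ip, _ in failed}) / len(failed)
        if fail_rate >= min_fail_rate and min(user_spread, ip_spread) >= min_spread:
            flagged.append((start * window, len(failed), round(fail_rate, 2)))
    return flagged

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP rule:", per_ip_flags(ev))
    print("site-wide rule:", window_flags(ev))
```

On this sample the per-IP rule flags nothing, while the site-wide rule flags the second five-minute window; the shopper who mistyped a password is not flagged by either.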

Stealing the balance from your customers’ gift cards

For nine consecutive years, the most requested holiday gift has been…a gift card. Gift cards are an ideal holiday target for attackers. Ninety-three percent of US consumers buy or receive a gift card every year. Attackers can guess when that average balance peaks: between the purchase of the card, and when the recipient first uses the card (think: December 24 and 25). Attackers understand the structure of gift card numbers, and past experience tells us they’re already at work with large botnets to make millions of attempts during the season. When they “crack a card” and find it has a sizable balance, they steal the stored value.

For retailers, gift card fraud hurts revenue, customer loyalty and brand reputation. As a starting point, retailers should examine the security measures of any third-party gift card provider they use. Further, it is crucial to identify whether a user is bot or human at the moment they check the balance on a gift card.

Your Limited Edition Products: snatched up and resold at sharply higher prices

Retailers often promote limited editions in popular holiday categories like toys or consumer electronics to attract shoppers. Demand for the hottest products can create shortages, allowing attackers to deny inventory to regular consumers. Despite the best efforts of online retailers to block malicious bots, advanced bots succeed in quickly snapping up entire inventories of hot items. Consumers are shut out, and their only option is to buy the hot product from scalpers at drastically higher prices on sites like eBay, Craigslist, and StubHub.

A recent example: the NES Classic Edition video game console, at $60 MSRP, was quickly bought out and is – at the moment this is written – offered on eBay for anywhere from $288 to $4,100.

Scraping your Inventory data, customer reviews and prices

Online retailers display prices, inventory availability, product reviews, custom photography, and product descriptions carefully crafted for online search and marketing impact. It’s all for educating the consumer and getting them to buy, but it’s also valuable intellectual property. No ecommerce site wants to help competitors by letting them vacuum up this content and use it to fine-tune their pricing and merchandising strategy.

E-tailers need to block “bad crawlers” and automated activity, while permitting “good crawling” from search engines.

Self-Defense: Is This Shopper Behaving Like a Human Today?

A shopper logs in to an e-commerce site, using valid credentials on the first try. He browses products and reviews, and reads the terms of gift cards. He looks like a legitimate human. But something’s wrong: he clicks without zeroing in on the selection button. That’s not typical of humans. A behavior-based approach to security would allow the site to immediately challenge this customer. When ecommerce sites can trust neither passwords and legitimate email addresses nor historical signatures, a web-behavior-based approach offers a method to stop automated attacks early, before they ring up damage.

There is an ongoing intellectual arms race: criminals hunt for vulnerabilities and new ways to trick the protectors, while web behavior analytics experts find new ways to correctly identify whether the user is (today) a human or not.

Today, the frontier for defense against automated bot attacks is understanding how human customers behave on specific pages of specific websites. In other words, on a key shopping page at, how do humans behave? That knowledge is difficult for criminals to come by, and harder still for them to duplicate.

Prediction: Automated Attacks will Peak – at the Peak

Malicious bot activity makes up 20% to 50% or more of traffic on ecommerce and media sites. Hackers must be anticipating the holidays – what better time to come in with the tide, targeting gift cards, scalping hot items to play on heightened demand, and stealing valuable content. In addition, 4th Generation bot traffic will grow organically because it hides among real web and mobile users.

If you can stop bots earlier and faster, then bot-enabled fraud will have much less impact on your business and your customers over the holidays. More of your capacity, limited-inventory bestsellers, and marketing budget will go to legitimate customers. Content scrapers will find it harder to get at your intellectual property and pricing consistently. And your analytics will be more reflective of what your prospects and customers are really doing, rather than being skewed by bot traffic.

Ecommerce Security Needs to Evolve Constantly, or the Hackers Win

Password policies that are strong but do not frustrate consumers are crucial, and behavior analysis is needed to complement existing security. Still, every ecommerce operator should face three truths:

  • Bots will frequently gain access to legitimate accounts and gift cards.
  • Their presence is often very difficult to detect.
  • The best web behavior analysis must be constantly upgraded, because criminals are relentlessly upping their game.

E-tailers want to emulate Santa and reward site visitors who are “good” — that is, who are human, legitimate customers. At the same time, they need advanced tools to separate the website traffic that is malicious, especially over the peak holiday season.

© PerimeterX, Inc. All rights reserved.