A previous post explained why online retailers should expect to incur record losses from malicious bot activity this holiday shopping season. This post reveals the five types of bot attacks likely to cause the majority of the damage.
Account Takeover: A Bot Takes Over a Real User’s Account
E-commerce criminals frequently use account takeover (ATO) attacks as the first step in a wave of attacks utilizing the login credentials of unsuspecting customers. This type of attack costs retailers billions of dollars of losses yearly.
Credential stuffing, the testing of harvested username and password pairs, is by far the most significant type of ATO attack. On the dark web, cybercriminals can purchase 100,000 account credentials for as little as $10. They write a script to test those usernames and passwords against many sites to verify which pairs still work, and then sell the validated pairs for $1 to $5 each. With a success rate of just one percent, that is 1,000 working credentials from a $10 list, so a bad actor can make up to $5,000 per campaign.
Today, the criminal ecosystem is highly evolved, with extremely low barriers to entry, and cybercriminals have no trouble getting creative. For example, a criminal does not even have to write a script: they can rent hours on a botnet, request any number of nodes, and supply the payload that runs the validation campaign. The resulting information can be sold for profit or used directly to place fraudulent orders and commit other illegal acts, all under the cover of a legitimate user account.
Carding: Bots Use Stolen Credit Cards to Ring Up Charges
For markets where there is a high percentage of credit card usage, like the United States, carding – a form of credit card fraud – remains a significant issue. Here’s how it works.
Carders use bots to test lists of recently stolen credit or debit card information, obtained from other hackers or from the dark web, against merchant sites. The carders then use the proven card data to drain the associated accounts directly or to purchase gift cards, which are easily converted into high-value goods such as cell phones, televisions, and computers. These goods are then resold, often via websites offering a degree of anonymity, for a nifty profit.
Many carding attacks look very similar to ATO attacks. The difference is the target: ATO attacks work through the merchant's login page with lists of stolen usernames and passwords, while carding works through the checkout page with stolen card details.
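Both the ATO campaign described earlier and the carding run described here leave the same footprint: one source walks a purchased list through a form and is told "no" almost every time. The detector below is an added example, not PerimeterX code; it replays constructed log lines in an assumed format and flags source IPs that submit many distinct usernames or card tokens with a very low success rate inside a short window. Thresholds and the log layout are assumptions.

```python
"""Velocity detector for credential stuffing (ATO) and carding.

Added example, not PerimeterX code. The log format, the thresholds and
the sample traffic are all assumptions constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> <client-ip> <LOGIN|CHECKOUT> <identifier> <OK|FAIL>"
# identifier is the username for LOGIN and a card token for CHECKOUT.
WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 20        # attempts inside WINDOW before we judge a source
MIN_DISTINCT = 15        # distinct usernames / cards among those attempts
MAX_SUCCESS_RATE = 0.05  # real users succeed far more often than this


def build_sample_log():
    """Constructed sample: one human, one stuffing bot, one carding bot."""
    t0 = datetime(2019, 11, 20, 10, 0, 0)
    lines = [
        "2019-11-20T10:00:00 198.51.100.7 LOGIN alice FAIL",      # typo, then success
        "2019-11-20T10:00:09 198.51.100.7 LOGIN alice OK",
        "2019-11-20T10:03:30 198.51.100.7 CHECKOUT card_a1b2 OK",
    ]
    # Stuffing bot: 100 purchased pairs, one per second, a single hit (1 percent)
    for i in range(100):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 203.0.113.5 LOGIN user{i:03d} {'OK' if i == 42 else 'FAIL'}")
    # Carding bot: 40 stolen cards pushed through checkout, one approved
    for i in range(40):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.9 CHECKOUT card_{i:04x} {'OK' if i == 7 else 'FAIL'}")
    return lines


def parse_line(line):
    ts, ip, event, ident, result = line.split()
    return datetime.fromisoformat(ts), ip, event, ident, result == "OK"


def is_list_attack(events):
    """Sliding window over (timestamp, identifier, ok) tuples from one source."""
    events.sort(key=lambda e: e[0])
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > WINDOW:
            start += 1
        window = events[start:end + 1]
        if len(window) < MIN_ATTEMPTS:
            continue
        distinct = len({ident for _, ident, _ in window})
        success_rate = sum(ok for _, _, ok in window) / len(window)
        if distinct >= MIN_DISTINCT and success_rate <= MAX_SUCCESS_RATE:
            return True
    return False


def find_bot_sources(lines):
    """Return the set of (ip, event) pairs that behave like list-testing bots."""
    per_source = defaultdict(list)
    for line in lines:
        ts, ip, event, ident, ok = parse_line(line)
        per_source[(ip, event)].append((ts, ident, ok))
    return {key for key, events in per_source.items() if is_list_attack(events)}


if __name__ == "__main__":
    for ip, event in sorted(find_bot_sources(build_sample_log())):
        print(f"{ip}: {event} list attack")
```

Keying on the source IP alone is the weak point: a rented botnet spreads the list across thousands of nodes so no single IP crosses the threshold. In practice the same window logic is run per device fingerprint or session as well, and the site-wide login or authorization failure rate is watched as a second signal.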
Checkout Abuse: Bots Scalp or Hoard Products That Are in Tight Supply
With a scalping attack, bots are used to rapidly purchase all the inventory of a high-demand product. The scalpers know the products can be resold for a quick profit on the secondary market. Prime examples are hot toys as well as limited release apparel and footwear items.
These types of attacks are typically sporadic, as they are associated with the release dates of new products. Just prior to release, bots prepare to pounce by constantly checking product URLs to see if they have gone live. As much as 90 percent of website traffic may be generated by bots waiting for the new products to begin to sell. Once the item is available, the bots will continue to buy it until the product is depleted, or until they purchase the quantity they want.
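The pre-release polling pattern described above is easy to pick out once you look at cadence: a bot refreshing a not-yet-live product URL hits it on a metronomic schedule and gets a non-200 answer every time. The script below is an added example, not PerimeterX code. It replays constructed access-log lines in an assumed format, flags clients polling a path on a regular cadence, and reports what share of all traffic those clients generate, the number behind the "as much as 90 percent" figure. Thresholds, paths and the log layout are assumptions.

```python
"""Pre-release polling detector for scalper bots.

Added example, not PerimeterX code. Log format, thresholds and sample
traffic are assumptions constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed log format: "<iso-timestamp> <client-ip> <method> <path> <status>"
RELEASE_PATH = "/p/limited-sneaker"   # answers 404 until the drop goes live
POLL_MIN_HITS = 30                    # hits on one path before cadence is examined
POLL_MAX_CV = 0.25                    # max coefficient of variation of inter-arrival gaps
POLL_MIN_MISS_RATE = 0.9              # nearly every poll gets a non-200 answer


def build_sample_log():
    """Constructed sample: 5 bots polling every 2 s for 3 min, 10 humans browsing."""
    t0 = datetime(2019, 11, 29, 9, 57, 0)
    lines = []
    for b in range(5):
        ip = f"203.0.113.{10 + b}"
        for i in range(90):
            ts = (t0 + timedelta(seconds=2 * i + b)).isoformat()
            lines.append(f"{ts} {ip} GET {RELEASE_PATH} 404")
    human_paths = ["/", "/c/shoes", "/p/running-shoe", RELEASE_PATH, "/cart"]
    for h in range(10):
        ip = f"198.51.100.{h + 1}"
        for i, path in enumerate(human_paths):
            ts = (t0 + timedelta(seconds=7 * h + 23 * i)).isoformat()
            status = 404 if path == RELEASE_PATH else 200
            lines.append(f"{ts} {ip} GET {path} {status}")
    return lines


def parse_line(line):
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def find_pollers(lines):
    """Return {(ip, path): hits} for clients polling a path on a mechanical cadence."""
    hits = defaultdict(list)
    for line in lines:
        ts, ip, _, path, status = parse_line(line)
        hits[(ip, path)].append((ts, status))
    pollers = {}
    for key, samples in hits.items():
        if len(samples) < POLL_MIN_HITS:
            continue
        samples.sort(key=lambda s: s[0])
        miss_rate = sum(status != 200 for _, status in samples) / len(samples)
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(samples, samples[1:])]
        avg = mean(gaps)
        cadence_cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if miss_rate >= POLL_MIN_MISS_RATE and cadence_cv <= POLL_MAX_CV:
            pollers[key] = len(samples)
    return pollers


def bot_traffic_share(lines):
    """Fraction of all requests that come from IPs flagged as pollers."""
    bot_ips = {ip for ip, _ in find_pollers(lines)}
    total = 0
    from_bots = 0
    for line in lines:
        _, ip, _, _, _ = parse_line(line)
        total += 1
        from_bots += 1 if ip in bot_ips else 0
    return from_bots / total if total else 0.0


if __name__ == "__main__":
    log = build_sample_log()
    for (ip, path), n in sorted(find_pollers(log).items()):
        print(f"{ip} polled {path} {n} times")
    print(f"share of traffic from pollers: {bot_traffic_share(log):.0%}")
```

Scalpers rotate through proxies, so a per-IP cadence check only catches the lazy ones. The path-level view is more robust: a URL that has never been linked publicly should not see thousands of 404s per minute from anyone, and the check-out side still needs server-enforced per-customer quantity limits regardless of what the detector says.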
This kind of bot activity burdens a retailer's infrastructure, often to the point of crashing the site. More importantly, it prevents the retailer from selling to its real, human customers, and the retailer's brand, credibility, and reputation suffer.
Web Scraping: Bots Spy on Your Prices and Steal Your Content
Price scraping by bots enables competitors, or their hired intelligence-gathering scrapers, to spy on your pricing tactics and keep up with your pricing moves. While not technically illegal, it harms retailers by giving away their pricing strategies, category management, inventory levels, and even SEO and keyword tactics.
To stop price scraping, many companies hide prices for hot products on their sites. The price appears only after the item is selected for purchase. In some cases, the final price is only arrived at once the shopper or bot fills out a user profile. However, attackers have responded with bots that mimic real shoppers by putting the products into shopping carts. At that point, the price becomes visible and the bot scrapes it.
The graph below shows a typical scraping pattern, in this case with over 31,000 different IP addresses and over a thousand different devices and browsers targeting more than 117,000 different paths on the website. That spread is atypical for real users and a clear indication of malicious activity.
Content scraping, in comparison, uses web scrapers to steal product descriptions, reviews, and inventory data. Republishing stolen product reviews makes a competitor look more established and reputable, degrades the value of the exclusive, copyrighted content on your website, and lets the competitor gauge product popularity.
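The two scraping behaviours described above separate cleanly in event data: a price-probing bot adds product after product to a cart and never checks out, while a content crawler pulls a huge number of distinct product pages and never touches the cart at all. The profiler below is an added example, not PerimeterX code, run over constructed event lines in an assumed format; it classifies each client and then rolls the flagged clients up into the fleet-level numbers (IPs, agents, paths) that the figure above reports. Client key, thresholds and sample data are assumptions.

```python
"""Scraper profiling over constructed e-commerce event logs.

Added example, not PerimeterX code. Log format, client key, thresholds
and sample traffic are assumptions constructed for the demo.
"""
from collections import defaultdict

# Assumed log format: "<iso-timestamp> <client-ip> <user-agent> <VIEW|CART_ADD|CHECKOUT> <path>"
PRODUCT_PREFIX = "/p/"
SCRAPE_MIN_PATHS = 40   # distinct product pages per client before we call it a crawl
CART_PROBE_MIN = 10     # cart adds with no checkout before we call it price probing


def build_sample_log():
    """Constructed sample: 3 shoppers, one price-probing bot, a 20-IP content crawler."""
    lines = []
    for h in range(3):                      # shoppers: a few views, one cart add, one purchase
        ip = f"198.51.100.{h + 1}"
        for i in range(4):
            lines.append(f"2019-11-25T14:{h:02d}:{i * 10:02d} {ip} Chrome78 VIEW /p/sku-{100 + h * 10 + i}")
        lines.append(f"2019-11-25T14:{h:02d}:45 {ip} Chrome78 CART_ADD /p/sku-{100 + h * 10}")
        lines.append(f"2019-11-25T14:{h:02d}:55 {ip} Chrome78 CHECKOUT /checkout")
    for i in range(30):                     # price probe: views and carts 30 products, never buys
        lines.append(f"2019-11-25T14:10:{i:02d} 203.0.113.20 Chrome78 VIEW /p/sku-{200 + i}")
        lines.append(f"2019-11-25T14:11:{i:02d} 203.0.113.20 Chrome78 CART_ADD /p/sku-{200 + i}")
    for b in range(20):                     # crawler: 20 IPs, 60 product pages each, nothing else
        ip = f"203.0.113.{100 + b}"
        for i in range(60):
            minute = 20 + i % 30
            lines.append(f"2019-11-25T14:{minute:02d}:{b:02d} {ip} python-requests VIEW /p/sku-{1000 + b * 60 + i}")
    return lines


def profile_clients(lines):
    """Per (ip, user-agent): product pages viewed, products carted, checkouts."""
    profiles = defaultdict(lambda: {"views": set(), "carted": set(), "checkouts": 0})
    for line in lines:
        _, ip, ua, action, path = line.split()
        p = profiles[(ip, ua)]
        if action == "VIEW" and path.startswith(PRODUCT_PREFIX):
            p["views"].add(path)
        elif action == "CART_ADD":
            p["carted"].add(path)
        elif action == "CHECKOUT":
            p["checkouts"] += 1
    return profiles


def classify(profile):
    if profile["checkouts"] == 0 and len(profile["carted"]) >= CART_PROBE_MIN:
        return "price-probe"
    if profile["checkouts"] == 0 and not profile["carted"] and len(profile["views"]) >= SCRAPE_MIN_PATHS:
        return "catalog-crawl"
    return "shopper"


def find_scrapers(lines):
    """Return per-client verdicts plus the fleet-level numbers a SOC would report."""
    profiles = profile_clients(lines)
    verdicts = {key: classify(p) for key, p in profiles.items()}
    flagged = [key for key, v in verdicts.items() if v != "shopper"]
    paths = set()
    for key in flagged:
        paths |= profiles[key]["views"] | profiles[key]["carted"]
    summary = {
        "bot_ips": len({ip for ip, _ in flagged}),
        "bot_agents": len({ua for _, ua in flagged}),
        "bot_paths": len(paths),
    }
    return verdicts, summary


if __name__ == "__main__":
    verdicts, summary = find_scrapers(build_sample_log())
    for key, verdict in sorted(verdicts.items()):
        if verdict != "shopper":
            print(key, verdict)
    print(summary)
```

Per-client thresholds catch the crawler here only because each of its IPs fetched 60 pages. The pattern in the figure (31,000 IPs spread over 117,000 paths, roughly four paths per IP) would slip under that bar, which is why the fleet roll-up matters: a large population of catalog-only clients sharing the same agent string or device fingerprint is the signal, not any single client.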
The Bot Wars Go Mobile
According to Forbes, 2019 will mark the first time that the number of mobile e-commerce transactions exceeds the number of traditional e-commerce transactions globally. Mobile transactions are those conducted from a smartphone or tablet, whereas traditional ones are conducted from a desktop or laptop.
Ever alert to growth opportunities, cybercriminals and the bots they create are following shoppers from the desktop to the mobile device. This is creating an entirely new set of problems for online retailers, as people behave differently on their mobile devices. Traditional techniques used to determine whether the user is a human or a bot – such as IP addresses affiliated with home broadband accounts – no longer apply.
It also doesn’t help that bot creators have a variety of potential attack techniques at their disposal. For example:
- Attackers can call applications' APIs directly from any IP connection – without having to use the actual application or even a mobile device. In other words, a mobile attack can happen without using a smartphone or tablet.
- Attackers can use the genuine application, or a hacked version, running on mobile device emulators. They can even automate the process, spinning up thousands of emulators to perpetrate bot attacks that appear to be legitimate users on normal applications and actual smartphones.
- A third approach is to hack an application on a device or the device itself and then use the compromised asset to launch the attack.
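The first bullet works because most mobile APIs check nothing beyond a session token, so a script with that token is indistinguishable from the app. The sketch below is an added example, not PerimeterX code or a description of its product: it shows the unsigned handler a script can drive from anywhere next to a hardened handler that binds each request to a per-install secret, a fresh timestamp and a one-time nonce. Header names, the secret provisioning and the session token are assumptions.

```python
"""Unsigned vs. signed mobile API handler, illustrating the first bullet.

Added example, not PerimeterX code. Header names, secret provisioning
and the session token are assumptions constructed for the demo.
"""
import hashlib
import hmac
import json
import secrets

MAX_SKEW_SECONDS = 60
INSTALL_SECRET = b"per-install-secret-issued-on-first-launch"   # assumption: provisioned once per install
SESSION_TOKEN = "Bearer session-abc123"                          # assumption: token the script holds


def canonical_request(method, path, body, ts, nonce):
    """Bytes the signature covers: method, path, body hash, timestamp, nonce."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method, path, body_hash, str(ts), nonce]).encode()


def sign_request(secret, method, path, body, ts, nonce):
    return hmac.new(secret, canonical_request(method, path, body, ts, nonce), hashlib.sha256).hexdigest()


class Api:
    def __init__(self, install_secret, clock):
        self.secret = install_secret
        self.clock = clock             # injected so the checks are deterministic
        self.seen_nonces = set()

    def handle_unsigned(self, method, path, body, headers):
        """Vulnerable: anything carrying a valid session token is served."""
        return "ok" if headers.get("Authorization") == SESSION_TOKEN else "denied: no session"

    def handle_signed(self, method, path, body, headers):
        """Hardened: same session check plus an app-bound request signature."""
        if headers.get("Authorization") != SESSION_TOKEN:
            return "denied: no session"
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return "denied: missing signature"
        if abs(self.clock() - ts) > MAX_SKEW_SECONDS:
            return "denied: stale timestamp"
        if nonce in self.seen_nonces:
            return "denied: replayed nonce"
        expected = sign_request(self.secret, method, path, body, ts, nonce)
        if not hmac.compare_digest(expected, sig):
            return "denied: bad signature"
        self.seen_nonces.add(nonce)
        return "ok"


def app_headers(secret, method, path, body, now):
    """What the genuine app (or a hacked copy that still holds the secret) sends."""
    nonce = secrets.token_hex(8)
    return {
        "Authorization": SESSION_TOKEN,
        "X-Timestamp": str(now),
        "X-Nonce": nonce,
        "X-Signature": sign_request(secret, method, path, body, now, nonce),
    }


def demo(now=1_574_000_000):
    """Run a scripted bot and the real app against both handlers; fixed clock for determinism."""
    api = Api(INSTALL_SECRET, clock=lambda: now)
    body = json.dumps({"sku": "limited-sneaker", "qty": 1}).encode()
    script = {"Authorization": SESSION_TOKEN}            # bot calling the API directly, no app
    app = app_headers(INSTALL_SECRET, "POST", "/api/cart", body, now)
    stale = app_headers(INSTALL_SECRET, "POST", "/api/cart", body, now - 600)
    return {
        "script_vs_unsigned": api.handle_unsigned("POST", "/api/cart", body, script),
        "script_vs_signed": api.handle_signed("POST", "/api/cart", body, script),
        "app_vs_signed": api.handle_signed("POST", "/api/cart", body, app),
        "app_replay": api.handle_signed("POST", "/api/cart", body, app),
        "app_stale": api.handle_signed("POST", "/api/cart", body, stale),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The caveat is the second and third bullets: the secret lives inside the app, so a hacked copy, a genuine app in an emulator farm, or a compromised device still produces valid signatures. Signing closes the "call the API from anywhere without the app" door; it does not tell a human on a phone apart from an emulator running the real app, which is where behavioural signals have to take over.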
The bottom line: to properly defend their business interests, online retailers must prepare not only for several different types of bot attacks but also for increasing degrees of sophistication.
If you’d like to learn more about the threat that malicious bots pose to online retail and mobile e-commerce, download our white paper, Five Major Bot Threats to Holiday E-commerce and How To Stop Them. Or, register for a Bot Defender demo for a look at PerimeterX behavior-based bot management solution that protects your modern web and mobile applications, and APIs, safeguarding your online revenue, competitive edge and brand reputation from automated attacks.