In our last blog, we talked about sneaker bots--what they are and what drives them. In this blog, we will explore how they work, what tools and methods they use and what a real attack looks like. Last but not least, we will look at the damage they cause and how to protect your e-commerce website from them.
The Tools and Tricks of Sneaker Bots
In the early days, using tech to “cop kicks” required actually building a stack of tools. You needed a scraper to pull in the information, pricing and inventory, and then a bot for automating purchases. You didn’t have to worry about making multiple tries from the same IP address because retailers were only waking up to the bot problem. This has evolved considerably.
Today so called all-in-one (AIO) bots perform scraping, automated purchasing and scheduling. Their systems are designed not only to find inventory and click “buy,” but also to constantly evaluate shopping cart processes and update whenever those processes change. Increasingly, too, AIO tools incorporate steps to outsmart bot solutions and evade detection. The best AIO bots can target dozens or hundreds of stores, allowing a single user to literally scour the globe for sneaker deals. After purchasing the tool, sneaker bot operators usually can install a browser extension to activate the bot.
CyberAIO home page advertising its speed and showing it’s “sold out” status
The Tesla of sneaker bots is a tool called CyberAIO by Cybersole. Designed with a beautiful User Interface, CyberAIO is also a technically sophisticated product. Built ostensibly on top of a headless browser - a stripped-down version of a standard web browser - CyberAIO has loads of features that allow its operators to simultaneously target numerous sites and sneaker drops. CyberAIO users simply pick the sneakers they want to buy from a menu of upcoming drops, set a budget, and then sit back. CyberAIO covers over 170 sites, including not only sneaker retailers but also brand sites and streetwear companies like Supreme -another company that uses limited release items to drive awareness and brand perception. And CyberAIO just came out with Android and iOS versions of its software.
The bot acts autonomously. CyberAIO gets around the standard bot-blocking CAPTCHA tools by queueing up multiple CAPTCHA windows and allowing the human bot operator to quickly answer them, providing verification that allows the bot to complete the transaction. CyberAIO has a reputation for being incredibly fast. This is crucial because, in reality, it is competing more against other types of bots than against humans.
Just like most popular SaaS tools, CyberAIO has a community of thousands of users in Slack and its own Discord channel where users can share tips and expert users provide support. Getting CyberAIO is almost as hard as buying a pair of Travis Scott AJ OGs. The bot’s shadowy creator sells no more than 100 licenses per month at a price of over $300 apiece plus bi-annual subscription fees. Ironically, there is a hot secondary market for CyberAIO licenses which can be sold for nearly $3,000.
Oculus AIO tool marketing page advertising automatic CAPTCHA solver
Another popular AIO sneaker bot, OculusAIO, actually provides artificial intelligence features to help its bots navigate security measures. It can automatically solve simple CAPTCHAs, circumventing that security measure. A quick Google search turns up dozens of sneaker bots and the major ones, like Cybersole and OculusAIO have tens of thousands of public Twitter followers. They are not afraid to poke fun at those who try to block them and their users like to publicly celebrate their kicks conquests.
Tweet from a CyberAIO user showing hot shoes bought with the bots
Another technology tool that smarter bot operators frequently pair with bots is advanced proxies. A proxy is basically an intermediary that sneaker bot operators use to hide their identity. Proxies supply sneaker sites with a variety of different IP addresses. A commonly used one is AU Proxies. These proxy services are also not technically illegal even though they are often used for malicious hacking attempts. Note that proxies are also a key tool for protecting privacy in countries with repressive governments.
Twitter page of popular proxy provider AU Proxies
More advanced proxies today not only act as intermediaries but they also use IP addresses assigned to residential Internet connections to trick bot mitigation tools into allowing multiple connections from the same bot operator behind the proxy. Because a residential IP is more likely to be a real shopper rather than a bot, sneaker sellers are reluctant to introduce friction into the sales process and so are less likely to require a CAPTCHA solution or to block traffic from this IP. Residential proxies sell for two to three times the price per month of non-residential proxies that use cloud server IP addresses from public compute clouds and hosting services. For both residential and data center proxies, CyberAIO, OculusAIO and other AIO bots can help a user test and configure proxies, and will check to make sure they are working well.
Pricing plans for residential proxies on AU Proxies page
Anatomy of a Sneaker Bot Attack
Attackers receive early guidance on which targets might be the most valuable from online exchange websites that post prices for upcoming sneakers not yet released. Once their targets are clear, a bot operator begins testing out a target site a few days before a major sneaker drop to make sure they can solve any challenges directed at them by the site operator trying to prevent bots from buying up the limited inventory. Unfortunately, this early testing is difficult to detect; it represents a minute amount of traffic and is hard to distinguish.
Prior to the shoe launch, malicious traffic by bots is generally well below legitimate traffic. Once a hot sneaker drops and the bot armies swing into full gear, that ratio reverses; malicious traffic can be twice or three times the volume of legitimate site traffic. This traffic quickly drops off after inventory is exhausted and the bots move on to other targets.
Let’s look into a sneaker bot activity from a traffic standpoint. In the graph below we see the traffic from two shoe releases on November 2nd from multiple well-known shoe retailer websites. The first shoe was the Adidas soft version of Yeezy 500’s, and the second one was the Nike Air Jordan 1 Retro High OG “Fearless.” The red line shows the unwanted sneaker bot traffic, while the blue line represents the human traffic.
As can be seen on the graph, the Nike Air Jordan 1’s that were launched at 7:00am were much more popular, getting 3X of the traffic that the Yeezy 500’s saw at the peak. During the launch time of both shoes the sneaker bot traffic ranged between ~55-68% of the total traffic.
For both shoes, resell items appeared online quickly and at much higher prices.
Adidas Yeezy’s 500’s resale example: https://www.stadiumgoods.com/adidas-yeezy-boost-500-soft-vision-fw2656
Nike AJ1 Fearless resale example: https://www.stadiumgoods.com/air-jordan-1-retro-high-fearless-unc-chicago-ck5666-100
Looking carefully, one can also recognize third and fourth spikes in traffic. These are the result of a restock notification from various different monitors. Here is the third spike trigger, at 8:58 am:
And this one triggered the fourth and smaller one at 1:42 pm:
These later spikes, are harder to see and not as pronounced as the first two. The reason is that those restocks were unexpected, so the larger bot operators did not have enough time to prepare, as it takes time for a singular computer to spin up a network of proxies and co-locations.
Another thing we can see when taking a closer look at the traffic is the clear difference in the traffic pattern between bot traffic and human traffic. In the graphs below, we see the traffic a day before the launch, just before it starts to spike up. As we usually see when comparing automated traffic to human traffic, it is pretty clear that while human traffic tends to grow during daytime hours and drop at night, the unwanted automated bot traffic doesn’t show this pattern.
This is typical of this type of automated traffic - sneaker bots don’t go to sleep.
The Real Costs of Sneaker Bots
We discussed above how sneaker bots harm regular online shoppers and sneaker lovers by jacking up the prices. They also hurt the brands which dislike seeing their shoes go for such high prices on secondary markets. The bots harm the independent sneaker shops as well, because it forces them to take extreme steps to protect their online inventory.
Launch Day Failures, Jacked Up Bandwidth, Lost Sales
More broadly, sneaker bots can cost large and mid-sized internet retailers and shoe brands big money in a variety of ways. To start with, bots suck up huge amounts of bandwidth and can actually take a site down on sneaker launch day. This could cost a large retailer millions of dollars per day because the bot operators may make an entire site unavailable, shutting out buyers not only of the hot sneaker but also of any other item on the site. This forces retailers and brands to spend big money for CDNs, extra server capacity and extra bandwidth to handle the crush.
Wasted Employee Time
Security, web operations and site reliability teams of retailers and brands often spend hours combatting the effects of rampant sneaker bots. This can mean reconfiguring cloud services, dialing up and down bandwidth, tweaking firewall configurations and server capacity, creating special scripts to lock out bots and more. In reality, maintaining and tuning all the tools and infrastructure required to stop bots would also require multiple full-time employees, and retailers would still struggle to keep up with rapidly improving sneaker bots. In addition, support teams often waste time dealing with angry legitimate customers on social platforms complaining that they couldn’t buy the shoes they wanted. All told, bots can suck up dozens of hours of staff time per sale. That’s time which could be spent on other more impactful and less reactive activities.
The Benefits of Outsourcing Sneaker Bot Protection
There are numerous benefits to using a specialized bot mitigation service to monitor and block sneaker bots. Rather than struggling to keep up with all the rapid advances in bot technology in-house, relying on a specialized bot mitigation firm will afford retailers and brands more comprehensive protection because the firm’s dedicated team will be better able to keep up with bot developments. The firm, too, can share that requirement across a wide variety of customers, all of whom will benefit from the collective intelligence gathering; any new capabilities showing up in sneaker bots will be detected sooner and mitigation improvements can be implemented more quickly.
At PerimeterX, we have a long history of working with retailers facing sneaker bot attacks and we are constantly watching developments in bot technology. With the holiday season upon us, and the sneaker market growing both more liquid and more lucrative just as bots are getting faster and ever-more sophisticated, the winter sneaker drops could cause a botpocalypse for unprepared retailers and brands - unless they get ahead of the curve on sneaker bots and make sure their Travis Scott Air Jordans don’t get the rapid-fire CyberAIO treatment.