Scalping is a common phenomenon in the e-commerce and ticketing industries, which often leads to denial of inventory. Online scalping is carried out using scalper bots. These are specialized bots that are deployed to outpace genuine consumers in securing fast-moving goods such as event tickets, gaming consoles, and limited-edition items. Since bots add the sought-after items to their carts, good users do not get a fair chance to score deals and discounts. Using scalper bots, fraudsters can check out in no time, allowing them to hoard these items in bulk. They can then resell these expensive or exclusive items at a premium. Alternatively, attackers may abandon the items added to the cart later, causing losses to the business.
Types of scalper bots
Scalper bots come in several versions. They are often used to fill up online forms, scrape APIs, auto-refresh web pages, and pre-botting among others. Let us take a closer look at these specialized scalper bots:
- Form fillers: Bots look out for web pages that request user information and harvest this data. Over a period of time, this data is used for financial transactions.
- API scrapers: These bots scrape data from APIs to facilitate automated actions such as disseminating spam, logging into accounts and even purchasing items off of websites.
- Pre-bot: These scripts are programmed to visit several sites simultaneously and create new accounts just before the online sale. As soon as the sale begins, these bots check out popular items in bulk.
- Auto refreshers: Bots auto refresh web pages to keep checking on the start of the online sale. Once the sale begins, they use the credit card details saved earlier by form fillers to checkout before regular users can.
The process of scalping begins with an attacker creating multiple fake new accounts or hacking into user accounts through account takeover attacks. Scalper bots and scripts are then used to search the internet for products that are popular and in high demand. They even search for new product SKUs so that these products can be secured as soon as they are put up on sale.
Scalper bots are positioned at the start of the queue and begin searching for products en masse as soon as the online sale goes live. This helps them to speed up the search process – thousand times faster than a human – and outpace good users in order to add maximum products to the carts. Using saved credit card details from the existing compromised accounts these bots are able to complete the checkout process in no time, which means products are no longer available for genuine users. Scalper bots also use freshly created fake new accounts to use a batch of credit card details for automated checkouts.
Attackers steal residential IP addresses and IoT device addresses to manipulate fraud defense systems. Using malware, they compromise IP addresses and route the bot traffic. This consumes significant amounts of bandwidth and infrastructure resources, which in turn slows down the websites and leads to outages and denial of inventory. Slow response and increased wait times can cause frustration to consumers.
Goal of scalper bots
The goal of scalper bots is straightforward – to add maximum products to the cart as quickly as possible such that genuine consumers do not get a chance to access them. Some of the bots are programmed to proceed straight to the checkout process, bypassing the cart flow. Compared to human users, these bots take a fraction of time to fill up consumer information such as credit card details and billing addresses to speed up the checkout process.
Scalper bots can impersonate good users to circumvent fraud defenses such as CAPTCHAs with ease.
In 2016, sale of tickets bought off websites using bots was made illegal. A similar bill called Stop Grinch Bots Act was introduced in 2019. However, scalping still continues to be a big challenge for online retailers.
To stop scalpers from disrupting their online sales events, many retailers have stopped making announcements in advance. It can, however, be a counterproductive measure as unaware customers may not shop at all.
One of the most common methods businesses employ to stop scalping is to limit the number of items a person can buy to one or two. They may not allow automatic checkout for popular items and even limit the time that a transaction must be completed within.
Many eCommerce platforms deploy bot detection tools such as CAPTCHAs to fight bot activity. However, leveraging the latest technologies such as machine vision, artificial intelligence, and machine learning, bots have evolved in their capabilities and can clear these outdated CAPTCHAs fairly easily. In the instances where businesses may have deployed fraud solutions that require more nuanced human interaction, these bots hand over the attack to human click farms. Attackers possess the knowledge about existing fraud solutions and have reverse engineered them to circumvent them.
This makes detecting scalper bots an onerous task.
Limitations of current bot detection approaches
Current bot detection tools such as CAPTCHAs are no match to today’s bots that have acquired advanced capabilities allowing attackers to execute complex attacks. These bots can impersonate humans fairly closely and have the intelligence to pass over the attack to human click farms that can interact with the more advanced fraud defense tools.
Even rule-based fraud solutions or wireless application firewalls are not too effective in stopping the scourge of scalper bots.
In a growing digital economy where the number of users accessing online channels using a variety of devices is increasing every day, businesses need an effective system to tell fraudsters from good users. This is not an easy task as advancements in bot technology have given human-like capabilities to bots.
To protect their users and revenues from the onslaught of scalper bots, businesses need to rethink their fraud strategies. Instead of still relying on mitigation, businesses must now consider a proactive approach that allows them to deter fraud across platforms and devices. They need a multi-layered approach that uses targeted friction to stop fraudsters while keeping user experience at the forefront.
