Cybersecurity companies are being hired to help stop bots from getting in the way of real customers.
Shopping bots are now the biggest, and for some, most enraging impediment to shoppers looking for the hottest items online, beating out everyday people thanks to powerful technology that has been democratized by sites like Cybersole, Kodai, GaneshBot and more. Those using bots then resell the goods for double, and sometimes triple, the price.
Recently, the new Adidas Yeezy Boost 700 “Sun” shoes from Kanye West made their debut, raising concerns that bots were likely on a shopping spree as they traditionally are during weeks when a hot new brand is launched.
Researchers with cybersecurity company PerimeterX found evidence of “sneaker bots” dominating checkout pages. Attackers typically use monitoring tools to check a retailer’s inventory several days before the launch day and even try to add the proposed shoe to the cart, to shorten the purchase flow and to bypass innocent buyers, according to PerimeterX CMO Kim DeCarlis.
These bots are able to reach the proposed shoe during the first seconds of the launch, using a direct link to the checkout page. But using advanced detection methods, bots can be blocked at the beginning of the launch and prevented from buying the proposed shoe.
“Monitoring bots were indeed active both days while the checkout bots were active when the inventory was available to purchase. Using our advanced detection techniques, PerimeterX was able to block most of these sneaker bots at the beginning of the launch and prevent scalpers from buying the shoe in question,” DeCarlis said.
“Monitoring bots are constantly active and scanning for available inventory of their targeted products. Once they identify available inventory, a different bot is triggered to immediately buy the stock of limited edition items.”
SEE: Wellness at work: How to support your team’s mental health (free PDF) (TechRepublic)
While bots have angered average buyers for years, the situation came to a head in November and December, when furious parents and others expressed outrage that they were effectively shut out of accessing PS5s at the height of their popularity.
Some parents spent days refreshing store pages and watching websites like a hawk hoping to get in on restocks before bots could hoover up all the inventory.
The problem got so bad that some lawmakers in the United Kingdom proposed a law that would make bots illegal. The U.S. Congress passed the BOTS Act of 2016 to address purchasing and reselling concert or event tickets with bots, but coverage has not been extended to shoes or other limited edition flash sales, DeCarlis said.
But now the problem has shifted back to its traditional arena: Sneakers.
“Automated shopping bots that buy up e-commerce products online are called denial of inventory and scalping bots. In denial of inventory attacks, bad actors use malicious hoarder bots to add an item thousands of times to a shopping cart over the course of a few days until the item’s inventory is depleted,” DeCarlis explained.
“By hoarding a high-demand product, bots keep it out of stock, annoying customers, taxing a retailer’s infrastructure and reducing conversions and revenue. In scalping attacks, cybercriminals unleash automated scalping bots to buy sought-after products, such as limited editions of sneakers, concert tickets, designer clothing or hot toys. They set up fake accounts that browse product pages and execute checkouts to increase their chances of success. Then, after they’ve snapped up the best inventory, it is sold at inflated prices on third-party sites or the black market.”
Manufacturers demand action
The rise of affordable bots-as-a-service tools has made it even more difficult for buyers, and security companies to get around those seeking to hoard inventory for the black market.
With Kanye West’s Yeezy line unveiling a new slate of sneakers coming weekly in March, buyers have been eager to battle bots that will scoop up most of the inventory and then resell the shoes for double, and sometimes triple the price.
But the backlash to the problem has now prompted manufacturers to put pressure on retailers to do something about the bots.
Jason Kent, hacker in residence for cybersecurity firm Cequence, has been at the forefront of the effort to help retailers stop bots from buying up all of the inventory available.
“What we’re seeing now in the industry manufacturers are starting to put pressure on retailers because they don’t want negativity associated with this new shoe drop. They want it to be exciting, they want everybody to buy them and be happy with them,” Kent said.
“That secondary market is something that the retailers and the manufacturers are not really happy with. The manufacturers are saying ‘If you’re not going to get your stuff together, we’re going to have to start changing the way we allocate and people that are getting the bots under control are going to end up with more allocation.'”
Rise of easy-to-use bot tools
Kent said that while it is relatively easy to identify bots trying to buy goods off of websites, the widespread availability of bot tools has made it difficult to stop. Those behind the bots are also making them more and more sophisticated to get around the kind of tools that are used to prioritize real shoppers, Kent added.
He explained that many resellers create hundreds of Gmail accounts, which are then used to create hundreds of accounts on retailer websites like Foot Locker, Nike and others.
“They have all of these accounts all at once trying to add items into shopping carts. So when we see the attacks launched, we actually see scrapers first to see if the items are available. Then we start to see shopping carts get created and then the checkout process is attempted,” Kent explained.
Many retailers now use Google captcha services to check if it is actually a human buying the sneakers, but bots are increasingly finding ways around this, Kent said, adding that sites like Kodai offer bot creation tools for about $175.
The platform allows users to pick the store, pick the item, load in fake Gmail accounts and simply wait to click the captcha boxes. Over the past few years, the bot industry has become increasingly commercialized with tools like OpenBullet where users can write a configuration file to make it work and easily direct it toward any retailer.
The people behind these shoe bots call themselves “cook groups,” likening themselves to chefs. They have botting user forums where people discuss tactics and some, like Kodai, have full-on support channels that go with it.
There are even sites that help people farm Gmail accounts, and Kent said the software releases behind these tools are “extremely sophisticated, well-documented” and look like they are created by professional software writers.
Matt Keil, director of product marketing at Cequence, noted that these tools took off in 2018. Before then, he said people would have to search “the nether regions of the Dark Web to find these tools.”
“But now, a few quick searches and you’ll find marketplaces where you can buy configs. You’ll find it has a GitHub repo or support services and then community support. So it’s really the evolution and the commercialized version of it,” Keil said.
Kent explained that legislation would likely not work in stopping the proliferation of bots but that some retailers have had success by adding more steps to the checkout process. Manufacturers are also incentivizing retailers to address the problem by promising more allocation of goods if they do the right thing and allow real shoppers to purchase the highly sought-after sneakers.
Both Kent and Keil said that the bots were having a much larger impact on the sneaker industry than what is being portrayed.
“It’s not just the fact that you and I couldn’t get the sneakers for our brother, sister or daughter. They are making erroneous decisions based on fictitious or inflated statistics. We had customers that had to prescale their environment and add two or three times the number of servers as they got ready for the drop, and that was on top of auto-scaling in AWS. So there was an infrastructure cost,” Keil said.
“Then there’s the backend scheduling and additional work that is a burden. So it’s not just a security problem or a marketing problem. It’s really becoming a business problem. One particular customer of ours was told that the online division was not going to get the inventory that they requested and instead it was going to the physical stores where they had more control over it and could ensure that a human was actually buying it.”
Kent added that the extra traffic forced real costs on retailers.
“When we have a shoe drop and they have to spin up databases and spin up all this stuff to be ready for it, we’re not talking about a little bit of more traffic. For the Air Jordan Maka drop, our customer had 50,000 transactions a minute going against their infrastructure and there weren’t 50,000 pairs of shoes available,” Kent said.
“They have a very small inventory, like 200 pairs. So somebody’s sending 50,000 requests for 200 pairs of shoes, making every minute crazy.”
The bot market was also expanding beyond gaming consoles and sneakers. Kent said they had customers in cosmetics and luxury clothing who faced similar problems.
Kent explained that they even work with a pizza retailer that was hit with an attack featuring fraudulent gift card numbers.
The bots were guessing card numbers and managed to run up a $200,000 bill for a pizza parlor.
“There is so much money to be made. The sneaker resale market is roughly $2 to $3 billion annually right now and is slated to grow to a staggering $25 or $30 billion by 2030. When there’s money to be made, there will be significant investment,” Keil said.
“These aren’t just cobbled together scripts anymore. The bad guys will evolve as the protection mechanisms and the defense evolves.”