As well as dealing with global supply chain issues this holiday shopping season, retailers can expect their online businesses to be targeted by cyber criminals, especially those operating Grinchbots.
These bots – software programs designed to perform repetitive tasks – have plagued the internet for years, taking advantage of scant supplies of in-demand items by buying them up faster than any human could and reselling them at a higher price to make a profit.
If you’re shopping online today for any coveted product, like a next-generation gaming system, GPU, CPU or limited-edition sneaker, you’ll likely be competing with a bot to get it. The most recent example of this was the release of the Nintendo Switch OLED in early October, when Imperva Research Labs saw an 88% increase in bad bot traffic to retail sites ahead of the launch.
You might ask “so what?” If products are constantly flying off the (digital) shelves, wouldn’t a retailer count that as a win? Not exactly. There’s more to it than just making a sale.
Firstly, the lifetime value of a Grinchbot is far lower than that of a satisfied customer who regularly returns to buy additional products. If you don’t have the product they want, a consumer will quickly go to a competitor’s site to get it. Grinchbots also slow down websites, creating a terrible online shopping experience for all your human customers and enticing them to switch to a competitor. Once they’ve made the switch, they may never return.
Running out of inventory can also damage a brand’s reputation, as consumers often blame the retailer. For example, when the launch of a new GPU sold out in just 1.2 seconds, consumers took to Twitter to express their outrage.
Finally, bots place extra load on a retailer’s servers and often tie up the maximum number of backend database connections that service an application. This makes it impossible to service new connections from human shoppers to an e-commerce site. In order to maintain uptime and avoid degraded functionality, retailers are forced to spend extra on reinforcing their infrastructure. At the same time, these bad bots skew the metrics that decisions are based on.
So if you want to stop Grinchbots this shopping season, you should look at addressing these four areas.
- Block high-risk traffic
Start by blocking outdated user agents/browsers, or using CAPTCHA. The default configurations for many tools and scripts contain user-agent string lists that are largely outdated. The risk in blocking outdated user agents/browsers is very low; most modern browsers force auto-updates on users, making it difficult to surf the web using an outdated version.
Also block known hosting providers and proxy services. Many less sophisticated perpetrators use easily accessible hosting and proxy services. Disallowing access from these sources might discourage attackers from coming after your site. Consider blocking traffic from these data centers: Host Europe GMBH, Dedibox SAS, Digital Ocean, OVH SAS & Choopa, LLC.
When blocking, be sure to protect all access points including exposed APIs and mobile apps, and share blocking information between systems wherever possible. Protecting your website does little good if backdoor paths remain open.
These tactics won’t stop the more advanced attackers, but they might catch and discourage some less sophisticated operators.
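Added example (not code from the article or from Imperva): a request screen that applies the checks described above, blocking traffic from networks mapped to the named hosting providers, blocking outdated browser versions, and sending unrecognised clients to a CAPTCHA rather than hard-blocking them. The version thresholds are assumptions and the network-to-provider table is constructed from placeholder prefixes.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Minimum acceptable major versions (assumed thresholds; tune to your own traffic).
MIN_MAJOR_VERSION = {"Edge": 90, "Chrome": 90, "Firefox": 90, "Safari": 14}

# Constructed network-to-provider table using RFC 5737 TEST-NET prefixes as
# placeholders; a deployment would use an ASN/GeoIP database for real ranges.
HOSTING_NETWORKS = {
    ipaddress.ip_network("192.0.2.0/24"): "Digital Ocean",
    ipaddress.ip_network("198.51.100.0/24"): "OVH SAS",
    ipaddress.ip_network("203.0.113.0/24"): "Choopa, LLC",
}

# Order matters: Edge UAs also carry a "Chrome/<ver>" token; Safari uses "Version/<ver>".
_BROWSER_PATTERNS = [
    ("Edge", re.compile(r"Edg/(\d+)")),
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)[.\d]* .*Safari/")),
]

def browser_version(user_agent: str) -> Optional[Tuple[str, int]]:
    """Return (family, major version), or None for an unrecognised user agent."""
    for family, pattern in _BROWSER_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return family, int(match.group(1))
    return None

def hosting_provider(ip: str) -> Optional[str]:
    """Return the blocked hosting provider that owns ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((org for net, org in HOSTING_NETWORKS.items() if addr in net), None)

def screen_request(ip: str, user_agent: str) -> str:
    """Return 'allow', 'block: <reason>' or 'challenge: <reason>' (serve a CAPTCHA)."""
    org = hosting_provider(ip)
    if org:
        return f"block: hosting provider {org}"
    parsed = browser_version(user_agent)
    if parsed is None:
        return "challenge: unrecognised user agent"
    family, major = parsed
    if major < MIN_MAJOR_VERSION[family]:
        return f"block: outdated {family} {major}"
    return "allow"
```

Apply the same screen to API and mobile-app endpoints, not only the storefront, and feed any block decision back into the shared list so every entry point sees it.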
- Tweak your purchasing process
When it comes to limited-stock items, some retailers limit the number of items a consumer can purchase, while others don’t confirm orders until they have manually investigated and approved each one. Another common method is the use of a virtual queue or waiting room. However, it is worth noting that these processes can still be thwarted by bot operators, especially those using multiple bots and/or advanced bots.
- Monitor for signs of bot traffic
Monitor traffic sources carefully. Do any have high bounce rates? Do you see lower conversion rates from certain traffic sources? These can be signs of bot traffic.
Also investigate traffic spikes. While spikes appear to be a great win for your business, unexplained spikes can be a sign of bad bot activity. If you can’t find a clear, specific source for a spike, investigate further.
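Added example (not from the article): the two monitoring checks above run over constructed data, computing bounce and conversion rates per traffic source and flagging hours whose request count jumps well above the recent median. The session records, hourly counts and the rate thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import median
from typing import Dict, List, Sequence, Tuple

# Constructed session records: (traffic source, pages viewed, purchased).
# "unknown-referrer" mimics a bot source: every session hits one page and buys nothing.
SESSIONS = (
    [("search", 3, True), ("search", 2, False), ("search", 1, False), ("search", 4, True)] * 5
    + [("unknown-referrer", 1, False)] * 10
    + [("email", 2, True), ("email", 1, False)] * 5
)

# Constructed hourly request counts; hour index 6 is an unexplained spike.
HOURLY_REQUESTS = [120, 130, 110, 125, 118, 122, 900, 128, 115]

def source_metrics(sessions: Sequence[Tuple[str, int, bool]]) -> Dict[str, Tuple[float, float]]:
    """Per traffic source: (bounce rate, conversion rate). A bounce is a one-page session."""
    tally = defaultdict(lambda: [0, 0, 0])  # sessions, bounces, conversions
    for source, pages, purchased in sessions:
        t = tally[source]
        t[0] += 1
        t[1] += pages == 1
        t[2] += purchased
    return {src: (b / n, c / n) for src, (n, b, c) in tally.items()}

def suspicious_sources(sessions, max_bounce: float = 0.8, min_conversion: float = 0.02) -> List[str]:
    """Sources whose bounce rate is too high or conversion rate too low (assumed thresholds)."""
    return sorted(src for src, (bounce, conv) in source_metrics(sessions).items()
                  if bounce > max_bounce or conv < min_conversion)

def spike_hours(counts: Sequence[int], factor: float = 3.0, window: int = 6) -> List[int]:
    """Indices of hours whose count exceeds factor times the median of the preceding window."""
    flagged = []
    for i in range(window, len(counts)):
        baseline = median(counts[i - window:i])
        if counts[i] > factor * baseline:
            flagged.append(i)
    return flagged

if __name__ == "__main__":
    for src, (bounce, conv) in source_metrics(SESSIONS).items():
        print(f"{src:18} bounce={bounce:.0%} conversion={conv:.0%}")
    print("suspicious sources:", suspicious_sources(SESSIONS))
    print("spike hours:", spike_hours(HOURLY_REQUESTS))
```

A flagged source or hour is a prompt to investigate (campaign launch, press coverage, or bot activity), not a verdict on its own.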
- Invest in a bot management solution
The bot problem will remain a persistent threat for retailers this peak shopping season and beyond. This year Imperva Research Labs found that over half (57%) of all attacks recorded on online retail websites were carried out by bots, and that monthly bot attacks have increased by 13% compared to last year.
Like other cyber threats, the bot problem is an arms race. The tools bad actors use are constantly evolving, traffic patterns and sources shift, and advanced bots can even mimic human behavior. For this reason, it’s almost impossible to keep up with all of the threats on your own.
That is why a bot management solution is essential to ensure you only allow legitimate customers into your website. This mitigates not only the impact of Grinchbots but also that of other bots, which can perform a wide array of malicious activities such as web scraping, competitive data mining, personal and financial data harvesting, brute-force login, digital ad fraud, denial of service, denial of inventory, spam, transaction fraud, and more.
Reinhart Hansen is director of technology for Imperva CTO Office.