The ongoing pandemic has had one major, obvious lifestyle outcome: we’re all online a lot more than we used to be. And the shift from IRL to online activities has put a lot of pressure on a number of aspects of our experience on the web – there’s a greater demand for tools and platforms that help facilitate those new activities, and with that increase in demand has come an increase in fraud.

We’ve seen spikes of fraudulent activities on all fronts, ranging from mobile, social media, online shopping, and everything in between.

Scalper bots run amok

On the retail front, scalping, or automated buying, is causing major concerns for both retailers and consumers alike. Fraudsters are leveraging scalper bots to purchase high-demand items before humans can even deposit desired items into their online shopping carts. In turn, this forces humans to venture into third-party resale sites like eBay to try their luck at acquiring these products. Bots are no longer used just for grabbing tickets or sneakers. Today, we’re seeing bots dispersed to amass just about anything that can be purchased online. Consider the recent new-generation video game console releases and how difficult it’s been for folks to get their hands on their own console. That’s not a coincidence.

The bots that carry out this particular form of fraud have become increasingly sophisticated, responding to the challenges that each retail site poses. Different bots target specific types of merchandise (like sneakers or video game consoles) or brands, and each of these has unique techniques up their sleeves to speed through checkout processes. The moment a sale is launched, bots immediately start the checkout process, using pre-logged information such as shipping address, credit card information, or website credentials to rapidly fill out checkout forms and finalize the purchase within seconds.

But there’s more to it than that.

In the mind of a bot

Fraudsters constantly monitor targeted websites, usually testing the waters before special events like Black Friday, to ensure that the bot is working as it should and that it’s successfully bypassing detection mechanisms, buying limitations and more. Along the way, fraudsters create a bunch of fake accounts or take over existing ones to tilt the odds even more in their favor. The bots they deploy rely on residential proxies to avoid detection: every transaction comes from a different,legitimate IP address. Some bot operators even have the ability to confuse detection methodologies by mimicking humans through “salting” the transaction time frame with additional milliseconds. The payment process comes from a prepared list of banking cards. Everything from profiles, credentials, and names to shipping addresses are scrambled to avoid detection and to mask the act, making it look as real as possible. 

Fraudsters can even go as far as to develop bots customized to a specific retailer, starting from their checkout process and bot detection techniques (like CAPTCHAs), to sales efforts (early access, best deals etc.). They also share exclusive intelligence with close communities, tipping off additional advantage points. Forecasts of huge price drops, insights on launch dates of the products, early bird links before official general public launches, and technical aspects of bot development and bypassing detection tools pass between members of these limited-access communities. Keeping communities restricted ensures the golden goose of exclusive information and bots is kept as limited as possible, preventing high competition among resellers.

Since bots are often designed for the particular platforms they’ll be operating on, these already know how to bypass bot detection processes, including defeating CAPTCHAs, using secure virtual credit cards, proxies (providing unique IP addresses), and living on servers (increasing the speed of the bot).

Fraudsters hunt for attractive deals, especially those where demand will outstrip supply, guaranteeing great resale value for the items they come away with. Consumers not only miss out on the best deal (and the goods, of course), but also have difficult shopping experiences, and are forced to purchase the same product at a much higher price from a reseller.

Retailers need to care

From a retailer’s point of view, the sale will be successful regardless of whether the items were purchased by humans or bots. However, having high bot traffic and purchases comes with reputational and technological implications: customers may instead purchase from competitors who have better security measures in place, retailers may get blasted on social media, and retailers will have to invest in new technology infrastructure to handle high demand. Such technology and infrastructure investments would be more affordable for retailers if humans, not bots, were executing the majority of purchase transactions.

It’s no surprise that high-profile product releases come with high web traffic figures. But bots have the power to overload servers with automated traffic, breaking systems and crashing retailers’ sites. Should the retailer choose to combat this by scaling and increasing server powers, bots will only be fed with more opportunities to attack.

And since the bot challenge is known to advanced consumers, those consumers might decide to fight fire with fire by buying bots for personal small batch purchases, exacerbating the overall problem.

So the next time you decide to purchase a hot item, keep in mind that you might end up fighting for it with a bot. 

Inna Vasilyeva is threat intelligence analyst at White Ops.