Around 30% of all web traffic is made up of bad bots. E-commerce businesses are constant targets of bad bot attacks such as inventory denial, scalping, scraping, credential stuffing, and Layer 7 DDoS attacks. To make matters worse, bots are becoming increasingly complex and sophisticated, making detection and deterrence far more challenging.
Bot attacks may result in poor website performance, site downtime, exposure of sensitive customer data, and lost revenue. It is therefore essential that online retailers implement and maintain robust security measures against malicious bots.
In this blog, we shall examine five dangerous bot threats that online retailers face today, and how to mitigate them.
Denial of inventory
In this type of attack, the bot selects items in the online store and adds them to the cart, but never purchases them. The result is that inventory is tied up, and legitimate shoppers get an out-of-stock message.
An inventory denial bot will add items to the cart again and again on a periodic basis, so even if the cart is automatically emptied, the bot will come back and put the items in the cart once more. Such activity can originate from unethical competitors trying to gain an unfair business advantage.
As a defense mechanism, online retailers may set limits on how long shoppers can hold items in carts, and on the number of times the same item can be added. However, more advanced bot attacks circumvent these limits by using large numbers of different IP addresses, thus appearing to be many individual shoppers rather than one item hoarder.
A more effective countermeasure is a specialized bot detection solution that identifies and blocks malicious bots before they can even access the store.
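The two cart limits described above, modelled as an added example (this is not code from the original article or from any vendor). The hold timeout and the re-add cap are enforced per shopper identity, and the `simulate_hoarder` function shows the caveat the text raises: the cap stops a bot that keeps one identity, but not one that presents a fresh identity (a new IP address) on every cycle. The policy values `HOLD_SECONDS` and `MAX_ADDS_PER_SKU` are assumed.

```python
"""Cart-hold limits as a first line of defense against inventory denial.

Added example, not code from the original article. It models the two limits
the text mentions (a hold timeout and a cap on re-adding the same item) and
shows why they fail once a bot rotates its identity (e.g. source IP).
Policy values are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

HOLD_SECONDS = 600        # assumed: an item stays reserved in a cart for 10 minutes
MAX_ADDS_PER_SKU = 3      # assumed: same shopper may add the same SKU at most 3 times


@dataclass
class Reservation:
    qty: int
    expires_at: float


@dataclass
class InventoryGuard:
    stock: Dict[str, int]
    # (shopper_id, sku) -> active cart hold
    holds: Dict[Tuple[str, str], Reservation] = field(default_factory=dict)
    # (shopper_id, sku) -> how many times this shopper has added this SKU
    add_counts: Dict[Tuple[str, str], int] = field(default_factory=dict)

    def _release_expired(self, now: float) -> None:
        """Return stock held by carts whose hold timeout has passed."""
        for key, res in list(self.holds.items()):
            if res.expires_at <= now:
                self.stock[key[1]] += res.qty
                del self.holds[key]

    def available(self, sku: str, now: float) -> int:
        """Units a legitimate shopper could reserve right now."""
        self._release_expired(now)
        return self.stock.get(sku, 0)

    def add_to_cart(self, shopper_id: str, sku: str, qty: int, now: float) -> str:
        """Reserve qty units of sku; returns 'ok', 'limit' or 'out_of_stock'."""
        self._release_expired(now)
        key = (shopper_id, sku)
        if self.add_counts.get(key, 0) >= MAX_ADDS_PER_SKU:
            return "limit"
        # A re-add replaces the shopper's existing hold, so give that stock back first.
        previous = self.holds.pop(key, None)
        if previous is not None:
            self.stock[sku] += previous.qty
        if self.stock.get(sku, 0) < qty:
            return "out_of_stock"
        self.stock[sku] -= qty
        self.add_counts[key] = self.add_counts.get(key, 0) + 1
        self.holds[key] = Reservation(qty=qty, expires_at=now + HOLD_SECONDS)
        return "ok"


def simulate_hoarder(rotate_identity: bool) -> int:
    """A bot re-adds the entire stock of one SKU every time its hold expires.

    Returns how many units are available to a real shopper halfway through the
    bot's last hold. With a single identity the add-count cap stops the bot;
    with a fresh identity per cycle (one IP per cycle) the cap never triggers.
    """
    guard = InventoryGuard(stock={"console": 5})
    now = 0.0
    for cycle in range(6):                       # six hold cycles = one hour
        shopper = f"bot-{cycle}" if rotate_identity else "bot"
        guard.add_to_cart(shopper, "console", 5, now)
        now += HOLD_SECONDS
    return guard.available("console", now - HOLD_SECONDS / 2)


if __name__ == "__main__":
    print("single identity, units left for shoppers:", simulate_hoarder(False))   # 5
    print("rotating identity, units left for shoppers:", simulate_hoarder(True))  # 0
```

The point of the simulation is the second number: once the shopper identity is no longer stable, a per-identity limit gives no protection at all, which is why the text recommends detecting the bot itself rather than relying on cart rules.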
Scalping
Like real-world event ticket scalpers, malicious scalper bots buy limited-edition items in order to sell them afterwards at a higher price.
Let’s say an eagerly anticipated new game console is due to be released soon. On release day, scalper bots use the speed of automation to buy as much stock as quickly as possible. Customers get an out-of-stock notification, which can occur within minutes of the product release, and have no choice but to pay the resale price set by the bot operators.
For instance, on release day, the $60 Super Nintendo Entertainment System Classic Edition sold for an average of $160 on eBay, more than double the original price.
Scalper bots are tough to beat, but a specialized bot protection solution will detect and block them. Malicious attempts are detected automatically around the clock, and can be mapped on a dashboard that lets retailers monitor bot activity in real time. And when a new undesirable bot is identified on one retailer’s website, the best solutions will automatically protect all their users against it.
Scraping
Bot-driven scraping consists of high-volume, relentless attempts to steal listings from online retailer websites. Without the content owner’s consent, dishonest competitors can then add the stolen content to their own listings, or the data can be sold on the Deep Web. In the end, the victim’s e-commerce portal receives very few genuine visitors, which cuts into revenue and damages brand value.
The Fork was experiencing mysterious traffic spikes that did not match its normal activity peaks (holidays, discounts, etc.). The company discovered that these were malicious bots attempting to steal value-added content such as customer reviews and table availability.
Credential Stuffing and Credential Cracking
In credential stuffing attacks, malicious bots take stolen credentials (usernames and passwords) from one site and attempt to log in to another site. Credentials are commonly obtained after a massive data breach, and the stolen data is either published online or sold. More sophisticated credential stuffing attacks use a large number of bots so that login attempts appear to come from many different devices.
Credential cracking, also referred to as a brute force attack, uses a huge volume of attempts to “guess” the correct combination of credentials. For example, in a dictionary attack, all the words in a dictionary are tried one by one to gain access. Cybercriminals use bots to be able to run through such massive numbers of attempts.
Credential cracking and credential stuffing are two means to the same end: accessing and abusing customer accounts, also called account takeover.
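The two patterns just described look very different in login telemetry, and the distinction matters for detection: cracking concentrates failures on one account, while a distributed stuffing run keeps every source IP under the radar and only shows up in the aggregate. The following is an added example (not code from the original article) that separates the two over a constructed batch of login events; the event format and all thresholds are assumptions that would be tuned to a real site’s traffic.

```python
"""Separating credential cracking from credential stuffing in login telemetry.

Added example, not the article's code. Each login event is a constructed
(timestamp, source_ip, username, success) tuple; every threshold is assumed
and would be tuned to a real site's traffic.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Event = Tuple[int, str, str, bool]   # (epoch seconds, source IP, username, login succeeded)

CRACKING_FAILS_PER_ACCOUNT = 20      # assumed: this many failures on one account = brute force
STUFFING_MAX_ATTEMPTS_PER_IP = 3     # assumed: stuffing bots keep each IP below this
STUFFING_MIN_ACCOUNTS = 50           # assumed: ...while touching at least this many accounts
STUFFING_MIN_FAILURE_RATIO = 0.8     # assumed: leaked credentials mostly no longer work


def detect(events: Iterable[Event]) -> Dict[str, object]:
    """Return cracking targets and a credential-stuffing verdict for one window."""
    fails_per_account: Dict[str, int] = defaultdict(int)
    attempts_per_ip: Dict[str, int] = defaultdict(int)
    fails_per_ip: Dict[str, int] = defaultdict(int)
    accounts_per_ip: Dict[str, set] = defaultdict(set)

    for _ts, ip, user, ok in events:
        attempts_per_ip[ip] += 1
        accounts_per_ip[ip].add(user)
        if not ok:
            fails_per_account[user] += 1
            fails_per_ip[ip] += 1

    # Cracking: one account absorbing a large number of failed guesses.
    cracking_targets = sorted(
        user for user, n in fails_per_account.items() if n >= CRACKING_FAILS_PER_ACCOUNT
    )

    # Stuffing: many "quiet" sources (few attempts each) that together try a
    # large number of distinct accounts and mostly fail. A per-IP rate limit
    # never sees this pattern; only the aggregate view does.
    quiet_ips = [ip for ip, n in attempts_per_ip.items() if n <= STUFFING_MAX_ATTEMPTS_PER_IP]
    accounts: set = set()
    for ip in quiet_ips:
        accounts |= accounts_per_ip[ip]
    attempts = sum(attempts_per_ip[ip] for ip in quiet_ips)
    fails = sum(fails_per_ip[ip] for ip in quiet_ips)
    failure_ratio = round(fails / attempts, 3) if attempts else 0.0

    return {
        "cracking_targets": cracking_targets,
        "stuffing_suspected": (
            len(accounts) >= STUFFING_MIN_ACCOUNTS and failure_ratio >= STUFFING_MIN_FAILURE_RATIO
        ),
        "stuffing_accounts": len(accounts),
        "stuffing_failure_ratio": failure_ratio,
    }


def constructed_events() -> List[Event]:
    """Constructed telemetry: a dictionary attack, a stuffing run and one real user."""
    events: List[Event] = []
    # Dictionary attack: one source hammers a single account with 25 guesses.
    for i in range(25):
        events.append((1000 + i, "203.0.113.9", "alice", False))
    # Credential stuffing: 60 leaked username/password pairs, one try each,
    # spread over 60 source addresses; two of the leaked pairs still work.
    for i in range(60):
        events.append((1100 + i, f"198.51.100.{i + 1}", f"user{i:03d}", i in (7, 31)))
    # Organic traffic: a real shopper mistypes once, then logs in.
    events.append((1300, "192.0.2.5", "bob", False))
    events.append((1301, "192.0.2.5", "bob", True))
    return events


if __name__ == "__main__":
    print(detect(constructed_events()))
```

On the constructed batch, `alice` is reported as a cracking target and the stuffing verdict is positive even though no single source IP made more than two attempts. The successful logins inside the stuffing run are the account takeovers the text warns about; in practice those sessions are what a defender would step up (re-authentication, password reset) rather than the individual IPs.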
With 40 million members, BlaBlaCar is the world’s biggest carpooling community. The company’s huge database is an inviting target for those seeking personal data for criminal purposes. At a certain point, BlaBlaCar detected huge abnormal load spikes, which were recognized as brute force attacks. The criminals were trying to access user accounts in order to steal credit card numbers and retrieve coupons that could be used or resold.
Advanced bot protection technology makes it possible for BlaBlaCar to block both known bots and unknown threats, so that its customers stay safe. Even better, this does not require any day-to-day intervention by the company’s technical team.
Layer 7 DDoS
Layer 7 DDoS attacks target the application layer of the Open Systems Interconnection (OSI) model. The intent is to overwhelm and crash a website with a flood of traffic.
Celio is a leading men’s ready-to-wear brand, present in more than 40 countries with over 1200 stores. The Celio team used to handle bot traffic on a case-by-case basis, monitoring traffic and manually blocking unwanted bots. This was very labor intensive, however, and it is ineffective against attacks using large numbers of different IP addresses.
Eventually, the company experienced an enormous Layer 7 DDoS attack. The bot traffic broke through the manual defenses, swamped the disks with logs, and crashed the platform.
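Both the scraping case (traffic spikes that do not match the site’s normal peaks) and the Layer 7 case (a flood that outruns manual IP blocking) come down to the same two measurements on the access log: is the aggregate request rate far above its baseline, and is any single client exceeding what a human could generate. The following is an added example (not code from the original article or from any vendor) that runs both checks over a constructed log; the line format, spike factor, window and per-client limit are all assumptions.

```python
"""Spotting application-layer floods in access logs.

Added example, not the article's or any vendor's code. It covers the two
symptoms the case studies describe: request volume that does not match the
site's normal peaks (the scraping case) and a Layer 7 flood that outruns
manual IP blocking. Log lines are constructed as "<epoch_seconds> <client_ip>
<path>"; the spike factor, window and per-client limit are assumed.
"""
from collections import Counter, defaultdict, deque
from statistics import median
from typing import Deque, Dict, List, Tuple

SPIKE_FACTOR = 5          # assumed: a minute is anomalous above 5x the baseline
WINDOW_SECONDS = 60       # assumed: sliding window for per-client counting
PER_CLIENT_LIMIT = 60     # assumed: requests one client may make per window


def parse(line: str) -> Tuple[int, str, str]:
    ts, ip, path = line.split()
    return int(ts), ip, path


def requests_per_minute(lines: List[str]) -> Dict[int, int]:
    counts: Counter = Counter()
    for line in lines:
        ts, _ip, _path = parse(line)
        counts[ts // 60] += 1
    return dict(counts)


def anomalous_minutes(lines: List[str], warmup: int = 5) -> Dict[int, int]:
    """Minutes whose request count exceeds SPIKE_FACTOR x the median of the
    preceding normal minutes. Flagged minutes do not feed the baseline, so one
    flood cannot raise the bar for the next one. Returns {minute: count}."""
    counts = requests_per_minute(lines)
    flagged: Dict[int, int] = {}
    history: List[int] = []
    for minute in sorted(counts):
        if len(history) >= max(warmup, 1) and counts[minute] > SPIKE_FACTOR * median(history):
            flagged[minute] = counts[minute]
        else:
            history.append(counts[minute])
    return flagged


def over_limit_clients(lines: List[str]) -> Dict[str, int]:
    """Sliding-window request count per client IP. Returns the clients that
    exceeded PER_CLIENT_LIMIT inside any WINDOW_SECONDS span, with their peak
    in-window count. A flood spread over many IPs stays under this limit,
    which is why the aggregate check above is needed as well."""
    events = sorted(parse(line) for line in lines)
    windows: Dict[str, Deque[int]] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for ts, ip, _path in events:
        window = windows[ip]
        window.append(ts)
        while window and window[0] <= ts - WINDOW_SECONDS:
            window.popleft()
        if len(window) > PER_CLIENT_LIMIT:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return peak


def constructed_log() -> List[str]:
    """Ten quiet minutes of organic traffic, then one minute of a five-source crawl."""
    lines: List[str] = []
    for minute in range(10):                       # ~30 requests/min from 20 shoppers
        for i in range(30):
            lines.append(f"{minute * 60 + i * 2} 192.0.2.{i % 20 + 1} /product/{i}")
    for i in range(1500):                          # 1500 requests in minute 10
        lines.append(f"{600 + i % 60} 198.51.100.{i % 5 + 1} /product/{i}")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print("anomalous minutes:", anomalous_minutes(log))     # {10: 1500}
    print("clients over limit:", over_limit_clients(log))
```

The per-client check catches the five crawler addresses in the constructed log; the aggregate check is what still fires when the same volume is spread over thousands of addresses, which is the situation manual IP blocking cannot keep up with. Either signal on its own is a reason to route traffic through bot detection rather than to the origin.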