Why scalper bots will be your worst security nightmare in 2022

Image via Freepik

This past holiday season, malicious bots created a lot of disappointed shoppers. Because retailers were outsmarted by bots targeting exclusive goods, online shoppers hoping to buy electronics and other premium items found stocks to be in short supply on legitimate vendor sites. Desperate users were then forced to redirect their trade to re-seller sites, where they faced exorbitant prices.

None of this is illegal, and the power of scalper bots that digitally jump the line to snap up bulk stock of in-demand products is on the rise. Today, 83% of U.S. enterprises can attribute the loss of business to competitors to bot attacks. On average, it takes enterprises three and a half months to identify that a bot attack has occurred. This failure to detect and stop attacks is due, at least in part, to the lack of a unified approach and shared language in the bot community. It's also due to a lack of understanding of bot attack methods and motivations.

Not only has the number of scalper bot incidences risen, so has the sophistication of the attacks. The scalper bot ecosystem has become increasingly professionalized, with some more advanced groups even registering themselves as formal companies. The barrier to entry is low as well. As a growing number of people are lured into using scalper bots by the promise of guaranteed returns, we're seeing a more significant investment of time and skill into bot tooling and techniques. Equally concerning is that this tactic is also becoming a strategy for organized crime. Even the U.S. government is exploring a bill to legislate against bots in purchasing electronics.

The use of scalper bots — a ploy that can reap millions and at the same time cost millions — isn't poised to slow down. In fact, it will rise exponentially in the next year, in part because of the following bot community trends.

1. Rise of scalper groups. Some groups require entry fees, some run a subscription model, others have a tiered system with a free entry-level, and others are like community support groups and are entirely free. These groups advise and equip members with the ability to scalp and resell items. They also identify profitable targets, provide tools and reports on the best resale pricing strategy. And it's not just criminals turning to scalper groups. Frustrated users who've been left empty-handed when it comes to purchasing hard-to-find items are joining these groups or paying for services to get their hands on limited edition or low stock items. According to a Reddit user, one group had more than 5,000 members, with over 70,000 Instagram followers. The number of bot groups continues to rise as well — professionalizing, recruiting employees and even offering skills training.

2. Bots will set their sights on new targets. Bot developers increasingly offer their skills to those who want to profit from other industry verticals. Today, targets are moving beyond just sneakers and electronics. During the recent holiday season, for example, we saw a rise in bots going after limited edition designer advent calendars. Now we're seeing bots snap up non-fungible tokens (NFTs) on auction sites. We'll continue to see criminals exploit new areas as user demand spikes. Bot users are very quick to react to changing market conditions, like when supply chain issues cause certain items to suddenly be in low supply. Bot users react to this by swooping in to buy up existing stock to resell at a marked-up price.

3. Bots will make more use of residential proxy networks. Many scalper bot attackers route traffic through home computers and mobile devices to make bot traffic look legitimate. Often, however, companies are reluctant to block large bands of I.P. addresses associated with private residences. They simply don't want to stop legitimate customers. For this reason, criminals will increase the use of this strategy to infiltrate sites.

The only effective way to combat scalper bots is server-side bot management. This technology creates a full picture of web traffic and can classify it as good or bad. It also allows businesses to analyze every possible data point. Every request made to a website, app or application programming interface (API) is recorded as a web log in the server, providing a live feed and historical view of who is visiting a site, by what means, and what they are doing. Bots may be able to spoof their identities to client-side detection tools, but they can never mimic the intent of their requests to the server in carrying out their attacks.

Combatting bots proactively to monitor and block even the most sophisticated attacks is the only way businesses can win the war and protect their inventory and livelihood. The scalper bot industry is moving at an impressive speed. It may not be fair or ethical, but it is legal (for now). Businesses need to step up their game and take notice. If they don't, they will continue to find themselves on the losing side of this battle.

Matthew Gracey-McMinn is an experienced Cyber Threat Intelligence professional with an MPhil from the University of Oxford. In his current role at Netacea, he researches and investigates the impact of malicious bots on online businesses and their users.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.