
The rise of bad bots in retail ecommerce

(Image credit: WNDJ / Pixabay)

Consumers headed online in their droves to snap up deals over the Black Friday and Cyber Monday weekend. Shoppers ramped up their spending and capitalised on bargain offerings, sending US Black Friday online sales soaring to $7.4bn, an increase of 20 per cent over 2018, beating all previous records.

Cyber Monday also set new sales records for many retailers. Amazon announced that it was the biggest shopping day in the company’s 25-year history, with customers around the world buying more items than on any other day.

The rise in fake shoppers

The run up to Christmas is key for retailers and a peak selling period on the retail calendar. The trend in online sales continues to increase year on year and savvy retailers have responded in kind by investing in their e-commerce offerings. Many traditional as well as online retailers have bulked up their online presence, increased delivery options and introduced fast in-store pickups to attract sales.

Consumers, keen to beat the crowds and get the best deals in the run-up to Christmas, continue to head online in increasing numbers. However, recent research we’ve done at Radware reveals it could be in vain thanks to so-called ‘Jingle Bots’ wreaking havoc. An in-depth look at internet traffic on Black Friday and Cyber Monday showed that only a third of shoppers were real people. The remainder were automated bots designed to disrupt the smooth running and revenues of eCommerce sites. The bots jammed sites with fake shoppers, with the intent of frustrating genuine shoppers into giving up or taking their custom elsewhere.

Ecommerce gremlins

Nicknamed ‘Jingle bots’, these internet bots made up 90 per cent of shopping carts over the Black Friday/Cyber Monday period. Stealthily operating under the radar and disguised as bona fide shoppers, the bots mimicked the behaviour of real online shoppers. The intent was to put thousands of items into shopping baskets, making the stock unavailable to genuine shoppers. As a result, cart abandonments were much higher this year, caused by bots with no intention of checking out. In addition to preventing online shoppers from securing their bargains, some of the bots had the goal of redirecting customers to the sites of competitors.

Bots – the good, the bad and the ugly

For the past few years, bots have been at their highest level and have surpassed human-generated internet traffic. Although some bots are good, such as search engine crawlers and automated web chat, many are malicious.

There are many reasons why bots are used in this way. Some are nation state attacks intended to disrupt an economy. Unthinkable but true. Then there are those bad bots designed to beat the competition by breaking into apps to scrape sensitive price information and those with the intent of hoarding popular or limited-edition items for resale at premium prices on secondary markets.

It’s clear from the volume of transactions that these bots are downright ugly and the intent to wreak havoc for consumers and retailers alike shows no sign of abating. In fact, of the millions of transactions studied, 45 per cent of the traffic to product pages was made up of bots used for corporate espionage. The snooping tactic ensures competitors can automatically put in place price sensitive deals at 15 per cent less than others to win customers. It’s becoming more common as retailers vie for the attention of shoppers at one of the busiest times of the year.

There are also the bots that cause headaches for consumers by taking over customer accounts, stealing loyalty points, and committing credit card and gift card fraud. It’s evidence that today’s bots are more sophisticated than ever before at mimicking human behaviours to get what they want, including bypassing CAPTCHAs.

However, there is another dimension to the attacks that retailers need to be aware of, namely click bots committing Ad Fraud. These bots take advantage of the adverts marketing teams run online and deliberately use the links in adverts to access a website. This not only floods the site with fake customers, but also increases the cost of online ad campaigns without the corresponding bounce in sales.

The increased traffic from bad bots not only uses up click ad budgets but ruins the customer buying experience as sites often slow under the load. Marketing teams should work closely with their security teams to analyse figures and spot rogue spikes. This not only ensures marketing budget is utilised effectively to drive sales but it’s also a good indicator of a retailer that is taking proactive steps to thwart the activity of bad bots.

Retailers under attack

So, as rogue bots gear up for the busy holiday season, these are the attacks retailers are most likely to face:

  • Credential Stuffing and Account Takeovers (ATO): These happen when hackers obtain login credentials from third-party breaches and use them to gain access to a user’s account.
  • Web scraping: the practice of extracting data from websites by competitors and grey market resellers to efficiently undercut pricing and inventory.
  • Price scraping: Likely to be conducted by competitors who want to automatically adjust & price match offers.
  • Credential theft: Stealing a victim’s proof of identity.
  • Vulnerability identification:  Using bots to identify weaknesses in a website.
  • Ad Fraud: Using bots to generate false click-through and impression data.
  • Denial of Service (DoS/DDoS): Flooding a website with an overwhelming number of requests, to force it offline.

Proactive steps for retailers

Being able to spot a bad bot isn’t easy for retailers and the high number of abandoned carts illustrates how difficult it is. We know that some 80 per cent of companies say they can’t differentiate between good and bad bots. This is an acute problem for online retailers, especially as some sites can experience as many as 2,000 bot hits on their website per minute. It highlights just how important it is to put bot detection measures in place to prevent the infiltration of sales platforms.

There are tell-tale signs of bad bot attacks and retailers would benefit from actively examining web performance and paying particular attention to the warning signs. These include abnormal spikes in traffic, high bounce rates, IP addresses with suspicious origins, and slower performance of the site overall. These indicators are a clear sign of unwanted bad bot traffic.
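As an added illustration (not from the article or from Radware), the sketch below checks a web log for two of the signs discussed above: clients that fill carts without ever checking out, and minutes with abnormal traffic spikes. The log format, the `/cart/add` and `/checkout` paths, the thresholds and the sample events are all assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime
from statistics import median

def build_sample():
    """Constructed events: 'ISO-timestamp client-ip METHOD path' (not real traffic)."""
    # A human-like shopper: views a product, adds one item, checks out.
    lines = ["2019-11-29T10:00:05 198.51.100.7 GET /product/42",
             "2019-11-29T10:01:10 198.51.100.7 POST /cart/add",
             "2019-11-29T10:03:30 198.51.100.7 POST /checkout"]
    # A hoarding client: 40 cart adds inside one minute, never checks out.
    lines += [f"2019-11-29T10:02:{s:02d} 203.0.113.9 POST /cart/add" for s in range(40)]
    # Light background browsing in the other minutes.
    lines += [f"2019-11-29T10:0{m}:15 192.0.2.{m} GET /product/7" for m in (0, 1, 3, 4)]
    return lines

def parse(line):
    ts, ip, method, path = line.split()
    return datetime.fromisoformat(ts), ip, method, path

def cart_hoarders(lines, min_adds=10):
    """Clients with at least min_adds cart additions and no checkout at all."""
    adds, checkouts = Counter(), Counter()
    for _, ip, _, path in map(parse, lines):
        if path == "/cart/add":      # assumed add-to-cart endpoint
            adds[ip] += 1
        elif path == "/checkout":    # assumed checkout endpoint
            checkouts[ip] += 1
    return sorted(ip for ip, n in adds.items()
                  if n >= min_adds and checkouts[ip] == 0)

def traffic_spikes(lines, factor=5):
    """Minutes whose request count exceeds factor times the median minute."""
    per_minute = Counter(parse(l)[0].replace(second=0) for l in lines)
    baseline = median(per_minute.values())
    return sorted(m.strftime("%H:%M") for m, n in per_minute.items()
                  if n > factor * baseline)

if __name__ == "__main__":
    sample = build_sample()
    print("cart hoarders:", cart_hoarders(sample))
    print("spike minutes:", traffic_spikes(sample))
```

On real traffic the thresholds need tuning against a normal trading day, and keying on session or account rather than IP address avoids penalising shoppers behind shared addresses.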

Being aware of the risks at this time of year is a good first step in fighting back. No one can predict where the attacks will come from for a given business, but being able to spot the signs and having a plan to mitigate everything detected will stand any firm in good stead this holiday season.

Pascal Geenens, EMEA Security Evangelist, Radware
