They were scouring retail websites, and continue to do so through the holiday season, seeking price information and site vulnerabilities.

Colin Murray, IT security analyst at Distil Networks, contributed to this article.

On Dec. 1, the Senate passed the Better Online Ticket Sales (BOTS) Act, which aims to criminalize the use of bots to buy tickets and resell them at hugely inflated prices. While the BOTS Act has also gained support from show business personalities decrying the abuse of ticket prices at Adele and Bruce Springsteen concerts, it’s important to understand that the bot problem is not just about ticket scalping at expensive shows. Any business with a website, especially in e-commerce, is constantly under attack from bots. Show business may have the glamour, but the e-commerce world is suffering just as badly.

Unlike humans, bad bots don’t take time off. Over the Thanksgiving holiday and Cyber Monday, almost 25 percent of requests made on e-commerce sites came from a bad bot. On average, bad bot traffic made up 22 percent of e-commerce traffic, which is a five percent increase from last year’s average percentage of bad bot traffic to e-commerce sites (bad bots accounted for 17 percent of e-commerce traffic in 2015).

Interestingly, there was a spike in bot traffic just before midnight on Cyber Monday, which indicates that bots were preparing for their assault on the day when most sales prices change to lure in online shoppers.

In order to better understand the threat to e-commerce businesses during Thanksgiving through Cyber Monday, Distil Networks analyzed traffic going to roughly 600 e-commerce sites as well as a sample of 2,600 non-e-commerce sites. The data was pulled over a six-day period, from Tuesday, Nov. 22, through Monday, Nov. 28 (Cyber Monday).


This time span presented an interesting opportunity because of the high volume of online transactions, limited time offers, sales, and promotions that attract fraud.

How Do Bots Impact E-commerce?

Bad bots are automated programs or scripts that are programmed to perform very specific tasks at the behest of their creator. E-commerce sites, particularly during the Thanksgiving holiday, are prime targets for these programs. Bad bots were likely deployed for one or more of these reasons over the holiday:

  • Scrape sale prices so competitors can match deals in near real-time
  • Flood a competitor’s site with more requests than it can handle (Denial of Service/DoS) to impact their sales
  • Skew analytics to impact conversion rates or performance metrics
  • Click on ads to drive up cost of digital ad spend
  • Obtain limited-availability or temporarily lowered goods and services to resell at higher cost later
  • Populate forums (likely the customer review section of the site) with ads for a competitor

Bots have a very diverse set of uses, all of which cause harm to the targeted site. All the threats are describedin a guidebook on automated threats published by the web security consortium OWASP.

Bots Don’t Take Days Off


Bad bot traffic was surprisingly static during the Nov. 22-28 timeframe. If we overlay bad bot traffic on e-commerce sites with human traffic on those same sites, and compare that to bad bot traffic and human traffic on all other sites, some distinct traffic patterns arise.

Figure 1.1 Bad Bots v Human Traffic

The top chart represents e-commerce traffic and the bottom chart represents traffic to all other sites. The sampled websites are mostly for US-based companies and the time zone is EST.

It is clear from Figure 1.1 that humans follow a predictable trend—the traffic is consistently at its lowest point during the late evening through early morning, when most people are asleep. Similarly, bot traffic is mostly static.

Another way to look at the data is by comparing human traffic on all other sites to human traffic on e-commerce sites and bad bot traffic on all other sites to bad bot traffic on e-commerce sites. We demonstrate these data in Figures 1.2 and 1.3 below.


Figure 1.2 Human Requests

It is necessary to point out that Figure 1.3 is approximately one-fourth of the scale of Figure 1.2, in order to reflect peaks and valleys in bad bot traffic.

Interestingly, in contrast to bad bot traffic on all other sites, bad bot traffic on e-commerce sites does appear to follow a similar trend to humans. There are subtle dips in bad bot traffic during the late evening through early morning as well. The bad bot traffic on all other sites is less consistent with its peaks and valleys and does not appear to be following a similar pattern to humans.

Are Advanced Persistent Bots (APBs) Active During the Holiday?

Bad bot traffic on e-commerce sites is more static than human traffic. However, some interesting trends were identified when bad bot traffic on e-commerce sites is examined at an even smaller scale (roughly 1/9 the scale of Figure 1.2):


Figure 1.3 Bad Bot Requests

At this scale, it becomes clear that bot traffic on e-commerce sites does appear to follow a pattern matching human traffic.

More APB Evidence

Another interesting pattern emerged in Figure 1.4: The highest spike in bad bot traffic targeting e-commerce sites was from 10:00 to 11:00 pm EST the Sunday before Cyber Monday. The spike appears to be an anomaly.

Figure 1.4 Bad Bot Requests on e-commerce Sites


Further analysis may ascertain the exact cause of the spike, but the timing is interesting. It could be the result of pre-Cyber Monday testing by bots. Once a target or a group of target sites has been identified, the individual(s) programming the bots will analyze the site’s HTML to identify specific markers or tags that can be used to pull down specific files. Activating the bot enables the attacker to test before carrying out the campaign.

This traffic could be a competitor making sure they knew the pricing of products that they wanted to match during Cyber Monday.

Another possibility is that an attacker identified a specific site that listed the information he or she was after pre-Cyber Monday or perhaps they identified a live staging environment that hosted the data.

Ultimately, what this data shows is that bots are constantly attacking sites and up to 25 percent of all web traffic consists of bad bots. While ticket scalping is gaining legal protection from the BOTS Act and much attention from well-known advocates like Hamilton’s Lin-Manuel Miranda, what about all the other nefarious threats that bots pose to other businesses and industries every day? It will take more than the hashtag #BotsBeGone to solve this problem. And ticket scalping is just the tip of the iceberg.

Distil Networks provides technology designed to protect websites against malicious bots, API abuse and fraud.