Omri Iluz, CEO, PerimeterX

E-commerce sales during the holiday season are expected to ring up healthy 18 to 21 percent gains over last year and could peak at $114 billion, according to Deloitte. That’s great news for companies poised to increase their online profits, but few online retailers have adequate anti-bot protection. When holiday season traffic ramps up, most are sitting ducks for heavy financial and reputational damage.

Malicious bots have already hit online retail hard. Taking just one area, the Association of National Advertisers estimates that digital advertising fraud by bots will surpass $6.5 billion this year. Losses stemming from e-gift card fraud, another favorite bot play zone, cost retailers nearly $1 billion in 2016.

Bots Mutate, and They Only Get Smarter

Bots have steadily upped their game, leveraging advances in artificial intelligence to impersonate legitimate users and human behaviors more convincingly. They’ve become better at “breaking into” websites, mobile apps, and customer accounts—by infecting millions of browsers with malware, for example, and then piggybacking on real customers to infiltrate user sessions where they can do economic harm. The most recent generations of bots, like Stealth bombers, don’t even show up on volumetric and signature-detection “radar”, which retailers use today.

Bot-Masters: Many Attacks, Many Sources

Bad actors are ingenious when it comes to finding malicious ways to use bots. Knowing their current favorite attacks will help e-commerce companies fight off threats to their brand and bottom line.

1. Account Takeover – If you forget your password, just ask an attacker.

Most inhabitants of planet Earth have had their user IDs and passwords compromised. Theft and resale of stolen account credentials is a major industry. Bots launch attacks through proxy networks or rotating IP addresses, trying the stolen username-password combo on many retail sites. Because most people use the same credentials on multiple accounts, the success rate can be very high—8%, in one documented attack. Once inside an account, attackers can rampage, placing fraudulent orders and stealing card information, among other crimes.

2. Web Scraping – When Competitor Ethics Scrape the Bottom of the Barrel

Price and content scraping differ from other bot attacks, because the activity is probably directed by a competitor, or their helpers. Price-scraping bots—which PerimeterX has traced back to major industry players—collect intelligence on competitor pricing, and pricing strategy, category management, inventory levels, and marketing information like keywords. Regardless of anyone’s opinion on the ethics of price scraping, it helps retailers out-price their competitors and outrank them on search engines. Scraping veers toward illegality when bots scrape copyrighted content and it is reposted elsewhere.

3. Carding – Gift cards and credit cards are ripe for the plucking.

There are two primary kinds of carding attacks: on gift cards and on credit cards. With gift card scams, criminals use bots to hack into gift card accounts and then generate fake cards—even down to their magnetic strips—that match a user’s authentic information. Credit card fraud works in a similar way, with attackers using bots to test stolen credit card data. Once a card’s information is known to work, they use it to steal funds or make purchases. Even if a gift card or credit card is protected by a PIN, brute-force hacking can quickly crack a four-digit code.

4. Checkout Abuse – Nothing for the Customer; Bots Take it All

Anyone who has purchased concert tickets online is aware of checkout abuse, when attackers use bots to snap up all “hot tickets” at high speed, leaving human customers with no chance. During the holiday season, bad actors target the hottest toys of the year, knowing that desperate parents will succumb to massive markups to avoid disappointing their children. Last holiday season, this happened with Nintendo’s Super NES Classic Edition release- and it’s recurring this year with the SNES Classic Edition.  In addition, the wildly popular Hatchimals toys were often monopolized by scalper bots in the 2016 holiday season, then marked up from $60 to as much as $1,000.

Another form of checkout abuse is hoarding, where bots paralyze inventory by placing sought-after products into a shopping cart with no intention of ever purchasing. A type of Application-Layer Denial of Service Attack, hoarding can confuse even the most highly organized merchant, leaving them unsure of sales and inventory levels. This sabotage can seriously damage the bottom line and brand of a business.

5. Marketing Fraud – A Traditional Web Crime, with a New Twist

Often run by professional crime rings, these prolonged attacks involve bots that impact pay-per-click advertising and affiliate marketing. For pay-per-click ads, the bots drive up false clicks, wasting a retailer’s marketing dollars. In another marketing-related scam, bots infect a real user’s browser, then tag that user with an affiliate network code, and claim credit when that user happens to visit—or buy from—sites that pay a bounty. The customer would have done so anyhow, but the affiliate fraudulently takes credit, gets paid, and may even win more business from the victimized ecommerce sites.

6. Mobile: Blocking My Bots on Your Site? Fine! I’ll Use Your Customers’ Smartphones.

Mobile commerce also has the attention of cybercriminals. Research by Nokia indicates there was a 400% increase in smartphone malware attacks in 2016, and a significant portion of that came from bots targeting mobile apps. The better websites are protected, the more motivation criminals have to shift to targeting mobile apps.

There are three primary vectors for mobile app attacks. First, attackers can call the apps’ APIs directly from any IP connection without using the app itself, nor even a mobile device. Attackers could also use the genuine app, or a hacked version of the app, running on mobile device emulators. Emulators are widely used for legitimate purposes, such as to measure the performance and test security of mobile apps. Automated emulators can spin up thousands or millions of them to perpetrate bot attacks that appear to be legitimate users on normal apps and actual smartphones. The third vector is to actually hack a device (or, more likely, an app on a device) and then take over the app to launch the attack. This involves a legitimate device and application, but ones that an attacker has taken control of.

Keeping Retailers Websites and Mobile Apps Safe, Despite Relentless Warfare

The common themes of all these attacks: they are relentless, often highly creative, increasingly sophisticated, and now—with next-generation bots—designed to evade detection.

The technology to catch them, paradoxically, doesn’t focus on identifying known bot behavior. Instead, it uses AI and machine learning to understand the behavior of humans in fine detail. Then, in real time, it picks out any user behavior that veers off human ways of moving a mouse, interacting with a page, or timing a sequence of actions.

Holiday Season Shopping: Behave Like a Human, or You’re Outta Here

Behavior-based detection can determine if online purchases are legitimate, or the work of an army of sneaky bots, and immediately block automated attacks. To “Grinch” the holiday season for cyber-criminals and bot-masters, while protecting their revenue, retailers need to prioritize bot security and implement technology that stops the most prevalent bot attacks—even if the stealthiest bots are used as soldiers.

PerimeterX specializes in preventing automated attacks on websites and mobile apps.