Here’s how bad bots attack e‑commerce sites on Black Friday and Cyber Monday

Reid Tatoris, vice president of product outreach and marketing, Distil Networks

The latest research on bad bots shows that e-commerce sites face more sophisticated bot attacks than any other industry. While the overall number of attacks is lower, the complexity is higher, meaning solving the bot problem is more difficult. Unfortunately, this difficulty becomes even more challenging on possibly the biggest day of the year for any retailer: Black Friday.

We all know that traffic to e-commerce sites spikes as a whole on Black Friday. This is exactly what these sites want. More traffic means more sales. But this increase in overall traffic also brings an increase in bot traffic coming from criminals or competitors.

E-commerce is a cutthroat, price-sensitive business. Every site wants to have the best price, especially on Black Friday when they know customers are more likely to be looking to buy, and specifically looking for deals. Black Friday shoppers tend to be more price-sensitive, so sites want to win the best price battle even more than usual. This means that competitive price scraping, which is always a problem for e-commerce sites, is at an all-time high. Rather than only checking prices daily, competitors ramp up their scraping efforts and increase the frequency of price checks.

To make matters worse, criminals know that on Black Friday, all of a retailer’s attention is laser-focused on driving sales. They pounce on this opportunity to conduct nefarious attacks, knowing that they are more able to fly under the radar on such an important day.

On top of this, all of the additional legitimate traffic makes it easier for bot attackers to hide their tracks. On an average day, a bot attack may cause a several percent spike in traffic that stands out. On Black Friday, with inflated numbers overall, that blip goes unseen. This can lead to increased success rates for fraud, account takeovers, and gift card theft.

Knowing that retailers are more likely to be under attack, on Black Friday 2017, the bot mitigation company Distil Networks closely monitored traffic on more than 300 e-commerce domains. The results confirmed all of the assumptions we know to logically be true.

Distil’s key findings were:

• E-commerce sites analyzed saw a 48 percent increase in overall traffic on Black Friday and Cyber Monday.
• These sites also saw a 20 percent increase in bot traffic compared to the prior weeks.
• Interestingly, there was a 23 percent increase in the number of simple, unsophisticated attacks that were easily detected. This is likely an indicator of amateur bot creators attempting to use bots to snag a deal. Rather than build a specific bot tailored to one site, they use open source automation tools, which are easily identifiable. These types of bots are certainly less nefarious than criminals looking to steal gift card dollars, but the increased flow of traffic may cause site slowdowns, and poorly tested bots could fail and lock out shopping carts for real customers.
• And lest you think you can simply block certain regions to protect yourself from Russian organized crime, attackers knew to stay local to avoid detection. Sixty-four percent of attacks came from the same region as the site, so simply blocking by location will not be effective.

2018 Online Peak Seasons Report

An online retailer’s peak season is the year’s high point of traffic and sales, and typically the merchant’s most important season, because it accounts for a disproportionate amount of yearly revenue. But not all retailers identify the November-December winter holiday sales period as their peak season. Consumer spending habits follow the calendar year cycle, and […]

View Details

Retailers should stay vigilant to ensure they aren’t exploited. Take time before Black Friday to review your bot security measures and make sure you are protected. Here are a few quick actions you can take:

• Change your alert thresholds to compensate for the larger than usual traffic.
• Consider having team members assigned to specifically look for fraud and bot attacks, knowing that most everyone else will be occupied elsewhere.
• Block outdated user agents and browsers. Many bot tools have default configurations that contain outdated user-agent string lists. Most modern browsers force auto-updates on users, so the risk of a real customer using an outdated version is very low.
• Monitor increases in failed validation of gift card numbers. This can be a signal that bots such as GiftGhostBot are attempting to steal gift card balances. Monitor these pages closely and set up alerts to notify you of any spike.
• Monitor for failed login attempts. Define your failed login attempt baseline, then monitor for anomalies or spikes. Set up alerts so you’re automatically notified if any occur.

While generating sales on Black Friday is obviously incredibly important for retailers, it’s also important to remember that your risk to automated attacks is larger than usual. Make sure that additional traffic is coming from your actual customers, that it doesn’t ruin the experience of those customers.

Distil Networks is a cybersecurity firm specializing in bot migitation.