Overview: Find out if eCommerce bots are posing a threat to your website, business, and clients.
Large-scale shopping bot campaigns are being executed through the use of parking, monetization, and email forwarding. Learning how to analyze suspected fraudulent user accounts and associated orders is the first step that could help keep you and your clients safe.
“Bot attacks can result in poor website performance, site downtime, exposure of sensitive customer data, and lost revenue,” according to Data Dom. It is therefore imperative that online retailers implement and maintain robust security measures against malicious bots.
We’ll be considering the following:
Understanding chatbots vs. bots
Fraud & threats
First, an introduction to chatbots:
What exactly are chatbots?
You know those little conversations you have with Joe Schmo when you enter a website? Joe popped up out of nowhere, likely on the bottom right hand corner of your screen, and asked how you were doing, what brought you to the website, or if you need any help.
Keep in mind that when talking about malicious intent, we’re not really focusing on these type of bots.
How Ecommerce Bots are Being Used for Account Fraud :
At the end of last year Jason Kent, hacker-in-residence at Cequence Security, discussed sneaky shopping bot tactics (i.e., domain parking) seen in a mass campaign, and what retail security teams can do about them. Here’s the rundown:
Analysis of shopping-bot campaign data uncovered more than 850,000 fake accounts associated with a relatively small number of domains.
Clusters and common patterns point to domain-name registration and hosting services (like Namecheap); with parking, monetization and email forwarding being used to execute large-scale shopping bot campaigns.
Retailers should analyze historic data to uncover patterns emanating from suspicious domains using the same hosting infrastructure. Patterns observed include irregular domain names, domain resolving to an untrusted web app, SSL not enabled.
Send email account-creation verification or consider the use of multifactor authentication (MFA) when possible.
3 Common Bot Threats for the Online Retail Industry:
Data Dome, cited earlier, says that around 30 percent of all web traffic is made up of bad bots. To put this figure into perspective, this means that between 1 to 2 website “visitors” are bots.
Now we’re getting into the bots who appear to be customers, but aren’t. What are they doing and how can they ruin online businesses?
1) DENIAL OF INVENTORY:
In this type of attack, the bot selects items in the online store and adds them to the cart, but never completes the purchase. The result is that inventory gets tied up, and legitimate shoppers may get an “out of stock” message.
A “denial of inventory” bot will repeatedly add items to the cart on a periodic basis, so even if the cart automatically empties, the bot will return and put them in the cart again. This kind of activity can initiate from unscrupulous competitors trying to gain an unfair business advantage.
What To Do: As a defense, online retailers may set limits on how long shoppers can hold items in their carts, and on the number of times the same item can be added. However, more advanced bot attacks override these limits by using large numbers of different IP addresses, thus appearing to be many individual shoppers instead of a single item hoarder. A more effective countermeasure is a specialized bot detection solution which identifies and blocks malicious bots before they can even access the store.
Scalping is a technique that is most well-known in the ticketing and events industry, sneaker industry, or electronics industry, where tickets or limited items are purchased and resold later so scalpers can make a profit. However, scalper bots can be used in other industries as well.
This is done by the bot’s ability to fill in information that is required for the purchase process, such as credit card details and billing address, which would take a human user significantly more time than it takes for an attacker to complete the checkout process in a fraction of the time it would take any legitimate user.
More sophisticated scalper bots are able to bypass the CAPTCHA and other security measures that are in place.
Related: What Are Scalper Bots?
“Web Application Firewalls (WAFs) were once successful in preventing scalper bots,” says Kasada. “With artificial intelligence (AI), machine learning, and the sophistication of technology, WAFs are not a match for the bots we see today.”
What To Do: 1) Put limits on the number of and rates of incoming connections. 2) With machine learning, scalpers can be identified, and you can take measures to shield yourself from them. You can effectively filter out the scalpers and block them from accessing your site by using pattern recognition. 3) Consider preventing multiple orders to prevent items being scalped on your website (one delivery per customer) or ask users to register utilizing their social security number to ensure this is the case.
You can rad more about scalper bots in this article.
3) WEB SCRAPING:
Web scraping is the process of using bots to extract content and data from a website. Unlike screen scraping, which only copies pixels displayed onscreen, web scraping extracts underlying HTML code and, with it, data stored in a database. The scraper can then replicate entire website content elsewhere.
Web scraping is also used for illegal purposes, including the undercutting of prices and the theft of copyrighted content. An online entity targeted by a scraper can suffer severe financial losses, especially if it’s a business strongly relying on competitive pricing models or deals in content distribution.
You can read more about web scraping bots here.
What To Do: What To Do: “”Essentially, hindering scraping means that you need to make it difficult for scripts and machines to get the wanted data from your website, while not making it difficult for real users and search engines,” says GitHub. Some general methods to detect and deter scrapers:
Monitor your logs & traffic patterns
Limit access if you see unusual activity
Require registration & login
Block access from cloud hosting and scraping service IP addresses
Make your error message nondescript if you do block
Use Captchas if you suspect that your website is being accessed by a scraper
Serve your text content as an image
Don’t expose your complete dataset
Don’t expose your APIs, endpoints, and similar things.