How Malicious Bots Are Targeting the Retail Industry

by Kasada on November 5, 2020

With many shoppers still stuck at home, online spending is on the rise. In fact, according to eMarketer, U.S. consumers are expected to spend nearly $710 billion on ecommerce in 2020 — an increase of 18.0% over last year — reaching 14.5% of total retail sales this year. Those figures represent not only an all-time high for online retail sales but also the single-largest annual increase to date.

But with good news comes some bad news. The problem is that this success has painted a target on online retail’s back in the form of malicious bots and an ever-increasing number of bot attacks. In fact, in 2018, there were 100 billion attempts, representing 10 billion bot attacks, to break into consumers’ online retail accounts, and that number continues to rise.

Sponsorships Available

That’s because wherever there is money to be made, in the form of stolen goods, stolen data, or actually monetary theft, there are sure to be hackers who are financially incentivized to carry out these nefarious acts. Unfortunately, hackers have invested in the same kind of machine learning/artificial intelligence and automation as the vendors who would seek to protect their customers’ web, mobile, and API channels against malicious bots. It’s become a sophisticated battle where only clever, invisible detection and deception will win. This blog post takes a look at some of the more popular types of bot attacks in the retail industry today and how online retailers can defend against them.

Account Takeover

If your traffic reveals a high number of failed login attempts, you might be experiencing a malicious bot attack in which bots inject breached or stolen username/password combinations to fraudulently gain access to online user accounts. Once they are able to break in, hackers then steal credit card numbers, personally identifiable information, and even use the account to order goods, change credentials, and make illegal transactions.

Credential Stuffing / Fraud

While credential abuse is key to account takeover attacks, it is also germain to account opening fraud in which malicious bots create new accounts with someone else’s username and password, and perform other forms of fraud, such as draining accounts of their contents, whether it be cash, loyalty points, or gift cards. For example, one of the world’s largest retailers, had to re-issue more than 600,000 of its loyalty Clubcards after a credential stuffing attack, according to the BBC.

Inventory Hoarding & Scalping

If you’ve heard of sneaker bots, you know exactly what we are talking about. These malicious bots will target new sneaker launches, buying up inventory in order to resell at a higher price (scalping) or simply automating the placement of inventory into shopping carts without checkout (inventory hoarding), in order to drive consumers to other websites to find what they are looking for. This kind of bot attack is an unfair commercial tactic designed to frustrate shoppers and undercut competitors, and unfortunately can be performed with any commercial good or service, not just sneakers, but also other merchandise, hotel rooms, ticketed events, and automated service quotes, for example.

Price & Content Scraping

Your price strategy is a competitive advantage, one that can be used against you if your prices are being scraped so they can be matched or undercut. The same thing is true of original content — the copy and assets on your website are unique to your organization, but competitors will use malicious bots to scrape it and reuse it to cut their costs and to kill your SEO, organic traffic, and competitive differentiation. Although it is not an illegal practice per se, scraped data is being taken and used for competitive or other motives without the scraped company benefiting in any way. Bot attacks performing scraping fraud hurt revenue, operating margins, impact company valuations, and skew traffic metrics for many companies.

Targeting Hidden APIs

While retailers know to defend their websites, they also need to protect their mobile apps and APIs — APIs now account for 83 percent of all web traffic. APIs are such a growing target that Gartner estimates that they will become the most-frequent attack vector by 2022. One of the reasons for that is because organizations may not be aware of all of their APIs, making them significantly under-defended.

Bot Mitigation to the Rescue? Not So Fast

Many bot mitigation vendors claim that they offer real-time defense, but unfortunately, that is not enough to block all bot attacks or stop them completely. For example, vendors that claim to stop 99.9% of bad bot requests might seem effective, but a 0.1% success rate equates to 2,400 successful account breaches a day for a bot operator launching 100,000 attacks an hour. With this in mind, it’s easy to see that such an approach does not adequately address the fundamental driver of malicious bots — financial gain.

Moreover, because bot operators constantly revise their methods and use new technology to evade detection, any approach that relies on rules based on historical data will always be outdated. Those are just some of the challenges bot mitigation vendors face in keeping up with evolving malicious bots and bot attacks.

What’s needed is a detection method that identifies and blocks bot attacks without relying on known behaviors or IP addresses, from the first request. An approach that spots the immutable evidence associated with malicious automation whenever bad bots interact with your applications. One that achieves low false positive rates, demonstrates long-term efficacy, inflicts financial damage to attackers, and has no impact to end user experience.

If you’d like to learn more, Kasada has created a checklist of the top 10 capabilities to look for in a bot management solution. Read “A Bot Management Checklist: 10 Must-Have Capabilities for Stopping Malicious Automation,” to learn what other providers aren’t telling you and how Kasada’s unique approach can help you defend your web, mobile, and API channels against malicious, automated bot attacks.

Would you like to see for yourself how the Kasada bot management solution stops bot attacks in their tracks? Please request a demo today.