What is denial of inventory?
Denial of inventory, aka “inventory hoarding”, is a type of cybersecurity attack where an automated script, or “shopping bot” repeatedly places an e-commerce product or service in the shopping cart without ever completing the transaction. This tricks the e-commerce site to believe that the product or service is out of stock, so that legitimate buyers will see it as not being available.
Denial of inventory is typically performed by specialized automated programs/shopping bots, which can represent a very significant threat for e-commerce websites, causing not only direct revenue loss, but also long-term and even permanent damage to the targeted business’ reputation.
In this guide, we will discuss all you need to know about how to prevent denial of inventory attacks and stop the activities of shopping bots. We’ll begin by discussing denial of inventory in a bit more detail.
What is the purpose of a denial of inventory attack?
A denial of inventory attack, or inventory hoarding attack, happens when shopping bots select and hold an item that is limited in availability in the shopping cart/basket. Since the limited stock is being held in the bot’s shopping cart, it becomes unavailable for legitimate buyers to purchase.
The attacker might not have the intention to complete the checkout process, only to prevent legitimate buyers from purchasing the item. There can be various motivations for denial of inventory attacks, including but not limited to:
- Making Profits/Scalping: Fraudsters can use shopping bots to acquire and hoard valuable, high-demand items that are limited in stock. They can then sell them at a higher price, making this a lucrative opportunity to make some fast cash. For example, using shopper bots (also known as sneaker bots) to acquire limited edition sneakers is rapidly increasing.
- Competitive Reasons: the shopping bot might belong to your competitors or a professional hired by your competitors. In this case, the denial of inventory attack is launched to ruin your reputation and/or to drive your customers to your competitor’s website instead (that still has the product/service available).
- DDoS: the denial of inventory attack can be launched as a part of an application-layer denial of service (DoS) attack to make the whole e-commerce website unusable.
How denial of inventory is executed:
To successfully prevent and defend against denial of inventory attacks, we have to first understand how the attack is executed and what an attacker needs to carry out this attack.
In general, executing a denial of inventory attack would require four major elements:
- Shopping Bots
The attacker can create their own bot or use ready-made bot tools that are made for specific websites. Examples include EasyCop, NikeSlayer, SupremeBot, and others. With the rise of e-commerce websites and online shopping in general, there are now various shopping bots available for purchase in the market that can be customized to attack a specific website or even a specific product/service across the internet.
The attacker will need sufficient computing power to allow the shopping bot to do its work, and other resources like proxies, rotating IP addresses, VPN, and so on. The infrastructure is needed to make sure the shopping bot can operate smoothly while also protecting the attacker from being detected by various bot detection and mitigation solutions.
For items/products with limited availability, the attacker must know the exact date and time when the product is launched before it can run the shopping bot. Running these bots can eat a lot of resources, so they must know the right time to run them to avoid burning expensive resources before the items are available.
Typically another bot (spy bot or recon bot) is deployed to first crawl and index the e-commerce site to spy for information about the item release.
Attackers will need a system to efficiently carry out the operation depending on the objective. If the attack’s objective is to scalp a product, then they need enough credit cards to make payments and locations to hold inventory. On the other hand, if the objective of the attack is just to ruin the site’s reputation, such measures might not be needed.
How to detect and prevent denial of inventory attacks:
As we can see, the main culprit in a denial of inventory attack is the shopping bot. If you can properly detect its presence and block its activities, then you can also prevent the incoming denial of inventory attack.
However, effective bot detection and mitigation can be easier said than done due to two major challenges:
- We can’t simply block all traffic that is suspected as bots, because there are indeed good bots that can benefit our e-commerce site. For example, we wouldn’t want to accidentally block Googlebot from crawling and indexing our site, or else we won’t be ranked on Google.
- Newer shopping bots are getting more sophisticated and are getting smarter in impersonating legitimate human buyers. So, without a proper bot detection solution, detecting their presence can be very difficult if not downright impossible.
Thus, when developing a strategy to prevent and manage denial of inventory attacks, we have to always pay attention to these two challenges. Below we will discuss some effective tips you can use in tackling these challenges:
1. Monitoring Your Traffic
Although this is not a one-size-fits-all answer to detect activities from shopping bots, monitoring and analyzing your traffic are still important as a prerequisite for the other defensive measures.
As discussed, malicious bots are getting more sophisticated, and we can no longer rely on detecting signatures/fingerprints and blocking IP addresses to deal with these shopping bots. Instead, we have to look for signs of underlying attacking behavior.
Running a shopping bot can eat a lot of resources, and nowadays there’s a very tight competition among bot operators. So, even if you can’t block these bots altogether, causing them to be inefficient by changing their behaviors can be considered effective mitigation.
In monitoring your traffic for shopping bots, we can detect some behavioral anomalies common with shopping bots, including:
- A sudden spike of requests targeting certain products (typically popular products) without a suitable number of browsing requests to get those pages and/or requests to other products. Normal buyers tend to browse several different products, so look for anomalies in patterns.
- The presence of recon/spy bots that are crawling your site to extract hidden information for sales and launch dates. A common sign for these bots is a continuous search for items that haven’t been released and requests for pages that may not exist yet.
- A change of the user’s IP address in one shopping session is a common pattern of a bot using rotational proxy services. There are, however, legitimate buyers that might use these rotating IP services for one reason or another, so look for other signs as well.
When you detect one or more of these behaviors (and others, depending on your site and what you sell), act accordingly, and manage this traffic.
Also, look for generic signs of bot activities including:
- Traffic Spikes: If you see an abnormal surge in traffic up to a week-long, it can be a sign of bot activity. For example, if there’s a sudden spike in traffic when there isn’t any product launch or sale, then it can be a sign of activities from recon bots.
- Traffic Sources: A “healthy”, legitimate traffic can come from a variety of channels according to your marketing activities (organic search, clicks from an ad, etc.). If there’s a lot of direct traffic from new users and sessions, it is a strong sign of bot traffic. Although it’s pretty uncommon nowadays, obvious hits from a single IP address is the most basic sign of bot attacks.
- Site Performance: A significant slowdown in your site’s performance might be a sign of stress due to bot traffic.
- Bounce Rate: Similar to traffic, an abnormal spike in bounce rate can be a sign of bot activities. Reckon bots, for example, might search for information about a product then bounce from your site without ever visiting other pages.
2. Implementing a Bot Detection and Mitigation Solution
The most effective way to prevent denial of inventory attacks is to mitigate the shopping bot’s activities. So, investing in the right bot mitigation solution is a must.
Bot mitigation software can use three different approaches in detecting and managing bot activities:
- Signature/Fingerprinting-Based: The bot management solution compares the signatures detected on a traffic source with a known ‘fingerprint’ like OS type, browser version/type, devices used, IP address, etc.
- Challenge-Based: We use tests like CAPTCHA to challenge the ‘user’. If it’s a legitimate human user, the challenge should be fairly easy to solve, but an automated program/bot will find it difficult if not impossible to solve the challenge.
- Behavioral-Based: The bot management solution analyzes the behavior of the traffic in real-time, for example, analyzing the mouse movements/clicks made by the user, whether the user makes any pattern resembling bot activities, etc.
Due to the sophistication of today’s shopping bots, a bot management solution that is capable of behavioral-based detection is recommended. DataDome, for example, is an affordable bot management solution that uses AI and machine learning technologies to analyze the traffic’s behavior and can mitigate malicious bot activities in real-time.
3. Block Known Bot Operators
Although more sophisticated bot operators will use rotating IP addresses and other means to mask their identity, we can prevent less-sophisticated shopping bots from accessing our resources by blocking IP addresses/known domains of bot operators.
You should CAPTCHA Amazon.com data center, and block Digital Ocean, GigeNet, and Choopa, LLC, among other data centers known hosting and proxy services commonly used in bot attacks.
You might also want to block outdated browsers (more than three years old) and CAPTCHA relatively old browsers (+- 2 years old) from accessing your store.
Denial of inventory is a very common cybersecurity threat on e-commerce websites, where automated shopping bots are programmed to take product items out of availability by adding them to the bot’s shopping cart/basket.
While denial of inventory is a serious threat for e-commerce sites, we can effectively prevent these attacks by detecting and managing activities from shopping bots. It’s important to have a bot detection and mitigation solution that can detect bot activities and block malicious traffic in real-time.
*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by DataDome. Read the original post at: https://datadome.co/learning-center/prevent-shopping-bots-denial-of-inventory-attacks/