Denial of Inventory Attacks, Inventory Hoarding, & Shopping Bots—How to Prevent Them

How denial of inventory is executed:

To successfully prevent and defend against denial of inventory attacks, we have to first understand how the attack is executed and what an attacker needs to carry out this attack.

In general, executing a denial of inventory attack would require four major elements:

• Shopping Bots

The attacker can create their own bot or use ready-made bot tools that are made for specific websites. Examples include EasyCop, NikeSlayer, SupremeBot, and others. With the rise of e-commerce websites and online shopping in general, there are now various shopping bots available for purchase in the market that can be customized to attack a specific website or even a specific product/service across the internet.

• Infrastructure

The attacker will need sufficient computing power to allow the shopping bot to do its work, and other resources like proxies, rotating IP addresses, VPN, and so on. The infrastructure is needed to make sure the shopping bot can operate smoothly while also protecting the attacker from being detected by various bot detection and mitigation solutions.

• Payload

For items/products with limited availability, the attacker must know the exact date and time when the product is launched before it can run the shopping bot. Running these bots can eat a lot of resources, so they must know the right time to run them to avoid burning expensive resources before the items are available.

Typically another bot (spy bot or recon bot) is deployed to first crawl and index the e-commerce site to spy for information about the item release.

• Efficiency

Attackers will need a system to efficiently carry out the operation depending on the objective. If the attack’s objective is to scalp a product, then they need enough credit cards to make payments and locations to hold inventory. On the other hand, if the objective of the attack is just to ruin the site’s reputation, such measures might not be needed.

How to detect and prevent denial of inventory attacks:

As we can see, the main culprit in a denial of inventory attack is the shopping bot. If you can properly detect its presence and block its activities, then you can also prevent the incoming denial of inventory attack.

However, effective bot detection and mitigation can be easier said than done due to two major challenges:

1. We can’t simply block all traffic that is suspected as bots, because there are indeed good bots that can benefit our e-commerce site. For example, we wouldn’t want to accidentally block Googlebot from crawling and indexing our site, or else we won’t be ranked on Google.
2. Newer shopping bots are getting more sophisticated and are getting smarter in impersonating legitimate human buyers. So, without a proper bot detection solution, detecting their presence can be very difficult if not downright impossible.

Thus, when developing a strategy to prevent and manage denial of inventory attacks, we have to always pay attention to these two challenges. Below we will discuss some effective tips you can use in tackling these challenges:

1. Monitoring Your Traffic

Although this is not a one-size-fits-all answer to detect activities from shopping bots, monitoring and analyzing your traffic are still important as a prerequisite for the other defensive measures.

As discussed, malicious bots are getting more sophisticated, and we can no longer rely on detecting signatures/fingerprints and blocking IP addresses to deal with these shopping bots. Instead, we have to look for signs of underlying attacking behavior.

Running a shopping bot can eat a lot of resources, and nowadays there’s a very tight competition among bot operators. So, even if you can’t block these bots altogether, causing them to be inefficient by changing their behaviors can be considered effective mitigation.

In monitoring your traffic for shopping bots, we can detect some behavioral anomalies common with shopping bots, including:

• A sudden spike of requests targeting certain products (typically popular products) without a suitable number of browsing requests to get those pages and/or requests to other products. Normal buyers tend to browse several different products, so look for anomalies in patterns.
• The presence of recon/spy bots that are crawling your site to extract hidden information for sales and launch dates. A common sign for these bots is a continuous search for items that haven’t been released and requests for pages that may not exist yet.
• A change of the user’s IP address in one shopping session is a common pattern of a bot using rotational proxy services. There are, however, legitimate buyers that might use these rotating IP services for one reason or another, so look for other signs as well.

When you detect one or more of these behaviors (and others, depending on your site and what you sell), act accordingly, and manage this traffic.

Also, look for generic signs of bot activities including:

• Traffic Spikes: If you see an abnormal surge in traffic up to a week-long, it can be a sign of bot activity. For example, if there’s a sudden spike in traffic when there isn’t any product launch or sale, then it can be a sign of activities from recon bots.

• Traffic Sources: A “healthy”, legitimate traffic can come from a variety of channels according to your marketing activities (organic search, clicks from an ad, etc.). If there’s a lot of direct traffic from new users and sessions, it is a strong sign of bot traffic. Although it’s pretty uncommon nowadays, obvious hits from a single IP address is the most basic sign of bot attacks.

• Site Performance: A significant slowdown in your site’s performance might be a sign of stress due to bot traffic.

• Bounce Rate: Similar to traffic, an abnormal spike in bounce rate can be a sign of bot activities. Reckon bots, for example, might search for information about a product then bounce from your site without ever visiting other pages.

2. Implementing a Bot Detection and Mitigation Solution

The most effective way to prevent denial of inventory attacks is to mitigate the shopping bot’s activities. So, investing in the right bot mitigation solution is a must.

Bot mitigation software can use three different approaches in detecting and managing bot activities:

• Signature/Fingerprinting-Based: The bot management solution compares the signatures detected on a traffic source with a known ‘fingerprint’ like OS type, browser version/type, devices used, IP address, etc.

• Challenge-Based: We use tests like CAPTCHA to challenge the ‘user’. If it’s a legitimate human user, the challenge should be fairly easy to solve, but an automated program/bot will find it difficult if not impossible to solve the challenge.

• Behavioral-Based: The bot management solution analyzes the behavior of the traffic in real-time, for example, analyzing the mouse movements/clicks made by the user, whether the user makes any pattern resembling bot activities, etc.

Due to the sophistication of today’s shopping bots, a bot management solution that is capable of behavioral-based detection is recommended. DataDome, for example, is an affordable bot management solution that uses AI and machine learning technologies to analyze the traffic’s behavior and can mitigate malicious bot activities in real-time.

3. Block Known Bot Operators

Although more sophisticated bot operators will use rotating IP addresses and other means to mask their identity, we can prevent less-sophisticated shopping bots from accessing our resources by blocking IP addresses/known domains of bot operators.

You should CAPTCHA Amazon.com data center, and block Digital Ocean, GigeNet, and Choopa, LLC, among other data centers known hosting and proxy services commonly used in bot attacks.

You might also want to block outdated browsers (more than three years old) and CAPTCHA relatively old browsers (+- 2 years old) from accessing your store.

Conclusion

Denial of inventory is a very common cybersecurity threat on e-commerce websites, where automated shopping bots are programmed to take product items out of availability by adding them to the bot’s shopping cart/basket.

While denial of inventory is a serious threat for e-commerce sites, we can effectively prevent these attacks by detecting and managing activities from shopping bots. It’s important to have a bot detection and mitigation solution that can detect bot activities and block malicious traffic in real-time.