
Fighting bad bots in retail

Tim Ayling at Imperva asks why the end of the year is such a busy time for cyber-criminals


The festive period really does see the stars align for cyber-criminals. Consumers desperate to find the perfect present, and spikes in traffic on retail sites, make nefarious behaviour harder to spot, enabling cyber-criminals to hide in plain sight.

It’s important to note that what we used to think of as ‘Christmas shopping’ now stretches over more than two months, from Black Friday, Cyber Monday and Travel Tuesday in late November, right through to Sunshine Saturday and the end-of-January sales. This is a huge window for cyber-criminals to take advantage of.


What retailers must look out for 

The rise of bad bots is really the main concern – and the danger is twofold.


Firstly, the festive period is primed for ‘scalping’, a practice whereby cyber-criminals use bots to buy items from online retailers and sell them for a profit on resale sites. With so much shopping done online, the scale of this issue has boomed, and bots are able to scalp the most in-demand presents for a healthy profit. People are either forced to pay over the odds or buy an alternative gift, which could disappoint a loved one. In fact, 71% of UK consumers agree that these Grinch bots are ruining Christmas by snapping up all the best presents.


Cyber-criminals use bots to mimic real users, making them harder for companies to detect and block. Rather than attacking technical weaknesses, these bots abuse the way sites are designed to work: travel sites, for example, expose search, pricing and booking flows that are built to be queried, and a bot simply queries them at scale. Travel bookings require sensitive data such as passport information and payment details, making Travel Tuesday an alluring opportunity for cyber-criminals. By using bots, attackers can scrape information, steal data and break into accounts.

Loyalty programmes are also targeted, with bots draining users’ points and carrying out fraudulent transactions. When targeting airlines, bots also commit ‘seat spinning’: they hold seats in the booking flow without ever paying, and the inventory is only released just before departure, leaving the airline with empty seats.


Account takeover (ATO) attacks also spike in the festive period. Instances of cyber-criminals gaining unauthorised access to users’ accounts increased by 85% during Black Friday 2023. Once inside, cyber-criminals make purchases with the payment methods saved to the account and steal sensitive data, eroding customer trust and loyalty.


AI is making attacks worse

The rise of AI and Large Language Models (LLMs) has made cyber-attacks more sophisticated. Cyber-criminals are refining their tried-and-true methods and making them more advanced with AI. They now use AI to test huge batches of stolen login details against retail sites at speed (credential stuffing) and to send increasingly realistic phishing messages that trick users into handing over access to their accounts.

AI has also lowered the barrier to entry for creating malicious bots, accelerating their proliferation. A recent six-month analysis by our Threat Research team found that retail sites face 569,884 AI-driven attacks daily, attributed to tools such as ChatGPT, Claude and Gemini and to specialised bots designed to scrape data for LLM training.

With AI, threat actors can now create bots that convincingly act like a human, allowing them to evade traditional security measures. Moreover, AI helps bots locate the most in-demand gifts and flights more accurately and faster than ever before.


As cyber-criminals become savvier with this new technology, their use of AI will only increase pressure on teams to strengthen cyber-defences.


Fighting back against bots

The key strategy for retailers in combating bots is effectively monitoring and identifying suspicious activity. The retail sector experiences an average of 101,950 bot-related incidents daily, so mitigating this threat should be a priority in fighting back.


As a first step, retailers should establish a baseline for ‘normal’ activity on their website, such as the rate of failed logins per hour, and then alert on anything that deviates from it, like a sudden surge in traffic or in failed logins. A baseline set in a quiet week will misfire on Black Friday itself, so compare against the same period in previous years where that history exists.

Traffic analysis tools can also help differentiate between legitimate users and bad bots, so that retailers can respond quickly to suspicious behaviour. To stop bots reaching web apps and sensitive data, retailers must deploy strong authentication, encryption and rate limiting on the endpoints bots hit hardest, such as login, search and checkout.
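As an added example (not Imperva’s code or tooling), the two controls described above in working form: a failed-login baseline with a surge check, and a per-client sliding-window rate limiter of the kind that would sit in front of a login endpoint. The hourly counts, the login-attempt burst, the MAD multiplier and the limit of five attempts per minute are all constructed assumptions for the demonstration.

```python
"""Failed-login baseline, surge detection and a per-client rate limiter.
Added example, not Imperva's code; all input data below is constructed."""
from collections import deque
import statistics

# Constructed: hourly failed-login counts for two quiet days (48 hours).
HISTORICAL_FAILED_LOGINS = [
    40, 38, 35, 30, 28, 25, 27, 33, 45, 60, 70, 75, 80, 78, 76, 72, 70, 68, 65, 60, 55, 50, 46, 42,
    41, 39, 36, 31, 29, 26, 28, 34, 46, 61, 71, 76, 81, 79, 77, 73, 71, 69, 66, 61, 56, 51, 47, 43,
]


def baseline(counts):
    """Median and MAD (median absolute deviation) of the history. Both are
    robust to the occasional spike that would drag a mean/stddev baseline up."""
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts)
    return med, mad


def is_surge(value, med, mad, k=3.0, floor=5.0):
    """True when `value` exceeds the baseline by more than k MADs. `floor`
    stops a very flat history (MAD near 0) from flagging ordinary noise."""
    return value > med + k * max(mad, floor)


class SlidingWindowLimiter:
    """At most `limit` events per `window` seconds for each key (client IP,
    session or account). Keeps a deque of recent timestamps per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._events = {}

    def allow(self, key, now):
        q = self._events.setdefault(key, deque())
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed: (timestamp_seconds, client_ip) login attempts. 203.0.113.7
# fires 12 attempts in about 11 s; 198.51.100.4 makes 3 attempts a minute apart.
LOGIN_ATTEMPTS = [(1000.0 + i, "203.0.113.7") for i in range(12)] + [
    (1000.0 + 60 * i, "198.51.100.4") for i in range(3)
]


def replay(attempts, limit=5, window=60.0):
    """Feed attempts through the limiter in time order; return the number of
    rejected attempts per client IP."""
    limiter = SlidingWindowLimiter(limit, window)
    rejected = {}
    for ts, ip in sorted(attempts):
        rejected.setdefault(ip, 0)
        if not limiter.allow(ip, ts):
            rejected[ip] += 1
    return rejected


if __name__ == "__main__":
    med, mad = baseline(HISTORICAL_FAILED_LOGINS)
    print(f"baseline median={med} mad={mad}")
    for hour_count in (90, 250):
        print(hour_count, "SURGE" if is_surge(hour_count, med, mad) else "normal")
    print(replay(LOGIN_ATTEMPTS))
```

The median/MAD pair is used rather than mean/standard deviation because a single past attack hour would otherwise inflate the threshold and hide the next one; in production the history would be bucketed by hour of day and day of week so that the evening peak is compared with earlier evening peaks.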


Other tactics retailers can adopt include blocking outdated user agents. Many bots present user-agent strings for browser versions that are years out of date: a hard-coded user-agent is never updated, whereas real browsers update themselves, so traffic claiming to be a browser that is years old is far more likely to be automated. Retailers should block user-agent strings from browsers more than three years out of date and serve a CAPTCHA to those more than two years out of date. Bear in mind that the user-agent is supplied by the client and is trivially spoofed, so this filter catches careless bots and should be one signal among several rather than the sole control.
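The tiering just described, as an added example that is not Imperva’s code: the browser’s major version is read from the User-Agent, its release date is estimated by interpolating between a few known releases, and the request is allowed, challenged or blocked on the two- and three-year thresholds. The release dates are approximate values from the vendors’ public release calendars and are an assumption here; in production they would come from a maintained feed. The sample user-agent strings are constructed.

```python
"""Tier a request by the age of the browser version its User-Agent claims.
Added example, not Imperva's code. Release dates are approximate values from
the vendors' public release calendars (an assumption; feed them from a
maintained source in production)."""
import re
from datetime import date

RELEASE_ANCHORS = {
    "Chrome": {80: date(2020, 2, 4), 90: date(2021, 4, 14), 100: date(2022, 3, 29),
               110: date(2023, 2, 7), 120: date(2023, 12, 5)},
    "Firefox": {78: date(2020, 6, 30), 100: date(2022, 5, 3), 120: date(2023, 11, 21)},
}
# Chromium-based browsers (Edge, Brave, Opera) also carry a Chrome/<major>
# token, so the Chrome table covers them. Safari is not matched because Chrome
# UAs contain a Safari token too. Firefox is tried only if no Chrome token exists.
UA_PATTERNS = [("Chrome", re.compile(r"\bChrome/(\d+)")),
               ("Firefox", re.compile(r"\bFirefox/(\d+)"))]


def estimate_release_date(browser, major):
    """Release date for a major version: linear interpolation between the two
    nearest anchors, clamped to the oldest/newest anchor outside that range."""
    anchors = sorted(RELEASE_ANCHORS[browser].items())
    if major <= anchors[0][0]:
        return anchors[0][1]
    if major >= anchors[-1][0]:
        return anchors[-1][1]
    for (v0, d0), (v1, d1) in zip(anchors, anchors[1:]):
        if v0 <= major <= v1:
            frac = (major - v0) / (v1 - v0)
            return d0 + (d1 - d0) * frac   # date + timedelta keeps whole days
    raise AssertionError("unreachable: anchors cover the range")


def classify_user_agent(ua, today, block_years=3.0, challenge_years=2.0):
    """Return 'block', 'challenge', 'allow', or 'unknown' when no recognised
    browser token is present (leave that traffic to the other controls)."""
    for browser, pattern in UA_PATTERNS:
        m = pattern.search(ua)
        if m:
            released = estimate_release_date(browser, int(m.group(1)))
            age_years = (today - released).days / 365.25
            if age_years >= block_years:
                return "block"
            if age_years >= challenge_years:
                return "challenge"
            return "allow"
    return "unknown"


# Constructed user-agent strings for the demonstration.
SAMPLE_UAS = {
    "current chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "two-year-old chrome": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                           "(KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36",
    "ancient chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
    "old firefox": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",
    "script": "python-requests/2.31.0",
}

if __name__ == "__main__":
    for label, ua in SAMPLE_UAS.items():
        print(f"{label:22} -> {classify_user_agent(ua, date(2024, 12, 1))}")
```

Passing `today` explicitly keeps the decision reproducible in tests and in incident review; interpolating between anchors rather than snapping to the nearest one avoids blocking a version that is only a few months older than the newest anchor in the table.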


Retailers should also look to limit traffic from the proxy services and hosting providers that bots use to hide their origin and to scale out. Throttling or challenging requests from the address ranges of bulk IP providers such as Host Europe GmbH, Digital Ocean and OVH SAS cuts bot traffic, though a hard block on a whole provider also catches legitimate sources such as corporate VPN egress points, partner integrations and uptime monitors, so a rate limit or a challenge is usually the safer default.


Many bots also run in headless browsers, typically headless Chrome driven by an automation framework such as Puppeteer, to mimic human behaviour. By monitoring for rapid clicks, page navigation faster than a person could manage, or other abnormal patterns, retailers can spot and block bots, ensuring a smooth experience for genuine users.
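The hosting-range restriction and the behavioural checks from the two paragraphs above, combined into one scoring pass over an access log, as an added example that is not Imperva’s code. The IP ranges are documentation prefixes standing in for a provider’s published allocations (they are not any real provider’s ranges), the log records and thresholds are constructed, and the detection of a headless user-agent relies on the fact that headless Chrome, which Puppeteer launches by default, identifies itself as HeadlessChrome unless the script overrides it.

```python
"""Score clients from an access log on hosting-range origin, headless-browser
user-agent and navigation speed. Added example, not Imperva's code; the IP
ranges and log records below are constructed for the demonstration and are
NOT the real allocations of any provider."""
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed stand-ins for hosting/cloud provider prefixes. In production,
# populate from the providers' published ranges or an ASN-to-prefix feed.
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
# Headless Chrome reports itself as HeadlessChrome unless the script overrides
# the user-agent, so this catches default Puppeteer setups, not careful ones.
HEADLESS_UA = CHROME_UA.replace("Chrome/", "HeadlessChrome/")

# Constructed access-log records: (timestamp_seconds, client_ip, user_agent, path).
ACCESS_LOG = (
    # scalper: headless UA, hosting range, a new product page every 0.2 s
    [(100.0 + 0.2 * i, "203.0.113.55", HEADLESS_UA, f"/product/{1000 + i}") for i in range(12)]
    # shopper: residential address, real Chrome, human pacing
    + [(200.0 + g, "198.51.100.23", CHROME_UA, p)
       for g, p in zip((0, 9, 21, 45, 80, 120), ("/", "/search?q=lego", "/product/1003",
                                                "/basket", "/checkout", "/checkout/confirm"))]
    # corporate VPN egress inside a hosting range, otherwise human-looking
    + [(300.0 + g, "203.0.113.200", CHROME_UA, p)
       for g, p in zip((0, 12, 30), ("/", "/product/1003", "/basket"))]
)


def from_hosting_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def client_features(records):
    """Per-IP features: request count, median gap between requests, whether a
    headless UA appeared and whether the source address is a hosting range."""
    by_ip = defaultdict(list)
    for ts, ip, ua, path in records:
        by_ip[ip].append((ts, ua, path))
    features = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        features[ip] = {
            "requests": len(reqs),
            "median_gap_s": median(gaps) if gaps else None,
            "headless_ua": any("HeadlessChrome/" in ua for _, ua, _ in reqs),
            "hosting": from_hosting_range(ip),
        }
    return features


def verdict(f, fast_gap_s=0.5, min_requests=10):
    """Two or more signals -> block; one -> challenge (CAPTCHA or rate limit),
    so a VPN or partner on a hosting range is not hard-blocked; none -> allow.
    The thresholds are assumptions for the demonstration."""
    reasons = []
    if f["headless_ua"]:
        reasons.append("headless browser user-agent")
    if f["hosting"]:
        reasons.append("hosting-provider source address")
    if (f["requests"] >= min_requests and f["median_gap_s"] is not None
            and f["median_gap_s"] < fast_gap_s):
        reasons.append("faster-than-human navigation")
    action = "block" if len(reasons) >= 2 else "challenge" if reasons else "allow"
    return action, reasons


def score_log(records):
    return {ip: verdict(f) for ip, f in client_features(records).items()}


if __name__ == "__main__":
    for ip, (action, reasons) in score_log(ACCESS_LOG).items():
        print(f"{ip:15} {action:9} {', '.join(reasons) or '-'}")
```

The point of the two-signal rule is the caveat from the hosting-provider paragraph: the VPN client in the constructed log shares a range with the scalper but is only challenged, while the scalper trips all three signals and is blocked. Real deployments add more signals (TLS fingerprint, missing static-asset requests, mouse and scroll telemetry) to the same structure.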

 

Tim Ayling is VP EMEA at Imperva, a Thales Company
