Scalper Bots On The Rise: How Retailers Can Win The Battle
By Thomas Platt, Netacea

The pandemic put a temporary hold on live events. From sporting events to concerts, they disappeared from our lives in a flash. Now the world is finally reopening, and most of us can’t wait to get tickets to our favorite experiences. But not so fast. Chances are there won’t be any available. Why? Scalper bots.
Scalper bots penetrate the internet at every turn. Limited edition sneakers that sell out in seconds? Bots. New console releases, like last year’s PlayStation 5? Also bots. Even a new limited-edition pair of Doc Martens was a recent target. And those hard-to-find graphics cards? Bots snatch up inventory at record-breaking speed and then sell it at inflated prices.
Scalper bots use automation to get the goods: they sit at the front of the line, complete the checkout process and buy as much inventory as they can the moment it goes on sale. These bots fill in the information required for the purchase, such as credit card details or billing address, in a fraction of the time it would take a human. They can also be programmed to bypass CAPTCHA and other security measures.
Scalper bots are every retailer’s problem, and they aren’t going away anytime soon. Google estimates that bots account for over half of all automated web traffic and nearly a quarter of total online traffic.
Types Of Scalper Bots
We typically observe four types of scalpers:
- Monitor bots. Monitor bots check sites continuously for the release of new products and the restocking of high-demand items. The bots are programmed to alert the bot operators that the item is in stock, and the purchase is then made, also using bots.
- Sneaker bots. Sneaker bots also monitor inventory, but they complete the checkout purchase, and yes, they are used to buy up hard-to-find limited edition sneakers. Sometimes they are managed and paid for by a customer to complete the transaction.
- Account creator bots. Today, account creators are really on the rise. These bots create hundreds, sometimes thousands of accounts each day by automating the sign-up process and using proxies to carry out registrations from different geographies and IP addresses. The aim is to rig the odds in favor of the bot operator.
- Spinner bots. Spinner bots are custom built and automate all of the processes. The catch is that they add the product to the cart, hold it there, and then simultaneously advertise it on a second site.
Retail Awareness And Prevention Is Key
Prevention starts by limiting purchases to one or two per person. Sites also can put time limits on transactions, something most of us are familiar with when we buy a concert or sporting ticket. Retailers with high-demand products should also consider prohibiting automatic checkout systems that allow for speedy purchases with credit cards. Two additional options are halting communication on any upcoming sales far in advance and blocking the checkout process with security filters.
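The purchase limit and transaction time limit described above, sketched as an added example (not code from the article or from any vendor's product). The class name, the limit of 2, the 300-second hold and the three identity signals are assumptions chosen for illustration; the limit is counted per account, card and shipping address, and an expired cart hold returns its stock to sale.

```python
import time
from collections import defaultdict

MAX_PER_PERSON = 2   # assumed limit ("one or two per person")
HOLD_SECONDS = 300   # assumed time limit on an unfinished transaction
class LimitedDrop:
    """Stock for one high-demand item, with cart holds that expire."""
    def __init__(self, stock, clock=time.monotonic):
        self.stock, self.clock = stock, clock
        self.holds = {}                  # hold id -> (expiry, qty, identity keys)
        self.bought = defaultdict(int)   # identity key -> units purchased
        self._next_id = 0

    @staticmethod
    def identity_keys(account, card_fingerprint, address):
        # Accounts sharing a card or address share one allowance.
        norm = " ".join(address.lower().replace(",", " ").split())
        return (f"acct:{account}", f"card:{card_fingerprint}", f"addr:{norm}")

    def _expire(self):
        now = self.clock()
        for hold_id, (expiry, qty, _) in list(self.holds.items()):
            if expiry <= now:
                self.stock += qty        # abandoned hold goes back on sale
                del self.holds[hold_id]

    def _used(self, key):
        held = sum(qty for _, qty, keys in self.holds.values() if key in keys)
        return self.bought[key] + held

    def add_to_cart(self, qty, account, card_fingerprint, address):
        """Reserve stock and return a hold id, or None if refused."""
        self._expire()
        keys = self.identity_keys(account, card_fingerprint, address)
        over = any(self._used(k) + qty > MAX_PER_PERSON for k in keys)
        if qty < 1 or qty > self.stock or over:
            return None
        self.stock -= qty
        self._next_id += 1
        self.holds[self._next_id] = (self.clock() + HOLD_SECONDS, qty, keys)
        return self._next_id

    def checkout(self, hold_id):
        """Complete the purchase; False if the hold timed out or is unknown."""
        self._expire()
        hold = self.holds.pop(hold_id, None)
        for key in (hold[2] if hold else ()):
            self.bought[key] += hold[1]
        return hold is not None
```

Units sitting in an unexpired hold count toward the limit as well, so an item parked in a cart cannot be used to reserve more than the allowance.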
Some retailers have implemented processes that also include setting up verified customer accounts, so loyal customers can get early, exclusive access to sales by following a set of instructions in advance of a purchase.
To remain undetected, bot operators utilize several data centers, making it difficult for most retailers to monitor for them and detect activity. However, retailers can stay alert to certain red flags that indicate the presence of a bot problem, such as customer complaints about long wait times to complete transactions or issues in speed after clicking checkout.
Retailers should also be familiar with the six stages of scalper bot attacks and how to mitigate them. Right now, businesses are slow to detect attacks, so they need to utilize systems that combat the threats quickly and effectively. Open-source frameworks like the Business Logic Attack Definition Framework (BLADE) can help businesses identify the stages and provide a guideline for helping retailers detect and defend against bot attacks.
Of course, the most effective solution is to stop bots in their tracks before they wreak havoc. Server-side bot management software that can detect human vs. non-human user behavior prevents bots from accessing your website and provides advanced analytics to identify legitimate vs. non-human users who interact with the site. This ensures that real customers and good bots are still able to access web properties.
Even if retailers are not in the business of selling tickets, high-end sneakers, or consumer electronics, they need to pay close attention to the bot trend. PlayStations won’t be in high demand forever, and graphics cards may lose value if the crypto mining craze settles down. When this happens, scalpers will start to look elsewhere to make a profit. From high-end cars to toilet seats, no consumer good is too big or too small for the scalper bot to buy up and sell on, and retailers need to put measures in place to protect their businesses sooner rather than later.
About The Author
Thomas Platt is the head of eCommerce at Netacea. Platt works with leading retailers to identify, understand, and manage sophisticated and targeted bot attacks. His team drives industry research, thought leadership, and knowledge sharing alongside the product and threat research teams to keep customers and the wider community ahead of emerging bot threats.