There is no question that the COVID-19 pandemic changed a lot of things, whether it be working remotely and spending more time on our phones and laptops or being afraid of shaking anyone’s hand ever again. Almost everyone has been looking for some happiness amidst the chaos, and one common source is retail therapy. Last year, the demand for delivery services was higher than ever before, and this trend shows no sign of slowing down; it seems as if at least three Amazon delivery trucks roll into each neighborhood every day carrying an abundance of packages.
Only adding to the rush are popular items like the latest Adidas Yeezy sneakers, which continue to sell out rapidly and are instantly being resold for many times the list price. As a result, consumers take to Twitter and Reddit to express their frustration at being unable to snatch the latest hot product — perhaps not fully understanding that their biggest enemies aren’t others on Twitter, but instead a newer class of automated shopping bots called Bots-as-a-Service (BaaS). BaaS is an emerging form of automated shopping that enables a small set of buyers to suck up all the inventory of these highly popular items, then resell them for exorbitant prices, also known as the consumerization of botting.
The Evolution of Bots
In their earliest stages, bots were scripts or simple programs that mostly targeted account takeover (ATO) and fake account creation for financial gain. To hide their behavior, bots spoofed the User-Agent strings of popular browsers and throttled their own request rates to stay below the thresholds of anti-bot tools.
Scripts evolved into more advanced tools, with SentryMBA, Sniper, BlackBullet and OpenBullet becoming popular. Originally built as quality assurance (QA) automation tools, they could be customized by users to target particular sites and applications. Initially that customization was left to the botter, but the next phase of the evolution saw custom attack configurations built for popular sites being sold in the underground market. The process became so sophisticated that the tools even made callouts to CAPTCHA-solving services, as CAPTCHAs were being adopted to stop or slow down the bots.
Anyone Can Bot
When thinking of tools like Quizlet or Chegg within the context of school, those are often students’ one-stop shop for studying and acing a test, often with all of the necessary tools needed to succeed. The same goes for bots — if someone wants to get their hands on the latest Yeezy sneakers, they can easily find everything they need to build a bot and execute an attack.
Numerous GitHub bot repositories can be found using simple search terms. For example, OpenBullet has its own GitHub repo with multiple contributors around the world, and a user forum with marketplaces offering configurations, proxies and credentials. To mask identity and location, one can easily find multiple Bulletproof Proxy vendors competing to sell high-quality residential proxies that make malicious transactions appear legitimate. In short, anyone with a decent computer and enough money to buy these tools can, in theory, become a botter.
Bot-as-a-Service (BaaS)
Inevitably, open-source collaboration has led to the next phase of botting: BaaS. BaaS solutions are specialized for certain sites, offer 24/7 support and some even offer guaranteed hit rates. The price ranges anywhere from $400 to over $5,000 — but if you want the hottest product badly enough, this seems like a small price to pay.
There are many different forms a bot can take and ways it can perform. For example, some BaaS solutions make the end-to-end experience of automated shopping easier. Other BaaS vendors are full-service providers, offering re-addressing shipping services to send products to the buyer in another country, account generators to maximize the chances of snagging a product in a raffle-based checkout, anonymous payments to hide the buyer’s identity and cookbook monitors that scan Discord channels for drop announcements. Furthermore, plug-ins can be added, such as email harvesting to present a legitimate-looking email address, cookie generators that produce legitimate-looking HTTP cookies for retail sites, and more.
The irony of buying bots is that it is not always a simple process. In fact, much like the products they snatch up, most BaaS solutions are almost always sold out. This has led to renting bots from bot brokers. When they are available for purchase, “restocking” is offered to a limited number of people — typically between one and 100 at a given time, while thousands of people are in line. Restocking is typically announced on Twitter, and as you might’ve already guessed, bots handle this, too. Much like there are bots on Twitter monitoring for the latest COVID vaccine appointments, there are bots monitoring Twitter handles to alert buyers when restocking is available. Essentially, in this market you need a bot to get a bot!
Should Retailers Care?
One would think that because using bots is not illegal, and because every bot purchase is still a sale, retailers would be all for them. However, the reality is quite different. The impact of automated bot purchasing is significant when high-demand items all end up in the hands of a botter. Bots adversely impact retailers in a number of ways, one of which is the negative impression of the retailer created by consumers venting their frustration when they are unable to secure a product in their cart. To combat this, significant planning goes into choosing a time, often late at night, to conduct a successful drop and maintain website stability, which unfortunately requires more manpower, as do fraudulent order investigation, validation, cancellations and reacting to social media complaints.
The issue of allocation is also raised, because if manufacturers do not have confidence in a retailer’s ability to control shopping bots and avoid a negative reputation, they are going to provide them with less inventory and thus cause a loss in revenue. Believe it or not, shopping bots also inflate website infrastructure costs, caused by the dramatic spikes in traffic. This can also lead to outages as traffic increases. Finally, when it comes to reporting purposes, any statistics and KPIs are inaccurate when over 90% of traffic is generated by bots.
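Two of the points above lend themselves to a concrete, defender-side illustration: the evasion tricks described in the evolution section (spoofed User-Agent strings and self-throttled request rates) and the claim that KPIs become meaningless once most traffic is automated. The Python script below is an added example, not code from the article or from Cequence. It runs two deliberately simple heuristics over constructed access-log lines (the log format, IP addresses, paths and thresholds are all assumptions made for the example): a client that presents several different User-Agent strings within one short visit, and a client whose requests arrive at near-constant intervals, which is what self-imposed rate limiting tends to look like from the server side. It then computes a checkout conversion rate with and without the flagged clients to show how much a reported KPI can move.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed format:
#   ip [ISO timestamp] "METHOD path protocol" status "user-agent"
# None of this is real traffic; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 [2021-05-01T09:00:00] "GET /product/yeezy-350 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"
203.0.113.10 [2021-05-01T09:00:02] "GET /product/yeezy-350 HTTP/1.1" 200 "Mozilla/5.0 (Macintosh) Safari/14.0"
203.0.113.10 [2021-05-01T09:00:04] "GET /product/yeezy-350 HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux) Firefox/88.0"
203.0.113.10 [2021-05-01T09:00:06] "POST /cart/add HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"
203.0.113.10 [2021-05-01T09:00:08] "POST /checkout HTTP/1.1" 200 "Mozilla/5.0 (iPhone) Safari/14.0"
198.51.100.7 [2021-05-01T09:00:01] "GET /product/yeezy-350 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"
198.51.100.7 [2021-05-01T09:00:37] "GET /product/yeezy-350/sizes HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"
198.51.100.7 [2021-05-01T09:01:55] "POST /cart/add HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"
192.0.2.44 [2021-05-01T09:00:00] "GET /product/yeezy-350 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"
192.0.2.44 [2021-05-01T09:00:05] "GET /product/yeezy-350 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"
192.0.2.44 [2021-05-01T09:00:10] "GET /product/yeezy-350 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"
192.0.2.44 [2021-05-01T09:00:15] "GET /product/yeezy-350 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"
192.0.2.44 [2021-05-01T09:00:20] "POST /checkout HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def by_client(events):
    """Group events per client IP, ordered by time (IP is the assumed client key)."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev["ip"]].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: e["ts"])
    return groups


def flag_ua_rotation(events, max_agents=2):
    """Clients presenting more than max_agents distinct User-Agent strings in one visit.
    A real browser keeps one UA; a shared NAT address can trip this, so it is a signal, not proof."""
    return {ip for ip, evs in by_client(events).items()
            if len({e["ua"] for e in evs}) > max_agents}


def flag_metronomic(events, min_requests=4, max_jitter=0.5):
    """Clients whose inter-request gaps are almost constant (std dev <= max_jitter seconds).
    Human browsing is bursty; a self-throttled script is not."""
    flagged = set()
    for ip, evs in by_client(events).items():
        if len(evs) < min_requests:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            flagged.add(ip)
    return flagged


def checkout_kpis(events, exclude=frozenset()):
    """Visitor count, checkout count and conversion rate, optionally excluding flagged clients."""
    kept = [e for e in events if e["ip"] not in exclude]
    visitors = {e["ip"] for e in kept}
    checkouts = sum(1 for e in kept if e["method"] == "POST" and e["path"] == "/checkout")
    rate = checkouts / len(visitors) if visitors else 0.0
    return {"visitors": len(visitors), "checkouts": checkouts, "conversion": round(rate, 3)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = flag_ua_rotation(evs) | flag_metronomic(evs)
    print("flagged clients:", sorted(flagged))
    print("raw KPIs:       ", checkout_kpis(evs))
    print("bot-filtered:   ", checkout_kpis(evs, exclude=flagged))
```

On the constructed sample the first client is caught by both heuristics (four different browsers claimed within eight seconds, one request every two seconds), the third by timing alone, and the second, bursty, single-UA client is left untouched. The raw conversion rate of two checkouts across three visitors collapses to zero once the flagged clients are removed, which is the reporting problem the paragraph above describes. Production anti-bot systems combine many more signals (TLS and HTTP fingerprints, proxy reputation, behavioral telemetry) and score rather than hard-flag; these two rules are only meant to make the mechanism visible.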
So the next time you want to snatch up the latest coveted product, consider taking the traditional and fair approach — the competition for bots mixed with the adverse impacts on retailers certainly makes bots less appealing and less worth the effort. Plus, there’s something to be said about the excitement of getting a product all on your own.
Ameya Talwalkar is Co-founder and Chief Product Officer of Cequence. Over the last 10 years, he has built strong engineering teams specializing in enterprise and consumer security in Silicon Valley, Los Angeles, Madrid, Pune, and Chengdu. Before co-founding Cequence Security, he was Director of Engineering at Symantec, where he was responsible for its anti-malware software stack that leverages network intrusion prevention, behavior and reputation technologies and anti-virus engines. Under his leadership, Symantec developed an advanced version of network intrusion prevention technology that blocks more than two billion threats a year. Talwalkar holds a Bachelor of Engineering in Electrical Engineering from the University of Mumbai’s Sardar Patel College of Engineering (SPCE).