In a generous gesture to healthcare workers battling the pandemic, the CEO of Crocs, a brand of shoes especially popular among healthcare workers, offered a free pair (with free shipping) to healthcare workers on the frontlines of COVID-19. The site offered “If you’re a healthcare professional in need of our easy to clean, comfortable Crocs shoes, we’ve got you taken care of.”
Crocs CEO Andrew Rees noted that healthcare workers have asked for the shoes “in an effort to provide ease on their feet, as well as ease of mind as they need the ability to easily clean up before they go home to their families.”
Workers using the site’s “get in line for a free pair” wait in line — and on a given day, may be contending with bad actors for the free gift. Here’s why.
Whether it’s the latest Nike Air Jordan shoe, a novel toy of the year, or a hot new on-trend clothing or home fashion item, on too many retail and direct-to-consumer sites the product customers want sells out almost immediately. They then turn up for resale on the secondary market, at high markups. This phenomenon happens during every holiday and back-to-school shopping season. Now, this same denial-of-inventory phenomenon is happening with personal protective equipment such as N95 masks as well as to generous offers by retailers intended for front line healthcare workers.
It’s not just frustrating and expensive. It’s dangerous and disheartening; as COVID-19 cases grew, profiteers snapped up the personal protective equipment inventories that healthcare institutions urgently needed to protect workers.
What motivates this bad behavior? It’s simple: money. When demand vastly outpaces the supply, as happens during busy shopping seasons or — tragically — when a pandemic is arising, any bad actor with computer skills and hustle can easily tap into the arbitrage that limited inventories and high demand creates.
Retailers face both the moral dilemma of failing to meet the needs of a truly worthy constituency, and the “soft” costs (bad press) that have arisen. Nevertheless, secondary market sites have grown enormously over the past few years, and in the current global health crisis, tales of nation state players compete with those of profiteers who amassed inventories of urgently needed goods for their own profit.
How Bad Actors Plan Their Attack
To analyze what a person needs to carry out one of these campaigns, it helps to understand the four elements required to execute a denial of inventory attack.
- Tools: many types of “botting” tools that can be used by almost anyone. AIO Bot, SupremeBot, EasyCop, NikeSlayer, etc. are all available for purchase on many marketplaces, and can be customized to attack specific targets. Terms such as “grails,” “cooking,” and “copping” typically describe this type of tool.
- Infrastructure: Once again, this component of the campaign offers many services specifically for attackers trying to abuse retail sites, by automating the entire purchase flow thousands of times and anonymizing themselves. One example is the popular “Rotating Residential Proxy” service offered by many providers, which was recently analyzed in the Bulletproof Proxies report. These proxy services allow attackers to blend in amongst the exact same type of IPs used by legitimate customers. Blocking these IP networks outright is functionally impossible from a detection perspective, and bad actors leverage this loophole and drive a truck through it, using services that take care of the IP rotation for them.
- Payload: Attackers need target brands and exact dates during which to run/use their bots. They must know which items they want to procure, and they must know when the items will “drop” so they aren’t burning through resources before the items are available. This frequently manifests itself in operators writing a “recon bot” that crawls and indexes sites and monitors for the first hints of a sale or item release.
- Behavior: Attackers need a mechanism to quickly and efficiently carry out the purchase process, have credit cards to make payments, locations to hold inventory, and most importantly — efficient markets to quickly resell their goods at a high margin.
How To Detect And Prevent Attacks
The markets for tools and infrastructure are so well developed that trying to develop signatures and block IPs will be a continuous and fruitless game of whack-a-mole. The focus, in this case, needs to be on the underlying attacker behavior. Fundamentally, these bots want to purchase hot brand items, lots of them, as fast as possible. There is an extremely competitive landscape among bot operators themselves, and they are resource constrained. They must be fast and efficient, and can’t waste time or money introducing human-like behavior that will send spurious requests. But forcing them to change their behavior can negatively impact the operators’ ability to earn a profit.
The most effective detection strategy is based on understanding the transaction flow for good humans, at large scale. Once those “good-at-scale” patterns are understood, they let retailers and wholesalers detect behavioral anomalies. These might include:
- An abnormal ratio of requests targeting exclusively popular brand items, without appropriate browsing requests to get to those pages or requests to other products that a normal user would at least have a high likelihood of visiting.
- IP-rotation patterns that are characteristic of using rotating residential proxy services, particularly the rotation of an IP address throughout one shopping session.
- The presence of the “recon bots” that are watching for drop dates and sales, and seem to continually look for items and pages that may not exist yet.
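The three anomaly patterns above can be scored per shopping session from ordinary access logs. The following is an added illustration, not code from the article or from Cequence Security; the log records, the session IDs, the `/product/` and `/category/` path layout and the `HOT_ITEMS` list are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample access log: (session_id, client_ip, path, http_status).
# Not real traffic. s1 is a normal shopper, s2 goes straight to the hot item
# while its IP changes mid-session, s3 probes for pages that do not exist yet.
SAMPLE_LOG = [
    ("s1", "203.0.113.10", "/", 200),
    ("s1", "203.0.113.10", "/category/shoes", 200),
    ("s1", "203.0.113.10", "/product/classic-clog", 200),
    ("s1", "203.0.113.10", "/cart/add", 200),
    ("s2", "198.51.100.5", "/product/hot-drop", 200),
    ("s2", "198.51.100.77", "/product/hot-drop", 200),
    ("s2", "198.51.100.142", "/cart/add", 200),
    ("s2", "198.51.100.9", "/checkout", 200),
    ("s3", "192.0.2.20", "/category/new", 200),
    ("s3", "192.0.2.20", "/product/hot-drop-2", 404),
    ("s3", "192.0.2.20", "/product/hot-drop-3", 404),
    ("s3", "192.0.2.20", "/sale/2020-05", 404),
    ("s3", "192.0.2.20", "/product/hot-drop", 200),
]

# Assumed list of limited-inventory SKUs a retailer wants to protect.
HOT_ITEMS = {"/product/hot-drop"}


def score_sessions(log, hot_items=HOT_ITEMS, max_ips=1, min_probes=2):
    """Return {session_id: set(anomaly_flags)} for every session in the log."""
    per = defaultdict(lambda: {"ips": set(), "hot": 0, "browse": 0, "probes": 0})
    for session, ip, path, status in log:
        s = per[session]
        s["ips"].add(ip)
        if path in hot_items:
            s["hot"] += 1                      # direct hit on a hot item
        elif path == "/" or path.startswith(("/category/", "/search")):
            s["browse"] += 1                   # the browsing a human does first
        if status == 404 and path.startswith(("/product/", "/sale/")):
            s["probes"] += 1                   # guessing at not-yet-live pages
    flags = {}
    for session, s in per.items():
        f = set()
        if s["hot"] and s["browse"] == 0:
            f.add("no_browse_funnel")          # hot items without any browsing
        if len(s["ips"]) > max_ips:
            f.add("ip_rotation")               # address changed within one session
        if s["probes"] >= min_probes:
            f.add("recon_probing")             # repeated 404s on release-style paths
        flags[session] = f
    return flags


if __name__ == "__main__":
    for session, f in score_sessions(SAMPLE_LOG).items():
        print(session, sorted(f) or "ok")
```

Thresholds such as `max_ips` and `min_probes` should be tuned against a baseline of known-good sessions, since a legitimate shopper on a mobile network may also change IP once.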
These types of automated bot attacks are a problem that is not going away, and the current crisis underscores their troubling consequences. It is time to recognize that in times of crisis, retailers are often providers of necessary and invaluable services.
Retailers must deploy strategies and solutions to mitigate and reduce the damage these bots can do to their brand, their customers, their user experience, and to sometimes urgently needed continuity of service.
The next race for a cure, or even for a desired holiday season item, shouldn’t be a rush to an empty shelf.
Matt Keil is Director of Product Marketing for Cequence Security, and is an expert in retail sector cyber security issues and attack mitigations. Prior to joining Cequence Security, Keil was a member of the Palo Alto Networks launch team, and most recently served as Director of Product Marketing for Public Cloud. Cumulatively, Keil has approximately 20 years in enterprise network security, and was previously with NetScreen/Juniper Networks.