If the holiday classic “How the Grinch Stole Christmas” was remade in 2023, the mean green guy might be played by an Internet bot.
Sure, these bots may not come down your chimney and steal a tree or holiday dinner, but threat actors have designed them to help ruin retailer and consumer holiday shopping experiences.
Trustwave SpiderLabs exposed how the two primary bot variants, Grinchbots and Freebie Bots, operate in the team's recent report Trustwave Threat Intelligence Briefing: The 2023 Retail Services Sector Threat Landscape.
Due to their nasty nature and direct impact on consumers and retailers, we think a call out of their nefarious acts is necessary.
Bots Make It onto the Naughty List
SpiderLabs noted that the rise of automated bots in the online retail landscape has ushered in new threats, especially during critical periods like the holiday shopping season.
These bots are often malicious in nature and pose a substantial risk to online retailers and consumers. Automated bots encompass a diverse range of malicious activities, including scalping and freebie exploitation.
Our team has observed a significant increase in malicious bot traffic during the holiday shopping season, which poses a threat to online retailers. These bots engage in automated threats, including credential stuffing, account takeover, gift card cracking, web scraping, API scraping, fake account creation, and inventory scalping.
Bot attacks can potentially slow down or even disrupt online operations of retailers by simulating consumer actions, leading to an overwhelming increase in website traffic. These bots extract pricing information, exploit promotions, and carry out fraudulent transactions, impacting online retail significantly. This increased bot activity may raise operational costs, affecting website resources, marketing, and technical support, and even cause financial losses through fraud.
You're a Mean One, Mr. Grinchbot
Every shopper knows the difficulty of finding the hot item that sits at the top of everyone's gift lists. While it's hard enough to battle other consumers to be first, in reality or online, bots make the task much harder.
Grinchbots are basically repurposed scalping bots, the same type that makes Taylor Swift and Beyonce concert tickets impossible to buy, programmed instead to target hard-to-find holiday items, causing frustration among consumers by purchasing the limited stock available.
This activity is also known as inventory hoarding. For example, in September and October 2020, there was a massive increase in malicious bot activity on retail websites worldwide.
It was no coincidence that this surge of malicious bot activity came just as the major game console vendors rolled out the latest version of their gaming consoles in preparation for the holiday shopping season.
Consequently, consumers faced difficulties in buying consoles, GPUs, and CPUs because these bots had already bought up all available stock, leading to significant frustration among consumers.
Freebie Bots
Almost everyone has seen a customer complain to a cashier that the price that came up on the register does not match what was on the shelf or in the weekly ad. They then demand the price be changed to reflect what they believe to be the correct price, so if the store makes an error with the price tag or advertisement, they end up losing money.
So, it should be no surprise that threat actors have devised a way to exploit retailer mistakes.
These have been dubbed Freebie Bots, and they exploit errors on retail websites, especially those that appear during the holiday season.
Freebie Bots are automated scripts that allow someone to purchase incorrectly priced or inaccurately described items and then turn around and resell them for a profit.
In a study by Kasada, it was observed that in one well-known Dark Web community where people share freebies, members utilized Freebie Bots to buy nearly 100,000 products within a single month.
These products had a combined value of $3.4 million. Surprisingly, Freebie Bot users only spent $882, yes less than $1,000, to acquire these goods, resulting in some individuals making monthly profits of over $100,000.
Also, during the November 2022 Black Friday and Cyber Monday weekend, Freebie Bots successfully acquired products worth $500,000 from a single retailer, with a total expenditure of $85.36 across 610 users.
We should note that Freebie Bot attacks are dependent on mispriced items. Items can become mispriced on online retail platforms due to a variety of reasons, like data entry errors, algorithmic pricing, or technical glitches.
We expect the continued prevalence of bot attacks in the retail sector, with an especially higher volume over the holiday season. With that in mind:
- Invest in DDoS and advanced filtering tools to block malicious traffic and differentiate between legitimate and malicious requests.
- Ensure you have sufficient bandwidth and autoscaling resources to handle unexpected traffic spikes, reducing the risk of a DDoS attack overwhelming your site.
- Implement a multi-stage filtering process to differentiate between beneficial and malicious bots.
- Move beyond traditional CAPTCHA; adopt advanced rate limiting that can detect IP rotation and other evasion techniques.
- Implement cart session time limits to prevent bots from indefinitely holding merchandise.
- Use browser environment verification and mobile API hardening to differentiate between genuine shoppers and bots.
- Implement robust data entry procedures and conduct regular audits and price monitoring. Also automate with caution particularly in terms of product pricing.
- Utilize pricing management software and utilize error detection technologies when possible. Maintain protocols for corrective action to minimize harm.
