Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Bah, Humbug! Grinchbots and Freebie Bots Attempt to Ruin Holiday Shopping for Consumers and Retailers

If the holiday classic “How the Grinch Stole Christmas” was remade in 2023, the mean green guy might be played by an Internet bot.


Sure, these bots may not come down your chimney and steal a tree or holiday dinner, but threat actors have designed them to help ruin retailer and consumer holiday shopping experiences.


Trustwave SpiderLabs exposed how the two primary bot variants, Grinchbots and Freebie Bots, operate in the team's recent report Trustwave Threat Intelligence Briefing: The 2023 Retail Services Sector Threat Landscape. 


Due to their nasty nature and direct impact on consumers and retailers, we think a call out of their nefarious acts is necessary.


Bots Make It onto the Naughty List


SpiderLabs noted that the rise of automated bots in the online retail landscape has ushered in new threats, especially during critical periods like the holiday shopping season.  


These bots are often malicious in nature and pose a substantial risk to online retailers and consumers. Automated bots encompass a diverse range of malicious activities, including scalping and freebie exploitation. 


Our team has observed a significant increase in malicious bot traffic during the holiday shopping season, which poses a threat to online retailers. These bots engage in automated threats, including credential stuffing, account takeover, gift card cracking, web scraping, API scraping, fake account creation, and inventory scalping. 


Bot attacks can potentially slow down or even disrupt online operations of retailers by simulating consumer actions, leading to an overwhelming increase in website traffic. These bots extract pricing information, exploit promotions, and carry out fraudulent transactions, impacting online retail significantly. This increased bot activity may raise operational costs, affecting website resources, marketing, and technical support, and even cause financial losses through fraud. 


You're a Mean One, Mr. Grinchbot 


Every shopper knows the difficulty of finding the hot item that sits at the top of everyone's gift lists. While it's hard enough to battle other consumers to be first, in reality or online, bots make the task much harder.


Grinchbots are basically repurposed scalping bots, the same type that makes Taylor Swift and Beyonce concert tickets impossible to buy, programmed instead to target hard-to-find holiday items, causing frustration among consumers by purchasing the limited stock available.


This activity is also known as inventory hoarding. For example, in September and October 2020, there was a massive increase in malicious bot activity on retail websites worldwide. 


It was no coincidence that this surge of malicious bot activity came just as the major game console vendors rolled out the latest version of their gaming consoles in preparation for the holiday shopping season. 


Consequently, consumers faced difficulties in buying consoles, GPUs, and CPUs because these bots had already bought up all available stock, leading to significant frustration among consumers. 


Freebie Bots 


Almost everyone has seen a customer complain to a cashier that the price that came up on the register does not match what was on the shelf or in the weekly ad. They then demand the price be changed to reflect what they believe to be the correct price, so if the store makes an error with the price tag or advertisement, they end up losing money.


So, it should be no surprise that threat actors have devised a way to exploit retailer mistakes. 


These have been dubbed Freebie Bots, and they exploit errors on retail websites, especially those that appear during the holiday season. 


Freebie Bots are automated scripts that allow someone to purchase incorrectly priced or inaccurately described items and then turn around and resell them for a profit. 


In a study by Kasada, it was observed that in one well-known Dark Web community where people share freebies, members utilized Freebie Bots to buy nearly 100,000 products within a single month. 


These products had a combined value of $3.4 million. Surprisingly, Freebie Bot users only spent $882, yes less than $1,000, to acquire these goods, resulting in some individuals making monthly profits of over $100,000.  


Also, during the November 2022 Black Friday and Cyber Monday weekend, Freebie Bots successfully acquired products worth $500,000 from a single retailer, with a total expenditure of $85.36 across 610 users.


We should note that Freebie Bot attacks are dependent on mispriced items. Items can become mispriced on online retail platforms due to a variety of reasons, like data entry errors, algorithmic pricing, or technical glitches.


We expect the continued prevalence of bot attacks in the retail sector, with an especially higher volume over the holiday season. With that in mind:

  • Invest in DDoS and advanced filtering tools to block malicious traffic and differentiate between legitimate and malicious requests.
  • Ensure you have sufficient bandwidth and autoscaling resources to handle unexpected traffic spikes, reducing the risk of a DDoS attack overwhelming your site.
  • Implement a multi-stage filtering process to differentiate between beneficial and malicious bots.
  • Move beyond traditional CAPTCHA; adopt advanced rate limiting that can detect IP rotation and other evasion techniques.
  • Implement cart session time limits to prevent bots from indefinitely holding merchandise.
  • Use browser environment verification and mobile API hardening to differentiate between genuine shoppers and bots.
  • Implement robust data entry procedures and conduct regular audits and price monitoring. Also automate with caution particularly in terms of product pricing.
  • Utilize pricing management software and utilize error detection technologies when possible. Maintain protocols for corrective action to minimize harm.

Latest Trustwave Blogs

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow...

Read More