Grinch bots are out to spoil the holidays

Imagine a $14.99 Fingerling — an innocent little monkey toy and one of the most in-demand gifts of 2017 — selling for hundreds of dollars on eBay due to basic supply and demand. It’s really happening, and not just because the toy is popular. Grinch bots are trying to ruin the holidays.

Grinch bots are automated computer programs that make many purchases online before real humans can even hit a site’s checkout button. Congress passed the Better Online Ticket Sales (BOTS) Act in 2016, making it illegal to use bots to buy up an inventory of events tickets and scalp them online. Online criminals have since expanded their aim beyond tickets, and just a few weeks ago, Senator Chuck Schumer, one of the BOTS Act co-sponsors, called out “Grinch bots” for buying up the most in-demand toys and reselling them at huge markups on online marketplaces.

Schumer demanded that retailers crack down on these bots. The National Retail Federation and the Retail Industry Leaders Association both pledged to work with Schumer and others to take precautions to mitigate fraud.

Stopping the bad bots is not trivial, of course.

Bots emulate the precise steps needed to buy products online, whether those products are tickets to a Coldplay concert or the most desired holiday gifts. In the physical world, this sort of scheme could never work. If someone went up to a ticket window and bought up all the inventory, everyone would be able to see what the scalper was up to. But the online world is different, and scammers are very sophisticated. They use thousands to tens of thousands of bots, all originating or appearing to originate from different locations, to blend in with legitimate traffic. This modus operandi makes them incredibly difficult to detect — and thus incredibly difficult to stop.

Grinch bots are just a seasonal manifestation of this problem. Online scammers use bots all year to do everything from stealing points or dollars from loyalty accounts to hijacking valuable digital content. But luckily, bots are not invincible.

Over the past decade, retailers and ecommerce companies have opened new storefronts in the form of mobile apps and digital ecosystem participation. These new shopping venues are powered by applications programming interfaces (APIs). This has led to more bot attacks on APIs — but it has also led to improved IT approaches that use APIs as a common layer over which to deploy security.

Hackers begin engineering a bot attack on an API by compromising an API key — usually from a partner or a mobile app. They reverse-engineer how the app works so they can emulate the necessary API call flows. This is analogous to the hackers figuring out how to disguise themselves as shoppers, enter stores, add products to their carts, check out, and leave, all undetected. Next, hackers run these bots at scale, producing thousands of ostensible “shoppers” trying to buy products or log into loyalty accounts.

This points to the obvious importance of properly managing API keys — but that’s only a start. Businesses must monitor not only API access but how traffic behaves. In many cases, the way to mitigate sophisticated bot attacks is to look at the behavior of all the customers coming in. It’s important to identify who they are, where they come from, and most importantly, what they do. In this scenario, a retailer can analyze a digital shoppers’ behavior as it occurs using rules and algorithms that understand and differentiate normal actions from nefarious ones. A shop can use anomalous behavior detected in near-real time to block the nefarious bots from completing a full transaction.

Anomalous shopper behavior might include skipping steps in the process or unnaturally reusing tokens or other information across shopping sessions. “Pickpocketing” attacks are typically characterized when the business detects similar shoppers from all across the country trying to log into their loyalty accounts, but all of them fail to properly enter their credentials, over and over again. Other odd behaviors include seeing shoppers coming from geographies where a retailer does not have any stores and does not advertise.

When done well, automated behavior detection leaves the evil-intentioned bot operator in the same position as Dr. Seuss’ Grinch when he heard the Whos singing merrily. When his plot was foiled, the Grinch stood, “puzzling and puzzling,” asking himself, “How could it be so?”

“And he puzzled and puzzled ’till his puzzler was sore.”

Let’s leave those hackers puzzling.

David Andrzejek is head of vertical solutions at Apigee, Google Cloud Platform.