Bot is the New Black (Friday): How Retailers Can Fight Back

The global pandemic has changed so many aspects of our lives and forced industries to quickly adapt to survive. Today is the day traditionally known as Black Friday, when consumers typically line up for big door buster deals.

With the latest coronavirus surge, consumers instead will be “lining up” online. For the most popular items, however, they’ll be shoved aside by the new door busters – shopping and scalper bots. The shopper looking to buy gifts for their children will be left empty-handed.

Take the hot new game consoles – the Xbox Series X and Sony PS5 – as examples. When they went on sale on November 10, they were instantly sold out from all the major retailers. Scalpers scarfed them up, aided by automated – and legal – bots.

Within hours, they were available on eBay for 2-3x the retail price (and rising). The same scenario repeated just two days ago when some U.S. retailers restocked their inventory. We also saw this with recent NVIDIA graphics card releases and with all of the hottest new sneaker drops.

Shopper Bots: Attacks or Not?

Utilizing purchasing bots to snap up console or sneaker inventory isn’t necessarily illegal. Some components of these transactions border on fraud, or are actual fraud, but in standard bot purchasing the bot simply enables the transaction. Bots do so by (1) mimicking (many) real users, (2) distributing their transaction attempts across many (compromised) residential IP addresses, and (3) constantly modifying their behavior to stay ahead of retailer defense mechanisms.

Since most retailers have built their environments for high-speed and high-volume transactions, the bots are supported by the environment that is trying to keep them out. The effort to build a retail store that delights customers and enables transactions plays right into the bot creators’ hands.

In effect, every hot product release is a form of DDoS attack. Shopping bots are now commercialized, purpose-built platforms built by advanced software development teams and supported by data scientists who analyze and easily bypass most bot defense platforms. When improvements are made to the bot defense platform, the bot managers quickly retool and bypass the mitigation efforts. 

To prepare for the exponential increase in traffic, retailers significantly scale up computing resources (and the staff to manage the infrastructure) both before and during the event, adding operational costs. Prior to release, bots also scrape sites for inventory and prices, which has a similar, albeit smaller, impact on operations.

The huge volume of requests is targeted directly at the various shopping APIs (wish list, shopping cart, checkout, payment APIs, etc.) and can topple systems – perhaps taking down all retail operations if online and in-store sales systems are intertwined. Operations teams often respond by shutting down portions of the system – perhaps taking mobile apps completely offline to manage the influx of traffic, or using web-only waiting rooms – which creates massive user friction and dissatisfaction.

How Retailers Can Stay Ahead

It is not possible to permanently defeat these advanced persistent automated shopping bots. Defense requires ongoing surveillance and countermeasures to stay ahead of and thwart their efforts, and disrupt their business model.

In order to keep the bots at bay, organizations can utilize AI and machine learning-based mechanisms that analyze the credentials, tools and infrastructure in use, along with behavioral intent, consistently across web, mobile, and API traffic. The result is the ability to discern between legitimate and malicious traffic and then take an appropriate action based on policy.

Automated shopping bots need user accounts – either legitimate but compromised, or fake – to carry out attacks. Detection should focus on how credentials are used to execute an automated purchase. This helps identify techniques and patterns used across requests that could indicate credential abuse, or iteration using stolen credentials from well-known data breaches.

It also helps identify large-scale manual fake account creation to uncover patterns that may expose bad actors’ intent.

Tools represent the most basic component of an automated shopping bot. Detection should focus on identifying heuristics that deal with the immutable characteristics of the code launching the automated shopping effort or, increasingly, the attributes of an off-the-shelf tool (for example, OpenBullet, SNIPR and BlackBullet) that are difficult to change for novice bad actors.

Infrastructure represents the resources that bad actors need to distribute their transactions and anonymize themselves. This includes detecting the top offending organizations and networks used for abuse, and identifying increasing usage of high-reputation Residential IP Proxies (RESIPs) through services like Smart Proxy, ProxyWare, Luminati, StormProxies, and others.

Behavior represents the unique characteristics, or behavioral fingerprint, a bad actor creates when using tools, infrastructure, and credentials to launch their shopping effort. This deals with the human element of automated shopping bots and helps identify “low and slow” or “fast and furious” characteristics. It also examines bad actors’ preferred tactics as they try to evade detection and sustain the offensive.
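To make the four pillars above (credentials, tools, infrastructure, behavior) concrete, here is an added example that is not from the article and not any vendor's product code: a toy scoring pipeline that runs one heuristic per pillar over a constructed batch of checkout-API requests and maps the combined score to a policy action. Every request record, the `fp` client-fingerprint values, the `RESIP_PREFIXES` list standing in for a residential-proxy reputation feed, and the score thresholds are constructed assumptions for illustration only.

```python
"""
Added example (not from the article): toy scoring pipeline applying the four
detection pillars the article describes -- credentials, tools,
infrastructure, behavior -- to a constructed batch of checkout-API requests.
All log records, thresholds, fingerprint values and the proxy-prefix list are
constructed for illustration; they are not real indicators.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample requests to a checkout endpoint (not real traffic).
# fp = client fingerprint (e.g. a TLS/JS fingerprint hash), acct = account id,
# ua_browser = User-Agent claims a browser, has_accept_lang = Accept-Language sent.
REQUESTS = [
    # A human: one account, one IP, browser-consistent headers, irregular timing.
    {"t": 0.0,  "ip": "198.51.100.7", "fp": "fp-human", "acct": "alice", "ua_browser": True, "has_accept_lang": True},
    {"t": 8.4,  "ip": "198.51.100.7", "fp": "fp-human", "acct": "alice", "ua_browser": True, "has_accept_lang": True},
    {"t": 31.9, "ip": "198.51.100.7", "fp": "fp-human", "acct": "alice", "ua_browser": True, "has_accept_lang": True},
    # "Fast and furious": one fingerprint, many accounts, rotating proxy IPs, sub-second bursts.
    {"t": 0.00, "ip": "203.0.113.10", "fp": "fp-burst", "acct": "u1", "ua_browser": True, "has_accept_lang": False},
    {"t": 0.21, "ip": "203.0.113.11", "fp": "fp-burst", "acct": "u2", "ua_browser": True, "has_accept_lang": False},
    {"t": 0.40, "ip": "203.0.113.12", "fp": "fp-burst", "acct": "u3", "ua_browser": True, "has_accept_lang": False},
    {"t": 0.62, "ip": "203.0.113.13", "fp": "fp-burst", "acct": "u4", "ua_browser": True, "has_accept_lang": False},
    # "Low and slow": metronome-regular timing, rotating accounts and proxy IPs.
    {"t": 0.0,   "ip": "192.0.2.5", "fp": "fp-slow", "acct": "v1", "ua_browser": True, "has_accept_lang": True},
    {"t": 60.0,  "ip": "192.0.2.6", "fp": "fp-slow", "acct": "v2", "ua_browser": True, "has_accept_lang": True},
    {"t": 120.0, "ip": "192.0.2.7", "fp": "fp-slow", "acct": "v3", "ua_browser": True, "has_accept_lang": True},
    {"t": 180.0, "ip": "192.0.2.8", "fp": "fp-slow", "acct": "v4", "ua_browser": True, "has_accept_lang": True},
]

# Constructed placeholder for prefixes a reputation feed attributes to a
# residential-proxy (RESIP) service. Documentation ranges, not real data.
RESIP_PREFIXES = ("203.0.113.", "192.0.2.")


def group_by_fingerprint(requests):
    """Bucket requests by client fingerprint; each bucket is scored as one actor."""
    groups = defaultdict(list)
    for r in requests:
        groups[r["fp"]].append(r)
    return groups


def credential_score(reqs):
    """Credentials pillar: many distinct accounts behind one client fingerprint
    suggests credential iteration or a farm of fake accounts."""
    accounts = {r["acct"] for r in reqs}
    return 1.0 if len(accounts) >= 3 else 0.0


def tool_score(reqs):
    """Tools pillar: an immutable client trait a real browser normally carries
    (here, an Accept-Language header) is missing despite a browser User-Agent."""
    inconsistent = sum(1 for r in reqs if r["ua_browser"] and not r["has_accept_lang"])
    return 1.0 if inconsistent else 0.0


def infrastructure_score(reqs):
    """Infrastructure pillar: IP rotation where every IP sits in known RESIP space."""
    ips = {r["ip"] for r in reqs}
    on_resip = sum(1 for ip in ips if ip.startswith(RESIP_PREFIXES))
    rotating = len(ips) >= 3
    return 1.0 if rotating and on_resip == len(ips) else 0.0


def behavior_score(reqs):
    """Behavior pillar: timing fingerprint. 'Fast and furious' = mean gap under
    one second; 'low and slow' = gaps too regular for a human (tiny jitter)."""
    times = sorted(r["t"] for r in reqs)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return 0.0
    if mean(gaps) < 1.0:
        return 1.0  # burst
    if pstdev(gaps) / mean(gaps) < 0.05:
        return 1.0  # metronome regularity (coefficient of variation below 5%)
    return 0.0


def classify(requests):
    """Return {fingerprint: (score, action)} combining the four pillars; the
    action thresholds are a constructed policy, not the article's."""
    out = {}
    for fp, reqs in group_by_fingerprint(requests).items():
        score = (credential_score(reqs) + tool_score(reqs)
                 + infrastructure_score(reqs) + behavior_score(reqs))
        action = "block" if score >= 3 else "challenge" if score >= 1 else "allow"
        out[fp] = (score, action)
    return out


if __name__ == "__main__":
    for fp, (score, action) in classify(REQUESTS).items():
        print(f"{fp:10s} score={score:.0f} action={action}")
```

The point of scoring per pillar rather than on any single signal is the one the article makes: a bot operator can change any one trait cheaply (rotate IPs, fix a header), but changing credentials, tooling, infrastructure and timing all at once is expensive, so the combined score degrades gracefully when one heuristic is evaded. In a real deployment the constructed prefix list would be a live reputation feed, the header check would be one of many client-consistency signals, and the "challenge" action would route to step-up verification rather than a hard block.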

Black Friday isn’t the only time retailers have to worry about automated shopping bots. The pandemic has permanently changed how consumers shop, which makes bot defense a year-round challenge. Addressing the key elements of an automated shopping bot together will put retailers in a position of strength to meet that challenge.
