Scalper Bots: How To Stop Toy Scalping Attacks

PerimeterX
Published Dec 29, 2017 (6 min read)

Like many human parents, you are poised to buy an Alien Zombie Doll, the hottest holiday toy, when they go on sale in a moment, at select retail sites. Your children, like most kids worldwide, clamor for them. You order all mobile devices shut off, and plug into your router to ensure fast performance, ready to snare an Alien Zombie Doll. The sale goes live! You leap through the checkout process and click BUY, but then see the jarring message: “Out of Stock”!

The sale is only 30 seconds old. Did the retailer lure you in with false promises? Probably not. There was inventory, but it sold out to lightning-fast scalper bots in the first few seconds. That means no Alien Zombie for the kids of slow humans, except for those who buy one on eBay from a scalper at up to 10x list price.

Alien Zombies are fictitious; the real stars of Christmas 2017, according to Walmart and other sources, will be the Fingerlings Baby Monkey and the latest Hatchimals.

Scalper Bots Proliferate and Squeeze Consumers

Here’s how the holidays, from pre-Black Friday to post-New Year’s, are shaping up. First, whatever is scarce will draw scalper bots, like sharks to blood.

The Dark Web professionals are ready. Scalpers (and their web-scraping bots) are primed to snap up the hot toys this season, even before the toys are meant to go on sale. The amateurs are trying to be ready. Consumers, including passionate collectors of limited-edition sneakers, have used bots since the dawn of eBay to bid on items. Now they buy bots to compete against professional scalper bots on ecommerce sites, for a chance at snagging the most coveted items. This could be the future of retail shopping, with your customers vying for the best bots to get the best price on their favorite merchandise.

Scalpers Scalp to Make Profit.

Why do scalpers work so hard to make children and parents unhappy? In a word, money. The new $80 SNES Classic Edition sold for $165 on launch day, on average, which is not a bad profit. Back in June, in the UK, the Super NES Classic Edition was marked up from 80 pounds to 200, a 150% margin. 2016 saw extremely profitable scalping, as the $60 NES Classic Edition sold for $240 on eBay, a 300% gross profit. Limited supply is a powerful price driver. Even today, that same NES Classic, used, can still fetch $150. The red-hot Hatchimals of 2016 may win the prize for outrageous scalper markups: with a retail list price of $60, scalpers were asking up to $2,500 on eBay. In all these cases, bots bought up the available supply within seconds, leaving frustrated humans to complain on Twitter.

Who Gets Scalped: The Customers, and You

In these arbitrage situations, your would-be customers pay from 2x to 30x the list price, or more. Their children, poor things, get fewer toys, since the parents’ budget is blown apart by scalper demands.

You, the retailer, are also hit hard. Although ecommerce sites earn immediate revenue by selling out their limited inventory to bots, they lose all the add-on sales they would expect from happy human customers. If a retailer has 2,000 units of a hot product and sells out within two minutes of going on sale, it is almost certain that very few went to humans. 2,000 shoppers, thrilled to get an Alien Zombie Doll at list price, would probably yield significant add-on sales.

Your holiday season relationship with those customers? Blocked and gone. They’re not buying from you, and their shopping budget is crushed. Moreover, you look bad to consumers who believed your ‘We have it in stock’ ads. The experience of being scalped can damage relationships with existing customers you worked hard to acquire.

The volume of scalper bots can also crash a checkout page. It happened to Target in August when it couldn’t handle traffic loads during Super NES Classic Edition pre-order sales.

Bot Tricks: Why play fair if you don’t have to?

Scalpers plan meticulously, and their bots lie in wait, tirelessly pinging a checkout site to catch a sale that begins a few seconds ahead of schedule. One trick bot creators have mastered: buying before the sale begins. They study a retail site’s URL structure and use data-scraping techniques to guess the product ID (usually a short number, which makes it guessable) of an unreleased product. Within minutes, they find the not-yet-public product page. Merchants typically publish these pages hours before the product goes on sale, but may not realize, or care, that a page which already accepts orders means sales begin ‘before the sale.’

By subscribing to Twitter APIs, bot-masters learn about a sale milliseconds before everyone else; this translates into multiple purchase opportunities. They may even hack their way into the backend of an ecommerce site to place orders in the system in bulk. Spreading requests across many IP addresses to defeat per-IP, volume-based rate limits is common. It’s instructive to see the features available to anyone who buys a bot such as “AnotherNikeBot”.

Bots are also lightning fast, able to complete multiple orders in a second. There is simply no competition between a bot and even the most organized human. A bot polls the site hundreds of times per second, tirelessly waiting for the sale to start. It can complete a transaction in a fraction of a second, including choosing a size and entering payment details. It runs on servers less than a millisecond away from the merchant’s servers, so it finishes a transaction before a human even sees the page load. Hosting providers openly advertise dedicated servers for sneaker bots.

How to Keep Your Scalp

Retailers can block scalping with a technology that detects and mitigates bots in real time. PerimeterX developed a behavior-based approach to detect and block malicious bots despite their rapid evolution and growing sophistication. This approach exploits the one weakness all bots share: none of them exactly replicate human behavior. They come close, but always deviate in some respect.

PerimeterX uses AI and machine learning to understand how people interact with a site or web application across hundreds of millions, or billions, of site actions per month. Intelligent detection and filtering builds highly accurate models of which behavior is human.

This makes it possible to pick out behavior that does not fit the parameters of human activity and immediately block it. Our behavior-based defense detects and mitigates bot attacks on a global scale in real time, even when the attack type is brand new in the wild. In lay terms, our defense system does not need to know what the latest bot “looks like.” Instead, it finds behavior it can’t call human.
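To make the bot tricks described above (pre-sale product-ID probing, sub-second polling and checkout, IP rotation) and the behavior-based idea concrete, here is an added example in Python. It is not PerimeterX’s code or detection model; it is a simple illustration of scoring sessions against human-behavior bounds over a constructed access log. The log format, the sale start time, the session-cookie field `sid`, and every threshold are assumptions for the example. Note that sessions are keyed by cookie rather than IP, precisely because a bot spreads one buying session across many addresses.

```python
"""Behaviour-based scalper-bot triage over a constructed access log.
Illustrative only: log format, features and thresholds are assumptions,
not PerimeterX's models. Sessions are keyed by cookie (sid), not by IP."""
import re
from collections import defaultdict
from datetime import datetime

SALE_START = datetime(2017, 12, 29, 9, 0, 0)  # assumed time the sale opens

# Assumed log format: "<ISO ts> sid=<cookie> ip=<addr> <METHOD> <path> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) "
                    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
PRODUCT_RE = re.compile(r"^/product/(?P<pid>\d+)$")

# Assumed thresholds; calibrate against your own human-traffic baseline.
MAX_HUMAN_RPS = 20            # peak requests in any one-second window
MIN_HUMAN_CHECKOUT_SECS = 2   # first request -> POST /checkout
MIN_PROBE_RUN = 5             # consecutive product IDs that returned 404


def constructed_log():
    """Constructed sample traffic (not real data): one human, two bots."""
    lines = [
        "2017-12-29T09:00:05.000 sid=h1 ip=203.0.113.5 GET /product/10042 200",
        "2017-12-29T09:00:31.200 sid=h1 ip=203.0.113.5 POST /cart 200",
        "2017-12-29T09:00:48.700 sid=h1 ip=203.0.113.5 GET /checkout 200",
        "2017-12-29T09:01:20.100 sid=h1 ip=203.0.113.5 POST /checkout 200",
    ]
    # b1 polls the product page every 10 ms until it stops returning 404,
    # then adds to cart and checks out within 250 ms of the sale opening.
    for i in range(20):
        lines.append(f"2017-12-29T08:59:59.{800 + 10 * i:03d} sid=b1 "
                     "ip=198.51.100.7 GET /product/10042 404")
    for i in range(10):
        lines.append(f"2017-12-29T09:00:00.{10 * i:03d} sid=b1 "
                     "ip=198.51.100.7 GET /product/10042 200")
    lines.append("2017-12-29T09:00:00.120 sid=b1 ip=198.51.100.7 POST /cart 200")
    lines.append("2017-12-29T09:00:00.250 sid=b1 ip=198.51.100.7 POST /checkout 200")
    # b2 walks consecutive product IDs to find the unreleased page, then
    # orders before the sale opens, rotating its source IP as it goes.
    for j, pid in enumerate(range(10043, 10050)):
        lines.append(f"2017-12-29T08:55:{j:02d}.000 sid=b2 "
                     f"ip=192.0.2.{j + 1} GET /product/{pid} 404")
    lines.append("2017-12-29T08:55:07.000 sid=b2 ip=192.0.2.8 GET /product/10050 200")
    lines.append("2017-12-29T08:55:09.000 sid=b2 ip=192.0.2.9 POST /cart 200")
    lines.append("2017-12-29T08:55:12.000 sid=b2 ip=192.0.2.9 POST /checkout 200")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S.%f")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def peak_requests_per_second(times):
    """Largest number of requests inside any sliding one-second window."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() >= 1.0:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    ids = sorted(set(ids))
    best = run = 0
    for i, pid in enumerate(ids):
        run = run + 1 if i and pid == ids[i - 1] + 1 else 1
        best = max(best, run)
    return best


def session_features(events):
    """Per-session behavioural features a human shopper cannot easily fake."""
    times = [e["ts"] for e in events]
    checkouts = [e["ts"] for e in events
                 if e["method"] == "POST" and e["path"] == "/checkout"]
    probed = [int(m.group("pid")) for e in events
              if e["status"] == 404 and (m := PRODUCT_RE.match(e["path"]))]
    return {
        "peak_rps": peak_requests_per_second(times),
        "secs_to_checkout": ((min(checkouts) - min(times)).total_seconds()
                             if checkouts else None),
        "checkout_before_sale": any(t < SALE_START for t in checkouts),
        "probe_run": longest_consecutive_run(probed),
        "ips": len({e["ip"] for e in events}),
    }


def bot_indicators(f):
    """Names of the human-behaviour bounds this session falls outside of."""
    reasons = []
    if f["peak_rps"] > MAX_HUMAN_RPS:
        reasons.append("polling rate")
    if (f["secs_to_checkout"] is not None
            and f["secs_to_checkout"] < MIN_HUMAN_CHECKOUT_SECS):
        reasons.append("checkout speed")
    if f["checkout_before_sale"]:
        reasons.append("pre-sale checkout")
    if f["probe_run"] >= MIN_PROBE_RUN:
        reasons.append("product-id enumeration")
    if f["ips"] > 1:
        reasons.append("multi-ip session")
    return reasons


def triage(text):
    """Map each session id to its bot indicators ([] means looks human)."""
    by_sid = defaultdict(list)
    for e in parse_log(text):
        by_sid[e["sid"]].append(e)
    return {sid: bot_indicators(session_features(evs)) for sid, evs in by_sid.items()}


if __name__ == "__main__":
    for sid, reasons in triage(constructed_log()).items():
        print(sid, "BLOCK" if reasons else "allow", reasons)
```

Running it flags `b1` for polling rate and checkout speed, `b2` for pre-sale checkout, product-ID enumeration and IP rotation, and leaves the human session `h1` untouched. None of the checks needs a signature of a specific bot; each asks only whether a session stayed inside bounds a human shopper could plausibly meet, which is the point the paragraph above makes. In production the thresholds would come from measured human traffic rather than constants, and a session cookie alone is a weak key (bots can mint fresh cookies), so real deployments pair it with device and behavioral signals.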

Keep Your Scalp. Defeat the Bots.

Retailers will see immediate benefits from putting a stop to scalping. It takes a combination of the right policies, best practices, and bot-identification technology. Your customers and shareholders will thank you for making the effort. And, if you experience bot attacks on your website or mobile app during this holiday season, and need immediate help, please contact the PerimeterX Bot Hotline.

Originally published at www.perimeterx.com.


PerimeterX is the leading provider of application security solutions that keep your business safe in the digital world. Visit us at perimeterx.com.