Everything you need to know about preventing online shopping bots
Online shopping bots are moving from one ecommerce vertical to the next. And they're getting more sophisticated by the day. As an online retailer, you may ask, "What's the harm? Isn't a sale a sale?" But yes, bots do pose a major risk to your business. Read on to discover if you have an ecommerce bot problem, learn why preventing shopping bots matters, and get 4 steps to help you block bad bots.
Online retailers are in an arms race with shopping bots.
Ecommerce bots are no longer simple snippets of computer code that automate manual tasks. They’ve morphed into sophisticated, next-generation bots created by armies of bot makers seeking to make a fortune in the resale market.
Think it’s an exaggeration? Listen to this story.
One bot maker knew what some advanced bot mitigation software looks for. The bot maker spent hundreds of hours assembling recordings of human interactions on the website: recording clicks, scrolling patterns, and typing behavior.
When the retailer’s product dropped, the bot inserted the pre-recorded actions from an actual human, zoomed through the checkout process, and cleared the digital shelves. All for the possibility of reselling limited-edition sneakers on the secondary market.
This is what we mean when we say there’s an arms race between online retailers and shopping bots.
But there’s not just one type of online shopping bot. There are many, each with their unique attack vectors. So-called “grinch bots” have swarmed everything from sneakers to graphics cards to hot tubs.
What are signs of a shopping bot problem, though? What business risks do they actually pose, if they result in products selling out, anyway? And what steps can you take to stop them? Read on to find out.
What is an online shopping bot?
An online shopping bot, also known as an "ecommerce bot" or "grinch bot", is software that's programmed to facilitate online purchases by performing automated tasks like checking for re-stocks and completing checkouts. Bots often imitate a human user's behavior, but with their speed and volume advantages they can unfairly find and buy products in ways that human customers could not.
Online shopping bots perform different malicious tasks. An individual bot may do one or more of these. For example, "grinch bot" usually refers to bots that purchase goods, also known as scalping. But there are other nefarious bots, too, such as bots that scrape pricing and inventory data, bots that create fake accounts, and bots that test out stolen login credentials.
How do online shopping bots work?
Online shopping bots work by using their software programs to execute automated tasks based on instructions bot makers provide.
What all shopping bots have in common is that they provide the person using the bot with an unfair advantage. If shoppers were athletes, using a shopping bot would be the equivalent of doping.
For example, imagine that shoppers want to see a re-stock of collectible toys as soon as they become available. One option would be to sit at their computer, manually refresh their browser, and stare at their screen 24/7 until that re-stock happens. Needless to say, this wouldn’t be fun, and would be impossible for more than a day or two.
A second option would be to use an online shopping bot to do that monitoring for them. The software program could be written to search for the text “In Stock” on a certain field of a web page. When that happens, the software code could instruct the bot to notify a certain email address. The shopper would have to specify the web page URL and the email address, and the bot will vigilantly check the web page on their behalf.
That’s just one example. It may seem innocent enough, but when added together with other nefarious bot types it adds up to an unfair advantage over others.
When you hear “online shopping bot”, you’ll probably think of a scraping bot like the one just mentioned, or a scalper bot that buys sought-after products. But there are many other types of online shopping bots. Here’s a list of the most common.
Like in the example above, scraping shopping bots work by monitoring web pages to facilitate online purchases. These bots could scrape pricing info, inventory stock, and similar information.
Footprinting is like scraping, but involves the bot probing and scanning the website. For example, a footprinting bot could search for live web URLs that haven’t yet been made public.
When the manager of a U.K.-based reseller group was asked how he bought so many PlayStation 5 consoles, he answered: “We knew where to go before they announced it”. That’s footprinting in action.
Footprinting is also behind examples where bad actors ordered PlayStation 5 consoles a whole day before the sale was announced. By the time the retailer closed the loophole that gave the bad actors access, people had picked up their PS5s—all before the general public even knew about the new stock.
Account creation bots
For bad actors to complete purchases, they need to use an account. Bad actors can generate a list of free emails and then use an account creation bot to generate accounts in bulk, sometimes in the hundreds or thousands.
Credential stuffing & cracking bots
Sometimes, instead of creating new accounts from scratch, bad actors use bots to access other shoppers’ accounts. Both credential stuffing and credential cracking bots attempt multiple logins with (often illegally obtained) usernames and passwords.
In a credential stuffing attack, the shopping bot will test a list of usernames and passwords, perhaps stolen and bought on the dark web, to see if they allow access to the website.
A credential cracking bot will start with one value, like an email, and then test different password combinations until the login is successful.
Probably the most well-known type of ecommerce bot, scalping bots use unfair methods to get limited-availability and/or preferred goods or services.
For example, scalper bots can “sit” on the product web page, constantly refreshing to click “add to cart” the second the product becomes available. Then the scalper bot can click through the purchase journey, autofill billing and shipping information, and press “buy” in the time it takes a human visitor to enter his or her email address.
Denial of inventory bots
Ever wonder how you’ll see products listed on secondary markets like eBay before the products even go on sale? Denial of inventory bots are to blame.
Representing the sophisticated, next-generation bots, denial of inventory bots add products to online shopping carts and hold them there. They don’t buy them—at least not initially.
By holding products in the carts they deny other shoppers the chance to buy them. What often happens is that discouraged shoppers turn to resale sites and fork over double or triple the sale price to get what they couldn’t from the original seller.
Only when a shopper buys the product on the resale site will the bad actor have the bot execute the purchase.
Denial of inventory bots are especially harmful to online businesses’ sales because they can prevent retailers from selling all their inventory.
Cashing out bots
Bad actors don’t stop at having bots put products in online shopping carts. They’ll use bots to validate stolen credit card information. Cashing out bots then buy the products reserved by scalping or denial of inventory bots.
What are examples of grinch bots in action?
You can find grinch bots wherever there are high-demand items, usually limited in stock. Bot operators secure the sought-after products by using their bots to gain an unfair advantage over other online shoppers.
But grinch bots truly thrive where there is a high resale potential for the products.
Then bot operators aren’t just buying one or two items for personal use. They’re buying dozens of products to resell at a profit. That’s why these scalper bots are also sometimes called “resale bots”.
Bot operators are agnostic when it comes to product. If there’s money to be made via resale, their bots will be there. To show you, here are some recent examples of shopping bots in action.
As streetwear and sneaker interest exploded, sneaker bots became the first major retail bots. Unfortunately, they’ve only grown more sophisticated with each year.
In early 2020, for example, a Strangelove Skateboards x Nike collaboration was met by “raging botbarians”. According to the company, these bots “broke in the back door…and circumstances spun way, way out of control in the span of just two short minutes. 💔” The company cancelled their online release altogether.
As another example, the high resale value of Adidas Yeezy sneakers makes them a perennial favorite of grinch bots. The Yeezy 700 “Suns” dropped in January 2021 for $240. They were quickly reselling at triple that price. What was alarming about these bots was how they plugged directly into the sneaker store’s API, speeding past shoppers who were manually entering information in the web interface.
Sneaker bot operators aren’t hiding in the shadows—they’re openly showing off their wins.
There are hundreds of YouTube videos like the one below that show sneakerheads using bots to scoop up product for resale.
And then there’s the story of West Coast Streetwear, which banked hundreds of thousands of dollars in profit on thousands of pairs of botted shoes, helping buy the founder some BMWs along the way. Seen below is the prime bot runner posing with the botted sneakers.
Image via Instagram
Ecommerce bots have quickly moved on from sneakers to infiltrate other verticals—recently, graphics cards.
In 2020 both Nvidia and AMD released their next generation of graphics cards in limited quantities. The graphics cards would deliver incredibly powerful visual effects for gaming, video editing, and more.
Nvidia launched first and reseller bots immediately plagued the sales.
A couple of weeks later, the story repeated itself with the RTX 3090s, despite Nvidia promising to beef up its bot and abuse mitigation after the botted RTX 3080 launch.
The 3090’s sale price was about $1,500, but units were often selling at $3,000-$6,000 on secondary marketplaces, with some as high as $70,000!
The bot-riddled Nvidia sales were a warning sign to competitor AMD, which “strongly recommended” that its partner retailers implement bot detection and management strategies.
The releases of the PlayStation 5 and Xbox Series X were bound to drive massive hype. It had been several years since either Sony or Microsoft had released a gaming console, and the products launched at a time when more people than ever were video gaming.
It’s no surprise they were prime bot targets from the start. And the shopping bots came out in force.
When Walmart.com released the PlayStation 5 on Black Friday, the company says it blocked more than 20 million bot attempts in the sale’s first 30 minutes. Every time the retailer updated stock, so many bots hit that the website of America’s largest retailer crashed several times throughout the day.
One U.K.-based reseller group snagged nearly 3,500 PlayStation 5 consoles. And such resellers can expect a healthy return. According to a sweet bit of data analysis by data engineer Michael Driscoll, scalpers made profits of over $10 million selling Xbox consoles and $16 million selling PlayStations—and that’s only on eBay. And it’s no wonder, given the consoles were going for 150-300% of retail price on these secondary marketplaces.
Image by Michael Driscoll
If you’d tried to think of a product least likely to attract bots, hot tubs could have been top of the list.
But not even hot tubs can avoid grinch bots!
With the pandemic affecting consumer shopping behavior in 2020, hot tubs apparently became a hot-ticket item in the U.K. Here’s what a leading bot operator told Business Insider:
“The focus shifted towards the most ridiculous things, like outdoor hot tubs. We noticed that these began selling out in stores, and reselling on eBay for a profit. So our developer wrote some site monitor software, and we tracked the stock of the sites selling hot tubs! Every time they pinged into stock, we would notify our members to buy it all.”
Do you have an ecommerce bot problem?
It might sound obvious, but if you don’t have clear monitoring and reporting tools in place, you might not know if bots are a problem.
As bots get more sophisticated, they also become harder to distinguish from legitimate human customers.
So what should you look for? Here are a few red flags.
1. Increase in login failures
A spike in login failures could signal credential stuffing and cracking bots trying to take over existing customer accounts.
2. Spike in account creations
Increased account creations, especially leading up to a big launch, could indicate account creation bots at work. They’ll create fake accounts which bot makers will later use to place orders for scalped product.
3. Traffic from unfamiliar geographies
Seeing web traffic from locations where your customers don’t live or where you don’t ship your product? Then you may be under attack from bots. This traffic could be from overseas bot operators or from bots using proxies to mask their true IP address.
4. Increase in shopping cart abandonment
An increased cart abandonment rate could signal denial of inventory bot attacks. These bots hold product so others can’t buy. When the cart time expires, they snatch the products up again. They’ll only execute the purchase once a shopper buys for a marked-up price on a secondary marketplace. This behavior will reflect in your cart abandonment rate.
5. Visits to product pages that aren’t public-facing
Footprinting bots snoop around website infrastructure to find pages not available to the public. If a hidden page is receiving traffic, it’s not going to be from genuine visitors.
6. Increase in traffic from data center IP addresses
Genuine users rarely originate from data center IP addresses. Instead, bot makers typically host their scalper bots in data centers to obtain hundreds of IP addresses at relatively low cost. In fact, research shows 70% of bad bots come from data centers. A spike in data center traffic likely signals a bad bot problem.
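As an added example (not code from the original article), the scan below checks a window of parsed log events for five of the six red flags listed above: login failures, an account creation spike, unfamiliar geographies, visits to non-public pages, and data center traffic. The event shape, the data center CIDR list, the shipping countries, the hidden URL prefix and the thresholds are all constructed for the demo.

```python
"""Scan constructed log events for the red flags listed above.

Added example, not code from the original article. Assumes a parsed,
dict-per-request log shape and constructed 'known data-center' ranges."""
from ipaddress import ip_address, ip_network

# Constructed sample events (documentation IP ranges, not real traffic).
# kind: "login" | "signup" | "page"; ok: whether a login/signup succeeded.
EVENTS = [
    {"ip": "203.0.113.5", "cc": "US", "kind": "login", "ok": False, "path": "/login"},
    {"ip": "203.0.113.6", "cc": "US", "kind": "login", "ok": False, "path": "/login"},
    {"ip": "203.0.113.7", "cc": "US", "kind": "login", "ok": False, "path": "/login"},
    {"ip": "198.51.100.9", "cc": "DE", "kind": "login", "ok": False, "path": "/login"},
    {"ip": "192.0.2.10", "cc": "US", "kind": "login", "ok": True, "path": "/login"},
    {"ip": "203.0.113.5", "cc": "US", "kind": "signup", "ok": True, "path": "/signup"},
    {"ip": "203.0.113.6", "cc": "US", "kind": "signup", "ok": True, "path": "/signup"},
    {"ip": "198.51.100.9", "cc": "DE", "kind": "signup", "ok": True, "path": "/signup"},
    {"ip": "192.0.2.11", "cc": "CA", "kind": "page", "ok": True, "path": "/product/ps5-console"},
    {"ip": "203.0.113.7", "cc": "US", "kind": "page", "ok": True, "path": "/product/unreleased-ps5-bundle"},
    {"ip": "192.0.2.12", "cc": "US", "kind": "page", "ok": True, "path": "/cart"},
    {"ip": "198.51.100.20", "cc": "VN", "kind": "page", "ok": True, "path": "/product/ps5-console"},
]

# Constructed: CIDR blocks you have tagged as hosting/data-center space.
DATACENTER_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
# Countries you actually ship to; anything else is "unfamiliar geography".
SHIP_COUNTRIES = {"US", "CA"}
# URL prefixes of product pages that are not yet linked anywhere public.
HIDDEN_PREFIXES = ("/product/unreleased-",)


def is_datacenter(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def login_failure_rate(events) -> float:
    logins = [e for e in events if e["kind"] == "login"]
    if not logins:
        return 0.0
    return sum(not e["ok"] for e in logins) / len(logins)


def signup_count(events) -> int:
    return sum(e["kind"] == "signup" and e["ok"] for e in events)


def datacenter_share(events) -> float:
    return sum(is_datacenter(e["ip"]) for e in events) / len(events)


def foreign_share(events) -> float:
    return sum(e["cc"] not in SHIP_COUNTRIES for e in events) / len(events)


def hidden_page_hits(events) -> int:
    return sum(e["kind"] == "page" and e["path"].startswith(HIDDEN_PREFIXES)
               for e in events)


def red_flags(events, baseline_signups: int) -> list:
    """Return the names of red flags raised by this window of events.

    Thresholds are constructed for the demo; tune them to your own
    baseline traffic. baseline_signups is the normal signup count for a
    window of the same length."""
    flags = []
    if login_failure_rate(events) > 0.5:
        flags.append("login_failures")
    if signup_count(events) >= 2 * max(baseline_signups, 1):
        flags.append("account_creation_spike")
    if foreign_share(events) > 0.1:
        flags.append("unfamiliar_geography")
    if hidden_page_hits(events) > 0:
        flags.append("hidden_page_visits")
    if datacenter_share(events) > 0.3:
        flags.append("datacenter_traffic")
    return flags


if __name__ == "__main__":
    print(red_flags(EVENTS, baseline_signups=1))
```

Cart abandonment (red flag 4) needs cart and purchase events joined per session, so it is left out of this window-based scan.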
Why does preventing ecommerce bots matter?
You may be wondering, do shopping bots pose business risks if they result in products selling out? A sale is a sale, right?
You wouldn’t be the only one asking these questions. But yes, bots pose major risks to your business as an online retailer. Here are just a few reasons why.
1. Tarnished brand image
Simply put, genuine shoppers view shopping bots snapping up most or all available product as incredibly unfair.
Back in the day shoppers waited overnight for Black Friday doorbusters at brick and mortar stores. They understood if products sold out.
There was a cost to getting in line in the wee hours. Sacrificing sleep. Missed time relaxing at home with family. And so on.
Online shopping bots let bot operators hog massive amounts of product with no inconvenience—they just sit at their computer screen and let the grinch bots do their dirty work.
In the frustrated customer’s eyes, the fault lies with you as the retailer, not the grinch bot. It’s seen as your failure. Genuine customers feel lied to when you say you didn’t have enough inventory. They believe you don’t have their interests at heart, that you’re not vigilant enough to stop bad bots, or both.
If you’re not the sole retailer selling a certain item, shoppers will move to retailers where they feel valued. If you are the sole retailer, shoppers can get so turned off that your brand becomes radioactive—they won’t shop with you again, and they’ll tell their friends and family not to either.
2. Missed connections with true customers
When a true customer is buying a PlayStation from a reseller in a parking lot instead of your business, you miss out on so much.
First, you miss a chance to create a connection with a valuable customer. Hyped product launches can be a fantastic way to reward loyal customers and bring new customers into the fold. Shopping bots sever the relationship between your potential customers and your brand.
Second, this ruptured relationship loses you sales in the future. The lifetime value of a grinch bot operator is nowhere near that of a satisfied customer who regularly returns to buy additional products.
Grinch bots are in it to flip a couple select items.
They couldn’t care less about your product bundles.
They won’t evangelize your brand.
And they certainly won’t engage with customer nurture flows that reduce costs needed to acquire new customers.
Last, you lose purchase activity that forms invaluable business intelligence. Resellers get data on who the actual buyers are, not you. This leaves no chance for upselling and tailored marketing outreach.
3. Jeopardized business contracts
In the ticketing world, many artists require ticketing companies to use strong bot mitigation. If the ticketing company doesn’t, they simply won’t get the contract.
The retail world is starting to see similar trends. For example, graphics card producer AMD sent a letter to all its retailers saying they “strongly recommend” the retailers take the following steps:
- Bot detection and management
- CAPTCHA implementation
- Purchase limits
- Manual order processing
- Limit reseller sales (B2B)
- Inventory-to-Cart allocation
What is now a strong recommendation could easily become a contractual obligation if the AMD graphics cards continue to be snapped up by bots. Retailers that don’t take serious steps to mitigate bots and abuse risk forfeiting their rights to sell hyped products.
4. Increased operational & support costs
Immediate sellouts will lead to higher support tickets and customer complaints on social media. This means more work for your customer service and marketing teams.
If a bot attack slows or crashes your site, the burden on your teams will be even worse.
5. Faulty analytics for decision-making
Bots can skew your data on several fronts, clouding up the reporting you need to make informed business decisions.
The fake accounts that bots generate en masse can give a false impression of your true customer base. Since some services like customer management or email marketing systems charge based on account volumes, this could also create additional costs.
Denial of inventory bots can wreak havoc on your cart abandonment metrics, because they abandon every cart whose product didn’t sell on the secondary market.
Marketing spend and digital operations are just two of the many areas harmed by shopping bots.
6. Website crashes & slowdowns
By their nature, shopping bots use volume to their advantage. So it’s not difficult to see how they overwhelm web application infrastructure, leading to site crashes and slowdowns.
To get a sense of scale, consider data from Akamai that found one botnet sent more than 473 million requests to visit a website during a single sneaker release.
Or think about a stat from GameStop’s former director of international ecommerce. “At times, more than 60% of our traffic - across hundreds of millions of visitors a day - was bots or scrapers,” he told the BBC. With recent hyped releases of the PlayStation 5, there’s reason to believe this was even higher.
When Walmart.com released the PlayStation 5 on Black Friday, the company says it blocked more than 20 million bot attempts in the sale’s first 30 minutes. Every time the retailer updated the stock, so many bots hit that the website of America’s largest retailer crashed several times throughout the day.
Bots will even take a website offline on purpose, just to create chaos so they can slip through undetected when the website comes back online.
Whether an intentional DDoS attack or a byproduct of massive bot traffic, website crashes and slowdowns are terrible for any retailer. They lose you sales, shake the trust of your customers, and expose your systems to security breaches.
Four steps to stop shopping bot attacks
If bots were easy to stop, someone would have done it by now. But as we covered earlier, there’s real business risk in throwing up your hands and doing nothing.
Bot operators use sophisticated methods of attack. Defenses need to be just as sophisticated. What this means in practice is a combination of tools and strategies tailored to bots’ diverse attack vectors.
Here’s a list of some actions to prevent shopping bots and grinch bots.
1. Monitor & identify bot traffic
As the saying goes, if you can’t measure it, you can’t improve it. If you don’t have tools in place to monitor and identify bot traffic, you’ll never be able to stop it.
Sometimes even basic information like browser version can be enough to identify suspicious traffic.
Once scripts are made, they aren’t always updated with the latest browser version. Human users, on the other hand, are constantly prompted by their computers and phones to update to the latest version. It’s highly unlikely a real shopper is using a 3-year-old browser version, for instance.
Based on browser version alone, bot mitigation provider Imperva recommends the following:
- End of life over 2 years ago
- End of life over 3 years ago
Professional bot mitigation platforms often include this type of digital fingerprinting. They look at known information like browser type, IP address, cookies, browser extensions, and so on to create a profile of users.
They’ll also analyze behavioral indicators like mouse movements, frequency of requests, and time-on-page to identify suspicious traffic. For example, if a user visits several pages without moving the mouse, that’s highly suspicious.
Look for bot mitigation solutions that monitor traffic across all channels—website, mobile apps, and APIs. Remember the Yeezy sneaker bots? They plugged into the retailer’s APIs to get quicker access to products. You need to cover all entry points.
Finally, the best bot mitigation platforms will use machine learning to constantly adapt to the bot threats on your specific web application. In the cat-and-mouse game of bot mitigation, your playbook can’t be based on last week’s attack.
2. Take action against suspicious traffic
It’s one thing to identify suspicious traffic. It’s another to respond.
Your bot mitigation solutions should let you test suspicious traffic. Common tests include Google’s CAPTCHA and PerimeterX’s Human Challenge.
Google’s CAPTCHA has grown more advanced over time, from initially typing in blurry words to Google analyzing browsing history and similar behavior to judge whether users are legitimate. The tool isn’t perfect—studies have shown how machine learning algorithms can defeat audio, image, and text-based CAPTCHAs at over 90% success rates—but it is one more hurdle malicious traffic would need to overcome.
PerimeterX’s Human Challenge also uses behavioral data to flag suspicious users, who are then met with a “press and hold” challenge that’s easier for humans and harder for bots to solve.
For users flagged as bots, you need to tag and mitigate them. Options range from blocking the bots completely to rate-limiting them or redirecting them to decoy sites. Logging information about these blocked bots can also help prevent future attacks.
3. Filter bots with web traffic management
A security checkpoint in an airport screens passengers before they can board their flight.
Similarly, a virtual waiting room acts as a checkpoint inserted between a web page on your website and the purchase path.
A virtual waiting room is uniquely positioned to filter out bots by allowing you to run visitor identification checks before visitors can proceed with their purchase.
It has the added benefit of providing a fair shopping experience during hyped product releases: visitors who arrive before the sale opens are placed in a randomized order, and latecomers join the waiting room behind them on a first-come, first-served basis.
4. Leave time for after-sale audits
Some shopping bots will get through even the best bot mitigation strategy. But just because the bot made a purchase doesn’t mean the battle is lost.
If you’re selling limited-inventory products, dedicate resources to review the order confirmations before shipping the products.
Review the orders and ask:
- Are there multiple orders shipping to the same address?
- Were several orders made using the same IP address?
- Was the same credit card used by different customers?
- Is there social media chatter from customers bragging about how they used bots to buy your product?
The most advanced bot operators work to cover their tracks. They use proxies to obscure IP addresses and tweak shipping addresses—an industry practice known as “address jigging”—to fly under the radar of these checks.
But if you take a critical eye to the full details of each order you increase your chances of identifying illegitimate purchases.
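As an added example (not code from the original article), the review script below automates the first three questions in the checklist above: it groups a batch of constructed order confirmations by normalized shipping address, by IP address, and by payment card used across different customer accounts. The address normalization (lowercasing, abbreviation expansion, dropping the unit designator) is there to collapse the small “address jigging” variations the text describes; the order fields, abbreviation table and card tokens are assumptions for the demo.

```python
"""Group order confirmations by normalized address, IP and card.

Added example, not code from the original article. Order shape, the
abbreviation table and the card tokens are constructed for the demo."""
import re
from collections import defaultdict

# Constructed sample orders; "card" is a tokenized card reference, never a PAN.
ORDERS = [
    {"id": "A1", "email": "a@example.com", "ip": "203.0.113.5", "card": "tok_111",
     "address": "123 Main St Apt 4", "zip": "10001"},
    {"id": "A2", "email": "b@example.com", "ip": "203.0.113.5", "card": "tok_111",
     "address": "123 Main Street, Unit 4", "zip": "10001"},
    {"id": "A3", "email": "c@example.com", "ip": "198.51.100.9", "card": "tok_222",
     "address": "123 MAIN ST. #4", "zip": "10001"},
    {"id": "B1", "email": "d@example.com", "ip": "192.0.2.10", "card": "tok_333",
     "address": "9 Oak Avenue", "zip": "94110"},
    {"id": "B2", "email": "e@example.com", "ip": "192.0.2.11", "card": "tok_444",
     "address": "77 Pine Rd", "zip": "30301"},
]

# Constructed abbreviation table: map long forms and unit words to one token.
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
          "drive": "dr", "apartment": "apt", "unit": "apt", "suite": "apt", "ste": "apt"}


def normalize_address(address: str, zip_code: str) -> str:
    """Collapse jigged variants ("St." vs "Street", "Apt 4" vs "#4") to one key."""
    s = address.lower().replace("#", " apt ")
    s = re.sub(r"[^a-z0-9 ]", " ", s)        # strip punctuation
    tokens = [ABBREV.get(t, t) for t in s.split()]
    base, skip_next = [], False
    for t in tokens:
        if skip_next:                        # drop the unit number after "apt"
            skip_next = False
            continue
        if t == "apt":                       # drop the unit designator itself
            skip_next = True
            continue
        base.append(t)
    return " ".join(base) + "|" + zip_code.strip()


def suspicious_groups(orders, key_fn):
    """Order ids that share the same key (address, IP, card); singletons dropped."""
    groups = defaultdict(list)
    for o in orders:
        groups[key_fn(o)].append(o)
    return {k: [o["id"] for o in v] for k, v in groups.items() if len(v) > 1}


def review_orders(orders):
    same_card = {}
    for k, ids in suspicious_groups(orders, lambda o: o["card"]).items():
        emails = {o["email"] for o in orders if o["id"] in ids}
        if len(emails) > 1:                  # one card across different accounts
            same_card[k] = ids
    return {
        "same_address": suspicious_groups(
            orders, lambda o: normalize_address(o["address"], o["zip"])),
        "same_ip": suspicious_groups(orders, lambda o: o["ip"]),
        "same_card": same_card,
    }


def flagged_order_ids(orders):
    """All order ids that fall into at least one suspicious group."""
    ids = set()
    for groups in review_orders(orders).values():
        for group in groups.values():
            ids.update(group)
    return sorted(ids)


if __name__ == "__main__":
    print(review_orders(ORDERS))
    print("hold for manual review:", flagged_order_ids(ORDERS))
```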
If anything’s certain, it’s that shopping bots are only going to spread within online retail. We’ve seen them hit sneaker drops, gaming console launches, even hot tub sales.
Shopping bots have great potential to harm online retailers.
They tarnish brand image, sever connections with valuable customers, crash websites, jeopardize business contracts, increase support costs, and muddle analytics crucial to decision making.
As online sales make up larger shares of retailers’ sales, filtering out shopping bots from genuine customers will become even more important.
In the cat-and-mouse game with today’s next-gen bots, you need every tool in your arsenal. This means a platform to monitor bots, a mitigation solution to block identified bots, an order review process, and a web traffic management solution.