Online shopping bots are not new to the e-commerce world. Stores use bots to offer better customer service, but malicious bots can cause major harm to a business. These pose cybersecurity risks to e-commerce retailers and consumers alike.

Some customers use shopping bots to execute automated tasks based on a set of instructions, such as log onto website -> look for specific product -> add product to cart -> check out. Almost all shopping bots give their users an unfair advantage. For example, if a user wanted to manually wait for a restock of their favorite items, such as sought-after sporting event tickets or collectible trading cards, they would have to sit by their computer all day and refresh their browser by hand.

Shopping bots do this work for them. Users can program the software to search for a specific string on a certain website. When the string appears, the bot runs a task to add the product to the shopping cart and check out or, in some cases, notify an email address. If many shopping bots work correctly and in parallel with each other, the sought-after product usually sells out quickly.

How Shopping Bots Can Pose Cybersecurity Risks

The general impression of a shopping bot is that it makes sales. So, what could the problem be with shopping bots?

While good bots are welcome, some bots can be malicious, especially if they are in the wrong hands. One survey showed that businesses have lost more than $100,000 in revenue from a single bot attack.

Attacks on e-commerce sites by bad shopping bots are nothing new. An Imperva report presented the following statistics:

  • Bots comprise 30.8% of traffic to e-commerce websites
  • Of all the traffic to e-commerce sites, 17.7% comes from bad bots
  • Nearly 23.5% of these bad bots qualify as sophisticated bots

So, how can you tell a good bot from a bad one? Some types can pose more business and cybersecurity risks to online retailers and customers than others.

Credential Stuffing

These bots pretend to interact with the system as real customers by using customers’ real identities, obtained either from the internet or bought from the dark web. Such bots exploit vulnerable passwords to obtain user credentials. The stolen information can include email addresses, credit card numbers and other personal data. It enables these adversaries to launch cyberattacks like phishing, business email compromise and malware attacks. These bots affect the confidentiality, integrity and availability of data in systems and could have a negative impact on a firm’s reputation.

Inventory Denial

Sometimes, it becomes virtually impossible to purchase a product online because it is sold out. This could be the work of inventory denial bots. These mimic human traffic to access e-commerce websites and add large volumes of items to checkout baskets. This act fools the system into thinking that the inventory has sold out. As a result, it causes negative feedback from customers about the targeted brand on social media. Threat actors behind such malicious bots do not purchase the items right away. Instead, they offer them for sale on alternative websites at higher prices. Once a customer places an order, the bot completes the transaction by off-loading the held carts, helping the malicious actors earn a profit in the bargain.

Scalping Bots

Scalping bots search the internet for limited-availability products, which could be out of stock when users look for them. These bots automatically add the items to the cart the moment they become available, autofill the purchase forms and perform checkout in a short time so that the real customers who are waiting for the items can’t purchase them. Besides causing financial loss to the business, scalping bots rob it of the chance to know who its real customers are. These bots prevent the business from cross-selling products and engaging with customers to promote other merchandise.

Scraper Bots

Scraper bots scan web pages and browse for items and vulnerabilities, scraping what they find into a dark web library. These bots use application programming interfaces to place orders and complete transactions without navigating an e-commerce website as humans do. Thus, they act like inventory denial bots to cause sell-outs or even website crashes. Malicious actors use such data to undercut deals from genuine retailers by lowering their prices.

Keeping Ahead of Shopping Bots

Shopping bots can harm a business’s reputation by tarnishing its brand image, crashing websites, increasing support costs, jeopardizing business deals, severing connections with customers and negatively affecting crucial decision-making processes. Besides, these bots contain valuable data that the adversaries behind them can exploit for profit.

This is another reason retailers should be sure to adopt the right cybersecurity measures. Stay updated on how threat actors work and how they can use these bots to infiltrate your information assets.
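The credential stuffing and inventory denial sections above describe two traffic patterns a retailer can look for in its own logs: one IP address cycling through many distinct accounts with mostly failed logins, and one session piling the same scarce product into a basket it never checks out. The script below is an added example, not code from the original article or from any vendor it mentions; it runs two such heuristics over a constructed event log. The event tuple layout, the thresholds (a 60-second login window, 10 distinct accounts, an 80% failure ratio, 20 cart adds) and the sample IP addresses are all assumptions chosen for illustration and would need tuning against a real site’s baseline.

```python
"""Heuristic detection of credential-stuffing and inventory-denial traffic.

Added example, not code from the original article. The log format,
thresholds and sample addresses are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed sample events: (timestamp_seconds, client_ip, session, action, detail).
# action is one of: login_ok, login_fail, add_to_cart, checkout.
# detail carries the username for logins and the SKU for cart adds.
SAMPLE_EVENTS = [
    # A normal shopper: one login, two cart adds, one checkout.
    (0, "198.51.100.7", "s1", "login_ok", "alice"),
    (30, "198.51.100.7", "s1", "add_to_cart", "sku-100"),
    (95, "198.51.100.7", "s1", "add_to_cart", "sku-101"),
    (200, "198.51.100.7", "s1", "checkout", ""),
    # Another shopper who mistypes a password once, then succeeds.
    (300, "198.51.100.8", "s2", "login_fail", "bob"),
    (310, "198.51.100.8", "s2", "login_ok", "bob"),
]
# Credential stuffing: one IP tries 25 distinct usernames within 50 seconds;
# three of the leaked pairs happen to work, the rest fail.
SAMPLE_EVENTS += [
    (1000 + i * 2, "203.0.113.5", f"c{i}",
     "login_ok" if i % 10 == 0 else "login_fail", f"user{i:02d}")
    for i in range(25)
]
# Inventory denial: one session adds the same scarce SKU 40 times and never checks out.
SAMPLE_EVENTS += [
    (2000 + i * 3, "192.0.2.9", "bot1", "add_to_cart", "sku-100") for i in range(40)
]


def flag_credential_stuffing(events, window=60, min_accounts=10, min_fail_ratio=0.8):
    """Flag IPs that, inside any `window`-second span, attempt logins against at
    least `min_accounts` distinct usernames with a failure ratio >= `min_fail_ratio`.
    Returns {ip: {"distinct_accounts": n, "failure_ratio": r}} for the widest hit."""
    logins = defaultdict(list)
    for ts, ip, _sess, action, detail in events:
        if action in ("login_ok", "login_fail"):
            logins[ip].append((ts, action == "login_fail", detail))
    flagged = {}
    for ip, attempts in logins.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in `window` seconds.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            accounts = {a[2] for a in win}
            fails = sum(1 for a in win if a[1])
            ratio = fails / len(win)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(accounts) > prev["distinct_accounts"]:
                    flagged[ip] = {"distinct_accounts": len(accounts),
                                   "failure_ratio": round(ratio, 2)}
    return flagged


def flag_inventory_denial(events, min_adds=20):
    """Flag sessions that add at least `min_adds` items to a cart and never check out.
    Returns {session: {"cart_adds": n, "top_sku": sku, "top_sku_adds": m}}."""
    adds = defaultdict(lambda: defaultdict(int))
    checked_out = set()
    for _ts, _ip, sess, action, detail in events:
        if action == "add_to_cart":
            adds[sess][detail] += 1
        elif action == "checkout":
            checked_out.add(sess)
    flagged = {}
    for sess, skus in adds.items():
        total = sum(skus.values())
        if total >= min_adds and sess not in checked_out:
            top_sku, top_count = max(skus.items(), key=lambda kv: kv[1])
            flagged[sess] = {"cart_adds": total, "top_sku": top_sku, "top_sku_adds": top_count}
    return flagged


def held_stock_by_sku(inventory_flags):
    """Aggregate cart adds from flagged sessions per SKU, so operations can see
    which products are being held hostage and release the stale reservations."""
    held = defaultdict(int)
    for info in inventory_flags.values():
        held[info["top_sku"]] += info["top_sku_adds"]
    return dict(held)


if __name__ == "__main__":
    print("credential stuffing:", flag_credential_stuffing(SAMPLE_EVENTS))
    denial = flag_inventory_denial(SAMPLE_EVENTS)
    print("inventory denial:", denial)
    print("held stock per SKU:", held_stock_by_sku(denial))
```

Both heuristics key on behaviour rather than on user-agent strings, which sophisticated bots spoof; the natural responses are rate limiting or step-up authentication for the flagged IP, and expiring the flagged session’s cart reservations so the held inventory returns to real customers. The shopper who mistypes a password once is not flagged, because the distinct-account threshold, not the failure alone, drives the credential-stuffing rule.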
