Fueled by Pandemic Realities, Grinchbots Aggressively Surge in Activity

E-commerce’s proverbial Who-ville is under siege, with a rise in bots bent on ruining gift cards and snapping up coveted gifts for outrageously priced resale.

The festive season is moving into full swing, and so is holiday shopping – including special product launches and sales. But just as we collectively look forward to leisurely browsing for deals from the couch, perhaps with a mug of hot cocoa, “grinchbots” have emerged to burn it all down.

According to Imperva Research Labs, advanced bot traffic sessions on retail sites in November spiked a shocking 73 percent over the previous month, and there’s no sign of the activity subsiding, even if Black Friday and Cyber Monday have come and gone.

In general, the proportion of bot traffic on retail sites this year is 13 percent higher than in 2020, the firm found, and the majority (57 percent) of attacks recorded on e-commerce websites this year were carried out by bots. In comparison, bots were to blame for just 33 percent of the total attacks on websites in all other industries in 2021.

Infosec Insiders Newsletter

As background, grinchbots are automated bots that query online inventories and purchase desired goods, looking to take advantage of sales events and special product launches. Just like the closely related sneakerbot phenomenon, their human operators (who presumably have three-sizes-too-small hearts) look to clean out online stores of hot items, so they can resell them at a steep upcharge later.

Grinchbots target the holidays for obvious reasons; more demand means more margin, plus there are more limited-edition goods to capitalize on, including toys, GPUs, gaming goods, apparel, jewelry and more.

It’s a type of fraud that has real-world consequences for any gifting plans consumers may have. For instance, last season, grinchbots were responsible for a nationwide shortage of PlayStation 5 gaming consoles – they were only available from third-party resellers for double or more their retail price, far out of the price range of most American families.

“Because the automation is faster and more efficient than a human, legitimate human users don’t stand a chance at getting their hands on the latest, most desired commodities,” explained researchers at Imperva, in a Wednesday posting.

Amid the data, Imperva found that bot traffic continued to spike the week after Cyber Monday this year, growing 8 percent from the prior week; and that’s after traffic had already spiked 48 percent between Thanksgiving Day and Black Friday.

“The 2021 holiday shopping season is shaping up to be a nightmare for both retailers and consumers,” Peter Klimek, director of technology at the office of the CTO at Imperva, said via email. “With the global supply-chain conditions worsening, retailers will not only struggle to get products to sell in Q4, but will face increased attacks from motivated cybercriminals who want to benefit from the chaos.”

Online retailers continue to implement controls to weed out Christmas-hating bot traffic, and the bot operators continue to find ways to evade them. Some take elaborate measures in service to their grinchy cause, starting with setting up fake email accounts.

“Once a threat actor has created enough email addresses and ‘farmed’ them to look like real people by sending emails, watching YouTube videos and in general, acting like a human, they then go set up accounts on the desired platforms for the purpose of making purchases of the next item to drop,” explained Jason Kent, hacker-in-residence at Cequence Security, in a recent Threatpost column. “This means these platforms have hundreds of accounts that are simply controlled by the threat actor.”

Saryu Nayyar also noted for Threatpost that mimicking human behavior during the shopping process itself allows grinchbots to evade static rules engines that perform behavioral analysis to identify bot transactions.

“One technique is to mimic a typical online shopping pattern, where someone scrolls through multiple product pages, and might even use a ‘compare these products’ tool or look at product reviews,” she explained. “Then, a big-ticket item is placed in the cart and purchased with the purloined payment information. By looking like a typical purchase process, the fraudster makes the behavior less suspicious and skirts rule-based detection.”

Gift Card Grinches

If shoppers can’t get coveted items at the MSRP, there are always gift cards to fall back on, right? Well, not really, researchers say.

Grinchbots are also branching out, taking not only the gifts from under people’s trees but also the Roast Beast, so to speak: Increasingly they’re turning their sights to gift cards, according to security firm Kasada.

This involves gift-card cracking, which involves bombarding online sites with millions of combinations of digits to identify active cards that hold value. Once the bots crack a valid gift card, the operators can transfer the stored value or use the cards to purchase goods, researchers explained.

“The gift cards are depleted (the money is gone) before the intended recipient of the card has a chance to use it,” according to the firm, in data shared with Threatpost.

In one of the key indicators that bad bots are hard at work on this front, Kasada has seen automated gift card balance lookups quadruple for their retail customers over the past two months.

The gift-card frenzy is driven by broader economic realities: “Gift cards are now even more desirable to shoppers and retailers struggling with supply-chain delays and labor shortages,” according to Kasada. “Shoppers plan to boost gift-card spending this holiday season, making them about 40 percent of their total gift purchases, according to a recent survey.”

Congress Takes on Grinch Bots

As grinchbots continue taking gifts up the side of their own personal Mt. Crumpet, Congress has introduced the “Stopping Grinch Bots Act” (PDF) to “prevent scalpers from sucking hard-working parents dry this holiday season,” according to bill sponsor Rep. Paul Tonko (D-N.Y.). But Imperva researchers noted that enforcing any resulting law on a borderless internet will be challenging.

“While the efforts of U.S. lawmakers are respectable and the industry should support them, the bot problem is complex and will be hard to stop altogether,” Klimek said. “Bot operators are motivated because their efforts are generating a substantial income and funding their lifestyles. Domestic legislation will not stop bot operators from finding loopholes – like deploying automated scripts from servers in other jurisdictions.”

He added that there are also legal ramifications that could impact the viability of the bill: “It will be challenging for third-party marketplaces to adequately determine when they should know if a product or service was acquired through inventory hoarding practices. Expect pushback from the trade groups that operate these marketplaces as this bill would make them liable for the behavior of their sellers.”

How to Fight the Grinchbots

For now, online merchants should invest in a multilayered security approach that spans applications and application programming interfaces (APIs) as well as back-end data and everything in-between, according to Imperva. APIs in particular should be a focus, researchers noted.

“[APIs] are essential for retailers as they improve the e-commerce experience for shoppers,” according to Imperva. “APIs connect consumers to data and information they need – like inventory availability, product search, order fulfillment tracking and more. However, APIs, like JavaScript services, are difficult to monitor and highly vulnerable to attack.”

Protecting the client side is critical as well, researchers said, which usually entails employing third-party services that operate outside of the security team’s control.

“Common website functionality like chatbots, payment services and web analytics are enabled by third-party JavaScript that executes on the client side,” explained the firm. “The functionality is a necessity for e-commerce, but is increasingly vulnerable to attack. If not properly secured, the compromise of third-party JavaScript code can lead to cross-site scripting (XSS), formjacking, cryptojacking, malicious ad injection, data skimming and more.”

Nayyar also recommended bringing in the big guns: machine learning and artificial intelligence.

“Today’s cloud-based advanced fraud analytics platforms utilize Big-Data architecture, machine learning, artificial intelligence and behavioral analytics to dig through millions of transactions and billions of data points from cross-channel sources to get a full contextual view of transactions and detect anomalous signals and activities in real time,” she said. “Such platforms can provide accurate, prioritized risk assessments that enable decision-making and allow mitigations to be triggered in time to prevent the losses.”

As for consumers, there could be difficult shopping times ahead, but perhaps the spirit of the season will prevail anyway. As the Grinch once noted, the holidays are about more than shopping: “It came without ribbons, it came without tags. It came without packages, boxes or bags.”

There’s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This LIVE, interactive Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.

Register NOW for the LIVE event!

Suggested articles