
Scalper Bots: What They Are and How to Fight Them

What are scalper bots?

Scalping is a common phenomenon in the e-commerce and ticketing industries, which often leads to denial of inventory. Online scalping is carried out using scalper bots. These are specialized bots that are deployed to outpace genuine consumers in securing fast-moving goods such as event tickets, gaming consoles, and limited-edition items. Since bots add the sought-after items to their carts, good users do not get a fair chance to score deals and discounts. Using scalper bots, fraudsters can check out in no time, allowing them to hoard these items in bulk. They can then resell these expensive or exclusive items at a premium. Alternatively, attackers may abandon the items added to the cart later, causing losses to the business.

Types of scalper bots

Scalper bots come in several versions. They are often used for filling out online forms, scraping APIs, auto-refreshing web pages, and pre-botting, among others. Let us take a closer look at these specialized scalper bots:

  • Form fillers: Bots look out for web pages that request user information and harvest this data. Over a period of time, this data is used for financial transactions.
  • API scrapers: These bots scrape data from APIs to facilitate automated actions such as disseminating spam, logging into accounts and even purchasing items off of websites.
  • Pre-bot: These scripts are programmed to visit several sites simultaneously and create new accounts just before the online sale. As soon as the sale begins, these bots check out popular items in bulk.
  • Auto refreshers: Bots auto-refresh web pages to keep checking for the start of the online sale. Once the sale begins, they use the credit card details saved earlier by form fillers to check out before regular users can.

How scalper bots work

The process of scalping begins with an attacker creating multiple fake new accounts or hacking into user accounts through account takeover attacks. Scalper bots and scripts are then used to search the internet for products that are popular and in high demand. They even search for new product SKUs so that these products can be secured as soon as they are put up on sale.

Scalper bots are positioned at the start of the queue and begin searching for products en masse as soon as the online sale goes live. This helps them speed up the search process (a thousand times faster than a human) and outpace good users in order to add as many products as possible to their carts. Using saved credit card details from the existing compromised accounts, these bots are able to complete the checkout process in no time, which means products are no longer available for genuine users. Scalper bots also use freshly created fake accounts to run a batch of credit card details through automated checkouts.

Attackers steal residential IP addresses and IoT device addresses to manipulate fraud defense systems. Using malware, they compromise IP addresses and route the bot traffic through them. This consumes significant amounts of bandwidth and infrastructure resources, which in turn slows down the websites and leads to outages and denial of inventory. Slow response and increased wait times can cause frustration to consumers.

Goal of scalper bots

The goal of scalper bots is straightforward: to add as many products as possible to the cart as quickly as possible, so that genuine consumers do not get a chance to access them. Some of the bots are programmed to proceed straight to the checkout process, bypassing the cart flow. Compared to human users, these bots take a fraction of the time to fill in consumer information such as credit card details and billing addresses, which speeds up the checkout process.
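The behaviours described so far (accounts created just before a sale, checkout that skips the cart, and forms completed faster than a person can type) can be turned into server-side signals. The following is an added example, not code from the original article; the event names, thresholds, and sample sessions are constructed assumptions.

```python
from datetime import datetime, timedelta

SALE_START = datetime(2024, 1, 1, 10, 0, 0)   # constructed sale start time
NEW_ACCOUNT_WINDOW = timedelta(hours=1)       # assumed threshold
MIN_HUMAN_FORM_SECONDS = 5.0                  # assumed threshold


def signals(account_created, events):
    """Return scalper-bot signals for one session.

    events: list of (event_name, datetime), sorted by time.
    """
    first = {}
    for name, ts in events:
        first.setdefault(name, ts)            # keep first occurrence only
    reasons = []
    age_at_sale = SALE_START - account_created
    if timedelta(0) <= age_at_sale <= NEW_ACCOUNT_WINDOW:
        reasons.append("account_created_just_before_sale")
    if "checkout_submit" in first and "add_to_cart" not in first:
        reasons.append("checkout_without_cart")
    if "checkout_form_open" in first and "checkout_submit" in first:
        fill = first["checkout_submit"] - first["checkout_form_open"]
        if fill.total_seconds() < MIN_HUMAN_FORM_SECONDS:
            reasons.append("form_filled_too_fast")
    return reasons


def at(seconds):
    return SALE_START + timedelta(seconds=seconds)


# Constructed sample sessions: id -> (account creation time, events)
SESSIONS = {
    "s-human": (SALE_START - timedelta(days=200),
                [("view_product", at(12)), ("add_to_cart", at(30)),
                 ("checkout_form_open", at(41)), ("checkout_submit", at(95))]),
    "s-bot": (SALE_START - timedelta(minutes=4),
              [("checkout_form_open", at(0.2)), ("checkout_submit", at(0.6))]),
}


def flag_sessions(sessions):
    flagged = {}
    for sid, (created, events) in sessions.items():
        reasons = signals(created, events)
        if reasons:
            flagged[sid] = reasons
    return flagged
```

A flagged session is a candidate for additional friction rather than an outright block, since any single signal can also match a legitimate fast shopper.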

Scalper bots can impersonate good users to circumvent fraud defenses such as CAPTCHAs with ease.

How to stop scalper bots

In 2016, the sale of tickets bought off websites using bots was made illegal. A similar bill called the Stop Grinch Bots Act was introduced in 2019. However, scalping still continues to be a big challenge for online retailers.

To stop scalpers from disrupting their online sales events, many retailers have stopped making announcements in advance. It can, however, be a counterproductive measure as unaware customers may not shop at all.

One of the most common methods businesses employ to stop scalping is to limit the number of items a person can buy to one or two. They may not allow automatic checkout for popular items and even limit the time that a transaction must be completed within.
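A sketch of the purchase limit and transaction time limit described above, written as an added example rather than code from the original article. The cap of two items, the 300-second hold, and the idea of keying the limit on payment token plus shipping address are assumptions made for illustration.

```python
import time

MAX_PER_BUYER = 2     # assumed cap ("one or two" items per person)
HOLD_SECONDS = 300    # assumed time limit for completing the transaction


def buyer_key(card_token, ship_to):
    # Key on payment token + normalized address rather than account id,
    # because scalpers spread purchases across many fake accounts.
    return (card_token, " ".join(ship_to.lower().split()))


class SaleInventory:
    """Stock for one SKU with per-buyer caps and expiring cart holds."""

    def __init__(self, stock, clock=time.monotonic):
        self.stock = stock
        self.clock = clock
        self.holds = {}       # buyer key -> (quantity, expires_at)
        self.purchased = {}   # buyer key -> quantity already bought

    def _release_expired(self):
        now = self.clock()
        for key in [k for k, (_, exp) in self.holds.items() if exp <= now]:
            qty, _ = self.holds.pop(key)
            self.stock += qty     # abandoned carts go back on sale

    def add_to_cart(self, key, qty):
        self._release_expired()
        if qty < 1:
            return "invalid"
        held, expires = self.holds.get(key, (0, self.clock() + HOLD_SECONDS))
        if self.purchased.get(key, 0) + held + qty > MAX_PER_BUYER:
            return "limit_exceeded"
        if qty > self.stock:
            return "sold_out"
        self.stock -= qty
        self.holds[key] = (held + qty, expires)  # adding never extends a hold
        return "held"

    def checkout(self, key):
        self._release_expired()
        if key not in self.holds:
            return "no_active_hold"
        qty, _ = self.holds.pop(key)
        self.purchased[key] = self.purchased.get(key, 0) + qty
        return "purchased"
```

Expiring holds address the abandoned-cart form of denial of inventory: stock that a bot adds to a cart and never buys returns to the pool once the time limit passes.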

Many eCommerce platforms deploy bot detection tools such as CAPTCHAs to fight bot activity. However, leveraging the latest technologies such as machine vision, artificial intelligence, and machine learning, bots have evolved in their capabilities and can clear these outdated CAPTCHAs fairly easily. In the instances where businesses may have deployed fraud solutions that require more nuanced human interaction, these bots hand over the attack to human click farms. Attackers possess the knowledge about existing fraud solutions and have reverse engineered them to circumvent them.

This makes detecting scalper bots an onerous task.

Limitations of current bot detection approaches

Current bot detection tools such as CAPTCHAs are no match for today’s bots that have acquired advanced capabilities allowing attackers to execute complex attacks. These bots can impersonate humans fairly closely and have the intelligence to hand over the attack to human click farms that can interact with the more advanced fraud defense tools.

Even rule-based fraud solutions or web application firewalls are not too effective in stopping the scourge of scalper bots.

Need for a fresh approach to fight scalping bots

In a growing digital economy where the number of users accessing online channels using a variety of devices is increasing every day, businesses need an effective system to tell fraudsters from good users. This is not an easy task as advancements in bot technology have given human-like capabilities to bots.

To protect their users and revenues from the onslaught of scalper bots, businesses need to rethink their fraud strategies. Instead of still relying on mitigation, businesses must now consider a proactive approach that allows them to deter fraud across platforms and devices. They need a multi-layered approach that uses targeted friction to stop fraudsters while keeping user experience at the forefront.

FAQ

Scalper bots are software scripts that are programmed to purchase popular, expensive, or limited-edition items as soon as an online sales event begins. They hoard these items to resell later at a premium.

The cost of scalper bots varies according to the activity they need to perform. Depending on the efficiency and role of these bots, they can cost thousands of dollars. That said, with botnets-as-a-service readily available now, the cost of scalper bots is declining.

Common methods to stop scalper bots include the use of CAPTCHA, enabling cookies in the browser, and using server-side bot management.

The basic difference between a scalper bot and a regular bot is the kind of activity they are deployed for. Scalper bots are used to attack online retailers to snag items on sale before genuine users can access them. Regular bots, on the other hand, disrupt network operations.

Bot management software helps businesses detect scalper bot activity on their websites. Using these solutions, businesses can gain insights into visitor activity on their websites.

With a focus on fraud deterrence, Arkose Labs uses targeted friction to eliminate scalper bots. The Arkose Labs platform does not block any incoming user; instead, on the basis of their real-time risk assessment, it presents adaptive step-up enforcement challenges. Bots trying to clear these challenges at scale fail instantly, as the proprietary 3D puzzles are trained against the most advanced vision technology, which makes them insurmountable by bots and scripts.

In the event that human click farms take over from bots, the enforcement challenges increase in volume and complexity. This prevents persistent human attackers from solving the puzzles at scale and wastes their time, efforts, and resources. Additional investments to clear the puzzles reduce the returns from the attack and make it progressively less attractive. The business model of fraud goes bankrupt, forcing the attackers to give up and move on.

Good users may not encounter the challenges at all; and even if they do, they are able to solve them quickly and continue with their digital interactions without any disruption.

This provides long-term protection to businesses against scalper bots while maintaining superlative user experience to consumers using diverse device types.