Report Warns About the Growing Problem of E-Commerce Bots

• Imperva warns about the growing issue of bad bots, especially in e-commerce platforms. 
• The various types of bots are deployed from multiple actors, both malicious and not. 
• E-commerce platforms are hurt by the loads and activity, but so far, they ignore the problem. 

Imperva shared a report with us where they analyze the growing problem of malicious bots that are being deployed in the e-commerce field. As detailed in the report, this problem involves cyber-attacks, website overloading, malicious goods targeting, and various types of automated threats. As Imperva points out, most e-commerce companies do not consider the scale of the problem, nor its consequences, allowing it to grow into an ever-growing one. The report analyzed 16.4 billion requests from 231 e-commerce domains that took place during July 2019, finding out that 79.2% of them featured moderated or high level of sophistication.

The key findings of the report are the following:

• E-commerce traffic consists of 17.7 percent bad bots, 13.1 percent good bots and 69.2 percent humans. In some domains, the percentage of bad bots reached up to 99.15%, while 77 out of the 231 surpass the percentage of 30%.

• Bad bots on e-commerce sites are becoming more advanced and difficult to detect. Nearly four-fifths (79.2%) are classified as moderate or sophisticated, up from 75.8 percent in 2018, while those classified as simple decreased from 24.2 to 20.8 percent.
• The variety of bot attacks is more diverse in e-commerce than in many other industries. These attacks include unauthorized price and content scraping, denial of inventory, scraping by resellers. In addition to the above, there are investment companies looking to gather “alternative data” to determine whether a company is a good investment target. As for the cyber-crooks, those use bots for gift card fraud, account takeover, stealing of PII, and credit card abuse.
• The top five countries from which e-commerce bad bots originate are the United States (63.6%), Germany (10.1%), France (6.2%), Canada (5.5%) and China (4.9%). Each country contributes a higher proportion of bad bot traffic on e-commerce sites compared to other industries. As for the day of the week that sees the highest bad bot activity, Monday, Tuesday, and Wednesday take the lead, while Sunday is the most “silent” of them all.

• The top five browsers that e-commerce bad bots use to mask their identities are Chrome (66%), Firefox (13.6%), Safari (6.8%), SEMRush (4.9%) and Android Webkit (2.2%), illustrating that the majority of e-commerce bots are attempting to hide in plain sight by impersonating the most popular browsers.

One interesting case of bot deployment that comes from regular users are the “limited-product” bots. Imperva identified a prevalence of this type in sneaker selling platforms. There, the bots are quick to buy limited versions of sneakers in bulk, and then sell them for a higher price later on. Samples of such bots can be found for sale in “anothernikebot.com”, “hyperbots.com” and “aiobots.com”, for around three hundred dollars. These bots are not only after sneakers but anything “limited edition” they can find. Of course, these bots get smarter, so they can target a wider spectrum of products and e-commerce platforms.

As for the recommendations of Imperva on how e-commerce platforms can mitigate the problem, those can be summarized in the following points:

• Block outdated user agents/browsers, as most human users must have updated their browsers already. This lowers the risk of blocking legitimate traffic onto the platform.
• Block hosting providers and proxy services that are known and confirmed to be malicious.
• Identify and protect exposed APIs from all channels of access, including any mobile apps.
• Carefully evaluate traffic sources and closely monitor them for common signs of bot traffic.
• Investigate inexplicable or unexpected traffic spikes.
• Investigate even low numbers of failed login attempts that won’t trigger alerting systems.
• Monitor gift card number validation failures and look for traces of bots such as “GiftGhostBot”.
• Stay updated about the latest data breaches that become public and may lead to stuffing attacks.
• Deploy an advanced bot mitigation solution.

Do you have something to comment on the above? Let us know of your opinion in the comments down below, or on our socials, on Facebook and Twitter.