Have you ever tried to purchase a ticket to an event, only to miss out, despite being logged on at 10 am, just in time for the tickets to go on sale? It’s frustrating, right?
It’s even more annoying when you find that ticket marketplaces are reselling these tickets at 10x the face value. How did they purchase so many tickets when you couldn’t even get your hands on one?
Well, this is where scalper bots come in!
Scalper bots, also known as scalping bots, use automated methods to obtain goods or services, which they can buy in bulk and finish the checkout process a lot quicker than any legitimate customer would be able to do.
These types of bots utilize automated software so that they can sit at the front of the queue and purchase thousands of tickets, goods, or services from the moment they go on sale.
Scalping is a technique that is most well-known in the ticketing and events industry, sneaker industry, or electronics industry, where tickets or limited items are purchased and resold later so scalpers can make a profit. However, scalper bots can be used in other industries as well. Ultimately, it can result in denial of inventory, as the services or goods become unavailable.
In this guide, we will cover everything you need to know about scalper bots and how we can effectively detect and stop them.
What is scalping?
Scalping refers to the practice of reselling something that is in limited supply to profit. A scalper will purchase products on the Internet at retail price, and then quickly resell them for a higher price on a secondary marketplace. This profit could be relatively small or it could be 10 times or more than the original price.
Scalpers take advantage of the scarcity of a product, purchasing items that are in high demand yet have limited availability by using software to automate the scalping process to generate even larger profits.
What sort of products get scalped?
Scalping first became popular with concerts, sporting, or other event tickets. The practice of ticket scalping is something that goes back well before the Internet was around. Scalpers would stand outside of an event venue, looking for individuals without entry tickets in an attempt to sell them a ticket at a much higher price. This practice still occurs, but the majority of scalping today is conducted online because of the digitization of ticket sales.
Tickets for popular events can often sell out within minutes and sometimes even seconds. Scalpers will purchase as many tickets as they are able to, and then they will upload them to popular ticket reselling marketplaces of classified sites, such as Facebook Marketplace, StubHub, and Craigslist. Depending on the ticket price and the event itself, these entry passes can be sold at multiple times what they cost to begin with.
Limited edition sneakers have become the next huge market for scalpers. The sneaker resale market is now worth an estimated $10 billion, according to reports from Piper Sandler, a leading research firm. The top-five sneaker brands on StockX in 2020 were as follows:
- Jordan Brand
- New Balance
As of late, scalping has also emerged within luxury apparel and the electronics sector. For example, the chip shortage over the past year has resulted in a reduced supply of computer hardware, especially in regards to next-gen gaming consoles, like Xbox One and PS5, and graphic cards coveted by gamers requiring high-performance as well as crypto mining operations. NFTs (non-fungible tokens) have become the latest playground for bots to make a profit on buying and reselling scarce digital collectables.
There are several characteristics that tend to apply to virtually every product or service that gets scalped, and these are as follows:
- A limited supply
- A simultaneous “drop” or release of available stock
- High demand, even on the resale market
We can also see scalper bots in action during big retail sale events. For example, during Black Friday, scalper bots will often snap up deals before anyone can get their hands on items at the sale prices. Many deals will be on a limited number of items, meaning it is incredibly difficult for genuine customers to purchase products at the best price. This is something that happened in 2019 when Costco experienced problems with consumers shopping the Black Friday deals in advance. The issues resulted in Costco having to stop taking online orders, and it is possible they experienced millions of dollars in lost sales due to what appears to be hoarding bots.
The purpose of scalper bots
Automation is cheap, effective, and provides the means to generate profit at scale.
Scalper bots were created to automatically scan for product availability and fill out details during the checkout process, such as billing address and credit card details, which would take a human user a considerably longer amount of time than it would take for a malicious attacker using automation to complete the checkout process.
There have also been more sophisticated scalper bots that have been created to bypass the security measures in place, such as CAPTCHA. This is why Kasada does not recommend using CAPTCHA as a bot prevention method – it is outdated and ineffective while impacting the user experience for legitimate users.
Bots have also been programmed with software scripts to heighten their chances of success while buying merchandise, services, or tickets from online providers utilizing customized techniques that make the bot look and act as much like a human as possible.
By continually automating until the website receives a positive response, scalper bots tend to circumvent any limit on purchase quantity the vendor has set. They can fill out hundreds of debit and credit card numbers at the same time.
They can also generate or purchase legitimate user accounts and let them age before using them. Creating many new accounts at once is a tell-tale sign of a bot, enabling the accounts to mature to bypass triggering such an alert.
What are the different kinds of scalper bots?
Now that you have an understanding of what scalper bots are and how they work, let’s delve deeper into the different kinds of bots that can be used to carry out scalping:
- Optimized to score a certain type of product, these bots will actively update their methods to deal with ever-changing anti-bot detection methods and websites.
- Providing a gateway into botting, these extensions are easy to use and install. They can even be free. However, they are limited in regards to the number of websites you can access and the inventory you can cop.
- Scan sites and look for any information to figure out when items are going to be dropped. They set an alert and feed information from these scanners into other bots, such as AIO bots.
- Designed for “all-in-one,” these bots work across bulk checkouts and numerous websites. They get passed log-in checks, CAPTCHAs, and can utilize Discord to inform of successful checkouts.
Bots as a service
- Why buy a bot when you are able to rent one? All you need to do is wait for a drop and create tasks for the products you want to purchase. In fact, you can even automate the entire process.
- DIY by leveraging the collective knowledge of open-source. With a huge range of proxy networks, stealth plugins, scripts, and GitHub repos, there is a bot for that to leverage.
The true victims of scalping
Both the customer and the retailer end up being hit hard. Despite the fact that online retailers generate immediate revenue by selling their limited inventory to bots, they miss out on all of the extra sales they would expect if they could delight happy legitimate customers. Plus, the cost of processing all of the bot traffic is quite expensive, eating directly into profit margins.
Not only this, but when customers miss out on products due to scalper bots, they end up frustrated, which tends to be directed at the online provider. Customers may leave negative reviews about the company online, and this can reflect badly on brand image and reputation.
If someone has tried to get a ticket to your event and then notice that hundreds if not thousands of items are being resold at much higher rates, they will feel like they have been cheated. You only need to do a quick search on a social media website like Twitter to see the frustration expressed by those who feel they have missed out on items due to scalper bots. You will see that a lot of the comments are aimed at those putting on the retailer, rather than the scalpers themselves.
Is scalping legal?
Maybe. Generally, bots fall into a grey area of U.S. and international law.
There are different rules and regulations in place all around the world regarding scalping. However, approximately five years ago, the US took an important legislative action towards the use of bots for scalping.
Known as the BOTS Act, the Better Online Sales Act was approved as part of federal law on December 14, 2016, by President Barack Obama. This act was implemented to prevent attempts by organizations and individuals to automate the process of buying tickets en masse utilizing ticket bots.
These tickets are then typically resold via third-party websites for a profit, i.e. ticket scalping. The BOTS Act outlawed the reselling ot tickets bought via bot technology, with a $16,000 fine enforced for violations. The U.S. Federal Trade Commission implements the BOTS Act.
Note this legislative act only applies to tickets, and not other items such as sneakers and electronics. And given bot operators are good at disguising their efforts online, it is very difficult to enforce.
How can we stop scalper bots and scalping?
Web Application Firewalls (WAFs) were once successful in preventing scalper bots. With artificial intelligence (AI), machine learning, and the sophistication of technology, WAFs are not a match for the bots we see today.
Because bots mimic human behaviors more convincingly than ever before, detection has become much more complex. Attackers hide behind residential proxy networks making techniques, such as IP blocking based on reputation, ineffective. As a result, scalping bots are able to remain stealthy, evade detection by most anti-bot solutions, and can successfully buy in-demand items.
Let’s take a look at some of the different strategies that can be used to deter scalping:
One place to begin is with legislation. As we have mentioned above, the laws in place at the moment are grey and only apply to the scalping of tickets within the US, not other items or jurisdictions. Therefore, further laws being implemented to prohibit online and offline scalping would help to make a difference.
Unfair ticketing and hoarding of different products to generate artificial shortages have devastating consequences on the wider public. Scalpers will sell the products at a price that is way above the producer’s price. Therefore, a lot of the general public is priced out of the market.
By putting regulations in place, we can ensure that customers and businesses are both protected from this unfair practice.
Address the fundamental financial driver of these attacks
Simply blocking an attack is not going to make the attacker disappear. Financially motivated bot operators know that they simply need to retool and adjust their techniques until they evade your defenses and then they will be able to achieve their objectives.
This is why we need to address the fundamental economic driver of these attacks, which is exactly what Kasada does. Kasada provides increasingly difficult cryptographic, proof-of-work challenges to turn the tables on the attackers, exhausting all of their CPU resources, and consequently, their wallets. This means that pursuing attacks would be financially unviable, and so they will take their bad intentions elsewhere.
Be vigilant during the launch
Manufacturers and retailers need to be prepared for bots when they launch new items onto the market. One of the ideas here is to not notice customers in advance. This is something we are seeing at the moment with the Pokemon Celebrations launch.
Pokemon has launched a special Celebrations set for their 25th anniversary, which is proving to be incredibly popular. However, suppliers have only been assigned limited allocations, with some companies only getting one Ultra Premium Collection Box to put up for sale. For other products, the allocations seem to be in the very low double figures, and dedicated fans have been concerned that scalpers will get their hands on these items.
You only need to do a quick search on eBay to see that Celebrations products will be sold at way higher than the RRP.
Therefore, many businesses have decided not to provide advance notice regarding when their products are going to go on sale because they want to make sure that the items end up in the hands of genuine collectors, rather than scalpers.
Another option is for businesses to come up with a workaround. To confuse scalper bots, you can put a fake price up only for bots that differ from the one for legitimate consumers.
Any bot action, whether scrapping or scalping, has a considerable number of requests to the web server in question. By putting limits on the number of and rates of incoming connections, you can inhibit the activity of the scalper bots.
You can set this on mobile applications, websites, and APIs. However, sophisticated bot operators will then come in “low and slow” across many IP addresses and attempt to fly beneath the rate controls that have been set.
Behavioral analysis and machine learning
Human users follow a pattern of behavior that is predictable. Conversely, the patterns of the bot will be programmed and run step-by-step, depending on how they were created by the developer.
With machine learning, scalpers can be identified, and you can take measures to shield yourself from them. You can effectively filter out the scalpers and block them from accessing your site by using pattern recognition.
Of course, machine learning is not enough to detect malicious automation on its own. The problem with this is that it relies on historical data, and so it won’t respond fast enough to prevent the first bot attacks. Additionally, bot operators have learned to trick machine learning models into creating faulty outputs by feeding models with bogus data and spoofing request headers.
As the bots that carry out scalping attacks must operate at a large scale, it is not possible to change the device. However, by searching for similar signatures, you can identify a scalping bot and stop or block it from scalping your website.
This technique is helpful in identifying a set of device parameters and browsers that remain the same in between sessions. It likely means that your site is repeatedly connected to the same entity. However, device fingerprinting is becoming an increasingly outdated method for identifying humans. One reason is that adversaries harvest digital fingerprints utilizing device or browser malware, driving the need for other client-side data to be collected.
Restricting multiple orders
In addition to the ideas that we have mentioned so far, another option to consider is preventing multiple orders to prevent items being scalped on your website.
You can do this by making sure that you only permit one delivery per customer, and you can ask users to register utilizing their social security number to ensure this is the case.
With order limits, you make sure that the scalper is not able to purchase the bulk of your products. This too has its limits as aged accounts, with slightly different addresses, can be used to bypass such restrictions
Use a specialized bot protection solution
We have already determined that bots are the chief agents that are used in online scalping, and so it makes sense to subscribe or install an anti-bot service to help effectively detect and stop bots.
Advanced bot protection software makes the most of dynamic technologies for real-time detection and analysis to identify and stop malicious bots.
If a scalper is looking through your website, the solution you use should be able to identify this and stop it before it is even allowed to enter an online provider’s infrastructure. Modern solutions are able to detect the presence of automation itself while leveraging data analytics to stop the bad bots and allow the good bots to continue to do their work.
Finding a bot mitigation solution that works for you
One of the most important steps to take when it comes to fighting back against scalper bots is to find a reputable and effective bot mitigation solution. These software tools are designed to prevent sophisticated bots in a manner that is easy to deploy and requires little maintenance. At Kasada, we have developed the best tool for detecting and preventing bots in real-time.
With that being said, let’s take a look at some of the different things you need when it comes to bot detection:
Real-time detection is critical
There is only one place to begin, and this is by looking for a solution that is going to offer real-time detection. Malicious automation needs to be spotted on the very first request before it can enter your infrastructure, otherwise, it is going to be too late as the scalper bots will already get what they were looking for.
The majority of the solutions on the market today will not detect automated attacks prior to the page loading due to the way in which the software is architected. This is why we designed Kasda to be architected differently.
Whenever a bot imitates a human user interacting with your application, they will leave traces of automation within your environment. We implement an invisible client interrogation process to find these traces, using the telemetry in our decision engine to find and prevent attacks. We look for immutable evidence of automation from the first-ever request with long-term efficacy and very low false-positive rates. We can also detect and stop scraping attempts before any damage is inflicted.
Ease of deployment and use
Next, you will want to make sure that the software you select is easy to use. A lot of the solutions available today are complicated to deploy, configure, and manage, demanding you to update rules and policies continually. However, this is not something you need to worry about with Kasada, as our platform doesn’t rely on rules or heuristics. In fact, you will start seeing the value of our dynamic solution within just 30 minutes.
Kasada offers a scalable cloud service, which can be integrated into your current CDN and infrastructure with ease. This means you don’t have to worry about friction, such as CAPTCHAs,or any ongoing maintenance. Instead, the solution can be integrated with ease, which is what you want when you are looking for the ideal bot mitigation solution. Kasada is effective from the very first request, with long-lasting efficacy and little to zero maintenance.
The impact on customers
It is also important to consider how your bot detection solution will impact your customer and user experience. Anti-bot solutions that are based on contextual and historical data, such as analysis of known behaviors and static IP addresses, tend to blacklist and block IP addresses with poor results. This yields unacceptable amount of false positives and negatives, which will have a negative impact on the user experience.
Kasada is a cloud-based service, which can be implemented in minutes and does not require extensive maintenance. Our service makes bots do the hard work, rather than human users, and so you do not need to worry about user experience being negatively impacted as all defenses are invisible to humans.
Analytics and insights
Aside from the points mentioned so far, it also makes sense to look for a platform that has powerful analytical capabilities. You should be able to view, drill down, and assess all of the different areas of your traffic, including humans, bad bots, and good bots. Clean analytics are essential for online businesses to interpret their metrics and marketing campaigns. Plus, the only way you are going to be able to effectively protect your company from scalper bots is if you understand customers, reconnaissance, and the sort of attacks that are happening. Understand your online business performance and stop flying blind with an effective solution in place. Reporting only the bots that have been blocked is inadequate to truly understand your data in order to make business decisions.
It also makes sense to find out what level of support is going to be available if you choose to leverage the service in question. Will there be someone on hand to answer your queries if you run into any sort of trouble when using the software? Can they work with you as you see fit, i.e. via phone calls, Slack, or Microsoft Team? It’s important that the provider seamlessly integrates into your business’ way of working. Kasada provides 24/7/365 support, and we pride ourselves in being an extension of your team, collaborating in any way that makes the most sense for your organization.
Final words on scalper bots and how to prevent scalping
So there you have it: everything that you need to know about scalping and the use of scalper bots. (At least for now, as this space is moving fast!) We hope that this has helped you to get a better understanding of the different types of scalper bots that are used and the methods companies are implementing to try and prevent scalping.
One of the best things to do is to team with an experienced and reputable anti-bot solution and team that can protect your business from scalping and other forms of malicious automation.
To find out whether your website can effectively detect and stop bad bots, run our free, instant test today! Your customized results will tell you whether your site can detect automation from a range of methods, including headless browsers and fake Google bots, as well as an analysis of what the results mean for your site’s security.