By Kasada Research Team and Brad LaPorte, Chief Evangelist at Kasada
How good are you at spotting a fake? Would you bet a dollar? How about several hundred dollars? This is essentially what online shopping has become: a tricky bet determined by a roll of the dice.
Counterfeit goods cost the global economy over $300 billion USD a year, and this cost is increasing as brick-and-mortar stores move to digital storefronts. What’s worse is that web scraping enables fraudulent online stores to look identical to the real thing. Enticed by last-minute fire sales and steep discounts, a hungry buyer just can’t resist adding these bargain items to their shopping cart.
Story Time: How Fraudsters Used Bots to Scrape Content and Deplete Inventory
~Time to pull up a chair and grab some popcorn because you are going to enjoy this one~
A high-end luxury brand was continually targeted by various fraudster groups for several years after their e-commerce website launched. They experienced persistent bot issues: 1) fraudsters from China were scraping their website to sell knock-offs of their product, and 2) bots were depleting inventory for this company’s most in-demand special edition merchandise during their busiest season.
These web scraping fraudsters secured multiple website domain names that were similar to the real domain (e.g. domain.outlet.com) and presented the same exact merchandise as the real site. They were also running paid ads to the counterfeit websites so they appeared legitimate and ranked high on search engines.
To entice shoppers to swiftly purchase this fake merch, they significantly reduced the prices as part of a ‘big sale.’ Unsuspecting buyers purchased rip-offs from the fraudulent website and received counterfeit products.
Counterfeit goods hurt legitimate retailers on multiple fronts. First, retailers miss out on revenue from the initial purchase. Second, the reputation of their brand is negatively impacted, which can lead to buyers not coming back or becoming fearful of making future purchases. In some cases, the legitimate retailer is forced to compensate the purchaser to maintain their business and make the situation ‘right.’
Below is a simplified workflow of how this process works from start to finish. The tools needed to leverage malicious automation to scrape a legitimate website require very little time and not much skill. While selling the fake merchandise as original is illegal, web scraping is still technically legal.
This counterfeit operation continued for many months before the retailer contacted Kasada. Kasada was able to immediately stop the web scrapers and inventory hoarders by accurately detecting and stopping the malicious bots. Without the ability to clone the retailer’s data, the fraudsters could no longer make their digital storefront appear legitimate. Since implementing Kasada, this customer has also addressed the inventory grabbing concerns caused by “sneakerbots” that rushed in to purchase limited-edition, in-demand merchandise.
Let’s Take A Closer Look
Web Scraping Evidence
During the first several weeks, Kasada blocked 8,153 unique IPs over 21,489 requests originating from Chinanet and 2,221 unique IPs over 4,838 requests originating from China Unicom.
The vast majority of all the requests from unique IPs belonging to these two Chinese telecommunications providers occurred at the exact same hour every day (8:00pm EST, GMT-5), which indicates that a single outfit was conducting the automated traffic.
Inventory Grabbing Evidence
Next, a large spike in requests for men’s products started on the 16th of December and ended abruptly on the 31st of December.
Spikes showing automated traffic increases in both men’s and women’s products (e.g. 2nd of December, 9th of December) represent bots attempting to scrape the retailer’s entire inventory catalog, whereas the spikes focusing only on men’s products are likely targeted scraping attempts. A very popular and expensive item was targeted 69% of the time, which indicates inventory hoarding schemes in addition to the counterfeit operation that was detected.
The cost of a dedicated server from Chinanet/China Unicom with 1 IP address is roughly $30 USD per month. This equates to roughly $150,000 a month in server hosting costs being used by this botting group. Their botting schemes must be hugely profitable to justify such high operating costs.
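As an added illustration (not code from the post or from Kasada’s product), the short Python script below applies the two signals described in the evidence above to a constructed access log: how concentrated each source network’s requests are in a single local hour, and how concentrated they are on a single product path. The log lines, network labels (`chinanet`, `residential`) and thresholds are invented for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample access log (not data from the case in the post).
# Fields: UTC timestamp, client network resolved from the source IP, request path.
# Note: 20:00 EST (UTC-5) is 01:00 UTC on the following day.
SAMPLE_LOG = """\
2020-12-02T01:03:10Z chinanet /products/mens/jacket-se
2020-12-02T01:04:55Z chinanet /products/womens/scarf
2020-12-03T01:02:01Z chinanet /products/mens/jacket-se
2020-12-03T01:02:30Z chinanet /products/mens/jacket-se
2020-12-04T01:01:44Z chinanet /products/mens/jacket-se
2020-12-04T14:20:00Z chinanet /products/mens/belt
2020-12-02T13:15:02Z residential /products/womens/scarf
2020-12-02T17:48:33Z residential /products/mens/jacket-se
2020-12-03T02:11:09Z residential /products/mens/belt
2020-12-04T09:05:00Z residential /products/mens/jacket-se
"""
EST = timezone(timedelta(hours=-5))

def parse_log(text):
    """Yield (local EST datetime, network, path) for each log line."""
    for line in text.splitlines():
        stamp, network, path = line.split()
        utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield utc.astimezone(EST), network, path

def busiest_hour_share(events):
    """Per network: (busiest local hour, share of its requests in that hour).
    A share near 1.0 means the traffic fires at the same hour every day, the
    scheduled-job signature described in the post, not organic shopping."""
    hours = defaultdict(Counter)
    for local, network, _ in events:
        hours[network][local.hour] += 1
    return {n: (c.most_common(1)[0][0], round(max(c.values()) / sum(c.values()), 2))
            for n, c in hours.items()}

def top_item_share(events, network):
    """Share of one network's requests that hit a single product path."""
    paths = Counter(p for _, n, p in events if n == network)
    path, count = paths.most_common(1)[0]
    return path, round(count / sum(paths.values()), 2)

def flag_networks(text, hour_threshold=0.8, item_threshold=0.6):
    """Networks whose timing or single-item concentration crosses a threshold."""
    events = list(parse_log(text))
    flagged = {}
    for network, (hour, share) in busiest_hour_share(events).items():
        item, item_share = top_item_share(events, network)
        if share >= hour_threshold or item_share >= item_threshold:
            flagged[network] = (hour, share, item, item_share)
    return flagged
```

Run against real logs, the same two ratios give a quick triage view per ASN before any per-request fingerprinting is applied.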
How to Stop Bots and Malicious Automation for Good
This example of a single, easy-to-access scraper bot (in this case, repurposing existing tools like Shellphish in Kali Linux) demonstrates the enormous challenge security teams face in keeping up with the evolving bad bot landscape in retail and many other industries.
Web scraping is difficult to defend against, as it only takes 1-2 GET requests for bots to get the info they need. The current de facto approach of outdated bot mitigation requires letting legitimate-looking requests through, identifying suspicious behavior, and only then stopping them from further action. By then, it’s typically too late to avert web scraping and other automated attacks.
This highlights the need to protect against bots on the very first web request, including those that have never been seen before. Kasada applies a zero trust philosophy to detecting bots, meaning sophisticated bots never have an opportunity to enter your infrastructure. This approach massively decreases your risk and provides the highest degree of accuracy and long-term efficacy in a simple-to-use manner with essentially no maintenance. All without having to constantly tune and add rules based on data from the past.
Request a Threat Briefing
Request a no-obligation threat briefing to learn how to accurately stop bot operators who use malicious automation to work around your existing web and mobile defenses. We will demonstrate our unique approach to stopping sophisticated bot attacks that others can’t.