
Don’t let Grinch bots put coal in your stocking



From a cybersecurity perspective, there were two newsworthy events at the end of 2021: the Log4j zero-day exploit and the widespread use of Grinch bots. While the former is hopefully resolved, even if it is still being felt by security teams, the latter does not have an easy fix. To make matters even more difficult, we expect an increase in the number of bots impacting both the online shopping experience and retail organizations from the start of 2023. Ultimately, it will take an industry-wide effort to combat these bots and bring the fun back to virtual shopping.

Like its namesake, a Grinch bot actively works to steal gifts from under the noses of Christmas shoppers. Grinch bots are designed to quickly buy products online as soon as they are available. These bots are often created to buy a product that is on sale and then sell it for a profit. The advantage of using a bot to make these purchases is that it can move faster than human customers, allowing full stocks of a product to be picked up in seconds.

However, these Grinch bots and other bot attacks don’t just harm consumers. Think about it: if a bot is programmed to select a product’s store inventory and choose the store pick-up option, and never actually picks up or pays for the product, the store inventory will be frozen. And when a bot makes fraudulent purchases, the brands still have to pay the credit card transaction fees, potentially resulting in the removal of a brand from point-of-sale platforms. Transaction costs and frozen inventories can both be crippling for brands and their ability to do business.

Bots aren’t going away any time soon

Ultimately, bots damage the customer experience and brand reputation. A recent study even showed that for 97% of organizations, bot attacks impacted customer satisfaction. In one particularly egregious example, a popular shoe brand found that 97% of the traffic for an online sale was bots. Needless to say, the majority of human customers have likely had a negative shopping experience because of this. Consumers now expect a seamless, level playing field when it comes to online shopping. As supply chains continue to be under pressure, replenishing stocks that have fallen victim to bot attacks can become costly and time consuming.


This has become such an important issue that the US Congress even stepped in and issued a “Stop Grinch bots Action” to try and contain these bots. While the law is not yet passed, brands can still take steps to thwart the bots, improve the customer experience and protect inventory from cybercriminals. Bot traffic increased 106% year-over-year in 2021. It’s time for the retail industry to take action.

Application developers should consider bots during the development process. Retailers need to be aware of the threat of bots and protect their brand and their customers. Security professionals should limit access to their sites to real customers.

Defending against bot attacks is all about context

One way cybercriminals use bots to attack organizations is by targeting the APIs that power many online transactions. In a recent study, 60% of brands reported bots targeting their APIs in early 2022. That’s up from 46% in 2021. Often, adversaries use bots as part of their reconnaissance efforts to identify vulnerabilities, especially with APIs.

API weaknesses typically expose more business logic and therefore more data, including personally identifiable information (PII). Attackers use bots in this phase because they allow them to quickly explore, collect information, and test things while being less likely to be noticed.

As attackers increasingly try to outsmart security controls, defending against bot attacks can be difficult. For example, for organizations that only do business in certain regions, geo-blocking is a standard security check: you simply block all IP addresses that come from a location where you don’t do business. Today, however, attackers use botnets consisting of thousands of IP addresses, which can bypass geo-blocking. When they realize that something is being blocked (i.e. user agents, payloads or IP addresses from certain countries, continents or regions), they simply edit their attack traffic.

Modern solutions for modern bots

Attempts to block bots can end up as a game of “whack-a-mole”. The result is that real human customers are prevented from accessing the site, making purchases, or having a positive experience. This is obviously not a sustainable business practice. So brands must look for modern solutions to today’s complex bot problems.

An important method to mitigate the bot threat is to get context. Not every bot attack is overt. Often attackers go “low and slow” to stay below the detection threshold and not trigger defense mechanisms that could block them. However, getting historical context helps security teams identify patterns and suspicious behavior to better protect against bots.
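The contrast between a short detection window and historical context, as an added example that is not part of the original article: a per-minute rate limit and a long-window check are run over the same constructed request log. The client names, paths and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_sample_log():
    """Constructed sample log of (epoch_seconds, client, path); not real traffic."""
    log = []
    # Human shopper: a handful of irregularly spaced page views.
    for t in (5, 9, 40, 47, 130, 300, 310, 900):
        log.append((t, "client-human", "/product/42"))
    # Low-and-slow bot: one inventory check about every 45 s for three hours,
    # with a little jitter so the spacing is not perfectly constant.
    for i, t in enumerate(range(0, 3 * 3600, 45)):
        log.append((t + i % 3, "client-bot", "/api/inventory/42"))
    return sorted(log)

def per_minute_flags(log, limit=10):
    """Short-window rate limit: clients with more than `limit` requests in any minute."""
    buckets = defaultdict(int)
    for ts, client, _ in log:
        buckets[(client, ts // 60)] += 1
    return {client for (client, _), n in buckets.items() if n > limit}

def historical_flags(log, min_requests=100, max_cv=0.1):
    """Long-window view: sustained volume at near-constant spacing suggests automation."""
    times = defaultdict(list)
    for ts, client, _ in log:
        times[client].append(ts)
    flagged = {}
    for client, ts_list in times.items():
        if len(ts_list) < min_requests:
            continue  # too little history to judge
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        # Coefficient of variation of inter-arrival gaps: humans are bursty (high),
        # schedulers are regular (low).
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged[client] = (len(ts_list), round(cv, 3))
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("per-minute rate limit flags:", per_minute_flags(log))
    print("historical context flags:  ", historical_flags(log))
```

The bot never exceeds two requests in any minute, so the rate limit stays silent, while three hours of history expose its volume and regular cadence.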

Regardless of your method of protection, if your organization has yet to do this, now is the time to get serious about preparing for the deluge of holiday shoppers. Taking action now can make the difference between ensuring your customer experience remains positive and making your customers feel like they have a lump of coal in their inventory.

Neil Weitzel is SOC manager at ThreatX
