Grinch bots hijack all kinds of holiday shopping, from gift cards to hype drop sales

Kasada research finds that all-in-one bots are fooling cyberdefenses and automating the checkout process to snap up in-demand goods.


Image: Shutterstock/Wooly the Creative Sheep

All-in-one Grinch bots are working overtime this holiday season, using automation to drain gift cards and scoop up limited quantities of in-demand products. The Kasada Threat Intelligence Team identified these bad-bot trends during the online holiday shopping season, based on data from the company's e-commerce customers.

Bot operators make a profit by stealing gift cards or by purchasing and reselling in-demand items like sneakers or electronics.

"The bot operators use techniques that mimic humans and attempt to exploit and bypass the anti-bot code executed on the client-side on public devices," said Sam Crowther, founder and CEO of Kasada.

The analysis identified these activity patterns:

  • 4x increase in automated online gift card lookup attempts
  • 10x increase in malicious login attempts via credential stuffing
  • Discovery of a new and more efficient all-in-one bot often used during hype drop sales
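The first two patterns above, gift card balance lookups and credential stuffing, leave a distinctive trail in ordinary access logs: one source making many login attempts that mostly fail, or one source checking the balance of many different card numbers. The script below is an added illustration of that server-side detection and is not Kasada's code or the analysis behind its figures. The log format, the paths /api/login and /giftcard/balance, the card query parameter and the thresholds are all assumptions, and the log lines are constructed for the example.

```python
"""Flag credential stuffing and gift card enumeration in access logs.

Added example, not Kasada's tooling. Log format, endpoint paths, the
"card" query parameter and all thresholds are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real traffic). Assumed format:
# ip ident user [timestamp] "METHOD path HTTP/x" status "user-agent"
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2021:10:00:01 +0000] "POST /api/login HTTP/1.1" 401 "python-requests/2.26.0"
203.0.113.7 - - [20/Dec/2021:10:00:01 +0000] "POST /api/login HTTP/1.1" 401 "python-requests/2.26.0"
203.0.113.7 - - [20/Dec/2021:10:00:02 +0000] "POST /api/login HTTP/1.1" 401 "python-requests/2.26.0"
203.0.113.7 - - [20/Dec/2021:10:00:02 +0000] "POST /api/login HTTP/1.1" 401 "python-requests/2.26.0"
203.0.113.7 - - [20/Dec/2021:10:00:03 +0000] "POST /api/login HTTP/1.1" 200 "python-requests/2.26.0"
203.0.113.7 - - [20/Dec/2021:10:00:03 +0000] "POST /api/login HTTP/1.1" 401 "python-requests/2.26.0"
198.51.100.23 - - [20/Dec/2021:10:01:10 +0000] "GET /giftcard/balance?card=6012000000000001 HTTP/1.1" 200 "Mozilla/5.0"
198.51.100.23 - - [20/Dec/2021:10:01:10 +0000] "GET /giftcard/balance?card=6012000000000002 HTTP/1.1" 200 "Mozilla/5.0"
198.51.100.23 - - [20/Dec/2021:10:01:11 +0000] "GET /giftcard/balance?card=6012000000000003 HTTP/1.1" 200 "Mozilla/5.0"
198.51.100.23 - - [20/Dec/2021:10:01:11 +0000] "GET /giftcard/balance?card=6012000000000004 HTTP/1.1" 200 "Mozilla/5.0"
198.51.100.23 - - [20/Dec/2021:10:01:12 +0000] "GET /giftcard/balance?card=6012000000000005 HTTP/1.1" 200 "Mozilla/5.0"
192.0.2.55 - - [20/Dec/2021:10:02:00 +0000] "POST /api/login HTTP/1.1" 401 "Mozilla/5.0"
192.0.2.55 - - [20/Dec/2021:10:02:05 +0000] "POST /api/login HTTP/1.1" 200 "Mozilla/5.0"
192.0.2.55 - - [20/Dec/2021:10:02:30 +0000] "GET /giftcard/balance?card=6012000000000099 HTTP/1.1" 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

LOGIN_PATH = "/api/login"          # assumed login endpoint
CARD_PATH = "/giftcard/balance"    # assumed balance-lookup endpoint


def parse_lines(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def detect(lines, min_login_failures=5, min_failure_ratio=0.8, min_distinct_cards=4):
    """Return {ip: [finding, ...]} for sources that look like stuffing or enumeration.

    Credential stuffing: many login failures AND a high failure ratio, so a
    legitimate user who mistypes a password twice is not flagged.
    Gift card enumeration: many DISTINCT card numbers queried by one source;
    a real customer re-checking one card does not trip it.
    """
    login_attempts = defaultdict(int)
    login_failures = defaultdict(int)
    cards_seen = defaultdict(set)

    for r in parse_lines(lines):
        url = urlsplit(r["path"])
        if r["method"] == "POST" and url.path == LOGIN_PATH:
            login_attempts[r["ip"]] += 1
            if r["status"] in ("401", "403"):
                login_failures[r["ip"]] += 1
        elif r["method"] == "GET" and url.path == CARD_PATH:
            for card in parse_qs(url.query).get("card", []):
                cards_seen[r["ip"]].add(card)

    findings = defaultdict(list)
    for ip, attempts in login_attempts.items():
        failures = login_failures[ip]
        if failures >= min_login_failures and failures / attempts >= min_failure_ratio:
            findings[ip].append(("credential_stuffing", failures, attempts))
    for ip, cards in cards_seen.items():
        if len(cards) >= min_distinct_cards:
            findings[ip].append(("gift_card_enumeration", len(cards)))
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, hits)
```

On the sample, 203.0.113.7 is flagged for credential stuffing (5 failures out of 6 attempts) and 198.51.100.23 for enumerating five distinct card numbers, while 192.0.2.55, a customer who mistyped once and checked one card, is not. The limitation is the one the article's later section points at: aggregating by source IP only works until the operator rotates through residential proxies, at which point each IP sees a handful of requests and never crosses a threshold. That is the gap client-side signals are meant to close.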

Hype drops are special sales of high-demand and limited-edition goods released at a specific time and day. The all-in-one Grinch bots automate the scanning and checkout process for these items.


Bad actors are also using all-in-one bots to snap up non-fungible tokens (NFTs), based on Kasada's threat intelligence.

"By using these bots, buyers are increasing their likelihood of obtaining digital collectables where the resale markup often is extraordinarily higher than sneakers," Crowther said.

Using a zero-trust strategy

Crowther said his company's use of a zero-trust approach to bot detection is one reason the Kasada platform has been successful.

"Each request Kasada processes is assumed guilty until it can prove its innocence," he said. "This is in sharp contrast to the first generation of anti-bot systems that apply rules and risk scores while allowing bots to infiltrate a customer's infrastructure in search of bad behavior."

Incidents such as the Sunburst supply-chain compromise of SolarWinds and the Log4j vulnerability highlight the need for zero-trust architectures, he said. Crowther expects to see the adoption of zero-trust architectures accelerate in 2022.

"Most large enterprises now understand the benefits of a zero-trust architecture, but have a journey ahead of them to apply the principles across their attack surface," he said.

Defeating bots with client-side detection

Kasada's defense strategy, as Crowther describes it, aims to recognize the fake data bots present in their requests and to take away their ability to make a quick profit.

"Kasada defenses strike back by making automated attacks too expensive to conduct while frustrating the attacker by making it very difficult for them to understand the advanced detection methods in use," he said.

Defending online retailers against these bots is similar for gift card theft and hype drop sales, but the latter requires scale and instantaneous response.

"It requires being able to scale-up by more than 100x while the entire sale usually takes no more than a couple of minutes," he said. "A company's defenses must be able to respond instantly, whereas some of the other acts of fraud aren't as time sensitive."

The only way to detect bad bots from the first request, including new ones never seen before, is by identifying them client-side before bots are ever allowed to enter an online merchant's infrastructure, according to Crowther. This requires expertise in detecting automated interactions with websites, mobile apps and APIs.

"Many of Kasada's detections are based on our understanding of the out-of-the-box and customized tools that bot operators use for their bots," he said.

Kasada collects data from billions of bot interactions on customer sites to understand bot tactics and combines that intelligence with machine learning algorithms to implement new detections within seconds.

"Companies need both to be most effective — client-side detections combined with server-side learning," he said.


By Veronica Combs

Veronica Combs is a senior writer at TechRepublic. For more than 10 years, she has covered technology, healthcare, and business strategy. In addition to her writing and editing expertise, she has managed small and large teams at startups and establis...