Retailers, How Much of Your Holiday Traffic is Actually Human?

It’s the most wonderful time of the year… for bots. But which ones are naughty, which are nice? While the holiday season is the busiest for retailers, another group is also at its most active — bad bots. 

For the past few years, bots have been at their highest level and have surpassed human-generated internet traffic. Although some bots are good, such as search engine crawlers, many are malicious and break into apps, scrape unauthorized information and hoard popular or limited-edition items for resale at premium prices on secondary markets. Others takeover customer accounts, steal loyalty points, and commit gift card and credit card fraud. Today’s bots are more sophisticated at mimicking human behaviors, including bypassing CAPCHAs. 

Common Attacks

Here are a few of the more common bot attacks facing retailers:

• Credential Stuffing and Account Takeovers (ATO):  These happen when hackers obtain login credentials from third party breaches and use them to gain access to a user’s account.
• Web scraping: the practice of extracting data from websites (competitors and grey market resellers can use this practice to efficiently undercut pricing and inventory).
• Pricing scraping: Also by competitors who want to automatically adjust & match their offers.
• Credential theft: Stealing a victim’s proof of identity.
• Vulnerability identification:  Using bots to identify weaknesses in a website.
• Ad Fraud: Using bots to generate false click-through and impression data.
• Denial of Service (Dos/DDoS): Flooding a website with an overwhelming number of requests, to force it offline.

Our Findings

In order to better predict bot-behavior for the 2019 holiday season, we analyzed the 2018 November-December bot data from our network as well as current malicious bot intelligence to provide deeper insight as to what to expect for the 2019 holiday shopping season. 

Here’s what we found:

• While it appears that internet traffic is at its annual high during the prep days before Black Friday/Cyber Monday, 37% of that traffic is comprised of bots, not holiday shoppers. 
• Bad bots are at their highest level a few days prior to Black Friday/Cyber Monday, representing 96.6% of total traffic to retailers’ login pages. This indicates that bot masters are using this time as preparation days before the surge in customer shopping.

• During the prep days, Account Takeover (ATOs) and credential stuffing (bots using stolen credentials to hijack customer accounts) are the most common. Before stolen credentials can be used in other type of attacks, hackers need to verify credentials on retailers’ login pages.

• After Black Friday, there is an uptick in price scraping, denial of inventory, payment fraud, and marketing fraud bots.

• Normally, human-to-bad bot ratio on login pages tends to be about 2:1, but on prep days prior to Black Friday/Cyber Monday the ratio is more like 1:20.

• AdFraud begins to uptick the week prior to Black Friday and peaks on Cyber Monday, remaining above normal until the Christmas holiday.