Retailers, How Much of Your Holiday Traffic is Actually Human?


It’s the most wonderful time of the year… for bots. But which ones are naughty, which are nice? While the holiday season is the busiest for retailers, another group is also at its most active — bad bots. 

For the past few years, bots have been at their highest level and have surpassed human-generated internet traffic. Although some bots are good, such as search engine crawlers, many are malicious: they break into apps, scrape unauthorized information and hoard popular or limited-edition items for resale at premium prices on secondary markets. Others take over customer accounts, steal loyalty points, and commit gift card and credit card fraud. Today’s bots are more sophisticated at mimicking human behaviors, including bypassing CAPTCHAs.

Common Attacks

Here are a few of the more common bot attacks facing retailers:

  • Credential stuffing and account takeovers (ATO): These happen when hackers obtain login credentials from third-party breaches and use them to gain access to a user’s account.
  • Web scraping: Extracting data from websites (competitors and grey market resellers can use this practice to efficiently undercut pricing and inventory).
  • Price scraping: Also used by competitors, who want to automatically adjust and match their offers.
  • Credential theft: Stealing a victim’s proof of identity.
  • Vulnerability identification: Using bots to identify weaknesses in a website.
  • Ad fraud: Using bots to generate false click-through and impression data.
  • Denial of Service (DoS/DDoS): Flooding a website with an overwhelming number of requests to force it offline.

Our Findings

To better predict bot behavior for the 2019 holiday shopping season, we analyzed the November-December 2018 bot data from our network, along with current malicious bot intelligence.

Here’s what we found:

  • While it appears that internet traffic is at its annual high during the prep days before Black Friday/Cyber Monday, 37% of that traffic consists of bots, not holiday shoppers.
  • Bad bots are at their highest level a few days prior to Black Friday/Cyber Monday, representing 96.6% of total traffic to retailers’ login pages. This indicates that bot masters are using this time as preparation days before the surge in customer shopping.
[Figure: 2018 Comparison Between Total Hits and Bot Hits]
  • During the prep days, account takeovers (ATOs) and credential stuffing (bots using stolen credentials to hijack customer accounts) are the most common attacks. Before stolen credentials can be used in other types of attacks, hackers need to verify them on retailers’ login pages.
[Figure: Account Takeover (attack on login pages before the event)]
  • After Black Friday, there is an uptick in price scraping, denial of inventory, payment fraud, and marketing fraud bots.
[Figure: Scraping on Product & Category Pages – Black Friday]
  • Normally, the human-to-bad-bot ratio on login pages tends to be about 2:1, but on prep days prior to Black Friday/Cyber Monday the ratio is more like 1:20.
[Figure: Overall Traffic Variation During November]
  • Ad fraud begins to tick up the week prior to Black Friday and peaks on Cyber Monday, remaining above normal until the Christmas holiday.
[Figure: Ad Fraud trends during November 2018]
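
A retailer can track the login-page ratio described above from its own authentication logs. The sketch below is an added example, not Radware's detection method: it flags sources that try many distinct usernames and mostly fail (the credential-verification pattern), then reports human versus suspected-bot hits per day. The event layout, the thresholds, the dates and all sample data are constructed assumptions, and bots that spread attempts across many addresses would need additional signals.

```python
from collections import defaultdict

def build_sample():
    """Constructed login-page events: (day, source_ip, username, success)."""
    ev = []
    for i in range(12):   # ordinary day: 12 shoppers, one login each
        ev.append(("2018-11-05", f"198.51.100.{i}", f"shopper{i}", True))
    for i in range(6):    # ordinary day: one source cycling 6 usernames
        ev.append(("2018-11-05", "203.0.113.9", f"leaked{i}", False))
    for i in range(3):    # prep day: 3 shoppers
        ev.append(("2018-11-20", f"198.51.100.{i}", f"shopper{i}", True))
    for src in range(3):  # prep day: 3 sources, 20 usernames each, 1 hit
        for i in range(20):
            ev.append(("2018-11-20", f"203.0.113.{src}", f"leaked{src}_{i}", i == 0))
    return ev

def suspected_sources(events, min_attempts=5, min_users=5, max_success=0.2):
    """Flag (day, ip) pairs that try many distinct usernames and mostly fail.
    Thresholds are illustrative assumptions, not tuned values."""
    stats = defaultdict(lambda: {"n": 0, "ok": 0, "users": set()})
    for day, ip, user, ok in events:
        s = stats[(day, ip)]
        s["n"] += 1
        s["ok"] += int(ok)
        s["users"].add(user)
    return {k for k, s in stats.items()
            if s["n"] >= min_attempts and len(s["users"]) >= min_users
            and s["ok"] / s["n"] <= max_success}

def daily_login_ratio(events, suspects):
    """Return {day: (human_hits, suspected_bot_hits)} for the login page."""
    counts = defaultdict(lambda: [0, 0])
    for day, ip, _user, _ok in events:
        counts[day][1 if (day, ip) in suspects else 0] += 1
    return {day: tuple(c) for day, c in counts.items()}

if __name__ == "__main__":
    events = build_sample()
    ratio = daily_login_ratio(events, suspected_sources(events))
    for day, (human, bot) in sorted(ratio.items()):
        print(f"{day}: human={human} bot={bot} ({bot / (human + bot):.1%} bot)")
```

A sharp swing in the per-day ratio ahead of a sales event is the signal to tighten login-page controls such as rate limits, step-up authentication, or breached-password checks.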

Radware