The eCommerce Manager's Guide to Bot Protection
Published: 28/11/2023


  • Alex McConnell, Cybersecurity Content Specialist

14 minutes read

Are you an eCommerce Manager who keeps being asked about bot visitors by security and fraud teams? You’re not alone: bot attacks such as scalping, scraping and account takeover cut across multiple business functions, and everyone has a role in stopping bad bots.

It’s time to up your bot knowledge and do your part in mitigating these attacks. Here’s what you need to know.

What is a bot and how do bots affect eCommerce?

A bot is an automated program that performs actions on the internet. In many cases, bots do what a human can do, but faster and in far greater volumes than a person could manage. Many bots can even adapt their behavior autonomously, or use AI, to handle different scenarios, appear more “human” and evade defenses.

Whether or not bots are “good” or “bad” depends on the intent of those who create and use them, and your business almost certainly benefits from bots in some way. Googlebot crawls your web pages and ensures they rank in search results, boosting organic traffic and sales. Chatbots reduce customer support call volumes and improve UX. Affiliate crawlers drive traffic to your site from partners and aggregators.

In contrast, bad bots are often seen as a security concern, as their actions can lead to data breaches and fraud. However, unlike typical security concerns such as Magecart attacks, cross-site scripting or malware, bots don’t exploit a flaw in your code. They target your business logic: they use your site’s features exactly as designed, just not as intended.

Take credential stuffing as an example. Most eCommerce sites offer a customer account section, which needs a login page. Attackers can easily obtain username and password combinations leaked from other sites and try them against any login page to check whether a user has recycled their password across multiple sites, using bots to automate the process thousands of times a second. When they get a hit, they can take over that account.

Customers logging into accounts are unlikely to raise any alarms within traditional security tools as nothing has been “hacked”, but a highly damaging attack has still occurred.

Thankfully, specialist bot protection solutions exist to detect malicious automated behavior, distinguish it from real traffic and filter it out.

Why should bot protection be on the radar of eCommerce Managers?

An eCommerce Manager should care about bots because they can directly affect sales. Bots can cause customer frustration, drive up support call volume and damage brand. They can give your competitors an advantage over you and help undercut your prices, or drive customer traffic from your site to theirs. Bot traffic can even overload your webstore and cause outages.

Read on in our eCommerce Manager’s Guide to Bot Protection to find out how bots are impacting your operations and what you can do about it.

How do bots negatively impact eCommerce operations?

To get full definitions of each bot attack, we recommend exploring the BLADE Framework – a free online resource cataloguing the stages, techniques and tactics that make up business logic attacks. You can also visit the glossary on this website for more information.

Here are the main bot attack types that any eCommerce Manager needs to be aware of:

Price scraping

Scraping is the act of visiting a web resource and collecting data from it to store and use elsewhere. As the name suggests, price scraping specifically targets pricing information for products. Competitors use price scraping bots to constantly keep up to date with how you price similar or identical products they also sell and use this intelligence to set their own prices, often automatically undercutting you slightly. Customers who price check your site against competitors are likely to go with the cheapest option.

Price scraping is a constant drain on your server resources. During busy times price scraping traffic could be enough to tip your capacity over the edge and slow down or crash your site. You also don’t want to spend money scaling up your infrastructure just to serve traffic to unwanted scrapers.

Risks: Website crashes, lost revenue

Content scraping

Like price scraping, content scraping is a continual nuisance. Content such as product images and descriptions is collected and reused elsewhere without your permission. This could infringe your intellectual property and lead search engines to penalize the duplicated content. Scammers could even use scraped content to clone your listings and sell fake products, or to build phishing sites.

Scraping is also a precursor to other bot attacks, as bots do reconnaissance to facilitate scalping, sniping and many other threats.

Risks: Website crashes, weakened SEO, vulnerability to future attacks

Scalping

Scalper bots buy products from your website in high volumes automatically, typically targeting low supply, high demand items. They usually start by scraping product pages, then automatically add items to their cart and checkout as soon as the product becomes available. Scalpers aim to buy as much stock as possible, so the items become scarce, forcing consumers to buy from them at inflated prices on secondary markets.

Consumers are acutely aware that bots are snatching these items, with 47% saying bots have stopped them obtaining desired goods. Scalper bots cause brand damage to your site, frustrate suppliers who expect their products to go direct to consumers, and create a huge risk of website outages at the busiest times – when new items are released.

Risks: Website crashes, customer complaints, damaged brand, frustrated suppliers

Inventory hoarding & spinning

Like scalper bots, spinner bots place items in their basket automatically – but they don’t check out. Sometimes they automatically place a listing for the item on a secondary marketplace, wait until they receive an order, then complete the original purchase. Other times they will indefinitely “spin” the item – keep it active in their basket – to prevent other customers from adding it to their own baskets, in a process called inventory hoarding.

Inventory hoarding pushes customers to competitors and causes unnecessary restocks once spinner bots eventually release the items from their baskets.

Risks: Website crashes, unnecessary restocks, customer complaints, damaged brand

Sniping

Another variant of a scalper bot, sniper bots take advantage of time-sensitive events to beat humans to the punch. A bot can be programmed to react at a millisecond’s notice to an auction ending and put just the right bid in to win the sale, for example.

This is an unfair advantage when securing limited stock items and is likely to frustrate your customers and discourage them from coming back to you for future sales.

Risks: Customer complaints, damaged brand

Fake account creation

Bots automatically create new user accounts, either using stolen or randomly generated personal information. These accounts may lie dormant or be “warmed up” by doing basic actions to appear as legitimate, before being used for another attack later. Fake account signups can also be misinterpreted as authentic by your eCommerce and marketing teams within campaign reporting data, leading to a misspent marketing budget.

Fake accounts could be used to bypass “one per customer” buying limits on specific products, test stolen card details or undertake card cracking attacks, perform refund fraud, or amass welcome offers (free trial, 10% off, free shipping, free gifts etc.) that are then sold cheaply on the dark web in bulk.

Risks: Skewed reporting, fraud, vulnerability to future attacks
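The “one per customer” limit is a good illustration of why fake accounts are a business logic problem rather than a code flaw. The following Python is an added example, not Netacea’s code or anything from this page: it contrasts a limit counted on the account id, which one fake account per extra unit defeats, with one counted on the delivery address (normalized so re-spellings collapse), the payment instrument and the device. The order fields, the normalization rules, the limit and every sample order are assumptions made for illustration.

```python
"""'One per customer' enforcement: account-keyed vs identity-keyed limits.

Added example, not Netacea's code. Address normalization rules, the order
fields and all sample orders are assumptions for illustration.
"""
import re
from collections import defaultdict

ABBREVIATIONS = {"street": "st", "road": "rd", "avenue": "ave"}
UNIT_WORDS = r"\b(apartment|apt|unit|suite|ste|flat)\b\.?\s*"


def normalize_address(addr):
    """Fold case, punctuation, unit-word spelling and street abbreviations so
    the same door cannot be written five ways to look like five customers."""
    a = addr.lower()
    for word, short in ABBREVIATIONS.items():
        a = re.sub(rf"\b{word}\b", short, a)
    a = re.sub(UNIT_WORDS, "#", a)          # "Apt 3", "apartment 3", "#3" -> "#3"
    a = re.sub(r"[^a-z0-9#]+", " ", a)      # drop commas, dots, odd spacing
    return " ".join(a.split())


# Constructed orders for one limited-drop SKU. Orders 1-4 are one operator
# behind four fake accounts re-spelling the same address; order 5 is a
# different, genuine customer. All values are invented.
ORDERS = [
    {"account_id": "acct-1001", "ship_to": "12 High Street, Apt 3, Manchester M1 1AA",
     "payment_token": "tok_9a1", "device_id": "dev-77"},
    {"account_id": "acct-1002", "ship_to": "12 HIGH STREET, apartment 3, Manchester, M1 1AA",
     "payment_token": "tok_9a1", "device_id": "dev-77"},
    {"account_id": "acct-1003", "ship_to": "12 High St #3 Manchester M1 1AA",
     "payment_token": "tok_c4e", "device_id": "dev-77"},
    {"account_id": "acct-1004", "ship_to": "12 high street apt. 3 manchester m1 1aa",
     "payment_token": "tok_d5f", "device_id": "dev-81"},
    {"account_id": "acct-2001", "ship_to": "4 Mill Lane, Leeds LS1 4AB",
     "payment_token": "tok_b22", "device_id": "dev-12"},
]


class AccountKeyedLimit:
    """Limit counted per account id only: one fake account per extra unit."""

    def __init__(self, limit=1):
        self.limit = limit
        self.count = defaultdict(int)

    def allow(self, order):
        key = order["account_id"]
        if self.count[key] >= self.limit:
            return False
        self.count[key] += 1
        return True


class IdentityKeyedLimit:
    """Limit counted on every channel the goods or money must pass through:
    account, normalized delivery address, payment instrument and device."""

    def __init__(self, limit=1):
        self.limit = limit
        self.count = defaultdict(int)

    @staticmethod
    def keys(order):
        return [
            ("acct", order["account_id"]),
            ("ship", normalize_address(order["ship_to"])),
            ("pay", order["payment_token"]),
            ("dev", order["device_id"]),
        ]

    def allow(self, order):
        keys = self.keys(order)
        if any(self.count[k] >= self.limit for k in keys):
            return False
        for k in keys:
            self.count[k] += 1
        return True


def run(limiter, orders=ORDERS):
    """Apply the limiter to the orders in sequence; True means accepted."""
    return [limiter.allow(o) for o in orders]
```

Keying on shared fulfilment attributes stops the sample operator at the second order, but it will also stop two genuine customers in one household, so treat a hit as a reason to hold the order for review rather than to decline it outright, and choose the keys per drop.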

Raffle bots

To combat the bots that are dominating hype sale events, many sneaker retailers and ticketing sites now operate raffle systems to fairly distribute opportunities to buy limited stock items. But this isn’t a silver bullet to stopping bots accessing your sales.

In response, some scalper bots have added raffle modules. Raffle bots operate in the same way as fake account creation bots to obtain lots of virtual raffle tickets, maximizing their chances of winning opportunities to buy as much stock as possible. These items or tickets are then resold for profit.

Risks: Damaged brand, skewed reporting, fraud, customer complaints, frustrated suppliers

Freebie bots

Freebie bots operate in the same way as scalper bots, except that they target discounted or mispriced items. Rather than buying limited edition stock to resell at an inflated price, freebie bots look for something that is already discounted and sell it on at its normal retail price to make a profit.

Freebie bots scrape web stores looking for sudden reductions in price, or items with abnormally low prices caused by errors. For example, you might accidentally publish a product page with a placeholder price, at which point a freebie bot could automatically add this to their cart, checkout and have it fulfilled by your delivery partner before you even realize what happened.

Risks: Lost inventory, lost profit margins

Credential stuffing

The volume of leaked credentials available for criminals to download, paired with the common propensity for users to recycle passwords across different websites, makes credential stuffing a simple but very effective attack. Bots simply feed enormous lists of known credentials leaked from other sites into your login page to validate which password combinations work.

From there they can sell the validated credentials to other criminals or take over the accounts themselves, exfiltrating sensitive data, stealing loyalty points or using the accounts for other attacks.

Multifactor authentication (MFA or 2FA) can help slow attackers down but is not infallible against determined threat actors.

Risks: Fraud, customer complaints, damaged brand, vulnerability to future attacks
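Both the credential stuffing walkthrough earlier on this page and this section describe the same signature: one source trying many different usernames, most of them failing. The Python below is an added example, not Netacea’s code or anything from this page, that runs that check over login events. The log format, the thresholds, the use of the user-agent string as a second grouping key to catch proxy rotation, and all addresses, accounts and user agents are assumptions for illustration.

```python
"""Credential-stuffing detection over login logs.

Added example, not Netacea's code. The log format, thresholds and all
addresses, accounts and user agents are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: ISO timestamp, client IP, username, result, user agent.
# 203.0.113.7 is a single-source campaign, 198.51.100.20 a human retrying
# their own password, 192.0.2.x the same campaign behind rotating proxies.
SAMPLE_LOG = """\
2023-11-28T10:00:00Z 203.0.113.7 alice@example.com FAIL Mozilla/5.0 (X11; Linux x86_64) Chrome/118.0
2023-11-28T10:00:01Z 203.0.113.7 bob@example.com FAIL Mozilla/5.0 (X11; Linux x86_64) Chrome/118.0
2023-11-28T10:00:01Z 203.0.113.7 carol@example.com FAIL Mozilla/5.0 (X11; Linux x86_64) Chrome/118.0
2023-11-28T10:00:02Z 203.0.113.7 dave@example.com OK Mozilla/5.0 (X11; Linux x86_64) Chrome/118.0
2023-11-28T10:00:02Z 203.0.113.7 erin@example.com FAIL Mozilla/5.0 (X11; Linux x86_64) Chrome/118.0
2023-11-28T10:00:03Z 203.0.113.7 frank@example.com FAIL Mozilla/5.0 (X11; Linux x86_64) Chrome/118.0
2023-11-28T10:00:05Z 198.51.100.20 alice@example.com FAIL Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1
2023-11-28T10:00:19Z 198.51.100.20 alice@example.com OK Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1
2023-11-28T10:01:00Z 192.0.2.11 grace@example.com FAIL python-requests/2.31.0
2023-11-28T10:01:00Z 192.0.2.12 heidi@example.com FAIL python-requests/2.31.0
2023-11-28T10:01:01Z 192.0.2.13 ivan@example.com FAIL python-requests/2.31.0
2023-11-28T10:01:01Z 192.0.2.14 judy@example.com FAIL python-requests/2.31.0
2023-11-28T10:01:02Z 192.0.2.15 mallory@example.com OK python-requests/2.31.0
2023-11-28T10:01:02Z 192.0.2.16 oscar@example.com FAIL python-requests/2.31.0
"""

MIN_DISTINCT_USERS = 5   # a human retries their own account, not five others
MIN_FAILURE_RATIO = 0.7  # leaked lists are mostly stale, so most attempts fail


def parse_log(text):
    """Yield (timestamp, ip, username, succeeded, user_agent) per log line."""
    for line in text.splitlines():
        ts, ip, user, result, ua = line.split(maxsplit=4)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "OK", ua


def profile(events, key):
    """Aggregate attempts, failures and distinct usernames under key(event)."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for event in events:
        _, _, user, ok, _ = event
        s = stats[key(event)]
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
        s["users"].add(user)
    return stats


def flag_stuffing(stats):
    """Keys whose traffic shows many distinct usernames with a high failure rate."""
    return sorted(
        k for k, s in stats.items()
        if len(s["users"]) >= MIN_DISTINCT_USERS
        and s["fails"] / s["attempts"] >= MIN_FAILURE_RATIO
    )


def detect(log_text=SAMPLE_LOG):
    """Return (flagged IPs, flagged user agents, accounts that got a successful
    login from flagged traffic and therefore need a forced reset)."""
    events = list(parse_log(log_text))
    by_ip = flag_stuffing(profile(events, key=lambda e: e[1]))
    # Rotating proxies defeat the per-IP view; a second, coarser key (here the
    # user-agent string, a weak stand-in for a TLS or device fingerprint) still
    # groups the campaign. A shared UA alone is not evidence, which is why the
    # distinct-user and failure-ratio conditions stay in place.
    by_ua = flag_stuffing(profile(events, key=lambda e: e[4]))
    hit_accounts = sorted({
        user for _, ip, user, ok, ua in events
        if ok and (ip in by_ip or ua in by_ua)
    })
    return by_ip, by_ua, hit_accounts


if __name__ == "__main__":
    ips, uas, hits = detect()
    print("flagged IPs:", ips)
    print("flagged user agents:", uas)
    print("accounts to reset:", hits)
```

The rotating-proxy campaign (192.0.2.x) never trips the per-IP rule, which is why the second grouping exists; in production you would key on something the client cannot change as cheaply as a header, and you would reset or step up authentication on the accounts that logged in successfully from flagged traffic.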

Account takeover

Commonly achieved by credential stuffing, as well as means like phishing or man-in-the-middle attacks, account takeover (ATO) is an extremely harmful attack affecting both your customers and your eCommerce business.

With access to a customer’s account, an attacker can exfiltrate personal information and potentially steal their identity. They can act upon external services linked to the account. Attackers can access digital content stored within the account and resell these elsewhere. They can use the account to test stolen credit cards by adding them as payment options. They could even make purchases with saved payment details or loyalty points and divert deliveries at a later stage to obtain goods.

Risks: GDPR fines, fraud, customer complaints, damaged brand, vulnerability to future attacks

Loyalty point abuse

Another consequence of account takeover is criminals gain access to accrued loyalty points. These are often transferred to another account and sold on the dark web, or used to purchase products that are easy to shift for a quick profit.

Customers are also unlikely to check their loyalty points balance often, but will be upset if they later find their points have been stolen. Ironically, this type of incident can cause a drop in customer loyalty if not handled delicately, and it uses up customer service call time and resource. Your business might also lose out twice on an item bought with stolen points: once for the cost of the item, and again to restore the legitimate customer’s points balance.

Risks: Fraud, customer complaints, damaged brand, point chargebacks

Card cracking

Your payment portal is the perfect place for criminals to test out batches of stolen full or partial credit card details. Using bots to automate the process, they will add cards to accounts or make small purchases to validate card details so they can sell these on or use them themselves.

Once the rightful card owner realizes what has happened and the charge is reversed, your store pays the chargeback fees. A sudden high volume of declined payment attempts on your checkout is also likely to flag your store with the payment gateway provider, who may block your store, disrupting legitimate payments. You may also incur charges per transaction attempt, even when the card details were invalid.

Card cracking gangs are highly organized and often operate outside of the jurisdiction of their targets, for example in Russia. They use advanced tools to evade detection and bypass defenses. Read our four-part series on Russian card cracking gangs for more information.

Risks: Fraud, transaction costs, damaged payment gateway relationships, chargebacks, customer complaints, damaged brand
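Card testing leaves a distinctive trace at the gateway: one session cycling through several different cards within minutes. This Python is an added example, not Netacea’s code or anything from this page, showing a sliding-window check over authorization attempts and the follow-up action a practitioner wants, voiding approved test charges before they settle and turn into chargebacks. The event format, the window, the threshold and all sessions, tokens and amounts are assumptions for illustration.

```python
"""Card-testing (card cracking) detection over checkout authorization attempts.

Added example, not Netacea's code. The event format, window and threshold
are assumptions; all sessions, tokens and amounts are invented.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, session id, card token (never the PAN), amount, result.
# s-a1 cycles five cards at 0.99 each; s-b2 retries one card after a typo;
# s-c3 switches to a second card once, which is normal shopper behaviour.
SAMPLE_AUTHS = """\
2023-11-28T14:00:00Z s-a1 tok_1111 0.99 DECLINED
2023-11-28T14:00:04Z s-a1 tok_2222 0.99 DECLINED
2023-11-28T14:00:09Z s-a1 tok_3333 0.99 APPROVED
2023-11-28T14:00:13Z s-a1 tok_4444 0.99 DECLINED
2023-11-28T14:00:17Z s-a1 tok_5555 0.99 APPROVED
2023-11-28T14:05:00Z s-b2 tok_6666 54.00 DECLINED
2023-11-28T14:05:40Z s-b2 tok_6666 54.00 APPROVED
2023-11-28T14:20:00Z s-c3 tok_7777 120.00 DECLINED
2023-11-28T14:21:00Z s-c3 tok_8888 120.00 APPROVED
"""

WINDOW = timedelta(minutes=10)
MAX_DISTINCT_CARDS = 3  # a shopper fixing a typo uses one card, maybe a second


def parse_auths(text):
    """Yield (timestamp, session, token, amount, result) per line."""
    for line in text.splitlines():
        ts, session, token, amount, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), session, token, float(amount), result


def detect_card_testing(text=SAMPLE_AUTHS):
    """Sliding window per session: flag once it has used MAX_DISTINCT_CARDS
    different cards inside WINDOW. Approved authorizations from a flagged
    session are returned so they can be voided before settlement, which is
    far cheaper than the chargeback that follows later. The amount is carried
    through because tiny charges are the other tell the text describes; it is
    not used as a rule here."""
    recent = defaultdict(deque)  # session -> (ts, token, result) within WINDOW
    flagged = set()
    to_void = []
    for ts, session, token, amount, result in parse_auths(text):
        window = recent[session]
        window.append((ts, token, result))
        while ts - window[0][0] > WINDOW:
            window.popleft()
        if len({tok for _, tok, _ in window}) >= MAX_DISTINCT_CARDS:
            flagged.add(session)
        if session in flagged:
            for _, tok, res in window:
                if res == "APPROVED" and tok not in to_void:
                    to_void.append(tok)
    return sorted(flagged), to_void


if __name__ == "__main__":
    sessions, voids = detect_card_testing()
    print("card-testing sessions:", sessions)
    print("approved auths to void:", voids)
```

Only s-a1 is flagged; the retry in s-b2 and the second card in s-c3 stay under the threshold. The two approved tokens from s-a1 are the charges that would otherwise come back as chargebacks once the cardholders notice.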

Gift card fraud

Few eCommerce sites protect their gift card balance checkers as stringently as their bank card payments, and consumers rarely check their gift card balances. Bots can automate requests to the balance checker service to brute force codes and find ones that are live and still loaded.

Once a working gift card code has been discovered, the attacker can either use it themselves or sell the balance at a discount to others on the dark web. This attack has a double impact when the legitimate owner of the gift card attempts to spend their balance, which will be long gone – leading to frustration and customer service calls.

Risks: Fraud, customer complaints, damaged brand
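The gift card balance checker is the oracle this attack depends on. The Python below is an added example, not Netacea’s code or anything from this page: it puts a checker that answers on the card number alone beside one that requires the PIN, answers identically for an unknown code, a wrong PIN and a locked card, budgets failures per source, and locks the card after repeated wrong PINs so that rotating source addresses does not reopen the oracle. The code format, PIN length, balances, limits and source addresses are assumptions for illustration.

```python
"""Gift card balance checker: enumerable oracle vs hardened lookup.

Added example, not Netacea's code. Card numbers, PINs, balances, limits and
the source-rotation model are assumptions for illustration.
"""
import hmac
from collections import defaultdict

# Constructed card store: code -> (PIN, balance). One live card sits inside
# the range of candidates an attacker sweeps below.
LIVE_CODE = "6073 1200 4410 8831"
CARDS = {LIVE_CODE: ("4417", 50.00)}
CANDIDATES = [f"6073 1200 4410 {n:04d}" for n in range(8800, 8900)]


class VulnerableChecker:
    """Lookup keyed on the code alone, no limits: a yes/no oracle over the code space."""

    def lookup(self, source, code, pin=None):
        card = CARDS.get(code)
        return card[1] if card else None


class HardenedChecker:
    """Requires the PIN, answers the same way for unknown code, wrong PIN and
    locked card, budgets failures per source, and locks a card after repeated
    wrong PINs so that rotating sources does not reopen the oracle."""

    MAX_FAILS_PER_SOURCE = 5
    MAX_PIN_FAILS_PER_CODE = 3

    def __init__(self):
        self.source_fails = defaultdict(int)
        self.code_fails = defaultdict(int)

    def lookup(self, source, code, pin=None):
        if self.source_fails[source] >= self.MAX_FAILS_PER_SOURCE:
            return None  # budget spent: indistinguishable from a miss
        card = CARDS.get(code)
        ok = (
            card is not None
            and pin is not None
            and self.code_fails[code] < self.MAX_PIN_FAILS_PER_CODE
            and hmac.compare_digest(card[0], pin)
        )
        if not ok:
            self.source_fails[source] += 1
            if card is not None:           # count PIN failures only for real cards
                self.code_fails[code] += 1
            return None
        return card[1]


def enumerate_codes(checker, candidates=CANDIDATES, pin=None, rotate_sources=False):
    """Sweep the candidate codes; return those that revealed a balance."""
    found = []
    for i, code in enumerate(candidates):
        source = f"198.51.100.{i % 200}" if rotate_sources else "198.51.100.1"
        if checker.lookup(source, code, pin) is not None:
            found.append(code)
    return found


def brute_force_pin(checker, code=LIVE_CODE):
    """Try every 4-digit PIN from rotating sources; return the PIN that worked."""
    for i in range(10000):
        pin = f"{i:04d}"
        if checker.lookup(f"203.0.113.{i % 250}", code, pin) is not None:
            return pin
    return None
```

Run the two sweeps against each checker: the vulnerable one gives up the live code after 31 misses, the hardened one gives up nothing even from rotating sources, and a PIN brute force locks the card after three tries while the real owner with the right PIN still gets a balance. The per-code lock is the part that matters once the attacker has more addresses than you have budget.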

Skewed analytics

Data is king to any eCommerce Manager, but the reality is that we can only make good decisions with good data. Web logs polluted with artificial traffic from bots carrying out any of the above attacks are not good data.

How can you make the right decisions on marketing, merchandising or UX with bot traffic in the mix? Your data is likely to be skewed by bots acting as though human.

Risks: Misspent PPC budget, misinformed campaign planning, misled UX decisions, incorrect forecasting
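Before a conversion rate means anything, the bot sessions have to come out of the denominator. The Python below is an added example, not Netacea’s code or anything from this page: it builds a small access log, classifies sessions on three signals a server-side integration can see without any client-side JavaScript (no static asset loads, a long run of page requests, sub-second spacing) and computes the conversion rate with and without the bot sessions. The log format, the signals, the thresholds and every session are assumptions for illustration.

```python
"""Separate bot sessions from human ones before computing conversion rate.

Added example, not Netacea's code. The log format, the three server-side
signals and their thresholds, and every session in the sample are
assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

BASE = datetime(2023, 11, 28, 9, 0, tzinfo=timezone.utc)


def _line(offset_s, session, path):
    """One constructed access-log line: ISO timestamp, session id, path."""
    return f"{(BASE + timedelta(seconds=offset_s)).isoformat()} {session} {path}"


# Two human sessions (page views interleaved with the static assets a browser
# fetches, seconds to minutes apart) and eight scraper sessions (a dozen
# product pages each, 200 ms apart, no assets at all). All values invented.
HUMAN_LINES = [
    _line(0, "h1", "/product/123"), _line(0.4, "h1", "/static/app.js"),
    _line(0.9, "h1", "/static/hero.jpg"), _line(45, "h1", "/product/456"),
    _line(46, "h1", "/static/hero2.jpg"), _line(130, "h1", "/cart/add"),
    _line(210, "h1", "/checkout/complete"),
    _line(0, "h2", "/product/789"), _line(0.5, "h2", "/static/app.js"),
    _line(80, "h2", "/product/790"),
]
BOT_LINES = [
    _line(i * 0.2, f"b{n}", f"/product/{1000 + i}")
    for n in range(1, 9) for i in range(12)
]
SAMPLE_ACCESS = "\n".join(HUMAN_LINES + BOT_LINES)


def session_features(text):
    """Per session: request timestamps, asset and page counts, conversion flag."""
    feats = defaultdict(lambda: {"ts": [], "assets": 0, "pages": 0, "converted": False})
    for line in text.splitlines():
        ts, sid, path = line.split()
        f = feats[sid]
        f["ts"].append(datetime.fromisoformat(ts))
        if path.startswith("/static/"):
            f["assets"] += 1
        else:
            f["pages"] += 1
        if path == "/checkout/complete":
            f["converted"] = True
    return feats


def is_bot(f):
    """Server-side signals only: no asset loads, a long run of page requests,
    sub-second median spacing between requests."""
    ts = sorted(f["ts"])
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return f["assets"] == 0 and f["pages"] >= 10 and bool(gaps) and median(gaps) < 1.0


def conversion_rates(text=SAMPLE_ACCESS):
    """Return (bot sessions, raw conversion rate, rate with bots removed)."""
    feats = session_features(text)
    bots = sorted(s for s, f in feats.items() if is_bot(f))
    humans = [f for s, f in feats.items() if s not in bots]
    raw = sum(f["converted"] for f in feats.values()) / len(feats)
    clean = sum(f["converted"] for f in humans) / len(humans)
    return bots, raw, clean


if __name__ == "__main__":
    bots, raw, clean = conversion_rates()
    print(f"bot sessions: {bots}")
    print(f"conversion rate raw {raw:.0%}, without bots {clean:.0%}")
```

Eight scrapers turn a 50% conversion rate into a reported 10%; a PPC bid or merchandising decision made on the raw figure is made on the scrapers’ behaviour, not the customers’.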

What can eCommerce Managers do to influence bot protection?

Given the wide-reaching serious impact of bots on eCommerce performance, it’s only right that you as eCommerce Manager make your voice heard across the business about bot attack prevention. You should find support for the cause within your security, fraud and infrastructure teams, who have their own bot-induced headaches.

When assessing solutions, it’s important to set your requirements, as not all bot protection tools operate in the same way. Differences in implementation, technologies and approach can have a huge impact on your eCommerce team and operations.

Client-side bot protection vs. server-side bot protection for eCommerce

Consider the impact the tool will have on your platform and development roadmap. Many bot management tools are agent based, meaning they rely on client-side JavaScript and SDKs to detect bots. The bad news is that this adds complexity when deploying bot protection to multiple sites and when re-platforming, so this is worth keeping in mind if you operate across different countries or have major development on your roadmap.

Client-side bot protection is also vulnerable to being bypassed by sophisticated bots, as its code is visible for all to see and easy for motivated bot developers to decipher.

By contrast, Netacea Bot Management integrates on the server side, with no reliance on agents or client-side code. This makes our bot protection invisible to attackers, so they can’t reverse engineer our defenses.

Server-side bot protection is also much less complex to deploy across multiple websites, mobile apps and APIs, and doesn’t get in the way of any code or platform changes you make. In most cases Netacea links directly with our customer’s CDN, or even their Magento or Salesforce Commerce Cloud platform.

Protecting your UX

As important as it is to block bad bots from accessing your sites, it’s equally important to not block genuine customers. Any interference with UX not only affects conversion rates and revenue, but also wastes time and resources spent optimizing user experience.

Some bot protection tools are either too aggressive or not accurate enough to keep false positive rates low, meaning they mitigate real customers as well as bots in order to prevent potential attacks.

This could mean a hard block, leading to customer frustration reflected in social media complaints and calls to customer service, or unnecessary CAPTCHA challenges. A CAPTCHA should only be used as a validation step when the bot protection solution is already confident the visitor is a bot. Netacea can adapt mitigation techniques to your preferences and boasts a 0.001% false positive rate.

Take your next step to effective bot protection

Do you have a bot protection solution in place to cover all the threats that apply to your eCommerce operations?

Get yourself into the bot protection conversation within your business by reading the Bot Management Buyer’s Guide for Retailers or talking to us about starting a free trial of Netacea. We offer offline proof of value engagements to quickly assess how many bots you’re missing and the impact blocking them will have.
