Uncovered: Little-known scalper tactics beyond bots
By Alex McConnell / 26th May 2021
Scalpers are becoming increasingly sophisticated, not just in their use of advanced bots, but also in less obvious ways to get a hold of their desired goods.
Here at Netacea we are dedicated to preventing fraud by monitoring, identifying and stopping malicious bots in their tracks.
We are so steadfast in this goal that we have even created a MITRE ATT&CK style framework that defines automated attack kill chains – NetBLADE (Netacea Business Logic Attack Definition).
However, within our framework there are tactics used by adversaries, bad actors and criminals which extend beyond bots and even traditional cybercrime.
In this blog post, we lift the lid on some of the most brazen and surprising strategies.
Lesser-known scalper tactics: All for one, none for all
We have previously written about the “modus operandi” of scalpers: using automated scripts to buy up all the stock on a retail site before human users get the chance, allowing for profitable resales on secondary markets.
A common defence employed by retailers against scalpers is to enforce “one per customer” rules, especially on limited edition stock like PS5s.
Scalpers, however, are not so easily deterred, and have found sneaky ways around such restrictions.
An obvious workaround for “one per customer” policies is to fabricate fake identities and order the desired item repeatedly, each under a new alias.
This can be as simple as making up fake names, or as sophisticated as verifying an identity with single-use email addresses (using services like Temp Mail and Guerrilla Mail), or even using pay-as-you-go so-called burner phones as per the baddies from popular BBC series Line of Duty.
In some cases, a retailer will not accept duplicate orders to the same address and will verify this using regular expression (regex) matching of previous orders for particular items. GAME promised to scrutinize PS5 orders before dispatch, to prevent duplicate orders made by scalpers.
Jigging is one way around such policies. We’re not talking about an Irish dance; this sub-technique was developed by the sneakerbot community and involves making subtle changes to the address in ways that will fool automated systems into thinking they are unique whilst still being deliverable to their intended destination.
For example, alternate or incorrect spellings of street names, adding additional and sometimes nonsensical address lines, or even adding randomized codes into the address will bypass “one per address” rules. A human delivery driver will simply ignore these or assume they are errors and deliver them as normal to the scalper.
This scalper sub-technique is not as sinister as it sounds – most scalpers are not hijacking delivery vans for PS5s to resell. Instead, they are bypassing “one per address” rules by entering different addresses from their real intended destination at the checkout stage. Once they receive confirmation that their order is out for delivery, they contact the courier (usually a separate company to the retailer) and amend the delivery address back to their actual location.
PO box obfuscation
PO boxes might seem “old fashioned,” but they are actually growing in popularity, especially with scalpers.
Amazon lockers, DPD drop boxes and other safe delivery locations allow scalpers to order multiple copies of a restricted quantity item without jigging or creating fake addresses. They also provide a “safety net” for adversaries who get caught out, as the drop box is unconnected to their own address.
DDoS plus API exploitation
There’s nothing new about DDoS (dedicated denial of service) attacks, but this tactic can be exploited by scalpers as a way to prevent even other scalpers from getting hold of inventory.
If an adversary can access a checkout API that sits in a different system to the website’s front end, all they need to do is DDoS that front-end website before making their purchases via the checkout API. By locking others out of the buying process, they will have easy pickings of limited availability stock, although the retailer might find these purchases suspicious if they are paying close enough attention.
Gain visibility of malicious activity
Netacea’s industry-leading bot management technology is augmented by our cutting-edge Threat Research team, who infiltrate adversary groups and stay up to speed with the latest tactics and tools of this illegitimate trade.
Find out about NetBLADE, our MITRE ATT&CK style framework capturing all automated bot threats and their life cycle, in a live webinar featuring Forrester Principal Analyst Sandy Carielli on Wednesday 16th June at 4pm (BST).