Inventory hoarding or denial is when a user selects and holds an item in a basket that is usually, limited in availability. Because that stock is held in a basket, it becomes unavailable for others to purchase.
Denial of inventory is a common practice on eCommerce websites, where automated bots are programmed to take items out of circulation by adding them to the user’s basket. Often, the threat actor has no intention of completing the checkout process but, is actively preventing legitimate customers from purchasing the item.
What motivates denial of inventory attacks?
There are a variety of motivating factors for denial of inventory attacks, including:
- Making money – threat actors are commonly driven by the profitability of an action, and acquiring inventory is a fairly low risk, high yield opportunity to make some hard and fast cash
- Defeating the competition – denial of inventory can be used to send customers from a competitor website directly to your own. And, if they believe you are the only vendor with availability, it’s an opportunity to charge a premium for in-demand items
- Disrupting availability – denial of inventory attacks can be used to make an application unusable as part of an application-layer denial of service attack
Denial of inventory in practice
Bots are used to hoard inventory in various areas of the travel industry. For instance, bots are programmed to carry out a flight reservation up until the point of payment. At this point, the seat is reserved for up to 20 minutes and real customers perceive there to be no availability. While the seat is being “hoarded”, the threat actor is attempting to sell the seat for a profit.
If they don’t get a buyer, the seat drops out of their basket and becomes available once again. At which point a new bot can pick up that available stock and repeat the process until the inventory is successfully sold.
How to prevent denial of inventory
Netacea’s revolutionary approach to bot management empowers businesses with control over automated bot traffic, with the ability to detect bots and block malicious traffic in real-time.
Collaborating with an expert bot management vendor that specialises in analysing intent and identifying patterns in user behaviour, ensures you understand what constitutes normal in the unique context of your traffic environment to quickly detect and block bad bots.