Scalper bots – also known as scalping bots – use automated methods to secure goods, such as event tickets that are bought in bulk, and complete the checkout process in a fraction of the time it would take any legitimate user.
The attackers, known as scalpers, use automated software to ‘sit’ at the front of the queue and buy thousands of tickets from the moment they go on sale.
Scalping is a well-known technique in the ticketing industry, where the purchased tickets are resold later at a profit by the scalpers/touts. This can also lead to a type of user denial of inventory, since the goods or services become unavailable.
When scalpers purchase limited-availability goods or tickets for resale elsewhere, negative public opinion can become associated with the targeted brands.
Types of Scalper Bots
There are a number of different types of bots that can be used to carry out online scalping. These include pre-botting, form-filling, auto-refreshers and API scrapers:
- A pre-bot is a script that can be run automatically to visit multiple sites at the same time, and it is used to set up an account before the official on-sale date for a popular event. Then, when the tickets go on sale, the pre-bot will be ready and waiting with valid credit card information in order to get as many tickets as possible.
- Form fillers are scripts that “harvest” web pages (usually registration forms) which ask users for information such as names, addresses and credit card numbers. This data is then saved by the bot for future use, so that once one of these bots has been identified as a “valid” user, it will be able to proceed quickly through the checkout process without having to retype information.
- Auto-refreshers are scripts that automatically call a website every few minutes in order to refresh the page and check if tickets have gone on sale. If they have, the script will use any credit card details previously saved by the form filler, enabling it to buy them before other users can do so. Since this method is often used in conjunction with form fillers, it is possible for multiple purchases to be made from one bot over a period of several hours or days, depending on how frequently the website refreshes its ticket inventory.
- API scrapers are bots which extract data exposed through an application programming interface (API). These scripts enable automated access to many different functions across websites and applications, and can carry out a variety of tasks automatically, from programmatically sending messages through Facebook to checking in on Foursquare. Since they often do not need human input or interaction, API scrapers can be used to purchase goods or services automatically on websites with minimal effort.
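From the defender's side, the auto-refresher behaviour described above leaves a recognisable trace in server logs: repeated requests to the on-sale page at near-constant intervals. The Python below is an added example, not code from the original page; the log tuple layout, the `client_id` key, the path and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (unix_seconds, client_id, path).
# client_id is an assumed server-side key (e.g. session cookie or IP + user agent).
SAMPLE_LOG = (
    [(1000 + 120 * i, "client-a", "/event/42/tickets") for i in range(8)]  # every 120 s
    + [(t, "client-b", "/event/42/tickets")                                # human-like, irregular
       for t in (1003, 1090, 1610, 1655, 2900, 3400)]
    + [(1000 + 120 * i, "client-c", "/help") for i in range(8)]            # regular, other page
)

def find_auto_refreshers(log, watched_path, min_requests=6, max_cv=0.05):
    """Return {client_id: mean_interval_seconds} for clients whose requests
    to watched_path arrive at near-constant intervals."""
    times = defaultdict(list)
    for ts, client, path in log:
        if path == watched_path:
            times[client].append(ts)

    flagged = {}
    for client, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps: a burst, not periodic polling
        # Coefficient of variation: near 0 means a timer, not a person.
        if pstdev(gaps) / avg <= max_cv:
            flagged[client] = avg
    return flagged

if __name__ == "__main__":
    print(find_auto_refreshers(SAMPLE_LOG, "/event/42/tickets"))
```

Interval regularity is one signal among several: a bot that adds random jitter to its timer will pass this check, so it is best combined with other server-side signals.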
The Goal of Scalper Bots
Scalper bots are designed to fill in the information required for the purchase process, such as credit card details and billing address, so that the attacker completes the checkout process in a fraction of the time it would take any legitimate user.
More sophisticated scalper bots are able to bypass the CAPTCHA and other security measures that are in place.
They are also programmed with software scripts to increase their chances of success while they purchase tickets from online vendors like Ticketmaster or Live Nation, using automated techniques such as scraping pages for content or following web links.
By continuously guessing until a positive response is received by the website, scalper bots often circumvent any limit on ticket purchases set by the vendor. They can fill out hundreds of credit card numbers at one time, something that would be virtually impossible for any human being to do manually and without any errors.
Is Scalping Illegal?
Scalper bots are illegal in some countries because they prevent fair and equal access to goods for consumers who want to purchase them.
No human being can compete with the speed at which scalping bots execute their transactions, so it is difficult or even impossible for people without these tools to buy tickets in bulk before attackers have already snatched up all inventory. Scalpers often try to resell high-value tickets at inflated prices on secondary markets.
As of July 5th 2019, the UK has banned the use of ticket scalping bots and other scalper bots, imposing “unlimited” fines on anyone caught breaking the law.
How to Stop Scalper Bots
In order to prevent the use of scalping bots, organizations may take steps such as limiting ticket purchases to one or two per person and implementing time limits on transactions. They also might decide not to put tickets for high-demand events in automatic checkout systems that allow speedy purchasing with a credit card.
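A per-person limit only holds if it is enforced on attributes a person shares across accounts, since a bot can register many accounts. The Python below is an added example, not code from the original page; the order fields, the choice of card and delivery address as identity keys, and the in-memory store are assumptions.

```python
import hashlib
import hmac
import re
from collections import defaultdict

SECRET = b"constructed-demo-key"  # assumption: real key comes from a secret store
MAX_PER_PERSON = 2                # the "one or two per person" limit

def fingerprint(kind, value):
    """Keyed hash, so raw card numbers and addresses are never stored."""
    return kind + ":" + hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def identity_keys(order):
    """Keys that tie an order to a person, whichever account placed it."""
    card = re.sub(r"\D", "", order["card"])                    # digits only
    addr = re.sub(r"[^a-z0-9]", "", order["address"].lower())  # ignore case/punctuation
    return [fingerprint("card", card), fingerprint("addr", addr)]

class PurchaseLimiter:
    def __init__(self, limit=MAX_PER_PERSON):
        self.limit = limit
        self.sold = defaultdict(int)  # (event_id, identity key) -> tickets sold

    def try_purchase(self, order):
        keys = [(order["event"], k) for k in identity_keys(order)]
        # Refuse if ANY shared attribute would exceed the limit.
        if any(self.sold[k] + order["qty"] > self.limit for k in keys):
            return False
        for k in keys:
            self.sold[k] += order["qty"]
        return True

# Constructed orders; the card numbers are well-known test numbers.
SAMPLE_ORDERS = [
    {"account": "alice", "event": 42, "qty": 2, "card": "4111 1111 1111 1111", "address": "1 High St, Leeds"},
    {"account": "bob", "event": 42, "qty": 1, "card": "4111-1111-1111-1111", "address": "9 Mill Lane, York"},
    {"account": "carol", "event": 42, "qty": 2, "card": "5555 5555 5555 4444", "address": "1 HIGH ST., LEEDS"},
    {"account": "dave", "event": 42, "qty": 1, "card": "4000 0566 5566 5556", "address": "3 Park Rd, Hull"},
]

def run_demo():
    limiter = PurchaseLimiter()
    return [limiter.try_purchase(o) for o in SAMPLE_ORDERS]

if __name__ == "__main__":
    print(run_demo())
```

The second order is refused because it reuses the first order's card under a new account, and the third because it ships to the same address written differently.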
Retailers are battling scalpers with a variety of measures, including not informing customers about upcoming sales weeks in advance and blocking the checkout process with security filters.
Monitoring for bot activity is a difficult task because of how quickly these programs can work and their ability to operate from different IP addresses all over the world.
However, there are certain red flags that indicate when you might be dealing with a scalping bot:
- Internet connection speed slowing down sharply after clicking buy tickets
- Not being able to use your mouse cursor during online purchases
- Long wait times between steps completing transactions – especially if it’s going through many pages
Some online shopping and auction sites have developed systems to prevent scalpers from using their scripts efficiently. For example, to stop scalper bots from exploiting unsold concert tickets before they can reach ticket holders, Ticketmaster developed Verified Fan technology, which gives fans who have registered and followed instructions ahead of time first-hand access to tickets when they are made available online or through mobile devices.
What is the Best Way to Protect Your Business From Scalpers?
The only foolproof method is using server-side bot management software.
Server-side bot management software will prevent bots from accessing your website, and will give you access to advanced analytics that you can use to see the real number of legitimate users who visit and interact with your site.
Frequently Asked Questions about Scalper Bots
How do you stop a scalper bot?
There are several effective methods for preventing a scalper bot from accessing your website. These include using server-side bot management software, placing a CAPTCHA on every page of your website, and ensuring that cookies are enabled in browsers to prevent the use of multiple accounts by one person.
How are scalper bots built?
Most scalper bots are coded in programming languages like Python or PHP and run on a variety of operating systems, which often means they can be adapted to work on different devices such as smartphones.
Is there any way to see if my business has been attacked by scalper bots?
The best way to determine whether your business has been attacked by a scalper bot is to use server-side bot management software. This will allow you to see who recently visited your website and what they did when they were there, as well as time spent on each page of the site.
Who makes scalper bots?
Scalper bots are made by a variety of different independent builders, who have identified a need in the market for online scalping software and designed a program to fill that role.
How much does it cost to build a scalper bot?
The cost of building a scalper bot varies greatly based on what is required for the project. Developers will charge different rates depending on their experience and the type of work involved in the design or modification of an existing program. The most effective programs can easily cost thousands of dollars each in their initial development costs alone.
How can you monitor your website for the presence of scalper bots?
The best way to monitor your website is to use server-side bot management software. This will allow you to see who recently visited your site and what they did when they were there, as well as time spent on each page of the site.
What differentiates scalper bots from standard bots?
In basic terms, scalper bots have been developed using tactics and methods normally associated with malware writers/criminals: breaking into systems and attacking vulnerable network segments for personal gain via fraud or theft of goods/data etc. The main difference is the objective; instead of interfering with networks at a central level, scalper bots focus on attacking specific servers and resources such as ticketing sites or ticket vendors.