Inventory hoarding or denial is when a user selects and holds an item in a basket that is usually, limited in availability. Because that stock is held in a basket, it becomes unavailable for others to purchase.
Denial of inventory is a common practice on eCommerce websites, where automated bots are programmed to take items out of circulation by adding them to the user’s basket. Often, the threat actor has no intention of completing the checkout process but, is actively preventing legitimate customers from purchasing the item.
What motivates denial of inventory attacks?
There are a variety of motivating factors for denial of inventory attacks, including:
- Making money – threat actors are commonly driven by the profitability of action, and acquiring inventory is a fairly low risk, high yield opportunity to make some hard and fast cash
- Defeating the competition – denial of inventory can be used to send customers from a competitor website directly to your own. And, if they believe you are the only vendor with availability, it’s an opportunity to charge a premium for in-demand items
- Disrupting availability – denial of inventory attacks can be used to make an application unusable as part of an application-layer denial of service attack
Denial of inventory in practice
Bots are used to hoard inventory in various areas of the travel industry. For instance, bots are programmed to carry out a flight reservation up until the point of payment. At this point, the seat is reserved for up to 20 minutes and real customers perceive there to be no availability. While the seat is being “hoarded”, the threat actor is attempting to sell the seat for a profit.
If they don’t get a buyer, the seat drops out of their basket and becomes available once again. At which point a new bot can pick up that available stock and repeat the process until the inventory is successfully sold.
How to prevent denial of inventory
Netacea’s revolutionary approach to bot management empowers businesses with control over automated bot traffic, with the ability to detect bots and block malicious traffic in real-time.
Collaborating with an expert bot management vendor that specialises in analysing intent and identifying patterns in user behaviour, ensures you understand what constitutes normal in the unique context of your traffic environment to quickly detect and block bad bots.
Frequently asked questions about denial of inventory
What is the effect of denying inventory?
Denial of inventory attacks can result in customers experiencing problems with availability, and lead to fewer sales. It’s important that you take steps to make sure no bots are accessing your eCommerce website or application unless they have a legitimate need to do so.
How does an attacker maliciously deny inventory?
Bots can be programmed to carry out denial of inventory attacks by using up stock until there is none left. This happens frequently on websites where a limited number can be sold or when products are only available for certain dates – such as event tickets. The more sophisticated bot programs will keep refreshing a page repeatedly until either the item becomes unavailable or it has been bought by another user.
What’s the best way to prevent denial of inventory attacks?
It is important that you work with an expert bot management vendor who can collaborate with your business to detect bots on your website or app, and block malicious traffic in real-time. This can safeguard against the risks associated with denial of inventory attacks such as losing customers, revenue or being held liable for damages. You should also ensure there are robust protections in place to stop bots accessing your eCommerce site via cross-site scripting (XSS) vulnerabilities.
Are denial of inventory attacks illegal?
Denial of inventory attacks could be considered a form of hacking under the Computer Misuse Act 1990. If an attacker is accessing your website or application to carry out this illegal practice, you can take legal action against them for their misuse. It’s important that you review what constitutes normal in the unique context of your traffic environment to quickly detect and block bad bots during a denial of inventory attack.
Are denial of inventory attacks more prevalent in certain industries?
While it can happen in any industry, websites that sell tickets to events are particularly vulnerable to denial of inventory attacks. Bots can be programmed to repeatedly refresh purchase pages and keep clicking ‘buy’ until they reach the maximum allocation allowed or until the ticket becomes unavailable. This is because bots have no need for the event tickets but may be acting on behalf of users trying to obtain a ticket at a cheap price – which will inevitably cause problems for genuine customers.