We are fast approaching the end of 2020. A year that was different in many ways due to the COVID-19 pandemic, and the impacts on retail were no exception. There has been widespread coverage of retail strategies to survive as physical stores remain closed. Black Friday was not a day but several months this year. Delivery services were overwhelmed as users sheltered in place. And we also saw how quickly those popular items like Sony Play Station 5 gaming consoles and NVIDIA Graphics cards sold out and are now selling for crazy prices in secondary markets. The backlash from consumers has been swift as they vent their frustration on social media about feeling cheated as limited inventory is sold out in seconds. Their frustration amplified as they discover they are being gamed (pun not intended) by the rise of Bot-as-a-Service (BaaS), an emerging form of automated shopping that enables a small set of buyers to suck up all the inventory of these highly popular items, then resell them for exorbitant prices. This is aptly described as the consumerization of botting.
This gives me a pause to look back on how bots have evolved over the years. In the early days, bots were scripts or simple programs that mostly targeted account take over (ATO) and fake account creation for financial gains. Bots created millions of fake accounts on money transfer platforms like PayPal to exfiltrate funds. They went after loyalty points and committed shipping fraud on retail websites post ATO. To hide their behavior, bots modified User-Agent strings from popular browsers and used rate limiting techniques to evade anti-bot tools. You needed programming, reversing and hacking skills to be in the business. Finding resources was hard and required knowledge of where to look.
Fast forward a couple of years and we saw tools like SentryMBA, Sniper, BlackBullet become popular. Originally built as QA automation tools, users could customize them to target certain sites and applications. Initially, customization was left to the botter, but the next phase of the evolution saw custom attack configs built for popular sites being sold in the underground market. These attack tools enabled a botter to manage all aspects of the attack – adding proxies to massively geo-distribute their activity and circumvent IP rate limits. They even had callouts to CAPTCHA solving services, as CAPTCHAs were being adopted to stop or slow down the bots. These tools, configs, credentials and proxies were only available in various underground forums – a tightly knit community of botters across the world.
Open Source Bots
The phase of the evolution made bots readily available to all. Someone looking to get their hands on sneakers can easily find everything they need to build a bot and execute an attack. Thousands of GitHub repos of Bots and their configs can be found using simple search terms. Multiple proxy vendors are competing to sell you millions of proxies to anonymize the attack. OpenBullet is a great example. It has it’s own GitHub repo where the core platform is developed by contributors around the world. It has a user forum and you can find numerous marketplaces where you can configs, proxies and credentials for your target. This means that anyone with a decent computer and enough money to buy these tools could become a botter. These modern bots are software solutions using real browsers with automation driving them to complete a certain set of tasks.
Botters can increase their success using the many GitHub repos that are dedicated to reversing and defeating popular anti-bot solutions, solving CAPTCHAs (or harvesting CAPTCHAs as it is known in the botting community), improving your Gmail rating to get presented with simple CAPTCHAs etc, perform specialized tasks like checking stock availability and inventories, etc. All this open-source collaboration has led to the next and the latest phase in botting: Bot-as-a-Service (BaaS).
BaaS represents the continued consumerization of automated bot attacks. Effectively, a user who wants to snag the hottest sneaker, food delivery service slot, luxury clothing item or accessory, or game console, they need only rent the appropriate bot, complete with how-to guides, community support, user reviews and access to drop information. BaaS solutions are specialized for certain sites, they offer 24×7 support and the good ones offer guaranteed hit rate. The price ranges from $400 at the low end to over $5000 on the high end. These BaaS solutions have an in-depth understanding of botting with automation built for every step of purchasing a high-in-demand item on their supported retail sites. The first step is knowing when items will go on sale and that requires scraping various channels for that information. These sales, also known as Drops, are announced on Cook Groups, which are private Discord communities of paid users, and often in their social media channels. The second step is adding items to shopping carts as soon as they go on sale, ahead of other bots and humans. This involves knowing exactly the item details, SKU, size, color, etc. in advance and the ability to add the appropriate items to shopping carts. The last step is checkout. Retailers use anti-bot techniques such as queuing, raffles, CAPTCHAs, and more during this phase, and BaaS solutions are often able to circumvent them and maximize the probability of checkout with various built-in features.
These BaaS solutions make the end-to-end experience of automated shopping very easy. As an end-user you listen to drop announcements in your Cook Groups. If an item of interest is going on sale, then all you have to do is create a task in your BaaS and watch for it to execute. You can enhance your BaaS solution by opting in for more services or using plug-ins as explained below.
BaaS vendors have rapidly become full-service providers, offering numerous ancillary services that complement their core botting capabilities.
- Alternate Shipping Address – For botters around the globe targeting retailers who only ship in certain geographies, users can purchase re-addressing services. Packages are shipped to addresses owned by the BaaS provider who then re-ships them to the botters in their own country.
- Account Generators – These services help maximize a user’s chances with retail sites that use raffle-based check-outs by generating many legitimate-looking (yet fake) accounts.
- Anonymous Payments – a service offering that allows you to use 3rd party payment systems to hide your real identity.
- Cook Book Monitors – A service that scans Discord channels for new drop announcements and automatically creates tasks in your BaaS.
Capabilities of a BaaS solution can be enhanced by using Plug-Ins. Some examples of plug-ins are:
- E-mail Harvesting – This service improves the reputation of your e-mail addresses by generating legitimate-looking e-mail traffic on them. Aged and trustworthy e-mails are presented with simple CAPTCHAs and faceless resistance during check-outs.
- CAPTCHA Solvers – A CAPTCHA solving service that uses OCR (Optical Character Recognition) or human farms.
- Proxys – Purchase datacenter and/or residential proxies to hide the location and identity of the botter. Res proxies blend with legitimate customers and are harder to block, whereas DCs proxies are more reliable.
BaaS solutions have features that bring all this together. For example, creating unique sets of Proxy IP, user account, shipping address and payment information and repeating them during drops.
The True Impact on Retailers
Using bots is not illegal, and in the end, they do result in a sale. So retailers should be happy, right? Products are selling, demand is up, fans are being cultivated. In reality, the impacts of automated bot purchasing are significant when high demand items all end up in the hands of a botter.
- Poor Net Promoter Score – Industry estimates are that a 7 point increase in NPS results in a 1% growth in revenue. When users spend several hours in virtual “Waiting Rooms” only to find out that the inventory is sold out, they vent their frustration on social media, support portals, rating sites, creating a negative impression of the retailer among other shoppers.
- Manpower Opportunity Cost – To ensure a successful drop, significant additional planning is required to pick a time late at night minimize impact and maintain website stability. Additional manpower is needed for fraudulent order investigation, validation and in some cases cancelations. Other manpower opportunity costs lost include managing social media reaction to failed purchases by real users.
- Future Revenue Impact – If manufacturers don’t have confidence in a retailer’s ability to control shopping bots, then they allocate less inventory to those retailers, resulting in lost revenue. These manufacturers are also concerned about their brand reputation impact from poor user experience at retailers, who are unable to stop shopping bots.
- Increased Cost – Shopping bots inflate costs for retailers in several areas. There are various components and stages of a BaaS solution that are constantly probing, scraping and carting, which dramatic spikes in traffic results in higher CDN and web site infrastructure costs. Statistics show that over 90% of all traffic at retail sites is from various shopping bots.
- Outages – Out control bot campaigns during extremely in-demand product launches like the PS 5 or NVIDIA RTX 3000 can result in traffic increases as high as 1000% resulting in application DDoS resulting an outage for all users.
- Skewed Marketing KPIs – Marketing departments track conversion rates from their marketing campaigns and customer engagements on the platform. All those statistics and KPIs (Key Performance Indicators) are deemed completely useless when 90+% of all of your traffic is generated by bots. They are left with no reliable statistics to measure their effectiveness.
The Irony: Bots to Buy Bots?
Most BaaS solutions are almost always sold out. Even if you have the money to purchase these bots, they are not easy to buy. This has led to some people renting their bots and bot brokers have become popular. When these BaaS are available for purchase, it is called “Restocking”. Restocking is available for very limited seats – typically between 1-100 at a given time and there are thousands of people waiting to buy them. Restocking is typically announced on Twitter and people have to fill various web forms to get that seat. Ironically there are bots to do that. There are bots to monitor Twitter handles and alert when Restocking is available. There are fast form filler bots to help you get ahead of the thousands of people that are also trying to buy these BaaS. Bot used to buy Bots!
*** This is a Security Bloggers Network syndicated blog from Cequence authored by Ameya Talwalkar. Read the original post at: https://www.cequence.ai/blog/bot-as-a-service-the-consumerization-of-botting/