‘Grinch Bots’ Ramp Up Cybercrime During Holidays

Insidious shopping bots infiltrate eCommerce sites year-round, but the holiday season brings them out in droves, with 20 bots for every one human, NBC reported on Saturday (Nov. 30).

Cybersecurity firm Radware told NBC that as much as 97 percent of online retail traffic comes from bots in the week leading up to Black Friday and Cyber Monday. The bots are “largely operated by organized gangs of cybercriminals,” noted the report.

“Website operators are seeing an uptick in bot activity leading up to Cyber Monday from people trying out their bots,” said Ron Winward, a Radware spokesman. “People are really competing with automated infrastructure and bots to get hot holiday items.”

The bots can quickly buy limited-sale items and resell them for a premium on third-party sites. Even more damaging, they can break into shoppers’ accounts and steal card numbers, rewards, digital currency and personal data.

The newest shopping bots use artificial intelligence (AI) to fool bot detection software and CAPTCHAs. They mimic human browsing behaviors and distribute activity across devices to duck exposure.

“The most significant bot-linked threat related to the retail sector is the risk of account takeover, also known as credential stuffing, with criminal groups using bots to brute-force tools to log in to legitimate customers’ accounts, often assisted by records they have found online from other cyber breaches,” said Christian Beckner, senior director of retail technology and cybersecurity at the National Retail Federation.

“If individuals are reusing passwords across multiple sites, they are most susceptible to an account takeover attack and illicit transactions within their account,” Beckner told NBC.

Although shopping bots aren’t technically illegal – with the exception of ticket scalping bots – they can violate a site’s terms of service.

Approximately 12 percent of live concert attendees – about 11 million people – fell victim to ticket scams last year, including those in which consumers purchased fake tickets or paid for ones that never materialized.