The 2020 holiday season’s hottest gifts were the Sony Playstation 5 (PS5) and Microsoft’s Xbox Series X. Thanks to scalper bots, most people weren’t able to get them in time for the holidays, and despite many efforts, some still don’t have their hands on these popular consoles.

Christmas being over doesn’t mean that scalper bots are going away anytime soon. We are seeing an upward trend of retailers launching VIP products with limited quantities year-round – including sneakers, winter coats, and other in-demand merchandise – which means that the bot problem will continue to get a lot worse. Bot operators are also well compensated for their efforts, with a low cost of doing business and a high return. It is increasingly common for them to be paid commissions through a profit-sharing model.

With most major online retailers using bot mitigation solutions for many years now, why are we still talking about scalper bots? And what can be done to shut down bad bots once and for all? The short answer is: a fundamentally new approach is needed.

Most bot mitigation solutions rely on rules and risk scores, which use information from the past, even when paired with advanced machine learning or AI capabilities. Since bot operators are continually inventing new ways to evade detection, using historical data fails to detect and stop bots never seen before. As a result, retailers and e-commerce companies can’t keep up with the evolving nature of bot operators’ techniques, tools, and tactics. This is evidenced by the record volume of “Grinch” bots that we saw over the holidays.


It’s time to approach the bot problem differently

Bot creators and operators work tirelessly to ensure that their technology gets around enterprise defenses. What if we looked for the presence of automation itself, rather than designing a solution that relies on rules, behaviors, heuristics, or intent? That way, we can detect bots never seen before, and therefore protect applications and APIs from what adversaries may do tomorrow or in a year’s time.

To further future-proof bot defense, modern solutions must also:

  • Apply a zero-trust philosophy that assumes all requests are guilty until proven innocent, ensuring bad bots are never let in before their intentions are determined;
  • Target the economics of running bots by fighting back, making attacks more expensive to conduct by imposing a CPU-taxing cryptographic challenge;
  • Leverage better obfuscation techniques to frustrate bot operators attempting to reverse engineer the defenses.

Many bot mitigation vendors are hyper-focused on specific manifestations or behaviors of bots, which can be useful in the short term; however, it doesn’t benefit their customers in the long term. If an organization faces a new or different type of bot attack that no other company faces, behavioral or intent-based technology may not pick it up fast enough. However, if the architecture looks for automation as the common denominator, such as the use of a headless browser or automated DevTools, the bot mitigation solution will accurately identify that a bot is carrying out the attack.


Zero-trust philosophy

A zero-trust philosophy also stops bots never seen before by not automatically trusting any connecting client. This allows you to detect zero-day bots from the first request without giving attackers a window of opportunity to be successful. Not trusting any traffic also means that you don’t need to keep re-learning what’s good and what’s bad, which is extremely maintenance-intensive. As a result, the bots’ behavior becomes irrelevant.


Collapse the economics

Due to the low barrier to entry and low cost of obtaining sophisticated bots, inventory hoarding can be extremely lucrative. If you can target the economics of bots requesting information from your applications and APIs by taxing them, then you can significantly discourage them from continuing their operations. This is a sustainable long-term solution because you’ve made the attack unviable to conduct, and adversaries will move on to other online businesses where it is easier to turn a profit.


Deter reverse engineering

Finally, your solution quickly falls apart if bot operators can reverse engineer your bot mitigation technology. This is an area many people take for granted, but the reality is that knowledgeable adversaries can bypass, in a matter of minutes, some of the “leading” and expensive bot mitigation services that rely on open-source obfuscation tools. Custom, dynamic obfuscation changes the battlefield: it also shifts the skill set required from JavaScript to bytecode, making it many degrees more difficult for bot operators to retool against your defenses.

A bot mitigation solution that enables you to adapt as quickly as bot operators is absolutely key to both short-term and long-term success against scalper bots and other malicious bots. Implementing all these little things simultaneously is the only way to stop bad bots for good. It doesn’t matter how high your walls are: if there’s a brick out of place, there’s a way for them to get in. Cheers to helping retailers approach the bot management problem differently before Grinch bots ruin holiday wish lists.