Put Your Best Foot Forward: The Impact of Sneaker Bots on Holiday Shopping
Video by Joseph Martinez
Introduction
Bots are one of the best examples in the tech and security fields of how something that can be used for good — such as providing simple “creature comforts” like chatbots with speedy reply times or ensuring correct search engine results — can also be used for great harm.
When security professionals think about bots, we tend to think about distributed denial of service (DDoS). DDoS has caused some major havoc in organizations globally, and those organizations’ customers have felt most of the impact.
One of the most notorious of all DDoS attacks, the 2016 DynDNS attack, caused outages all the way up to the FAANG (Facebook, Amazon, Apple, Netflix, and Google) level. DDoS isn’t slowing down either. On the contrary, attackers are evolving their strategies around DDoS, including using it as a secondary extortion method for ransomware victims.
To consumers, however, “bot” typically means a chatbot: one you converse with (like ChatGPT) and/or a customer service bot to help route you to the proper team to resolve your issue. Certainly, these are closer to the “harmless and useful” end of the bot spectrum.
What consumers may not know is that bots can also (and very often are) the reason for price gouging — if the item you want is available at all. With the western holiday season quickly approaching, consumers need to be even more vigilant this time of year.
Cybersecurity is everyone’s responsibility
Although the Akamai Security Intelligence Group (SIG) typically only posts deeply technical security research, as part of October’s Cybersecurity Awareness Month we thought it would be pertinent to speak directly to you, the consumer, to help you understand why it can be difficult to get those tickets or limited-edition items you want.
While there are a multitude of bot types out there, in this blog post we will focus on malicious “sneaker bots” or “scalper bots”: what they are, how they’re used, and how their existence and usage affects consumers.
What is a sneaker bot?
A sneaker bot is a malicious piece of code designed to scrape websites to reserve items such as limited-edition sneakers, which inspired the name. You may also hear these referred to as “scalper bots” or “sniper bots.” These bots are not exclusive to footwear by any means. There has also been an explosion of bots like these beyond digital commerce, such as in the passport renewal backlog the Israelis experienced during the summer of 2022.
These types of bots not only cause major frustration for potential customers, but also fuel the predatory industry of resale price gouging. We’ve all likely had the experience of having to use third-party resale sites with wildly high markups to buy something we really want — we’re talking profit margins up to 7000% here.
Are sneaker bots illegal?
As any lawyer will tell you, the answer is “it depends.” They do, however, violate the terms and conditions of several digital commerce sites. The fact that anyone can spin one up with the proper know-how has created an additional subindustry: sneaker bots as a service.
For a fee, you can take advantage of bots that have already been built. You can buy them outright for continued use or rent them on a case-by-case basis. The fees can be pretty steep — up to $500 in some cases — and using services like these does not guarantee that you will obtain the item; these services can increase your chances, but procurement is most certainly not guaranteed.
Risky (and not really worth it)
Nonetheless, it can be very tempting to use one of these services, especially during holiday time. You would be Parent of the Year if you came home with those limited-edition Nikes your kid has been chattering about nonstop. But $500 for a “maybe” is risky, to say the least, and — take it from those of us who work for a company that sees a stupendous amount of bot traffic data — it’s really not a risk worth taking.
Why are bots so prevalent?
We’ve established that there are good bots and bad bots. Regardless of what kind of bot you’re referring to, speed plays a large role in bots’ ubiquity. The sheer speed at which these bots can perform tasks is unfathomable to a human. This speed allows tasks to be performed so much more efficiently that using bots can produce large cost savings for a business.
Bots can also relieve us of mental load in our normal lives: They can deliver reminders, information, notifications, etc. Put simply, these benign bots make our lives easier. This is why it’s very important to separate these good bots from the malignant bots — the ones that are designed to cause harm or cheat the system.
How much damage can a bot cause to a consumer?
Here at Akamai, we know bots. More important, we know the damage that bots can cause. We felt, especially during Cybersecurity Awareness Month, it was necessary to show just how quickly a malicious bot can cause harm directly to the person affected (Figure).
You should no longer wonder “if” you have been personally affected by a data breach; you are astronomically more likely to have been affected than not affected. We all share our data everywhere, often mindlessly: Get a free trial here, make an account there — it adds up, and attackers know it.
Credential stuffing: the serial killer
It’s no secret that reusing passwords is a common occurrence that most of us have been guilty of at some point in our lives. Despite the continuous rhetoric that advises against this practice, the increasingly complex password requirements can make reusing passwords seem like the only option to some people. (If you’re looking for some assistance in that area, jump on down to our "3 ways to protect yourself" section.)
Reusing passwords is a critical habit to break, especially because of what is known as credential stuffing. Credential stuffing is when a malicious entity obtains the leaked credentials of a person and attempts to use those credentials to authenticate their way into other websites.
For example: If your username and password for a social media account are compromised, an attacker with that information could use them to log in to banking websites or other sites with sensitive information.
This would be bad enough if a human was inputting these credentials manually. But add a bot in there doing the heavy lifting? As you can see in the Figure, with this automated process, an attacker could attempt thousands of credential combinations on a site in minutes. The more sites that have that same credential combination, the more risk of exposure you have.
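As an added illustration (not code from the original post), here is how a site operator might spot the kind of automated burst described above in login logs: a human produces a slow trickle of attempts, while a bot replaying a leaked credential list produces many failures against many different usernames from one source in seconds. The log format, the thresholds, and the sample lines are all constructed assumptions.

```python
# Added example: flag a credential-stuffing burst in login logs.  A human
# produces a slow trickle of attempts; a bot replaying a leaked list produces
# many failures against many *different* usernames from one source in seconds.
# Log format, thresholds and sample lines are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_line(line):
    """Return (timestamp, ip, user, result) or None for a non-login line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["ip"], m["user"], m["result"]

def detect_stuffing(lines, window_s=60, min_fails=5, min_users=3):
    """Map each suspicious source IP to its peak (failures, distinct users)
    observed inside any sliding window of window_s seconds."""
    recent = defaultdict(deque)   # ip -> failed attempts still in the window
    flagged = {}
    for rec in map(parse_line, lines):
        if rec is None or rec[3] != "FAIL":
            continue
        ts, ip, user, _ = rec
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()          # age out failures older than the window
        users = {u for _, u in q}
        if len(q) >= min_fails and len(users) >= min_users:
            flagged[ip] = max(flagged.get(ip, (0, 0)), (len(q), len(users)))
    return flagged

# Constructed sample: one human who mistypes once, one bot cycling leaked pairs.
SAMPLE_LOG = [
    "2023-10-12T09:00:00Z ip=198.51.100.7 user=alice result=FAIL",
    "2023-10-12T09:00:20Z ip=198.51.100.7 user=alice result=OK",
] + [
    f"2023-10-12T09:01:{i:02d}Z ip=203.0.113.9 user=user{i} result=FAIL"
    for i in range(12)
]

if __name__ == "__main__":
    for ip, (fails, users) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {fails} failures against {users} accounts within 60s")
```

The human mistype never crosses the thresholds, while the bot source is flagged after its fifth distinct-username failure; a real deployment would feed this signal into rate limiting or step-up authentication rather than just printing it.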
3 ways to protect yourself
Attackers have a huge advantage over consumers by being aware of common defense measures and how to circumvent them, which is why it is imperative to remain vigilant. Cybersecurity is everyone’s responsibility.
There are three basic ways that you can protect yourself: Fight the temptation to engage with sneaker bots, get a password manager, and always use multi-factor authentication (MFA).
1. Fight the temptation to engage with sneaker bots for limited-edition items, hot concert tickets, or things of that nature
It can seem super appealing to try to enhance your chances of receiving the special item(s), but by engaging with sneaker bots you are handing over your payment and contact information to someone you know nothing about. You are also directly contributing to the problem of having bots in the first place.
Remember: Getting the item is never guaranteed; in fact, the sneaker bot itself could very likely be a scam to steal your money.
2. Get a password manager to create and keep complex passwords
Password hygiene cannot be stressed enough as a critical part of keeping your information safe online. With constant changes in requirements, it’s often best to allow a product that is specifically designed for this purpose to do the hard work for you. It will be easier and more secure that way: You only have to remember a single password and the manager will remember the rest for you.
Changing forgotten passwords too often can be as bad as not changing them enough.
3. Please, please, PLEASE use MFA
Enabling and utilizing MFA on everything you can is another great basic security tip. This forces an attacker to go through multiple steps toward account takeover, providing several places for them to fail.
It is preferable to use a method other than SMS (text messaging) for this, but SMS two-factor authentication is much better than having none at all!
We’ve reached the end, friends
As we embark on another year of cyber awareness, it seems the same advice keeps getting recycled over and over again. This isn’t because security professionals are lazy; it’s because these defense methods are still not as widely used as they should be.
Phishing, bots, and credential stuffing are attack methods that have all been around essentially since the dawn of the internet and are still some of the most effective ways for an attacker to exploit you.
They’re only human
An attacker is a human being. Whether they are a ransomware operator, a botnet author, or even a nation-state entity: They are human. They’re looking to make a living just like the rest of us. It may seem weird to humanize these villainous individuals, but it’s necessary to understand this point:
These adversaries are looking for the most efficient way to achieve their goal. So, the more difficult you make things for an attacker, the better chance you have of them moving on.
The importance of cybersecurity awareness
As we head into the end of the year — along with the bots, the malicious actors, and the ever-changing terrain of terror and joy that we call the internet — you owe it to yourself to become more educated on cybersecurity. The more dependent on technology we become, the more critical it is to take this to heart.