Fraudsters Siphon $360M From Retailers Using 50M Fake Shoppers
Online fraudsters posing as consumers likely siphoned off more than $360 million from the marketing budgets of online businesses by generating fake clicks during Black Friday, while 20% of visits to retail sites on Cyber Monday were bots posing as shoppers and not humans, Web security firms said this week.
The surge in fraud included techniques such ad injection, search engine redirects, and affiliate fraud — and shows the trouble that cybercriminal automation such as bots can cause for online commerce providers. The increase in fraud matched the annual upswing of US holiday sales that start the week of Thanksgiving though the following Monday, also known as Cyber Monday. Overall, online retailers saw a nearly 12% increase in sales during November and a 2.3% increase in purchases on Black Friday.
The lockstep growth of sales and fraud underscores the opportunistic nature of attackers, says Guy Tytunovich, CEO of Cheq.
“Fraud is always there, but it is very seasonal in terms of peak times,” he says. “[The trigger] could be anything — it could be political, like an election, or it could be like Black Friday or Cyber Monday.”
Fraudsters have had a significant impact on online businesses, according to data provided to Dark Reading by Cheq and online network-services provider Akamai. By donning the disguise of legitimate consumers, bots can cost advertisers and retailers real money on marketing — typically a loss of 10% to 15% — that is not being seen by human eyes. In addition, bots can be used to buy out popular items, enable credit card fraud, and tie up inventory.
The largest cost to businesses comes during peak times. During the peak on Cyber Monday, consumers spend $12 million every minute, according to Adobe, which collects information on consumer activity. Yet 46 million of those shoppers were bots, leading to $368 million in fake clicks on retail ads, Cheq estimates.
About 20% of sessions overall are “being distorted” because of something happening on the client side, says Patrick Sullivan, chief technology officer for security strategy at Akamai. While businesses tend to focus on attacks against their own infrastructure — the server side — they pay less attention to what is going on with visitors’ systems and browsers, he says.
“In general, we’ve seen over the last five years that no longer can security be focused on the crown jewels just being on the server side,” Sullivan says. “Across a number of industries, we see attackers more focused on the client side. We’ve seen supply chain attacks where the fraudsters gain control of the javascript running on the client side, for example.”
Scalper Bots & Denial-of-Inventory Attacks
One major fraud scheme enabled by client-side bots are scalper bots/sneaker bots — automated programs running on clients that scrape retailers’ sites looking to buy particularly popular items, sometimes purchasing the items with stolen credit cards, says Cheq’s Tytunovich.
While credit card fraud continues to be a significant concern for retailers, the increase in attacks that deplete inventory or make inventory unavailable to legitimate buyers is more worrisome, he says.
“While they are not as malicious as other [cyberattacks], retailers are extremely scared about scalper bots,” he says. “The bots that are wholly aimed at getting those Jordan Ones or PlayStation 5s or whatever, and get the entire stock.”
Another major inventory-impacting attack are bots that abandon shopping carts, which typically puts a hold of 10 to 15 minutes on an items — a small amount, but one that can add up quickly with the intensity that only automation can provide. These denial-of-inventory attacks can cause chaos with retailers’ visibility into the state of their stocks, Akamai’s Sullivan says.
“There are certain industries that almost engineer scarcity — they want people to queue up for sneakers or handbags — but now we have seen it across multiple industries — groups that have traditionally never seen that,” he says. “Because of the supply chain issues now, a lot more industries are impacted by these inventory-grabbing bots out there.”
Unwanted, But Legitimate
However, most of the invalid traffic, or IVT, that companies such as Akamai and Cheq track are not necessarily fraud, but just unwanted by retailers.
In many cases, the influx of non-human traffic included user-installed price-comparison tools, such as Honey and Rakuten, which retailers might prefer that their visitors did not use, but which are not fraudulent nor malicious. In the US during Cyber Week, for example, retailers saw 25% to 30% more sessions that used browser extensions for price comparison, Akamai stated.
Yet such traffic also skews retailers’ understand of consumer demand, which can lead to inefficiencies, according to Cheq. Unique site visits are increased by 22% by automated traffic, while sessions duration can dive 41% and the number of new users overestimated by 21%, the company found.
Read More HERE