The “Grinch Bots” Who Are Stealing Christmas

  • Team Omega
  • December 19, 2017

This holiday season, “Grinch Bots” — automated purchasing tools that scalp high-demand items in large quantities and list them on e-commerce marketplaces at inflated prices — are making quite a mark.

To give you an idea of how inflated these price hikes are getting, Phys.org reported that an $80 Nintendo NES Classic Edition was offered on eBay for $13,000. If Grinch Bots sound familiar, you may have heard about Ticket Bots and Sneaker Bots, both aimed at buying high-demand items and reselling them at huge markups. Most recently, in October 2017, Ticketmaster sued Prestige Entertainment, alleging that it had deployed an army of bots to purchase more than 30,000 tickets to the (already expensive) show Hamilton.

In this post, we'll delve into how Grinch Bots work, the solutions being proposed by Congress and economists to prevent further bot abuse, and how typical preventive measures such as CAPTCHA and multifactor authentication are being circumvented or ignored entirely.

Grinch Bots Employ Multiple Attack Methods

Let’s first understand how Grinch Bots actually work:

Step 1 – Scraping

The first step in the purchasing-bot process is to learn about a product's release before consumers do. Omri Iluz of PerimeterX, a company that focuses on anti-bot solutions, describes how bots poll sites hundreds of times per second in order to detect the start of a sale:

Bot creators study the web addresses, or URLs, for a given retail site and then use data scraping techniques to guess the ID for an unreleased product and locate the product page. Because merchants typically launch these pages hours before the product goes on sale, bots get a jump on consumers before the page goes live, he says. They get another jump by subscribing to Twitter APIs to learn about a manufacturer’s sale milliseconds before everyone else…there is simply no competition between a bot and even the most organized human.

[Figure: 2016 Bot Traffic Report]

Step 2 – Automation

The initial checkout procedure is similar for all types of purchasing bots: they automate checkout by storing every piece of information a purchase requires, such as size and color preferences, shipping details and credit card payment information. Automating checkout takes far less time than it would take a single person to enter all of that information manually for a large number of transactions.

Developing a purchasing bot certainly doesn't require a computer science degree; scalpers can simply build one with bot-creator software or hire a service to manage the entire automation process.

Step 3 – Variation

Now this is where things get interesting. Many sites, such as Amazon and Google, employ a diverse set of analysis mechanisms to detect and block purchasing bots. In response, bot operators use the following tactics to introduce enough variation into their purchasing patterns to slip past these detection algorithms:

  • Requests are routed through multiple proxies, so the bots can order many items without being blocked by the retailer.
  • The number of IP addresses used in a single bot purchasing campaign can run into the thousands.
  • Bot operators also rotate through a large number of credit card numbers to evade limits placed on purchases from a single buyer.

Step 4 – Human Verification

One common defense we've all seen is CAPTCHA, a challenge that asks a user to decipher obscured letters or answer questions in order to prove that he or she is human. Unfortunately, with machine learning, even CAPTCHA can be solved by automated bots: Google's own research determined that current artificial intelligence can solve distorted-text CAPTCHAs 99.8% of the time.

  • Where a human hand is required, perhaps to defeat a CAPTCHA, tasks can be farmed out to remote workers via services such as Amazon's Mechanical Turk, crowdsourcing to manual workers only the steps that automation cannot complete.
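Seen from the defender's side, the four steps above leave footprints in ordinary retailer logs. The Python below is an added example written for this post, not code from PerimeterX or from any retailer; the log format, the thresholds, and every log line and order record in it are constructed for illustration. It flags sessions that poll product pages faster than any human could (Step 1), sessions that walk sequential product IDs hunting for a page that is not live yet (Step 1), and order campaigns whose many IPs and card numbers (Step 3) converge on a single shipping address.

```python
import re
from collections import defaultdict

# Constructed log format: common-log-style line, epoch timestamp, session cookie last.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>\d+(?:\.\d+)?)\] "GET (?P<path>\S+) HTTP/1\.1" '
    r'(?P<status>\d{3}) (?P<sess>\S+)$'
)
PRODUCT_PATH = re.compile(r"^/product/(\d+)$")

def constructed_log():
    """Constructed sample traffic: one bot session and one human session."""
    base, lines = 1513700000.0, []
    # Bot: 40 requests in under a second, walking sequential product IDs that are
    # not live yet (404) until it reaches the page that just went up (200).
    for i in range(40):
        pid = 90000 + i
        status = 404 if pid < 90035 else 200
        lines.append(f'203.0.113.10 - - [{base + i * 0.025:.3f}] '
                     f'"GET /product/{pid} HTTP/1.1" {status} s-bot')
    # Human: three requests spread over forty seconds.
    human = [("/product/89999", 200), ("/product/89999/reviews", 200), ("/cart", 200)]
    for i, (path, status) in enumerate(human):
        lines.append(f'198.51.100.7 - - [{base + i * 20:.3f}] '
                     f'"GET {path} HTTP/1.1" {status} s-human')
    return lines

def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    out = []
    for m in filter(None, map(LOG_LINE.match, lines)):
        out.append({"ip": m["ip"], "ts": float(m["ts"]), "path": m["path"],
                    "status": int(m["status"]), "sess": m["sess"]})
    return out

def peak_rate(events, window=1.0):
    """Signal 1: most requests a session made inside any sliding `window` seconds."""
    times = defaultdict(list)
    for e in events:
        times[e["sess"]].append(e["ts"])
    peaks = {}
    for sess, ts in times.items():
        ts.sort()
        best = lo = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] >= window:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[sess] = best
    return peaks

def id_probe_score(events):
    """Signal 2: 404s on a product ID exactly one above the session's previous ID."""
    seqs = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        m = PRODUCT_PATH.match(e["path"])
        if m:
            seqs[e["sess"]].append((int(m.group(1)), e["status"]))
    return {sess: sum(1 for (prev, _), (pid, st) in zip(seq, seq[1:])
                      if pid == prev + 1 and st == 404)
            for sess, seq in seqs.items()}

def flag_sessions(events, rate_threshold=10, probe_threshold=5):
    """Combine the per-session signals into session -> list of reasons."""
    rates, probes = peak_rate(events), id_probe_score(events)
    flags = {}
    for sess in set(rates) | set(probes):
        reasons = []
        if rates.get(sess, 0) > rate_threshold:
            reasons.append(f"{rates[sess]} requests within one second")
        if probes.get(sess, 0) >= probe_threshold:
            reasons.append(f"{probes[sess]} sequential 404s on product IDs")
        if reasons:
            flags[sess] = reasons
    return flags

# Signal 3 runs on completed orders (order_id, client_ip, card_last4, shipping).
# Constructed sample: three orders from different IPs and cards share one address.
CONSTRUCTED_ORDERS = [
    ("o1", "203.0.113.10", "4242", "12 Elm St, Apt 3, Springfield"),
    ("o2", "203.0.113.44", "1881", "12 elm street apt 3 springfield"),
    ("o3", "198.51.100.201", "0005", "12 Elm St., Apt. 3, Springfield"),
    ("o4", "192.0.2.9", "9001", "77 Oak Ave, Shelbyville"),
]

def normalize_address(addr):
    """Fold trivial spelling variations so one destination compares equal."""
    a = re.sub(r"[.,]", " ", addr.lower())
    a = re.sub(r"\bstreet\b", "st", re.sub(r"\bapartment\b", "apt", a))
    return " ".join(a.split())

def shared_destination(orders, min_distinct=3):
    """Addresses receiving orders from >= min_distinct IPs and >= min_distinct cards."""
    by_addr = defaultdict(list)
    for oid, ip, last4, addr in orders:
        by_addr[normalize_address(addr)].append((oid, ip, last4))
    return {addr: sorted(o for o, _, _ in rows) for addr, rows in by_addr.items()
            if len({ip for _, ip, _ in rows}) >= min_distinct
            and len({c for _, _, c in rows}) >= min_distinct}
```

The thresholds (ten requests in one second, five sequential 404s, three distinct IPs and cards) are illustrative starting points; a real deployment tunes them against the site's own traffic baseline and treats each signal as evidence to be combined with others, not as a verdict on its own. Note that the shipping-address signal is the one a proxy pool and a stack of credit cards cannot hide, because the scalper still needs the goods delivered somewhere.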

BOTS Legislation – the dangers of making a law too specific

The Council of State Governments reports that at least a dozen states have legislation making it illegal to use bots or to sell tickets obtained via bots. California law prohibits the use of ticket bots and makes it a misdemeanor punishable by up to six months in jail and fines of up to $2,500, according to the Los Angeles Times.

On the national level, the appropriately named Better Online Ticket Sales (BOTS) Act became law nearly one year ago, on December 14, 2016. The BOTS Act is intended “to prohibit the circumvention of control measures used by Internet ticket sellers to ensure equitable consumer access to tickets for any given event, and for other purposes.” To put it simply, the BOTS Act makes it illegal to use bots to buy and resell tickets, and assigns enforcement to the Federal Trade Commission and to state attorneys general. Prestige Entertainment, for its part, ultimately paid $3.35 million in a settlement and agreed never to use bots in the future.

As of this writing, we have found no similar law applying to Grinch Bots. Senator Chuck Schumer of New York has reached out to the National Retail Federation and the Retail Industry Leaders Association and is encouraging them to “immediately investigate how these dishonest software programs are being used on your members’ sites and take all available steps to thwart computer systems from cheating America’s consumers.”

Applying Economic Incentives Is Difficult

What is the retailer’s incentive to block bots? After all, they sell their product regardless of who bought it, right?

The Economist proposes placing control in the hands of the ticket seller rather than the bot broker: just “make the tickets much more expensive in the first place.” Essentially, price should fluctuate with demand. Of course, this assumes the seller knows which items will be hot before they go to market. And even then, raising the price as demand increases still keeps the toys out of Tiny Tim's reach. Now that food orders are also placed online, imagine this scenario playing out with food; the impact of purchasing bots there would be far more consequential.

Multifactor Authentication = Something you Know + Something you Have

The strongest solution to date for securing payments is multifactor authentication, which requires not only something you know (your username and password) but also another factor, such as something you have (a smartphone) or something you are (a biometric). A password alone can be guessed, cracked or stolen, but a second factor delivered through a smartphone prompt requires that the phone also be in your possession. So why is multifactor authentication (e.g., a one-time password) not more widely used for purchases?

The issue is the difficulty of enforcing multifactor authentication at the consumer level for small, one-time purchases. Merchants that aren't using it said their fraud volumes were too low to merit its use and that they did not want to degrade the user experience. As Mark Risher, Manager of Google's identity systems, states, “People won't accept more security than they think they need.”
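For readers who want to see what the one-time password mentioned above actually involves, here is an added example (not code from this post, from Google, or from any merchant) of RFC 6238 TOTP together with the server-side verification step that does the real work against a bot: the code derives from a secret held only by the server and the user's phone, it changes every 30 seconds, and each code is accepted exactly once. The secret used is the published RFC 4226/6238 test value, chosen so the output can be checked against the standard; a real deployment would provision a random per-user secret at enrollment.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226/6238 test vectors (20 ASCII bytes). A real
# deployment generates a random per-user secret at enrollment and provisions it
# to the user's authenticator app; it never leaves the server and the phone.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check: accept the current step plus or minus `skew` steps for
    clock drift, and never accept the same step twice, so a bot that captured one
    valid code cannot replay it across a batch of checkouts."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.used_steps = set()

    def verify(self, code, unix_time=None):
        now = int(time.time() if unix_time is None else unix_time)
        if len(code) != self.digits or not code.isdigit():
            return False
        current = now // self.step
        for step in range(current - self.skew, current + self.skew + 1):
            if step in self.used_steps:
                continue
            # constant-time comparison: no early exit that leaks a matching prefix
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.used_steps.add(step)
                return True
        return False
```

The replay check is the part that matters for this post: a scalper who phishes or intercepts one valid code gets one purchase out of it, not a thousand, and the 30-second step means a code harvested in advance is worthless by the time the sale starts. In production the used-step set lives per user in a datastore and is pruned after the skew window, and the secret is stored encrypted.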

Looking Ahead

Looking ahead, there are a few paths forward. First, consumers must demand legislation that penalizes companies employing Grinch Bots. While the penalties levied against Prestige Entertainment and similar companies for using bots are a good start, it remains to be seen whether the BOTS Act will actually reduce the number of purchasing bots. Incapsula releases its annual Bot Traffic Report for 2017 in just a few weeks; we'll check back to see the results.

Second, the solution to defending against Grinch Bots might just be better technology. Companies like PerimeterX claim to effectively employ sophisticated machine learning techniques to detect advanced bot threats. Google’s new reCAPTCHA considers additional variables like the user’s IP address and movements of the mouse in order to “actively consider a user’s engagement with CAPTCHA – before, during, and after – to determine whether that user is a human.”

Lastly, until these solutions are proven effective, it's ultimately up to each company to defend itself against these threats. Adidas' Confirmed app lets users reserve sneakers and then pick up and pay at a nearby store; in effect, Adidas enforces physical verification and payment for its limited-release products.

If all else fails, let’s remember the moral of How the Grinch Stole Christmas! — Christmas is about more than gifts, right?

“Then the Grinch thought of something he hadn’t before! What if Christmas, he thought, doesn’t come from a store. What if Christmas…perhaps…means a little bit more!”


Further readings

– Biometric Update, “Survey finds half of merchants use consumer authentication for ecommerce”, http://www.biometricupdate.com/201703/survey-finds-half-of-merchants-use-consumer-authentication-for-ecommerce
– The Economist, “The war on ticket bots is unlikely to be won”, https://www.economist.com/news/united-states/21713869-2016-bots-tried-buy-5bn-tickets-or-10000-minute-ticketmasters-website
– The Council of State Governments, “Blame it on the Bots: States Act to Ban Ticket Buying Software”, http://www.csg.org/pubs/capitolideas/enews/cs53_1.aspx