Kasada, a cybersecurity provider whose technology protects against bad bots, has released new research that found hackers will turn to gift card fraud, fake account creation, freebie bots, and scraping attacks during the 2022 holiday season.
Nearly Half of Bot Attacks are U.S. Based
Bot operators frequently used customized open-source development tools, headless browsers, and new Solver Services to conduct their attacks at scale, Kasada said. During the holiday shopping season to date, nearly half (49%) of all bot-driven attacks originated from the U.S. The United Kingdom, Canada, Australia and South Korea made up the top five.
Key highlights of the study include:
- 50% increase in bad bot traffic
- 6x increase in automated online gift card lookup attempts
- 3x spike in fake account creation the week before Black Friday
- $1.1M of products purchased by Freebie Bots for $134, within one community
- 43% surge in web and API scraping attacks
- 49% of holiday bot attacks originate from the U.S.
Kasada said it observed a 50% increase in bad bot activity during Black Friday week (the five days from Thanksgiving to Cyber Monday).
As Sam Crowther, CEO and founder of Kasada, explained:
“Retailers have to deal with bot attacks every day, but the increased activity we’ve seen during the holiday shopping season truly highlights just how extreme the problem is. As they say, follow the money. If there is an opportunity for profit, bots will be there, looking for every way possible to exploit a retailer’s business.”
Holiday Bots Examined
Here’s a deeper dive into the data:
- Gift cards. Kasada pointed to data from the National Retail Federation showing that holiday gift card spending is expected to reach $28.6B this year. Gift cards typically have fewer protections than other payment methods. Fraudsters favor them because they can anonymously obtain quick cash through irreversible transactions or by reselling stolen cards.
- Fake account creation. Fraudsters generally create fake accounts in the run-up to Black Friday so they have well-established, aged accounts that blend in with legitimate customer accounts.
- Promotions and coupons. During the holiday season, retailers run promotions that offer coupons and goods as incentives for new accounts. The 40% increase in account creation on Cyber Monday reflected bot-driven efforts to obtain and abuse as many promotions as possible.
- Freebie bots. As a case in point, Kasada found one community where freebie bots successfully purchased more than 40,000 mispriced products during the Thanksgiving shopping weekend, totaling over $1.1M in retail value – for just $134. Freebie bots were used to rapidly purchase erroneously priced items such as LED strips, dog collars and dinosaur toy hand puppets that could then be resold for a large profit.
- Scraping attacks. Scraping bots capture real-time data that is used by competitors to undercut pricing. In addition, fraudsters use scraping as the basis for counterfeit websites that trick unsuspecting consumers into making a fraudulent purchase or providing their credentials.