Bots are not new. Attackers have used bots to achieve scalability in a variety of attack techniques for decades, and defenders have been fighting bots, to varying degrees of success, for just as long. However, two events in 2022—the prolonged acquisition of Twitter by Elon Musk, with its attendant discussion about exactly how much of Twitter’s traffic is genuinely human,1 and the Taylor Swift concert ticket debacle in late November—thrust bots into the public eye.2 As a result, this is a great time to examine a particular kind of automated threat that is a huge headache for many ecommerce platforms: reseller bots.
While some bots have benign and even useful purposes, such as search engine crawlers, many bots are used by those looking to attack applications or exploit loopholes in business logic. Any interaction with a website or API which is capable of being automated is an opportunity to create a bot. For anyone wanting to get up to speed on the basics of bots, what they are, and what they’re capable of, take a look at our primer: Good Bots, Bad Bots, And What You Can Do About Both.
What Are Reseller Bots, and Where Did They Come From?
Simply put, reseller bots are bots designed to buy high-demand commodities faster than any human can, so that the bots’ owner—who is known as a reseller—can sell them at a profit. Resellers thrive in markets in which demand far exceeds supply, so they tend to target limited time offer (LTO) sales. This includes commodities like limited edition sneakers (e.g. Air Jordans, Adidas, Nike), concert/event tickets, video game consoles (e.g. Nintendo Switch and Sony PS5), and fashion (e.g. Supreme, Yeezy, Fear of God, Kith). The demand for these items is so high that people queue outside retail locations for hours to try and get them.
In the digital world, these items are usually sold on a first come, first served basis. In the early days of the Web, this limited stock and high demand created an incentive for buyers to find ways to complete the online purchase faster than other customers. To this end, tech-savvy buyers started creating automated computer scripts (bots) in the mid-1990’s that could complete a purchase in a fraction of the time it would take a real human. This is how it all began.
Over time, bot creators started placing orders for other people and charging a premium. They would buy large quantities of high demand items and resell them to the public on the secondary market at inflated prices. This practice is known in the U.S. as “scalping,” and so the bots consequently became known as “scalper bots.” In our articles we favor the term “reseller bots.”
In the early 2000s, several forces combined to drive a leap forward in bot capabilities.3 As more and more people began reselling high demand items, bots started to compete with one another in order to get access to inventory. This created a need for higher performance bots capable of performing ever faster transactions. At the same time, retailers began to clamp down on the practice, which also drove demand for bots that could evade retailer’s anti-bot defenses.
It was at this point that professional bot makers emerged and began engineering bots that were faster and could bypass retailers’ anti-bot defenses. In exchange for a license fee, this new professional tier of bots also came with full product support. Bot creators were careful to limit the number of bot licenses they sold, however, to keep the success rate high and to prevent their buyers competing against each other for inventory.
To support this professionalized software, an entire ecosystem of supporting actors emerged, offering add-on services such as web proxies, CAPTCHA solvers, reshipper networks, payment processors, and logistics partners. These allowed resellers to professionalize their operations and scale into the large, well-resourced businesses that they are today. The entire reseller bot ecosystem will be detailed in the next article in this series.
The Unexpected Business Impact Of Reseller Bots
The primary objective of retailers and manufacturers is to sell all their available inventory. Given that reseller bots buy all of the available inventory, on the surface it would seem that these bots are a boon for retailers and manufacturers. In reality, however, reseller bots cause headaches on a number of financial and operational levels.
Before we get into the issues that reseller bots cause for retailers and manufacturers, however, it is important to understand an important distinction among bots and the people who run them. This distinction is not about the use of the bots themselves, but the source of funds used to purchase LTO items. All resellers are trying to obtain high-demand items to resell, but some are “legitimate” entrepreneurs who pay for their purchases with their own funds. Their entire business model is based on a form of arbitrage, that is, reselling inventory for more than they paid. These legitimate resellers stand in contrast to cybercriminals and fraudsters who use stolen credit cards, gift cards, or other illicit funds to acquire items. They have a significantly higher profit margin since they acquire the limited release items for essentially for free (less any cost of acquiring the stolen payment methods). As you can imagine, cybercriminals also have a significantly larger impact on organizations than the legal resellers, starting with the impact of their fraudulent use of funds.
Because criminal reseller bots use stolen funds to buy commodities, they pose a significant fraud risk for retailers and manufacturers. The retailer accepting card payments is responsible for detecting fraud and is on the hook for any transactions they process that turn out to be fraudulent, but it is often extremely difficult for ecommerce sites to distinguish “legitimate” bots from criminal bots in the split-seconds during which online transactions take place. This fraud risk manifests as chargebacks from financial institutions for purchases made with stolen credit cards/gift cards or illicit funds. These chargebacks have several implications:
- Lost revenue: the business must reimburse the funds back to the stolen credit cards, gift cards, or bank accounts.
- Lost inventory: the business loses inventory that goes out the door and was never paid for.
- Fines: if chargebacks exceed a specified threshold, credit card companies will punish the business with fines which can reach tens of thousands of dollars. They may also impose restrictions that make it harder for the business to process card payments in a timely manner, which can impact their sales revenue.
- Lost time and resources: the business may need to participate in criminal investigations with law enforcement, which consumes resources including time.
Real, loyal customers of a given retailer/manufacturer will often buy more products at a time—not just the sale item but also accessories, complementary products, and maybe something else they’ve been eyeing. As a result, the average basket size of legitimate users tends to be a lot higher than that of reseller bots. These bots typically only purchase the LTO item and nothing else. For example, a reseller bot might only purchase a Sony PS5 console, whereas a real customer might purchase additional controllers and some new games as well. By selling all the inventory to the bots, the retailer actually ends up with less total revenue.
Retailers and manufacturers also benefit from a direct relationship with the customer. Because the retailer has the customers’ contact information if they buy something, the retailer can then market to this customer, encourage them to sign up for their loyalty program, and inform them of other items they might like. Over time this leads to loyalty and increased lifetime value (LTV) of the customer, which in turn leads to higher revenues. If the most valuable sale items are purchased by reseller bots, even the “legitimate” (that is, non-criminal) ones, then retailers and manufacturers miss out on an opportunity to create a direct relationship with the customer and that increased LTV.
Brand Reputational Damage
Loyal customers of a retailer are likely to be frustrated by being unable to secure their prized limited release items at the recommended price. This can cause them to:
- Purchase items from a different brand rather than purchase the items at an inflated price.
- Run the risk of purchasing the items on the secondary market where they can fall victim to scammers and risk getting counterfeit products, which further erodes the brand value.
- Even those customers that are able to secure the limited release items on the secondary market at the inflated price are likely to be left with resentment and a feeling of being taken advantage of.
Many of these frustrated customers usually take to social media to voice their frustrations. These posts and negative brand sentiment will affect the brand’s ability to attract new customers and generate revenue even from non-sale inventory. Figure 1 shows some examples of social media posts by frustrated customers who could not get their hands on LTO Taylor Swift tickets because of reseller bots:
Denial of Service
In order to secure the LTO items, reseller bots operate at very high speeds, which results in a large amount of traffic being sent to the retailers website, especially when disparate actors are competing against each other for the same inventory. The sheer number of web requests (typically millions of transactions per hour) can often create an inadvertent denial-of-service outage. This poses several problems for retailers:
- Reputational damage — much anticipated and publicized product launches are ruined by site or app crashes when nobody can acquire any of the new products. This kills the excitement about the product launch and frustrates customers.
- Revenue impact — if the app or site is offline then very little or no revenue will be generated. This not only affects the limited release sale but the entire infrastructure, meaning no revenue is being generated at all.
- Operational cost — as a result of the strain on infrastructure, organizations have to devote worker time, and occasionally even additional capital for additional capacity.
Many retailers and manufacturers do try to ensure that limited inventory items are sold to genuine customers and not reseller bots. Unfortunately, this is a complex problem to solve and comes with its own operational and financial overhead, including additional human resources, licensing fees for other tools, customer support, and social media teams.
In addition to preventing sales to reseller bots, the task of mitigating their negative impacts comes with its own costs. Retailers need to confront issues such as shipping delays due to post-sale analytics, false positives (in which real customers are incorrectly identified as reseller bots), and negative publicity from frustrated potential customers.
Business Contract Loss
Retailers also risk losing manufacturers’ business due to reseller bots. Bots increase the risk that genuine ecommerce sites might lose large business contracts or fail to acquire new ones. If genuine ecommerce sites are unable to demonstrate that they can keep inventory out of the hands of resellers, manufacturers will be less willing to work with them. Some manufacturers even have contractual clauses requiring retailers to minimize the impact of reseller bots.
Defending Against Reseller Bots
Retailers already have a number of options to defend against reseller bots, and each approach has several pros and cons. Some approaches are effective against unsophisticated bots only, while others only provide minimal efficacy or short term relief. Table 1 summarizes the most common defensive approaches against reseller bots, listing the pros and cons of each approach and rating its efficacy based on our experience.