
Reseller Bots: Defining the Problem

Far from a minor annoyance, reseller bots create significant problems for manufacturers and retailers. Learn how we got here, why they’re such a problem, and what we can do about it.
By Tafara Muwandi (additional contributions by Sander Vinberg)
December 16, 2022

Bots are not new. Attackers have used bots to achieve scalability in a variety of attack techniques for decades, and defenders have been fighting bots, to varying degrees of success, for just as long. However, two events in 2022—the prolonged acquisition of Twitter by Elon Musk, with its attendant discussion about exactly how much of Twitter’s traffic is genuinely human,[1] and the Taylor Swift concert ticket debacle in late November—thrust bots into the public eye.[2] As a result, this is a great time to examine a particular kind of automated threat that is a huge headache for many ecommerce platforms: reseller bots.

While some bots have benign and even useful purposes, such as search engine crawlers, many bots are used by those looking to attack applications or exploit loopholes in business logic. Any interaction with a website or API which is capable of being automated is an opportunity to create a bot. For anyone wanting to get up to speed on the basics of bots, what they are, and what they’re capable of, take a look at our primer: Good Bots, Bad Bots, And What You Can Do About Both.

What Are Reseller Bots, and Where Did They Come From?

Simply put, reseller bots are bots designed to buy high-demand commodities faster than any human can, so that the bots’ owner—who is known as a reseller—can sell them at a profit. Resellers thrive in markets in which demand far exceeds supply, so they tend to target limited time offer (LTO) sales. This includes commodities like limited edition sneakers (e.g. Air Jordans, Adidas, Nike), concert/event tickets, video game consoles (e.g. Nintendo Switch and Sony PS5), and fashion (e.g. Supreme, Yeezy, Fear of God, Kith). The demand for these items is so high that people queue outside retail locations for hours to try to get them.

In the digital world, these items are usually sold on a first come, first served basis. In the early days of the Web, this limited stock and high demand created an incentive for buyers to find ways to complete the online purchase faster than other customers. To this end, tech-savvy buyers started creating automated computer scripts (bots) in the mid-1990s that could complete a purchase in a fraction of the time it would take a real human. This is how it all began.

Over time, bot creators started placing orders for other people and charging a premium. They would buy large quantities of high demand items and resell them to the public on the secondary market at inflated prices. This practice is known in the U.S. as “scalping,” and so the bots consequently became known as “scalper bots.” In our articles we favor the term “reseller bots.”

In the early 2000s, several forces combined to drive a leap forward in bot capabilities.[3] As more and more people began reselling high-demand items, bots started to compete with one another for access to inventory. This created a need for higher-performance bots capable of performing ever faster transactions. At the same time, retailers began to clamp down on the practice, which also drove demand for bots that could evade retailers’ anti-bot defenses.

It was at this point that professional bot makers emerged and began engineering bots that were faster and could bypass retailers’ anti-bot defenses. In exchange for a license fee, this new professional tier of bots also came with full product support. Bot creators were careful to limit the number of bot licenses they sold, however, to keep the success rate high and to prevent their buyers from competing against each other for inventory.

To support this professionalized software, an entire ecosystem of supporting actors emerged, offering add-on services such as web proxies, CAPTCHA solvers, reshipper networks, payment processors, and logistics partners. These allowed resellers to professionalize their operations and scale into the large, well-resourced businesses that they are today. The entire reseller bot ecosystem will be detailed in the next article in this series.

The Unexpected Business Impact Of Reseller Bots

The primary objective of retailers and manufacturers is to sell all their available inventory. Given that reseller bots buy all of the available inventory, on the surface it would seem that these bots are a boon for retailers and manufacturers. In reality, however, reseller bots cause headaches on a number of financial and operational levels.

Before we get into the issues that reseller bots cause for retailers and manufacturers, however, it is important to understand a key distinction among bots and the people who run them. This distinction is not about the use of the bots themselves, but the source of funds used to purchase LTO items. All resellers are trying to obtain high-demand items to resell, but some are “legitimate” entrepreneurs who pay for their purchases with their own funds. Their entire business model is based on a form of arbitrage, that is, reselling inventory for more than they paid. These legitimate resellers stand in contrast to cybercriminals and fraudsters who use stolen credit cards, gift cards, or other illicit funds to acquire items. They have a significantly higher profit margin since they acquire the limited release items for essentially free (less any cost of acquiring the stolen payment methods). As you can imagine, cybercriminals also have a significantly larger impact on organizations than the legal resellers, starting with the impact of their fraudulent use of funds.

Fraud

Because criminal reseller bots use stolen funds to buy commodities, they pose a significant fraud risk for retailers and manufacturers. The retailer accepting card payments is responsible for detecting fraud and is on the hook for any transactions they process that turn out to be fraudulent, but it is often extremely difficult for ecommerce sites to distinguish “legitimate” bots from criminal bots in the split-seconds during which online transactions take place. This fraud risk manifests as chargebacks from financial institutions for purchases made with stolen credit cards/gift cards or illicit funds. These chargebacks have several implications:

  1. Lost revenue: the business must reimburse the funds back to the stolen credit cards, gift cards, or bank accounts.
  2. Lost inventory: the business loses inventory that goes out the door and was never paid for.
  3. Fines: if chargebacks exceed a specified threshold, credit card companies will punish the business with fines which can reach tens of thousands of dollars. They may also impose restrictions that make it harder for the business to process card payments in a timely manner, which can impact their sales revenue.
  4. Lost time and resources: the business may need to participate in criminal investigations with law enforcement, which consumes resources including time.

Decreased Revenue

Real, loyal customers of a given retailer/manufacturer will often buy more products at a time—not just the sale item but also accessories, complementary products, and maybe something else they’ve been eyeing. As a result, the average basket size of legitimate users tends to be a lot higher than that of reseller bots. These bots typically only purchase the LTO item and nothing else. For example, a reseller bot might only purchase a Sony PS5 console, whereas a real customer might purchase additional controllers and some new games as well. By selling all the inventory to the bots, the retailer actually ends up with less total revenue.

Retailers and manufacturers also benefit from a direct relationship with the customer. Because the retailer has the customers’ contact information if they buy something, the retailer can then market to this customer, encourage them to sign up for their loyalty program, and inform them of other items they might like. Over time this leads to loyalty and increased lifetime value (LTV) of the customer, which in turn leads to higher revenues. If the most valuable sale items are purchased by reseller bots, even the “legitimate” (that is, non-criminal) ones, then retailers and manufacturers miss out on an opportunity to create a direct relationship with the customer and that increased LTV.

Brand Reputational Damage

Loyal customers of a retailer are likely to be frustrated by being unable to secure their prized limited release items at the recommended price. This can cause them to:

  1. Purchase items from a different brand rather than purchase the items at an inflated price.
  2. Run the risk of purchasing the items on the secondary market where they can fall victim to scammers and risk getting counterfeit products, which further erodes the brand value.
  3. Even those customers that are able to secure the limited release items on the secondary market at the inflated price are likely to be left with resentment and a feeling of being taken advantage of.

Many of these frustrated customers take to social media to voice their frustrations. These posts and the negative brand sentiment they create affect the brand’s ability to attract new customers and generate revenue, even from non-sale inventory. Figure 1 shows some examples of social media posts by frustrated customers who could not get their hands on LTO Taylor Swift tickets because of reseller bots:

Figure 1. Frustrated would-be customers who lost out on concert tickets due to reseller bots. Source: Twitter.

Denial of Service

In order to secure the LTO items, reseller bots operate at very high speeds, which results in a large amount of traffic being sent to the retailer’s website, especially when disparate actors are competing against each other for the same inventory. The sheer number of web requests (typically millions of transactions per hour) can often create an inadvertent denial-of-service outage. This poses several problems for retailers:

  1. Reputational damage — much anticipated and publicized product launches are ruined by site or app crashes when nobody can acquire any of the new products. This kills the excitement about the product launch and frustrates customers.
  2. Revenue impact — if the app or site is offline then very little or no revenue will be generated. This not only affects the limited release sale but the entire infrastructure, meaning no revenue is being generated at all.
  3. Operational cost — as a result of the strain on infrastructure, organizations have to devote worker time, and occasionally even additional capital for additional capacity.

Operational Overhead

Many retailers and manufacturers do try to ensure that limited inventory items are sold to genuine customers and not reseller bots. Unfortunately, this is a complex problem to solve and comes with its own operational and financial overhead, including additional human resources, licensing fees for other tools, customer support, and social media teams.

In addition to preventing sales to reseller bots, the task of mitigating their negative impacts comes with its own costs. Retailers need to confront issues such as shipping delays due to post-sale analytics, false positives (in which real customers are incorrectly identified as reseller bots), and negative publicity from frustrated potential customers.

Business Contract Loss

Retailers also risk losing manufacturers’ business due to reseller bots. Bots increase the risk that genuine ecommerce sites might lose large business contracts or fail to acquire new ones. If genuine ecommerce sites are unable to demonstrate that they can keep inventory out of the hands of resellers, manufacturers will be less willing to work with them. Some manufacturers even have contractual clauses requiring retailers to minimize the impact of reseller bots.

Defending Against Reseller Bots

Retailers already have a number of options to defend against reseller bots, and each approach has several pros and cons. Some approaches are effective against unsophisticated bots only, while others only provide minimal efficacy or short term relief. Table 1 summarizes the most common defensive approaches against reseller bots, listing the pros and cons of each approach and rating its efficacy based on our experience.

Table 1 lists, for each approach: a description, its pros (+), its cons (-), and its efficacy rating out of 5.

Obfuscation
Description: Making it hard for attackers to know when limited-offer items are available, e.g. by running flash sales.
+   Effective in the short run, since attackers cannot plan for the sale in advance
+   Allows real customers to get access to limited-offer items
-   Hard for real customers to know about the sale
-   Limits the hype and brand publicity created by publicized sales
-   Reduced revenue, since fewer people will have missed out on the limited item and bought other items instead
-   Attackers can use web scraping to learn about a sale
Efficacy: ☆☆☆☆

Virtual waiting rooms
Description: At the time of the sale, all users wanting to purchase the sale items are placed in a virtual waiting room, and only a specified number of users are allowed on the website at a time.
+   Protects the origin server and stops it from being overwhelmed
-   Bots are usually at the top of the line and first out of the waiting room
-   Does not stop bots buying out sale items
-   Real users end up frustrated in the waiting room
-   No long-term efficacy
Efficacy: ☆☆☆☆

Lottery draws
Description: Instead of allocating limited items on a first come, first served basis, all potential buyers have time to apply to buy, and then winners are drawn from a lottery.
+   Gives legitimate customers the illusion of fairness
+   Can increase revenues, as more real users will engage with the sale and might buy other items
-   Bots will create thousands of fake accounts, ensuring they get the bulk of the allocation
-   Even unsophisticated bots can bypass this defense
-   Eventually real users realize that their chances of winning are low and stop engaging
-   No long-term efficacy
Efficacy: ☆☆☆☆

CAPTCHA
Description: Using CAPTCHA challenges for all users to prove they are human before allowing them to participate in the sale.
+   Effective against unsophisticated bots
+   Effective against some sophisticated bots the first time
-   Sophisticated bots can now easily solve and bypass CAPTCHA
-   Human CAPTCHA-solving services can solve CAPTCHAs for bots quickly, easily, and at scale
-   Causes friction and frustration for legitimate customers
-   No long-term efficacy
Efficacy: ★★☆☆☆

Throttling
Description: Using a WAF or other systems to rate limit the volume of traffic from specific IPs and User Agents.
+   Effective against unsophisticated bots
+   Effective against some sophisticated bots the first time
-   High risk of false positives if real users are behind NAT or on mobile IPs
-   Ineffective against sophisticated attackers
-   No long-term efficacy
Efficacy: ★★☆☆☆

Account-based limits
Description: Limit the number of units purchased by, or the dollar spend on, a given account or credit card.
+   High initial efficacy rate
+   Bots have to fundamentally change their approach
-   Requires significant development work to implement
-   Bots easily bypass it by creating a large number of fake accounts
-   Some banks and FinTechs offer single-use credit cards that can be used to bypass credit card spending limits
Efficacy: ★★☆☆☆

Post-sale data analytics
Description: Delay shipping on all transactions until data analytics has been used to weed out the bot purchases.
+   Effective if done right
+   Provides reasonable short- to medium-term efficacy
+   Needs continuous refinement to stay ahead of attackers
-   Expensive and time consuming; needs experts
-   May introduce significant shipping delays
-   May lead to over- or under-selling inventory
-   Susceptible to reverse engineering by attackers
Efficacy: ★★★★

In-store only sales
Description: Only sell limited sale items in physical stores.
+   Bots cannot buy items that are not sold online
+   Highest efficacy rate
-   Not an option for brands without a significant retail store footprint
-   Excludes a large section of customers
-   May result in crowd control and other security risks at the store locations
Efficacy: ★★★★★

Basic Bot Defense
Description: Technical bot defense solution that evaluates transactions using simple JavaScript challenges, device fingerprinting, and user behavior analytics.
+   Effective against low- and medium-sophistication bots
+   Cheap and easy to deploy
-   Not effective against sophisticated bots
-   Can be easily bypassed in the medium to long term
Efficacy: ★★★☆☆

Advanced Bot Defense
Description: Enterprise-grade advanced bot defense solutions that build on basic defense strategies, using AI/ML to respond to changing bot tactics.
+   Effective against sophisticated bots
+   Able to adapt to changing bot tactics
+   Good long-term efficacy
-   Expensive and more involved to deploy
-   Long-term efficacy can vary widely by provider
Efficacy: ★★★★★

Table 1. Comparison of bot mitigation strategies. The two “technical” controls, Basic and Advanced Bot Defense, are distinct in that they should be transparent to human users and therefore create no business friction.


One of the most important distinctions among anti-bot mitigations is between those controls that occur at the business level and impinge on all sales transactions, and technical controls that run behind the scenes and transparently enable legitimate transactions to happen. Most of the controls listed here manifest at the level of business operations, which means that they add friction to all sales. Indeed, many of these controls, such as CAPTCHA and in-store only sales, place the burden primarily on human customers. In contrast, there are two types of technical controls that are oriented around identifying bots without impacting human customers. We will go into much greater detail about the difference between these approaches, but for now we’ve just labeled them as Basic Bot Defense and Advanced Bot Defense.
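Two of the business-level controls in Table 1, account-based limits and post-sale data analytics, can be combined: rather than blocking at checkout, a retailer holds shipment on orders that trip several independent signals. The example below is added here to illustrate that idea and is not code from the article or from F5; the order fields, thresholds, and weights are assumptions, and the orders are constructed sample data. It correlates orders across a whole sale so that the fake-account bypass noted in the table (many accounts, one drop address or one device) becomes visible, while a single weak signal such as a fast checkout does not hold a real customer's order on its own.

```python
from collections import defaultdict
from dataclasses import dataclass

# Field names, thresholds and weights are assumptions for this example.
@dataclass(frozen=True)
class Order:
    order_id: str
    account_id: str
    ship_address: str   # normalized shipping address
    device_fp: str      # client-side device fingerprint
    units: int          # units of the limited item in the basket
    placed_at: float    # seconds after the sale opened

MAX_UNITS_PER_ACCOUNT = 1
MAX_ACCOUNTS_PER_ADDRESS = 2   # more accounts than this sharing an address
MAX_ACCOUNTS_PER_DEVICE = 1    # more accounts than this sharing a device
BURST_WINDOW_SECONDS = 2.0     # checkout completed faster than a human could
HOLD_THRESHOLD = 2             # a weak signal alone does not hold a shipment

def score_orders(orders):
    """Return {order_id: (score, reasons)} across a whole sale's orders."""
    accounts_by_address = defaultdict(set)
    accounts_by_device = defaultdict(set)
    for o in orders:
        accounts_by_address[o.ship_address].add(o.account_id)
        accounts_by_device[o.device_fp].add(o.account_id)
    scored = {}
    for o in orders:
        signals = []
        if o.units > MAX_UNITS_PER_ACCOUNT:
            signals.append((2, "unit limit exceeded"))
        if len(accounts_by_address[o.ship_address]) > MAX_ACCOUNTS_PER_ADDRESS:
            signals.append((2, "address shared by many accounts"))
        if len(accounts_by_device[o.device_fp]) > MAX_ACCOUNTS_PER_DEVICE:
            signals.append((2, "device shared by multiple accounts"))
        if o.placed_at < BURST_WINDOW_SECONDS:
            signals.append((1, "checkout faster than human-plausible"))
        scored[o.order_id] = (sum(w for w, _ in signals), [r for _, r in signals])
    return scored

def orders_to_hold(orders):
    """Order ids whose shipment should wait for manual review."""
    return {oid for oid, (score, _) in score_orders(orders).items()
            if score >= HOLD_THRESHOLD}

# Constructed sample: one sale, six orders (not real data).
SAMPLE_ORDERS = [
    Order("o1", "a1", "1 Main St", "dev-1", 1, 45.0),   # ordinary customer
    Order("o2", "b1", "9 Reship Ln", "dev-2", 1, 0.4),  # fake-account cluster
    Order("o3", "b2", "9 Reship Ln", "dev-2", 1, 0.5),  # same device as o2
    Order("o4", "b3", "9 Reship Ln", "dev-3", 1, 0.6),  # same drop address
    Order("o5", "c1", "5 Oak Ave", "dev-4", 3, 30.0),   # over the unit limit
    Order("o6", "e1", "7 Elm Rd", "dev-5", 1, 1.2),     # fast but alone: not held
]

if __name__ == "__main__":
    for oid, (score, reasons) in score_orders(SAMPLE_ORDERS).items():
        print(oid, score, reasons)
    print("hold:", sorted(orders_to_hold(SAMPLE_ORDERS)))
```

The thresholds are the tuning knobs the table warns about: set too tight they produce the false positives and shipping delays listed as cons, set too loose they let the fake-account cluster through.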

Reseller Bots: Highly Capable, Deeply Impactful

Hopefully it is clear by now that the bots outcompeting humans for luxury commodities aren’t being built by naughty kids who just want totally radical shoes. Rather, the reseller bot industry is highly professionalized and deeply impactful to businesses. It is also important to understand the distinction between resellers using legitimate funds to buy commodities, and cybercriminals using stolen funds to buy commodities. While the non-criminal resellers are not retailers’ friends, their impact pales in comparison to the cybercriminal resellers, largely as a result of chargebacks that merchants face when fraud victims dispute payment card charges.

It is also important to understand the distinction between “business-level” anti-bot strategies that inevitably interfere with sales operations—such as lottery systems, in-store-only sales, and CAPTCHA—and technical anti-bot strategies that are largely transparent to human users. We will explore the finer points of this distinction, and what it means for the future of the bot/anti-bot arms race, in future pieces.

Authors & Contributors
Tafara Muwandi (Author)
RVP of Data Science
Sander Vinberg (Contributor)
Threat Research Evangelist, F5 Labs
Footnotes

[1] https://edition.cnn.com/2022/10/10/tech/elon-musk-twitter-bot-analysis-cyabra/index.html

[2] https://www.theguardian.com/us-news/2022/nov/17/tennessee-ticketmaster-investigation-taylor-swift-tickets, https://www.theguardian.com/music/2022/nov/18/taylor-swift-tickets-ticketmaster-live-nation-us-justice-department

[3] One of the earliest resellers that rose to international notoriety was Ken Lowson of Wiseguy Tickets. Between its founding in 1999 and its closure in 2010 following Ken Lowson’s indictment, Wiseguy Tickets resold more than 2.5 million tickets, netting more than $25 million in profits.
