Controls

Reseller Bots: Understanding the Ecosystem

Resellers and their bots don’t work alone. A whole ecosystem of partners and facilitators supports them. Learn how they work together and what it means for retailers and defenders.
By Tafara Muwandi (additional contributions by Sander Vinberg)
January 12, 2023
11 min. read
Table of Contents
Benign (Mostly)
Manufacturers
Retailers
Buyers
Malicious (Mostly)
Resellers
Bot Makers
Click Farms and CAPTCHA Bypass Providers
Neutral/Mixed Intentions
Proxy/VPN Service Providers
Reshippers
Secondary Marketplaces
Marketing and Communication Platforms
Payments Facilitators
Conclusion

In our previous article exploring reseller bots, we explored the emergence and impact of bots that specialize in targeting ecommerce, as well as some of the countermeasures that are available to retailers, manufacturers, and security practitioners. That article also alluded to the deep and diverse field of supporting entities who make reselling operations possible.

This piece will delineate that ecosystem, the various entities within it, and how they interact. This is important not just to understand the professionalism of that economy, but to recognize why stopping resellers is a pernicious hydra of a problem. Before we dive into each entity, it helps to look at the entire system from a bird’s eye view. Figure 1 shows the entire system, including the benign, malicious, and hybrid or neutral forces at play.

Figure 1. The reseller bot ecosystem. The normal path of commodity exchange is on the left, with buyers purchasing both through retailers and direct from manufacturers. On the right are all of the entities that support resellers in diverting sales to their advantage.
Figure 1. The reseller bot ecosystem. The normal path of commodity exchange is on the left, with buyers purchasing both through retailers and direct from manufacturers. On the right are all of the entities that support resellers in diverting sales to their advantage.

With an understanding of the overall picture, let’s examine each type of entity in detail.

Benign (Mostly)

These are actors who are completely or primarily benign, in the sense that they are operating legally and their actions do not diminish the value of another actor in the system.

Manufacturers

These are the brand owners that are responsible for designing, manufacturing, marketing, and distributing products. With ecommerce making it possible for manufacturers to have a global presence even without brick and mortar stores, most manufacturers today both sell through retailers and maintain significant direct-to-consumer businesses. Examples of manufacturers would be fashion brands like Supreme, Nike, Adidas and Puma.

Retailers

Retailers are intermediaries that purchase products from manufacturers and sell to consumers. This category includes primarily ecommerce operations like Amazon, strictly brick and mortar operations, or hybrid players like Walmart, Target and Nordstrom. Retailers typically must comply with requirements from manufacturers on when and how to distribute their products.

Buyers

Taken at face value, this group should be self-evident. In a reselling context, these are people who purchase commodities from resellers on the secondary market at premium prices. This group is the key to the entire value chain, since they are the ones who create demand and pay for goods. However, buyers in the secondary market have a variety of motivations which affect how far they are willing to go to obtain LTO commodities, which has ramifications for many other entities in the system.

Buying to Keep/Use

These buyers are trying to acquire commodities for themselves or a loved one. Since resellers thrive in the high-demand, low supply dynamics surrounding limited time offers (LTOs), most of the buyers that are still trying at this point are superfans who are emotionally attached to a product or brand and are willing to pay extra as a result.

To differentiate between human and bot traffic during the original transaction, it is also useful to consider why these buyers are shopping in the secondary market. Some of the buyers who intend to keep and use these commodities are spatially close to the original sale, but missed out (ironically, this is often due to the activities of reseller bots). Others live in places where retailers and manufacturers cannot or will not do business. In other words, some of resellers’ customers could have bought the product directly in theory, but not in practice, and some of them couldn’t have bought the product even in theory.

Buying to Resell (Again)

Resellers also buy inventory from other resellers. This might be because they were unable to purchase inventory in the original sale, or were unable to secure enough and want to buy the balance on the secondary market. Resellers also are sometimes unable to purchase items from retailers or manufacturers for the same reason other buyers are: because the product is not available in their market, or not available to unlicensed vendors. No matter their motivation, these resellers buy large quantities of inventory on the secondary market as long as they are able to sell it on at a bigger price premium. This means that the reseller economy is subject to many of the same time and pricing pressures that affected the original market, which can have the effect of squeezing buyers yet again.

Edge Case: Speculators

Speculators are buyers with a foot in both categories, which makes them an interesting case. These people buy commodities on the secondary market with the intent to resell them, but only after they have appreciated over the long term. While their motivation to resell puts speculators into a similar position as other resellers, they are also banking on being able to supply a completely different demand far into the future. Effectively, they are removing the commodity from the current economy, much like a regular buyer.

Malicious (Mostly)

These are actors who are primarily engaged in activity that is either illegal or detrimental to retailers and buyers: the resellers and their closest allies.

Resellers

These are the entities that license and run the reseller bots that purchase inventory from retailers at original product launches. They fund the purchase of the inventory with their own resources (benign resellers), or with stolen credit cards/gift cards (criminal resellers). Modern reselling is a sophisticated and complex operation, which means that in addition to merely licensing and running bots, resellers need to set up an entire business that usually includes but is not limited to the following business functions:

  • Financial management—ensuring they have enough cash to purchase what they need; managing product pricing, operating expenses, and profitability.
  • Inventory acquisition—acquiring and maintaining the best reseller bot technology; maintaining awareness of which products are going on sale when; understanding the dynamics of the resale market; reconnaissance of retailers’ sites to ensure they can circumvent available controls and acquire the required inventory.
  • Marketing—knowing how to spread the word that they are selling the high demand items and where people can buy. Resellers also occasionally take orders in advance of the original product sale. This helps the reseller estimate potential demand as well as know what sizes, colors, options, etc. to buy.
  • Inventory management—knowing how much inventory is on hand, the different sizes, colors, etc.
  • Sales—managing the sale of items on the secondary market and collect payments
  • Shipping and logistics—this serves both to aggregate the supply (since resellers might need to use many different addresses during the original sale to prevent detection by retailers) as well as to ship the product to the final buyer. Depending on the secondary market, the market may handle the shipping for the reseller. Resellers that take pre-orders can have the retailer ship the product straight to the buyer during the original sale, saving them the cost of shipping.
  • Customer service—dealing with returns, complaints or issues from the buyers.
  • Operations—ensuring all parts of the reseller operations work in concert with one another to deliver a good customer experience to the buyers and profits to the business

Bot Makers

As highlighted in our piece defining the reseller problem, the arms race among bot makers has led to the professionalization of the bot making economy. Professional bot makers specialize in creating, testing and optimizing reseller bots. There are many different bot makers with varying reputations, bot quality and pricing. The top bot makers create charge thousands of dollars for their creations, which feature superior performance and ability to bypass controls. Along with this professional engineering comes professional support, including free updates for customers, to ensure continuing success.

Click Farms and CAPTCHA Bypass Providers

One of the first anti-bot strategies was CAPTCHA—using simple puzzles to determine whether a given user is a human or merely pretending to be one. While some parts of the attacker community have focused on developing bots that can defeat a CAPTCHA on their own, most attackers tend to bypass these tests simply by employing actual humans to solve the CAPTCHAs. These services are easy to integrate into programmatic attacks and therefore scale up as easily as bot networks themselves. Given how widespread CAPTCHAs have become, CAPTCHA solving services and the related click farms have become critical for modern reselling operations that are reliant on high transaction speeds to out-compete other buyers. See Figure 2 for an explanation of the CAPTCHA solving process.

Figure 2. The CAPTCHA solving process for a single puzzle. Attackers send CAPTCHAs to solver networks, which pass them on to individual workers to solve. The solution is passed back to the attacker via the solver network API.
Figure 2. The CAPTCHA solving process for a single puzzle. Attackers send CAPTCHAs to solver networks, which pass them on to individual workers to solve. The solution is passed back to the attacker via the solver network API.

Neutral/Mixed Intentions

Many of the actors in this system are neither completely benign nor completely malicious. Some of these practices are bifurcated into legal and illegal practices, such as the rather obvious distinction between criminal and benign payment facilitators. Some of these provide services that can genuinely be used either way, such as reshipping services and VPN services. In many cases the service providers prefer not to know how their services are being used, and therefore occupy a grey area in which resellers and related entities thrive.

Proxy/VPN Service Providers

To appear to be many individual buyers and evade easy detection, reseller bots need to use IP addresses from a variety of different geographical locations and Internet service providers. To maximize the probability of success, these IP addresses have to be of high reputation, that is, they must not appear on any lists of known malicious IPs. Naturally, in such a mature industry, there are service providers that offer this to resellers. Not all of these are malicious—many benign users employ legitimate VPN services for privacy—but many of them are. Without these services, retailers would easily be able to detect and mitigate resellers’ efforts, so this represents a critical service for resellers today.

Reshippers

These are service providers that are in the business of receiving shipments on behalf of people and reshipping them to a secondary location. Reshippers are controversial, since there are both benign and nefarious reasons that people use them.

Benign Reshipping

Some buyers may live outside of geographic regions where their favorite ecommerce sites ship. These people will buy commodities, ship them to reshipping services within supported regions, and forward the deliveries to their home. Reshipping can also serve a benign purpose if an ecommerce company charges too much to ship internationally; in this case it might be more cost effective to employ the services of a reshipper.

Malicious Reshipping

In contrast, malicious resellers who buy items with stolen credit cards cannot ship the stolen items to their own house, as this will increase the probability that they get caught. Instead, they use a false name and a reshipping address when they check out. Depending on the level of sophistication and scale of the fraud, some criminals ship their stolen goods through a whole chain of reshippers. The rise in the use of malicious reshippers, and the fact that some of them do not maintain records to prevent being subpoenaed by law enforcement, has given this business a bad reputation.

Secondary Marketplaces

Resellers need a place to sell their products. They typically use large secondary marketplaces with a large built-in customer base and built-in additional services such as inventory management, shipping and logistics, payments collection, fraud detection, etc. Large secondary marketplaces include Amazon, eBay and StockX. There are also secondary markets that do not provide these additional services, such as Craigslist, Facebook Marketplace, TikTok, and Instagram. In these marketplaces, resellers simply post their wares and generate demand that they can service through another medium—offline, on their own or through other digital platforms. These secondary markets are especially attractive to both criminal resellers that do not want to be tracked, or those who have been banned from large marketplaces like eBay and Amazon.

Marketing and Communication Platforms

Many resellers use Telegram, Discord, or other communication channels to stay in touch with their buyers. This is where they source ideas on what products to target, collect pre-orders, deal with customer complaints, and so on. These platforms are essential to ensure the engagement, satisfaction, and loyalty of buyers, which is key for the operation of the reseller’s business.

Payments Facilitators

Just as IP addresses can give resellers away, so can a payment method. If thousands of seemingly different customers all use the exact same payment card information, that tells retailers that they’re being targeted by bots, even if the IP addresses are globally distributed. This kind of analysis by retailers has driven resellers to use a variety of payment facilitators to distribute their funds and avoid detection. As with reshippers, these facilitators can be either benign or malicious.

Benign Facilitators

There are a number of fintech companies and large banks that offer products to assist with this. One large US bank offers customers a browser extension that generates a new, single-use credit card number for each transaction. This feature is designed to protect customers’ credit card information online, but it also lends itself very well to the reseller bot’s use case. Some third-party payment providers like PayPal process payments for retailer sites, but do not pass as much buyer information on to the retailer as credit cards do. This creates a loophole that resellers can exploit to get around defensive controls.

Malicious Facilitators

In addition to the legal payment methods above, the criminal contingent of resellers needs stolen credit cards to fund their purchases, for which they engage the services of other criminals with access to validated stolen credit cards. Because these stolen cards cost resellers less than their shopping value at the retailer, criminal resellers are effectively getting a discount on the commodities they buy, leading to higher profit margins.

Separate from the facilitators trafficking in stolen goods are those who operate payment networks on the edge of legality— these are service providers with hundreds of payment cards that they lease out to resellers for a period of time, similar to how attackers can rent a botnet. This allows the reseller to leverage these cards and then get billed for their spend plus an additional fee.

Conclusion

When we noted that the reseller bot industry was professionalized, we not only meant that it was lucrative and therefore competitive, but also that it is highly differentiated and mature. These various specialized entities work together to ensure that the resellers can acquire inventory at scale and resell it at a profit. Keep in mind that the entire ecosystem is reliant upon the buyer, who ultimately supplies all the value in the system. Unfortunately, buyers vary widely in their habits and motivation, which makes permanently disrupting this business model and ecosystem very difficult. The next article in this series will illustrate these challenges by exploring some case studies around the fight against reseller bots.

Join the Discussion
Authors & Contributors
Tafara Muwandi (Author)
RVP of Data Science
About Tafara All Articles
Sander Vinberg (Contributor)
Threat Research Evangelist, F5 Labs
About Sander All Articles
TAGS: Reseller Bots Relevance Sneaker Bots Risk CISO Defending Clients Cybercrime Bots and Automated Attacks Bot Comparison Defending DDoS Defending Applications Innovation Controls automation Fraud New Approach

Read More from F5 Labs

2023 Identity Threat Report: The Unpatchables
2023 Identity Threat Report: The Unpatchables
11/01/2023 report 80 min. read
Sensor Intel Series: Top CVEs in February 2024
Sensor Intel Series: Top CVEs in February 2024
03/28/2024 article 5 min. read
2024 Bad Bots Review
2024 Bad Bots Review
03/14/2024 article 15 min. read