Bots and Automated Attacks

Black Friday Versus The Bots

What can last year’s Black Friday shopping trends teach us about expected attacker behavior during the 2024 holiday shopping season?
November 21, 2024

Introduction

Black Friday has long been a cornerstone of the retail calendar, not just in the United States but around the globe. During this period, including Thanksgiving weekend and Cyber Monday, consumers anticipate steep discounts and rush to purchase products both in-store and online. However, these low prices also bring about a surge in unethical buying practices and automated attacks that can disadvantage both retailers and genuine customers.

Last year, we delved into how malicious bots exploited Black Friday 2022 sales by analyzing data from retail enterprises protected by F5 Distributed Cloud Bot Defense. We concluded that, while Black Friday led to increased legitimate user traffic, there was no widespread rise in unwanted automation across online retailers as a whole. However, grocery enterprises on the web, and fashion and eCommerce mobile applications, did see a notable increase in automated attacks, with sharp rises in malicious automation targeting user login and user registration pages and a clear increase in attack sophistication during this period.

As retailers across the world brace for Black Friday 2024, they are wondering whether they will face similar challenges, or if new threats will emerge. This analysis hopes to shed some light on these questions based on Black Friday 2023, and suggest strategies to safeguard businesses and consumers in the upcoming Black Friday season.

Executive Summary

The 2023 Black Friday shopping season revealed critical insights into legitimate customer traffic and malicious automation trends. Retailers saw an impressive 46.6% increase in legitimate traffic compared to 2022 with elevated transaction volumes persisting for four days post-event. However, malicious automation declined slightly, year-on-year, a reduction largely attributed to the attackers growing weary of being continuously blocked.

Despite the overall decline, specific industries such as grocery and fashion retail experienced targeted automated attacks. Grocery retailers faced significant increases in bot-driven activities, particularly targeting web login and account registration flows, with malicious automation peaking at 21.8% on Black Friday. Similarly, fashion retailers were heavily impacted by bots targeting gift card abuse and account login pages. Mobile APIs also became a critical attack vector, with grocery retailers facing persistent scraping attacks on "add-to-cart" pages and fashion retailers enduring a surge in mobile API login automation leading up to Black Friday. These patterns demonstrate a shift in attacker behavior, with increased sophistication and focus on high-value flows such as fake account creation and credential stuffing.

Black Friday 2023 Analysis

Later sections in this article will explore the differences we found between how web and mobile apps are targeted, as well as highlight those industries most affected. Let us first start, however, at a high level and uncover whether malicious automation does indeed peak during periods of intense sales.

Legitimate Traffic Went Up!

In both 2022 and 2023, retail companies experienced a significant uptick in legitimate customer traffic leading up to Black Friday. The steep rise in the legitimate traffic volume during Black Friday 2023 is illustrated in Figure 1. Since Black Friday (labelled ‘BF’ in figures) falls on different days across the two years, the x-axis has been adjusted to show the number of days before and after ‘BF’ so we can easily compare the two years. This ‘BF’ scale for the x-axis will be used throughout this article.

Customer traffic to both web and mobile apps surged by 46.6% on Black Friday itself, with elevated transaction volumes persisting for the next four days (by contrast, 2022 saw an increase of 23.2% on Black Friday).

Figure 1: Legitimate Traffic Trend in November 2023 and 2022


Malicious Automation Went Down

Figure 2 shows the change in malicious automation volume between 2022 and 2023. The first thing to note is that automation volumes in 2023, taken as a whole across all industries and application types, were lower than in 2022. This may appear to be good news for many retailers although, as we explore in more detail later, some industries are more heavily targeted than others.

We saw an average of 7.6% automation in 2023, down from 17.1% in 2022. This decrease is primarily attributed to malicious actors giving up after persistently being blocked by F5 Distributed Cloud since 2022. Automated attack volumes tend to trend down over time when attacks are effectively blocked due to attackers throwing in the towel and moving on to new targets.

Figure 2: Automated Traffic Trend in November 2022 and 2023


Automation volume was also less volatile in 2023 compared with 2022 with only minor fluctuations throughout the 2023 Black Friday period. Digging deeper into this reduced volatility revealed that scrapers made up a much larger proportion of automation in 2023 compared with the previous year. Scrapers, such as those used by AI bots to harvest data, tend to have more consistent traffic patterns than other kinds of automation like reseller, gift card, fake account, and credential stuffing bots, which made up a larger proportion of 2022 automation.

Building Up to Black Friday

So far our analysis has focused on Black Friday and the three weeks preceding it. What can we learn if we look further back in time? We now go back three months before Black Friday and dive a little deeper. Figure 3 splits out the automation rates between ‘web’ (traditional websites) and ‘mobile’ (API calls made by mobile apps).

In 2023, while overall automation was down compared with 2022, malicious automation targeting web apps did increase in the month leading up to Black Friday. Bot traffic increased from 7.5% of all traffic to a peak of 14.0% a week before Black Friday. Automation remained between 10% and 12% of all traffic until the day of Black Friday when it dropped to previous values (7.9%).

This trend was not observed in 2022.

Two factors probably explain the drop in the proportion of web automation on Black Friday itself. First, the targeted goods may simply have sold out under legitimate demand, leaving reseller bots nothing to buy. Second, the surge in legitimate users inflates the denominator: because automation is reported as a percentage of all traffic, a 46.6% jump in human requests cuts the bot share by roughly a third even if the absolute number of bot requests is unchanged. Percentage figures on peak days should therefore be read alongside raw volumes.

Figure 3: Automation Percentage Day Over Day by Platform in 2022 and 2023

Web vs Mobile API automation

In addition to splitting the analysis into Web vs Mobile API, we also categorized the data by industry. Our analysis focused on the industries most targeted during Black Friday, namely: fashion retailers, eCommerce marketplaces, quick service restaurants (QSR) and large grocery chains. Each of these industries faced unique challenges and displayed different patterns of automated activity during the Black Friday period. This article will focus only on the industries with the most compelling insights.

Web App Automation

Figure 4 depicts 2023 web automation percentages for each industry, while Figure 5 summarizes the automation a month before, on the day of, and after Black Friday. We noticed a substantial surge in automation targeting the grocery industry. Automation in grocery increased from 7.0% before November, to 19.9% during the month of November before Black Friday, and further to 21.8% on Black Friday itself. This mirrors the pattern in 2022 where grocery also experienced a dramatic rise in automated activity during this period. This increased automation was associated with the creation of large volumes of fake accounts and logins into those accounts.

Figure 4: Automation Percentage on Web by Industry, August-November 2023
Figure 5: Aggregated automation levels on web platforms, broken down into three periods—pre-November, November leading up to Black Friday, and during Black Friday

Grocery Retailers Heavily Targeted

Figures 4 and 5 highlight a significant increase in automation leading up to Black Friday 2023. To understand the cause of this increase we looked at the application flows that the additional automation was targeting. Figure 6 shows a large spike in automation against the web login and register endpoints (URLs). This indicates a surge in attackers creating, and then logging into, large numbers of fake accounts for use during the Black Friday period. A similar increase in login automation was also observed in 2022, but automation targeting account registration was high throughout the 2022 period and did not see a marked increase. Automation on web grocery ‘add to cart’ flows remained consistently high throughout the 2023 Black Friday period.

Figure 6: Grocery Automation Percentage on Web for top 5 flows, August-November 2023
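The flow-level view in Figure 6, and the denominator caveat raised under “Building Up to Black Friday”, can both be reproduced from per-request bot-defense verdicts. The Python below is an added example written for this page, not F5 Labs code. It assumes a constructed log format of one line per request carrying the day relative to Black Friday, the method, the path and a bot/human verdict; the path-to-flow table is an assumption about a shop's URL layout. It flags any flow whose bot share on a given day is at least twice its pooled baseline share. The constructed sample carries the same 40 login bots a week before Black Friday and on the day itself; the share halves on the day only because legitimate traffic rises.

```python
"""Per-flow automation share and volume from constructed request logs.

Added example, not F5 Labs code. Assumed input: one line per request,
'<day_relative_to_BF> <method> <path> <verdict>', where the verdict is the
bot-defense classification ('bot' or 'human'). FLOWS is an assumed URL layout.
"""
from collections import defaultdict

FLOWS = {
    "/login": "login",
    "/register": "register",
    "/cart/add": "add_to_cart",
    "/search": "search",
    "/giftcard/balance": "gift_card",
}


def flow_for(path):
    """Map a request path (query string ignored) to a named application flow."""
    return FLOWS.get(path.split("?", 1)[0], "other")


def parse_log(text):
    """Return (day, flow, is_bot) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, _method, path, verdict = line.split()
        events.append((int(day), flow_for(path), verdict == "bot"))
    return events


def automation_by_day(events):
    """(day, flow) -> (bot_requests, total_requests, bot_share_percent)."""
    counts = defaultdict(lambda: [0, 0])
    for day, flow, is_bot in events:
        counts[(day, flow)][1] += 1
        if is_bot:
            counts[(day, flow)][0] += 1
    return {key: (b, t, 100.0 * b / t) for key, (b, t) in counts.items()}


def baseline_share(stats, baseline_days):
    """Pooled bot share per flow over the baseline days (bots / total, not mean of shares)."""
    pooled = defaultdict(lambda: [0, 0])
    for (day, flow), (bots, total, _share) in stats.items():
        if day in baseline_days:
            pooled[flow][0] += bots
            pooled[flow][1] += total
    return {flow: 100.0 * b / t for flow, (b, t) in pooled.items()}


def flag_spikes(stats, baseline_days, factor=2.0, min_requests=50):
    """Flows whose bot share on a non-baseline day is >= factor x their baseline share."""
    base = baseline_share(stats, baseline_days)
    flagged = []
    for (day, flow), (_bots, total, share) in sorted(stats.items()):
        if day in baseline_days or total < min_requests or flow not in base:
            continue
        if share >= factor * base[flow]:
            flagged.append((day, flow, round(share, 1), round(base[flow], 1)))
    return flagged


def synth_log(spec):
    """Expand (day, path, bots, humans) into log lines. Constructed data, not measurements."""
    lines = []
    for day, path, bots, humans in spec:
        method = "GET" if path == "/search" else "POST"
        lines += [f"{day} {method} {path} bot"] * bots
        lines += [f"{day} {method} {path} human"] * humans
    return "\n".join(lines)


# Constructed: day -7 login/register bots jump; day 0 (BF) keeps the same bot
# counts while human traffic rises by roughly 60%.
SAMPLE_SPEC = [
    (-21, "/login", 5, 95), (-21, "/register", 2, 98), (-21, "/cart/add", 10, 90), (-21, "/search", 8, 92),
    (-14, "/login", 6, 94), (-14, "/register", 3, 97), (-14, "/cart/add", 12, 88), (-14, "/search", 9, 91),
    (-7, "/login", 40, 60), (-7, "/register", 30, 70), (-7, "/cart/add", 12, 88), (-7, "/search", 9, 91),
    (0, "/login", 40, 160), (0, "/register", 30, 170), (0, "/cart/add", 12, 138), (0, "/search", 9, 141),
]
BASELINE_DAYS = {-21, -14}
STATS = automation_by_day(parse_log(synth_log(SAMPLE_SPEC)))

if __name__ == "__main__":
    for day, flow, share, base in flag_spikes(STATS, BASELINE_DAYS):
        print(f"day {day:+d} {flow:<12} bot share {share:5.1f}% vs baseline {base:.1f}%")
    # Same 40 login bots on both days; only the share moves once humans surge.
    print(STATS[(-7, "login")], STATS[(0, "login")])
```

The baseline is pooled (total bots over total requests) rather than an average of daily percentages so that a quiet day with a handful of requests cannot dominate it, and `min_requests` stops a near-empty flow from tripping the factor test on a single bot request.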

Fashion Retailers Hit by Gift Card Bots

Gift cards are a common target for organized crime groups because they convert to cash quickly and the funds are difficult to trace.

Figure 7: Automation Percentage on Fashion web platform by Flow, November 2023


Figure 7 shows a heatmap of the automation percentage during November for Fashion enterprises’ web flows. Automation was most prevalent on search pages in the first few weeks of November, indicating elevated scraping activity. The pattern then shifted from scraping product and add-to-cart pages to querying and abusing gift card pages. One reading is that a single set of actors scraped the available products, used bots to add that inventory to carts, and then attempted gift card fraud to pay for it in the lead-up to Black Friday. Equally, the activity may come from unrelated actors who each time their work for when it pays most: scraping once the catalogues are populated, and gift card balance checks just before Black Friday, when cards are most likely to be unspent.

Automation levels also spiked on critical web pages such as login, password reset, and account registration in the lead-up to Black Friday. This suggests that activities such as credential stuffing, fake account creation, or account takeover attempts were on the rise during this period.

Mobile API Automation

Just as we did for web applications, we also broke out malicious automation against Mobile APIs by the same four industries. Figure 8 illustrates the percentage of mobile API automation across these industries during the 2023 period, and Figure 9 shows the same for 2022.

Figure 8: Automation Percentage on Mobile API by Industry, August-November 2023
Figure 9: Automation Percentage on Mobile API by Industry, August-November 2022

A Change in Attacker Focus

As shown in Figure 9, Fashion and eCommerce experienced the highest levels of automation in 2022. However, in 2023 (Figure 8), Grocery and Fashion became the most targeted for automated activity against mobile APIs. The shape of the 2022 Grocery data partly explains this shift: login pages were a key objective for attackers targeting Grocery in 2022, but those attacks were intermittent, so overall automation levels on its mobile APIs stayed below those for Fashion and eCommerce.

In 2023, Grocery saw a significant increase in automation due to consistent high-volume scraping activity on add-to-cart pages. This activity inflated automation levels, making Grocery one of the most targeted industries for mobile APIs in 2023. This suggests that while Grocery dealt with sporadic login-related attacks like credential stuffing in 2022, it faced more frequent and intense scraping attacks in 2023.

In contrast, eCommerce saw the opposite trend. In 2022, it was heavily targeted by scraping activity on add-to-cart pages, leading to high levels of automation and making it one of the most targeted industries for mobile APIs. By 2023, automation targeting eCommerce mobile APIs declined significantly, with lower activity on both add-to-cart and login pages compared to 2022.

Grocery and eCommerce Saw Opposite Trends in the Weeks Prior to Black Friday

Most industries experienced an overall decline in automation percentage from 2022 to 2023, except for the Grocery industry which experienced an increase. However, automation targeting Grocery enterprises in 2023 saw a gradual decline specifically in the 3 weeks leading up to Black Friday, as illustrated in Figure 8. By contrast, eCommerce saw a notable increase in automation percentage during the two weeks before BF. This aligns with past trends, as eCommerce previously saw a 6-7x increase in Mobile API automation during Black Friday 2022, as highlighted in Figure 9.

Fashion and eCommerce Mobile APIs

2023 data showed significant parallels between automation targeting Fashion and eCommerce Mobile API login pages (Figure 10 and Figure 11 respectively).

Figure 10: Fashion Automation Percentage on Mobile API for top 5 flows, August-November 2023
Figure 11: eCommerce Automation Percentage on Mobile API for top 5 flows, August-November 2023

The Login lines show large spikes in automation targeting this flow on both Fashion and eCommerce. Fashion retailers saw this automation surge from 0.2% to 17.5% up to 11 days before Black Friday. eCommerce saw a similar spike in mobile API login automation peaking at 68.9% during the same period. These concurrent spikes across both industries suggest that attackers targeted Fashion and eCommerce simultaneously. Both industries offer significant Black Friday deals, making them prime targets for credential stuffing, account takeover and fake account driven reseller bot activity during this period.

In Fashion, mobile API gift card flows had the most automation prior to November 2023, peaking at 25% in October 2023 before decreasing to low single digits in November. This is consistent with attackers enumerating gift card numbers to find cards that still carry a balance, and draining them before their owners redeem them. eCommerce did not see elevated levels of automation on mobile API gift card flows, as shown in Figure 11: gift card automation remained very low throughout the entire 2023 period.

eCommerce also observed a substantial increase in fake account creation on mobile API account registration in mid-to-late October 2023, about a month before Black Friday. There was a smaller but still marked increase in automation on mobile API register around the same time in the Fashion industry. This is indicative of the importance of fake accounts to fraud in these sectors.
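The login spikes seen on web (login, password reset and registration) and on Fashion and eCommerce mobile APIs, together with the registration bursts about a month out, correspond to two detections a retailer can run over its own authentication events. The Python below is an added example written for this page, not F5 Labs code. The event format, the thresholds, and every address, device fingerprint and username are constructed; in production the source key would be the bot-defense device signal rather than a bare IP, which attackers rotate through proxies.

```python
"""Flag credential stuffing and fake-account bursts in login/registration events.

Added example, not F5 Labs code. Event format ('ts,source,endpoint,user,outcome'),
thresholds, addresses, fingerprints and usernames are all constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # epoch seconds
    source: str    # client IP or device fingerprint (assumed field)
    endpoint: str  # "login" or "register"
    user: str
    ok: bool       # authentication or registration succeeded


def parse_events(text):
    """Parse constructed 'ts,source,endpoint,user,outcome' lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, endpoint, user, outcome = line.split(",")
        events.append(Event(int(ts), source, endpoint, user, outcome == "ok"))
    return events


def detect_credential_stuffing(events, window=300, min_attempts=10,
                               min_distinct=8, max_success_ratio=0.2):
    """One source cycling through many usernames with mostly failures.

    A real customer retrying their own password fails the distinct-user test;
    a stuffing list fails the success-ratio test. Both must hold in one window.
    """
    by_source = defaultdict(list)
    for e in events:
        if e.endpoint == "login":
            by_source[e.source].append(e)
    alerts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda ev: ev.ts)
        win = deque()
        for e in evs:
            win.append(e)
            while win[0].ts < e.ts - window:   # slide: drop events older than the window
                win.popleft()
            if len(win) < min_attempts:
                continue
            users = {x.user for x in win}
            hits = sorted({x.user for x in win if x.ok})
            if len(users) >= min_distinct and len(hits) / len(win) <= max_success_ratio:
                # Keep the latest (widest) triggering window. hit_users are the accounts
                # the stuffer now holds valid credentials for.
                alerts[source] = {"attempts": len(win), "distinct_users": len(users),
                                  "hit_users": hits}
    return alerts


def detect_registration_bursts(events, window=600, min_registrations=5):
    """One source creating many accounts in a short window (fake-account farm)."""
    by_source = defaultdict(list)
    for e in events:
        if e.endpoint == "register" and e.ok:
            by_source[e.source].append(e.ts)
    bursts = {}
    for source, stamps in by_source.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while stamps[lo] < ts - window:
                lo += 1
            count = hi - lo + 1
            if count >= min_registrations:
                bursts[source] = max(bursts.get(source, 0), count)
    return bursts


# Constructed sample: a stuffing run (12 usernames in two minutes, one hit), a real
# customer mistyping a password three times, a six-account registration farm from one
# device fingerprint, and one ordinary sign-up.
SAMPLE_EVENTS = "\n".join(
    [f"{1700000000 + 10 * i},203.0.113.10,login,user{i:03d}@example.com,"
     f"{'ok' if i == 7 else 'fail'}" for i in range(12)]
    + [f"{1700000000 + 30 * i},198.51.100.7,login,alice@example.com,"
       f"{'ok' if i == 3 else 'fail'}" for i in range(4)]
    + [f"{1700000100 + 10 * i},fp-9a3c,register,bf{i}@mail.example,ok" for i in range(6)]
    + ["1700000500,198.51.100.8,register,bob@example.com,ok"]
)
EVENTS = parse_events(SAMPLE_EVENTS)

if __name__ == "__main__":
    print(detect_credential_stuffing(EVENTS))
    print(detect_registration_bursts(EVENTS))
```

The `hit_users` list is the actionable part of the stuffing alert: an account that authenticated successfully from inside a stuffing window should be treated as compromised and pushed through a password reset or step-up challenge, not just rate-limited.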

Conclusion

The analysis of automated traffic during Black Friday 2023 revealed significant trends in both legitimate and automated activity across various retail sectors. Despite an overall rise in legitimate customer traffic leading up to Black Friday, automated traffic showed nuanced changes, with a general decline in automation percentage across many industries. This decrease is attributed to attackers giving up in the face of persistent bot defense mitigation since 2022. Targeted attacks however persisted in high-demand industries like Grocery, eCommerce, and Fashion. Key patterns suggest that malicious automation is evolving, with attackers increasingly focusing on web and mobile API flows such as login and account registration. This shows an increased focus on fake account driven fraud/reseller bot activity, as well as potential account takeovers during the Black Friday period.

Industry-specific analysis highlights heightened automation in Grocery and Fashion retail, particularly in automated activities such as adding items to cart and fake account creation. In contrast, other sectors like eCommerce experienced fluctuating automation on both Web and Mobile API platforms as Black Friday approached, with spikes in Login attacks suggesting a focus on credential-stuffing and associated fraud activity.

Recommendations

  • Prepare for a surge in legitimate traffic of roughly 45-50% across both Web and Mobile API, based on the 46.6% increase observed on Black Friday 2023 (23.2% in 2022).
  • Strengthen Login and Registration endpoints: Since login and registration were the flows most targeted by bots, retailers should prioritize advanced bot protection on these endpoints for both Web and Mobile API, and extend it to password reset flows, which showed the same pattern.
  • Limit inventory exposure to reseller bots: For products expected to be in high demand, consider limiting inventory exposure on key sale days. Retailers could restrict the quantity of specific items per account or implement a “reserve and purchase” system that verifies user authenticity before the item is officially reserved.
  • Plan for quick adjustments on Black Friday: Be prepared to quickly deploy new bot defense configurations or Threat Intelligence packages as attack patterns evolve over Black Friday. Implement systems that allow for rapid adjustments to block new automation trends or shifts in attack sophistication.
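The inventory recommendation above, a per-account cap combined with a “reserve and purchase” flow, is easy to get wrong in two ways: enforcing the cap per order rather than per account (so a bot splits its purchase across carts), and letting unverified requests tie up stock (so a bot can hold inventory hostage without ever passing a challenge). The Python below is an added example written for this page, not F5 Labs code, showing one way to structure the flow. The SKU, policy numbers, account identifiers and the pass/fail verification result are constructed, standing in for whatever bot-defense or identity signal the retailer actually uses.

```python
"""Per-account purchase cap plus a reserve-then-verify flow for a high-demand SKU.

Added example, not F5 Labs code. SalePolicy values, account ids and the boolean
verification result are constructed; `passed` stands in for a bot-defense verdict.
"""
import itertools
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SalePolicy:
    sku: str
    per_account_cap: int   # units one account may buy in total during the sale
    sale_start: int        # epoch seconds
    sale_end: int
    hold_seconds: int      # how long a verified reservation stays open


class InventoryGuard:
    def __init__(self, policy, stock):
        self.policy = policy
        self.stock = stock                 # physical units not yet sold
        self.purchased = defaultdict(int)  # account -> units bought during the sale
        self.holds = {}                    # hold_id -> {account, qty, state, expires}
        self._ids = itertools.count(1)

    def _sweep(self, now):
        """Expire verified reservations that were never completed."""
        for h in self.holds.values():
            if h["state"] == "reserved" and now >= h["expires"]:
                h["state"] = "expired"

    def _committed(self, account):
        """Units bought plus units in open holds, counted per account, not per order."""
        held = sum(h["qty"] for h in self.holds.values()
                   if h["account"] == account and h["state"] in ("pending", "reserved"))
        return self.purchased[account] + held

    def _reserved_units(self):
        """Only verified reservations tie up stock; pending requests do not."""
        return sum(h["qty"] for h in self.holds.values() if h["state"] == "reserved")

    def request_hold(self, account, qty, now):
        self._sweep(now)
        p = self.policy
        if not (p.sale_start <= now < p.sale_end):
            return None, "outside_sale_window"
        if qty < 1 or self._committed(account) + qty > p.per_account_cap:
            return None, "cap_exceeded"
        if self._reserved_units() + qty > self.stock:
            return None, "out_of_stock"
        hold_id = next(self._ids)
        self.holds[hold_id] = {"account": account, "qty": qty, "state": "pending", "expires": None}
        return hold_id, "pending_verification"

    def verify(self, hold_id, passed, now):
        """Outcome of the authenticity check; only a pass turns the hold into a reservation."""
        h = self.holds.get(hold_id)
        if h is None or h["state"] != "pending":
            return "no_such_hold"
        if not passed:
            h["state"] = "rejected"
            return "rejected"
        h["state"] = "reserved"
        h["expires"] = now + self.policy.hold_seconds
        return "reserved"

    def purchase(self, hold_id, now):
        self._sweep(now)
        h = self.holds.get(hold_id)
        if h is None or h["state"] == "rejected":
            return "no_such_hold"
        if h["state"] != "reserved":
            return "not_verified" if h["state"] == "pending" else h["state"]
        h["state"] = "purchased"
        self.stock -= h["qty"]
        self.purchased[h["account"]] += h["qty"]
        return "purchased"

    def allowance(self, account, now):
        """Units this account may still request once expired holds are released."""
        self._sweep(now)
        return self.policy.per_account_cap - self._committed(account)


def run_scenario():
    """Constructed walk-through; returns outcome codes and final state for checking."""
    policy = SalePolicy("CONSOLE-X", per_account_cap=2, sale_start=1000, sale_end=2000, hold_seconds=120)
    g = InventoryGuard(policy, stock=5)
    out = []
    h1, r = g.request_hold("acct-1", 2, now=1000); out.append(r)   # pending_verification
    out.append(g.purchase(h1, now=1001))                            # not_verified
    out.append(g.verify(h1, passed=True, now=1001))                 # reserved
    out.append(g.request_hold("acct-1", 1, now=1002)[1])            # cap_exceeded: split cart, same account
    h2, r = g.request_hold("acct-2", 2, now=1003); out.append(r)   # pending_verification
    out.append(g.verify(h2, passed=False, now=1004))                # rejected: failed the bot check
    h3, r = g.request_hold("acct-3", 1, now=1005); out.append(r)   # pending_verification
    out.append(g.verify(h3, passed=True, now=1005))                 # reserved until 1125
    out.append(g.purchase(h1, now=1010))                            # purchased
    out.append(g.purchase(h3, now=1200))                            # expired
    out.append(g.request_hold("acct-1", 1, now=2500)[1])            # outside_sale_window
    return out, g.allowance("acct-1", now=1200), g.allowance("acct-3", now=1200), g.stock


if __name__ == "__main__":
    print(run_scenario())
```

Pending holds count against the requester's cap but not against stock, so a bot cannot queue dozens of unverified requests to either exceed its allowance or starve real buyers; an expired reservation releases both the stock and the account's allowance.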
Authors & Contributors
Adeolu Ogunnoiki (Author)
Data Scientist
Shuang Hao (Author)
Data Scientist
Tafara Muwandi (Contributor)
RVP of Data Science
David Warburton (Contributor)
Director, F5 Labs
