Continuing our deep dive into reseller bots, this article explores another real-world case of how a crime group using automated attacks profited from the purchase, and subsequent resale, of expensive and limited-stock sneakers. If you’re coming to this article fresh and would benefit from an extensive explainer on the reseller/shoe bot problem and the ecosystem in which these bots operate, check out our new Bots and Automated Attacks landing page.
Overview
The sneaker industry is one of the top sectors targeted by unauthorized resellers, who use highly specialized automation tools known as ‘sneaker bots’. These bots are specifically designed to target large shoe drops (sales) for limited edition and rare sneakers. Working with the F5 security team that helps defend against bots and automation, F5 Labs has spent time analyzing huge amounts of attack data from one of the largest shoe drops in recent history. Since the F5 Bot Defense service was still in a passive ‘monitoring mode’ during the event, we were able to get an inside look into the operations of these bots and track the activities of these resellers from start to finish without showing our hand. This allowed us to track the acquired inventory all the way to the secondary markets and to final consumers. This case study aims to share valuable insights into the operations of these shoe resellers and their sneaker bots.
Figure 1 shows mobile and web traffic for a large shoe manufacturer and retailer, henceforth referred to as “the retailer”. The green line (barely visible as it is dwarfed by the high volume of automation) represents legitimate human users interacting with the retailer’s website and mobile application. The yellow line shows the level of automated traffic from bots over the three-week observation period, which represented more than 99.8% of total traffic to the retailer. Figure 1 shows that retailers are relentlessly targeted by sneaker bots and that this malicious traffic increases drastically during periods when high-demand shoe drops occur, as can be seen by the large spike in bot traffic, which accounted for 2,163 times the level of human traffic. This automated bot traffic exceeded 8 million transactions per hour and is large enough to effect a denial of service (DoS) attack on the origin servers. As we detailed in Reseller Bots: Defining the Problem, automated attacks can cause many problems for manufacturers and retailers, including fraud, reputational damage, and denial of service (DoS). While some businesses struggle to comprehend the magnitude of threats such as reputational damage, a service outage caused by a DoS incident can be directly attributed to lost revenue.
Over the three-week observation period for this large retailer, 99.8% of traffic to their web and mobile applications was automated. Lucy Rouse, vice president and general manager of SNKRS and NBHD at Nike, was recently quoted by retaildive.com as saying “on any highly sought after sneaker launch Nike executes, up to 50% of purchase entries can be bots”. This is consistent with the data we have observed.
How Sneaker Bots Made $2M Profit From a Single Shoe Drop
The automated traffic seen in Figure 1 is driven by a large number of individual sneaker bots. Some are small-scale bots operated by lone individuals who want to acquire a pair or two for personal use, while some of the traffic originates from large-scale resellers that attempt to buy hundreds of pairs for resale. To highlight the inner workings of these sneaker reseller bots, we are going to focus on the activity of a single large-scale reseller sneaker bot. The reseller behind this sneaker bot followed a multi-step plan that enabled them to make $2 million from this one shoe drop.
Figure 2 shows an overview of the kill chain used by the resellers and their sneaker bots in order to make huge amounts of profit.
Step 1: Fake Account Creation
Many retailers now require users to have a verified account in order to purchase shoes online. This means that guest checkout is no longer an option for either genuine customers or sneaker bots posing as genuine customers. Retailers have also imposed limits on the number of pairs of shoes an individual account can purchase, especially during high-demand shoe drops. As a result, resellers who operate the sneaker bots are forced to create a large number of user accounts on the retailer’s system, which they then use to make the purchases. They therefore need to coordinate and automate the process of creating the accounts. Figure 3 shows the account creation traffic of a reseller bot. This is traffic hitting the retailer’s sign-up/create-account pages.
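A defender-side view of the sign-up traffic described above, as an added example that is not from the original article or from F5: it buckets successful sign-up requests by hour and flags hours far above a robust baseline (median plus a multiple of the median absolute deviation). The log format, the /account/create path, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
import statistics
from collections import Counter
from datetime import datetime

# Assumed combined-log-style format; the sign-up path is hypothetical.
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SIGNUP_PATH = "/account/create"

def signups_per_hour(lines):
    """Count successful sign-up POSTs per hour bucket."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the run
        if m["method"] != "POST" or m["path"].split("?")[0] != SIGNUP_PATH:
            continue
        if not m["status"].startswith("2"):
            continue  # only count accounts that were actually created
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[ts.replace(minute=0, second=0)] += 1
    return counts

def flag_spikes(counts, k=6.0, min_count=20):
    """Return hours whose sign-up volume exceeds median + k * MAD."""
    values = list(counts.values())
    if len(values) < 3:
        return []  # too little history to form a baseline
    med = statistics.median(values)
    # MAD stays small even when the burst itself is in the data set.
    mad = statistics.median([abs(v - med) for v in values]) or 1.0
    threshold = max(med + k * mad, min_count)
    return sorted(h for h, c in counts.items() if c > threshold)

def constructed_sample():
    """Constructed log lines: eight quiet hours, then one burst hour."""
    fmt = ('{ip} - - [01/Mar/2024:{h:02d}:{m:02d}:00 +0000] '
           '"POST /account/create HTTP/1.1" 201 512')
    lines = [fmt.format(ip=f"192.0.2.{i + 1}", h=h, m=i)
             for h in range(8) for i in range(3 + h % 3)]
    lines += [fmt.format(ip=f"198.51.100.{i % 250 + 1}", h=8, m=i % 60)
              for i in range(400)]
    # A page view of the form, which must not be counted as a sign-up.
    lines.append('192.0.2.9 - - [01/Mar/2024:08:05:00 +0000] '
                 '"GET /account/create HTTP/1.1" 200 900')
    return lines

if __name__ == "__main__":
    hourly = signups_per_hour(constructed_sample())
    for hour in flag_spikes(hourly):
        print(hour.isoformat(), hourly[hour])
```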