While the rapid digitization over the last few decades has made it easy for us to purchase and consume products and services, it has also unintended consequences. For example, it has become easy to shop online for everything from food to furniture and even purchasing tickets to entertainment events.
But at the same time, malicious actors are improving their hacking techniques and also turning to software and bots to automate tasks that net them large profits in unethical ways. Scalping is one such technique that is common in digital purchases of tickets and other entertainment products.
What is Scalping?
Scalping is a term to describe the practice of purchasing items that are in high demand but of limited supply and reselling them at a higher price to generate profit. Those who engage in scalping, known as “scalpers” purchase the items at the normal retail price and then quickly resell them at the higher price on a secondary marketplace. Since they can set the new price in the secondary marketplace, scalpers can make a huge profit, sometimes as much as 10 times the retail price.
On the internet, scalping can be done through software that automates the process, which can boost the profits even more.
The Goal of Scalping
Scalper bots are designed with the intention of automatically scanning to check for product availability and to fill out purchase details during the checkout process. For example, entering user data such as billing address and credit card details during checkout, which normally takes time for a human user could be done quickly when automated. Some of the bots are programmed to proceed straight to the checkout process, bypassing the cart flow.
Which Types of Businesses are Most Vulnerable?
Scalping can affect any business which relies on the sale of items that are in high demand but limited availability. It is especially a concern in the ticketing industry, be it for entertainment events, sports games or concerts.
It is also seen when limited edition items go on sale, such as sneakers, vintage or retro items in the luxury apparel sector and also for new launches of electronics products.
What are Scalper Bots?
Scalper bots are software programs that automate the process of buying goods in bulk and completing checkout in quick time as soon as the items go on sale. These bots complete the purchase and checkout of thousands of tickets – much faster than human customers, creating a scarcity that allows for boosting the prices for profit.
How Do Scalper Bots Work?
Scalper bots work through a few steps. First, an attacker creates multiple fake new accounts or takes over existing user accounts for searching for the products. The bots are programmed with scripts that will start searching at the front of the queue as soon as the online sale goes live.
The automation also allows attackers to add the maximum products to carts, way more than any single human is capable of. The bots then use credit card details from previously compromised accounts to complete the checkout, ensuring that the products are not available for real users. All of this is done in quick time, faster than human users can react.
Are Scalper Bots Illegal?
Scalping is a technique that finds itself in a gray area when it comes to its legality. Scalper bots have been declared illegal in some countries due to the fact that they prevent fair access to goods for consumers.
In the UK for example, scalper bots have been banned and breaking the law can result in “unlimited” fines. In the US, the Better Online Sales (BOTS) prevents attempts by organizations and individuals to automate the process of buying tickets en masse using ticket bots. In Singapore however, it is not illegal but if scammed, consumers can lodge police reports.
Types of Scalper Bots
Scalper bots can be of different types depending on their specific task and how they operate. They can be used to fill up online forms, scrape APIs or auto-refresh web pages to check for ticket sales. Here are some of the types of scalper bots.
A pre-bot is one which is used to set up an account before the official date of a sale for a major event. It contains scripts that when run automatically visits multiple sites at the same time. With the accounts already set up before the event, the bot will be ready with credit card information to secure tickets as soon as they go live.
Auto Form Fillers
Form fillers are types of scalper bots that crawl pages with registration forms and save the data entered by users. The forms could ask users for their names, addresses and credit card numbers, and this data is saved by the bot to be used in the future for quick checkouts.
Auto-refreshers are bots that are scripted to automatically call and refresh a website to check if tickets have gone on sale. Once it detects that tickets are on sale, it will use credit card details obtained by the form filler bot to quickly make purchases before real users can.
API scrapers are bots that scrape data from APIs to automate various tasks such as sending spam, logging into accounts and purchasing items.
How to Monitor Your Website for Scalper Bots?
If you are in the business of selling tickets or other products at a specific time in the future, you will need to watch out for scalper bots. It can be a challenging task to monitor for such bots because of how quick they work but there are a few signs to look for when trying to detect bots.
- Unusually long delays between transaction steps
- Slow down of internet speed immediately after a ticket has been bought
- Slowing down of mouse activity or even freezing of cursor during online purchase
How to Stop Scalper Bots?
Like with many cybersecurity threats, there is no single way to stop scalper bots but rather a few different techniques that could work together. Some of these include:
CAPTCHA is a familiar technique of checking for bots by asking for a complex action to be performed, like detecting letters or spotting items on photos.
Bots by definition rely on automated processes that run a number of requests to a web server in quick time. So one way to stop them is to set limits on the number of requests and rates of incoming connections to a web server. These can be set on mobile paps, websites and even APIs.
Manually Blocking Hosting Providers
A brute force method of fighting scalper bots is to block hosting providers and proxies that scalpers rely on. Digital Ocean, OVH and Choopa are some of the common ones used by scalpers.
The most comprehensive method to thwart scalper bots may be by using a bot management solution. These are capable of monitoring bot activity and preventing bots from accessing your website, while allowing legitimate users to continue interacting with your business.
CDNetworks offers Bot Shield(机器人防护与管理), a cloud-based bot management solution that does exactly this by distinguishing between human and bot traffic as well as between good and malicious bots. It can be used in multiple industries to identify and block attacks and abuses, including ticket scalping, content scraping, denial of inventory, brute force and account takeover and much more.