As Online and Mobile Retail Rises, So Does Bot Fraud

Holiday shopping is not what it used to be. This year, 51% of surveyed shoppers told Deloitte that they planned to do more holiday shopping online than in stores. And Cyber Monday dethroned Black Friday as the year’s biggest shopping day, with customers spending $6.6 billion, according to Adobe Insights. That’s $1.6 billion more than was spent on Black Friday.

2 billion of these Cyber Monday dollars came from mobile transactions. It was the single biggest day so far for mobile shopping. To keep up with customer demands for fast and frictionless payments, merchants are leveraging tools like 1-click ordering (for which Amazon’s 20-year patent expired in September). And they’re discovering that as much as customers love immediacy, fraudsters love it even more.

Gone are the days when fraudsters would wait in line at Toys”R”Us to return an item they had stolen. Today, these fraudsters are hiding under all these piles of data, and they’re using speed and velocity as tools for their crimes. In this blog post, we’ll look at one of these tools in particular: bot attacks.

Putting the focus on bots

In my job as Fraud Analyst for Feedzai, I’ve been looking closely at bot attacks so we can better protect our clients.

Bot attacks are about completing a lot of transactions in a small amount of time. In my research, I’ve discovered these bots add to carts 5 times faster than humans. Bots will attack hundreds of times in minutes, and some of these bot attacks can last as long as several hours.

What does a bot attack look like from the outside? A bot or a script will choose one item and repeatedly try to buy it. When a bot strikes, you’ll see an item appearing many times in a short period, with transactions happening at an average speed that’s not humanly possible.

What are the signs of a bot attack?

  • The transactions originate from a single IP address, or from thousands of sequential IP addresses
  • The device will likely be null or unidentified
  • Cards could show several declined authorizations, because the card’s limit has been reached, or zero declined authorizations, because the bot has not yet failed when filling in the card codes
  • Bots can create accounts or check out as guests, but either way, the time between registration and finishing the order will be absurdly fast compared to a human customer
  • Bots will show systematic patterns in how they update their orders. For example, the item and value will be the same for all transactions. Or, in the case of different items, the patterns will be similar.
  • These bot attacks are concentrated on items that are on sale, have just launched, or are particularly easy to sell.
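As an added example (not Feedzai’s code), the following scores a constructed batch of checkout events against the signals listed above: burst size per source, missing device, registration-to-order speed, and item/value uniformity. The field names, the grouping of sequential addresses by /24 block, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of checkout events (not real merchant data); the fields mirror
# the signals above: source IP, device id, item, value, registration/order timestamps.
EVENTS = [
    # 25 near-identical orders for one item, fired from a sequential IP block
    *[{"ip": f"203.0.113.{i}", "device": None, "item": "SKU-42", "value": 499.0,
       "registered": f"2017-11-27T10:00:{i:02d}",
       "ordered": f"2017-11-27T10:00:{i + 2:02d}"} for i in range(25)],
    # two ordinary customers from unrelated addresses
    {"ip": "198.51.100.7", "device": "dev-a1", "item": "SKU-42", "value": 499.0,
     "registered": "2017-11-27T09:40:00", "ordered": "2017-11-27T10:00:10"},
    {"ip": "192.0.2.55", "device": "dev-b2", "item": "SKU-17", "value": 39.0,
     "registered": "2017-11-20T08:00:00", "ordered": "2017-11-27T10:00:20"},
]

def ip_block(ip):
    """Collapse sequential addresses onto their /24 (assumed heuristic) so a
    rotating bot is treated as one actor rather than thousands."""
    return ".".join(ip.split(".")[:3])

def group_signals(events, min_burst=20, window_s=60, human_min_s=10):
    """Count which bot signals fire per IP block.
    Returns {block: (number_of_signals, {signal_name: bool})}."""
    by_block = defaultdict(list)
    for ev in events:
        by_block[ip_block(ev["ip"])].append(ev)
    out = {}
    for block, evs in by_block.items():
        ordered = sorted(datetime.fromisoformat(e["ordered"]) for e in evs)
        span_s = (ordered[-1] - ordered[0]).total_seconds()
        reg_to_order_s = median(
            (datetime.fromisoformat(e["ordered"]) -
             datetime.fromisoformat(e["registered"])).total_seconds() for e in evs)
        details = {
            "burst": len(evs) >= min_burst and span_s <= window_s,  # many orders, one minute
            "null_device": all(e["device"] is None for e in evs),   # no device fingerprint
            "instant_checkout": reg_to_order_s < human_min_s,       # register-to-order too fast
            "uniform_orders": len(evs) > 1 and len({(e["item"], e["value"]) for e in evs}) == 1,
        }
        out[block] = (sum(details.values()), details)
    return out

def flag_blocks(events, threshold=3):
    """IP blocks where at least `threshold` of the four signals fire together;
    a single signal on its own is not acted on."""
    return sorted(b for b, (n, _) in group_signals(events).items() if n >= threshold)
```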

Evolving criminals

The defining characteristic of today’s fraud is that it is constantly evolving. In the past, fraudsters would need to learn a programming language, like Python, in order to launch these attacks. But today, the use of bots has become so widespread that a cottage industry has sprung up on the black market.

“Learn how to bot!” That’s the promise of one underground startup (I won’t name it here) that promises to teach fraudsters how to create customized bots without any programming language needed.

The fraudsters who learn how to master bot attacks can come away with an incredible payday. In a single attack with a bot and a hacked email account, four minutes was enough for the fraudster to gather over $600,000 worth of stolen goods!

Fraudsters are getting creative in how they evade fraud detection for periods of time that are just long enough to complete their bot attacks. In one instance I saw a fraudster generate three bot attacks simultaneously: two attacks were meant to receive stolen items, and a third “decoy” bot was dispatched only to make noise in the queue so the attack wouldn’t be detected until it was too late.

Retailers who are busy trying to satisfy customer demands for immediacy are faced with solving another goal at the same time: staving off the technological savvy of fraudsters, who are busy using immediacy to their advantage.

The machine to the rescue

How can merchants identify attacks at this scale? The solution is in connecting the dots. Bot attacks, like any fraud tool, involve multiple signals that alone can’t be acted on. A location by itself may or may not indicate fraud. Multiple shipments to the same location, all originating from hundreds of billing addresses, are likelier to indicate fraud.

But humans can’t make decisions on mere likelihoods, especially in the face of high-velocity attacks. It takes machine learning algorithms to link the thousands of signals behind each act of fraud. Machine learning is what lets us proactively stop fraudsters, with all their fast-evolving techniques, as they present patterns that no human eye can see.

Joel Carvalhais

Fraud Analyst Team Lead, Feedzai