The Complex Implications of Grinch and Scalper Bots Beyond the Holidays

Despite legislation created to stop “scalper” and “grinch” bots from buying products faster than humans on e-commerce sites, desperate consumers are wrestling with the dilemma of either paying inflated prices or using bots themselves.

Nearly half of the respondents to a buying trend survey conducted by Osterman Research for bot detection and response firm Netacea found that bots have impeded shoppers from acquiring in-demand goods and services online.

Many of these individuals, particularly those attempting to purchase tickets for live events, fashion items, consumer goods, and travel, experienced high levels of interference.

According to researchers, bot activity produces various negative effects on consumer buying behavior. As a result, some shoppers are reacting by making bots part of their shopping toolkit.

The Growing Impact of Bots on Consumer Choices

Scalper bot usage is most common among Gen Z and millennial consumers, with some 25% admitting they used one over the last 12 months. Even shoppers over 65 claim they use a bot to get what they want online.

Bot-induced scarcity leads to significant markups on everyday items. Despite inflation, people are willing to pay scalpers 13% to 17% more for things like household goods, medicines, and event tickets.

Despite these inflated prices, more than half (57%) still bought products on secondary markets, even though over 90% feared being sold fakes or having their data compromised.

The report, titled “How are bots changing buyer behavior?” surveyed over a thousand people across the U.S. who regularly buy popular goods and services online.

Automation is now part of the public consciousness. Scalper bots, in particular, are both a barrier to entry for consumers and an acknowledged money-maker, according to Bec McKeown, cyberpsychologist and founder of Mind Science.

In effect, this creates the underlying conditions for confirmation bias where bot users only ever see the upside in their actions.

“They reason that no one will come to any harm. It’s very easy for this to happen when mediated by the internet as the morals and principles people hold go out of the window as the consequences aren’t immediately apparent,” she said.

Lackluster Laws No Deterrent

The Better Online Ticket Sales (BOTS) Act aims to restrict the use of bots by outlawing the purchase of tickets by circumventing security measures. It calls for potential fines of up to $16,000.

The proposed Stopping Grinch Bots Act aims to apply this deterrent more widely by attempting to tackle bots that buy up goods around the holiday season.

Research found that those surveyed agreed with the need for action. With 89% saying retailers should act and 82% wanting government policy, it is apparent that more corrective measures are needed.

“Bots are leaving consumers with a dilemma. Either they pay inflated prices on reseller sites, with all of the risks involved, or they get involved with the murkier business of using bots — a case of if you can’t beat them, join them,” Andy Still, co-founder of Netacea, told The E-Commerce Times.

The BOTS Act specifically prohibits large-scale ticket buying and resale using bots in the U.S. Typically, however, the use of the technology itself is not limited, just the act itself, he noted.

“For example, bots abusing credentials would be illegal, but those that scrape inventory exist in an emerging area of law. Retailers are often left trying to ban attacks using terms and conditions, which can be difficult as bots simply swap IP addresses to appear like someone else,” he explained.

Reactionary Response Building

Consumers view the worsening problem as the result of shared blame among the government, retailers, and even the brands behind the goods and tickets they want, added Still.

As bots get more successful, the whimper of consumer discontent has become a roar. Policymakers have heard this and are beginning to be more proactive.

For instance, the congressional hearings in the U.S. following the Taylor Swift ticket incident are a case in point. Questions on the subject have also been asked at Prime Minister’s Question Time in the U.K.

Some emerging debates on AI regulation, such as those surrounding the EU AI Act, hinge on whether bots will be classified as an AI system, as noted by Still.

“Specific anti-bot regulation would help fix some of the consumer harms. However, for this to happen, what is really needed is greater recognition of how the problem harms real people,” he suggested.

Because these issues impact many people in fragmented ways rather than manifesting as a single, spectacular event like a ransomware attack, they are often swept under the carpet.

“This is not OK, and policymakers need to engage with this,” urged Still.

Complexity of Implementing Anti-Bot Measures

Solving the bot problem for e-tailers might be easier said than done. Many challenges surround the question of how to implement legislation effectively.

For example, do you punish the person buying the ticket or the act of using an illegally obtained ticket? How do you enforce this? Would the seller become responsible for enforcement?

“The additional issue with legislation is that the victims here, the fans who end up having to pay excessive fees for tickets, are also perpetrators. They drive the secondary market and will likely be complicit in helping bot operators to bypass legislation,” Still suggested.

A fallback solution might be to warn the general public of the need to impose controls on shopping bots first. Then, if public sentiment about shoppers using the technology does not change, imposing penalties on those consumers caught using bots might be less controversial.

Public education is only one method of warning people of such risks. It takes a long time and sustained effort to do so, countered Mind Science founder McKeown.

“Human beings are naturally disinclined to take notice of things they think are not relevant to them, so any attempts at education would need to cover a wide range of tactics,” she told the E-Commerce Times.

Research shows that “inoculation training,” which focuses on the actual content of scams rather than more abstract information, can increase awareness without decreasing trust in legitimate communications.

Another inoculation method known as “pre-bunking” (as opposed to debunking!) works by giving people practical experience in spotting scams, so they are better rehearsed when they come across one in real life, she recommended.

Human Psychology Works Against Deterrent

According to psychologist McKeown, it is difficult to assess if all shoppers are vulnerable to being victimized or if only certain age groups or social categories are impacted. That is because of how vulnerability is measured.

“People do not always report they have been a victim of scams, and there is no way of telling how many unsuccessful attempts are carried out before a fraudster hits the jackpot. Victim blaming makes it even more difficult to get accurate data to explore this problem,” she told the E-Commerce Times.

Certain personality traits might predispose people, she offered, noting that some people are comfortable with taking risks or are very impulsive. Additionally, some research studies have found low literacy and numeracy correlate to greater susceptibility to fraud.

“But correlation does not equal causation. So these results must be treated with caution,” she advised.

Often, unconscious brain processes can stimulate the urge to buy certain in-demand products or tickets. She added that these happen in our brains when making decisions, noting that the report addresses those factors.

“We have an innate thirst for immediate gratification which clouds our judgment. If the ability to get the product immediately was removed, then we are capable of making more rational decisions. This psychological explanation adds weight to the idea of banning bots through legislation,” she observed.

Old Bot Tactic, Only Getting Worse

According to Still, bots have been a malign influence in e-commerce for a long time. For example, according to an FBI indictment, one of the earliest wholesale ticket scalpers had been operating since 2001.

“The problem now is that bots have become far more sophisticated. They have become far better at evading the technologies put in place to stop them,” Still said.

Legacy controls are fooled by bots that use proxies and emulate human behavior. Thus, they can bypass security measures like CAPTCHA to empty digital shelves en masse. He warned that this issue, affecting people, brands, and retailers, will only grow as automation becomes more advanced.

“Bots have also become much easier to use. They are no longer complex scripts that require technical excellence to execute. They are commercial software and services that can be easily accessed without even needing to go on the dark web,” he explained.

These bots not only handle the requests needed to execute the transaction but can also access distributed proxy networks to make the request source look legitimate and execute code to bypass legacy detection.

Bots operate in a gray area legally. Because of this, many are available in the open. Unlike the tools of traditional online threat actors, who conceal their activities behind Tor, a bot can be picked up on Twitter.

Tor, most often used through the Tor Browser, hides your IP address and browsing activity by redirecting web traffic through a series of routers known as nodes.

Protecting Against Bot Shopping Attacks

Defending against these inventory-stealing bots is no easy chore for shoppers, because the attacks are directed mainly at the external attack surface of large online companies.

“So there is little in the way of technical solutions they can put in place,” Still noted.

Practically, to protect against the harms of scalper bots, people can simply refuse to pay inflated prices, he offered. Bots also abuse consumer credentials at high volumes for account takeover.

“So people should practice good password hygiene to stop their details from being stolen in the first place,” he said.

What may be the only other alternative is changing shoppers’ newfound willingness to use bots themselves. That new behavior trend is based on the “If you can’t beat them, join them” logic.

“There is also an acceptance that the secondary market is a place you may have to go for limited availability items. This drives up demand and, therefore, prices. It becomes a vicious circle,” Still lamented.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
