Kasada, provider of the most effective and easiest way to defend against advanced bot attacks, today released new research about four major cybersecurity threats impacting the holiday shopping season: gift card fraud, fake account creation, Freebie Bots, and scraping attacks.
Key Highlights Include:
- 50% increase in bad bot traffic
- 6x increase in automated online gift card lookup attempts
- 3x spike in fake account creation the week before Black Friday
- $1.1M of products purchased by Freebie Bots for $134, within one community
- 43% surge in web and API scraping attacks
- 49% of holiday bot attacks originate from the United States
Kasada observed a 50% increase in bad bot activity during Black Friday week (the five days from Thanksgiving to Cyber Monday). Bot operators frequently used customized open-source development tools, headless browsers, and new Solver Services to conduct their attacks at scale.
“Retailers have to deal with bot attacks every day, but the increased activity we’ve seen during the holiday shopping season truly highlights just how extreme the problem is,” said Sam Crowther, CEO and founder of Kasada. “As they say, follow the money. If there is an opportunity for profit, bots will be there, looking for every way possible to exploit a retailer’s business. It is critically important for retailers to employ solutions that can adapt quickly to the increasing sophistication of modern bots.”
Gift Cards Grow in Popularity with Consumers – and Fraudsters
According to the National Retail Federation (NRF), holiday gift card spending is expected to reach $28.6B this year. Because gift cards have fewer protections than other payment methods, fraudsters favor them as a way to anonymously obtain quick cash, either through irreversible transactions or by reselling stolen cards.
Kasada’s threat intelligence saw a 6x spike in automated gift card lookups this holiday shopping season, a key indicator that fraudsters are using bots to identify and steal gift card balances. Recipients may be in for a surprise when they find their gift card already has a zero balance before they get to use it.
Increase in Fake Account Creation Leads to Increase in Fraud
Kasada’s research found large numbers of fake user accounts being created; there was a 3x increase the week before Black Friday and a 40% increase from Black Friday to Cyber Monday. Fraudsters generally create fake accounts in the run-up to Black Friday so they have well-established aged accounts that blend in with legitimate customer accounts.
During the holiday season, retailers run promotions that offer coupons and goods as incentives for new accounts. The 40% increase in account creation on Cyber Monday reflected bot-driven efforts to obtain and abuse as many promotions as possible.
Freebie Bots on the Rise, Purchasing Mispriced Goods at Massive Discounts
Freebie Bots, which scan hundreds of retailer sites for mispriced items and purchase them in mass quantities, continue to surge this holiday season.
Within one community, Freebie Bots successfully purchased over 40,000 mispriced products during the Thanksgiving shopping weekend, totaling over $1.1M in retail value – for just $134. Freebie Bots were used to rapidly purchase erroneously priced items such as LED strips, dog collars, and dinosaur toy hand puppets that could then be resold for a large profit.
Scraping Attacks Increase, Slowing Site Performance and Enabling Fraud
Kasada found a 43% increase in scraping attacks, with more than 3 million scraping requests made each day in the days leading up to Black Friday.
Scraping bots capture real-time data that is used by competitors to undercut pricing. In addition, fraudsters use scraping as the basis for counterfeit websites that trick unsuspecting consumers into making a fraudulent purchase or providing their credentials. In its 2022 State of Bot Mitigation Report, Kasada found that nearly 40% of companies reported a 10% or greater loss of revenue due to web and API scraping.
Almost Half of Holiday Bot Attacks Originate from the United States
Over the course of the holiday shopping season to date, Kasada found that 49% of all bot-driven attacks originated from the United States. The United Kingdom, Canada, Australia and South Korea rounded out the top five.