As Black Friday 2024 nears, online retailers are preparing for a surge in demand, particularly for deals, discounts, and bundles on popular gaming consoles like the PS5, Xbox, and Nintendo Switch, along with their accessories.

However, this excitement also attracts sophisticated fraudsters who use bots to capitalize on the limited availability of these consoles and other sought-after items. 

Bot operators and scalpers have refined their tactics, leveraging fake account creation as a primary tool to bypass purchase limits. By deploying bots at scale, they quickly create multiple accounts to snatch up inventory, preventing genuine customers from securing these high-demand products. These accounts can then purchase consoles in bulk, with scalpers profiting by reselling them at inflated prices on secondary markets.

DataDome’s recent analysis underscores the growing threat posed by bots, revealing that many online retailers are not sufficiently prepared for these attacks. Without proper bot protection, e-commerce platforms risk losing control over inventory and revenue, while consumer trust and brand reputation suffer in the process.

For retailers, proactive bot protection is essential to ensure gaming enthusiasts, rather than bot-driven scalpers, can access consoles this Black Friday.

Security Assessment of E-Commerce Sites

Using open-source bot frameworks with minimal configuration, DataDome tested 14 major e-commerce websites in the US, UK, and EU to assess their readiness against bot attacks. 

Key findings:

• 100% of Tested Sites Allow Fake Account Creation 

• Nearly one-third of the tested sites allowed bots to create an account without advanced techniques.
• Almost three-fourths allowed bots to create an account using advanced techniques like CAPTCHA solving or MFA handling.
• This indicates a serious gap in preventing mass account creation, a tactic commonly used by fraudsters to circumvent purchase limits.

• Most Lack Basic Security Measures

• Most (57.2%) of the websites did not deploy a CAPTCHA challenge to protect the registration process.
• 64% of the websites failed to validate provided email addresses, allowing for account creation using disposable emails, alias tricks, and dot techniques. These loopholes are easily exploited by bots to create multiple accounts.

• Weak Authentication Practices

• Half of the websites allowed a bot to login to an account without advanced techniques.
• 35.7% of the websites allowed a bot to login to an account with advanced techniques like CAPTCHA solving or MFA handling.
• Even those that implemented MFA could be bypassed using common tactics like rented phone numbers or SMTP access.

Implications and Risks

• • Credential Stuffing: Attackers use bots to attempt stolen username and password combinations across multiple sites, aiming to steal personal data, loyalty points, or unused credit.

• Mass Fake Account Creation: Attackers use bots to create thousands of fake accounts, enabling them to place large orders under different identities. Even if retailers implement stricter controls later, these accounts can be reused in future attacks.

• Reputation Damage and Loss of Customer Trust: Security breaches can lead to significant reputational damage, potentially eroding customer trust..
• Financial Implications: The financial losses from fraudulent activities and chargebacks, could be substantial for retailers.

Recommendations

To mitigate these risks, retailers can take steps to enhance their security posture:

• Enhanced Authentication: Deploy multi-factor authentication across all critical user interactions, including account creation, logins and transactions, to add a layer of protection against unauthorized access​.
• Email Validation: Validate email addresses at account creation to prevent disposable email services and alias tricks. Implementing email verification processes like “verify your email” steps will help reduce fake account creation​.
• Advanced Bot Protection: Employ sophisticated bot management solutions that provide real-time detection and mitigation of automated threats​​. In particular, the bot protection must be resilient against sophisticated attackers capable of passing CAPTCHAs using CAPTCHA farms, be able to detect attacks started from thousands of IP addresses using proxies, and be able to detect bots that mimic human-like behavior.

Conclusion

To enhance their attacks, fraudsters often modify open-source bot frameworks to bypass detection. These modifications make bots harder to detect by traditional methods. Our tests, using minimal modifications, were able to bypass most bot protection systems—highlighting the potential scale of damage a more resourceful attacker could cause.

As bot operators share methods and techniques in underground forums, their attacks will continue to grow in sophistication, outpacing the detection capabilities of websites using basic bot protection solutions.

Retailers must prioritize bot protection to safeguard their businesses and customers during high-traffic events like Black Friday. Bots will target popular, limited-edition products, causing inventory shortages and frustrated customers. By deploying real-time bot detection and comprehensive fraud prevention, businesses can maintain control over their inventory and protect their bottom line.