Bottom Line: AI shows the potential for thwarting the growing number of bad bot attacks on e-commerce sites and digital channels. Radware finds 58% of bad bot attacks consist of distributed, mutating bots that defy easy detection.
From selling bot subscriptions to Instacart shoppers willing to pay hundreds of dollars a month in fees, to dominating mobile phone providers’ contests and capturing one of every three prizes, bad bot producers are having a busy year. Cloudflare estimates 40% of all Internet traffic is bot-related. Two recent incidents show how sophisticated bad bots have become in a short time and how AI-driven approaches can help shut them down.
Bad Bots Redirect A T-Mobile Promotion
To reward loyal customers and attract new ones, T-Mobile ran a promotion called T-Mobile Tuesdays that began earlier this summer. T-Mobile offered a series of prizes, including thousands of dollars in gift cards, electronic devices and cash. Cybercriminals created a bad bot that submitted thousands of entries automatically to the promotion, filling in fields on a web form in less than a second. That is a relatively easy task to program a bot to do. Players of the T-Mobile Tuesday promotion went online to Reddit to discuss why nearly a third of winners were from a small Pennsylvania town of 4,000 people. Initially, everyone thought it was an accidental coding error, or that there was a slight time advantage in submitting entries from the town’s location.
CNBC contacted T-Mobile to find out why so many customers from Chadds Ford, Pennsylvania were winning the contest. CNBC published its story last Sunday, “Bots kept winning T-Mobile’s promotional contests and sparked a Reddit whodunit — here’s how it may have happened.” T-Mobile told CNBC the high number of Chadds Ford winners was related to bots submitting multiple entries. T-Mobile could easily make a case that it’s illegal to use bots to participate in and win its contests. T-Mobile Tuesdays’ rules state that they prohibit “mechanically reproduced, illegible, incomplete, forged, software-generated, third party or other automated or robotic participation.” The PR and brand reputation implications of deciding whether or not to revoke prizes make for a complex decision for any business, which is why bad bots need to be thwarted with AI.
Bad Bots Snap Up The Most Lucrative Instacart Orders
Instacart shoppers and the grocery workers keeping shelves stocked and stores open are among the true heroes of this pandemic. Without them, many of us wouldn’t have been able to get groceries and keep our families safe. Instacart shoppers will often wait in grocery store parking lots for a lucrative order to appear on their app, then accept it and go inside to fulfill the order. For many shoppers, fulfilling Instacart orders provides the majority of their income. Shoppers can make up to $1,800 a week during busy periods, according to a recent Seattle Times story, “Instacart shoppers besieged by bots that snatch lucrative orders.”
Bad bot developers see the exponential growth and popularity of Instacart during the pandemic as the perfect market opportunity. They create and sell subscriptions to bad bots that automatically capture the largest, most lucrative orders in less than a second, taking orders away from all the other shoppers. The average cost of Instacart bot apps ranges from $250 to $600, with many bot developers requiring a monthly fee of at least $130 to keep the bot active. Bot developers only take payment in cryptocurrency to preserve their anonymity, according to the dark web research firm DarkOwl.
Instacart says this is a small percentage of its total order sales and that it is taking action to combat the bots by banning any violator found using one to re-route orders. One hundred fifty shoppers have been deactivated, and Instacart claims several bot-selling sites are now down. Instacart is also instituting new procedures, such as prompting shoppers to verify their identity with a selfie and not permitting shoppers to switch devices in the middle of an order. Shoppers using the updated app can also choose to review a single order for 30 seconds before claiming it or passing it to another shopper. Last month, Instacart also enlisted the help of security platform HackerOne to battle bots by offering a bounty program, according to the Seattle Times.
Using AI To Detect and Stop Bad Bot Attacks
Interested in how AI can differentiate between good and bad bots and help T-Mobile and Instacart solve their bot-based challenges, I recently spoke with Kount, the leader in digital fraud protection and identity trust. “If you are a big online commerce presence, a big part of your success is based on your promotions. They work to expand your brand presence and enrich your audience and generate leads and sales, but for abusers, the goal is to take those things and the easiest way to do that is through bots. You need advanced bot protection,” Gary Sevounts, Chief Marketing Officer from Kount, told me.
Kount’s Fraud Prevention Platform relies on AI techniques, including supervised and unsupervised machine learning algorithms, to …