Bots are stealing Christmas!

Kasada released new data on the latest fraud and malicious automation trends, revealing increased threats during the holidays; rising attacks by bots; and the discovery of a new amped up All in One (AIO) Grinch Bot that is being used extensively during hype drop sales.

Malicious automation trends

• 4x increase in automated online gift card lookup attempts
• 10x increase in malicious login attempts due to credential stuffing
• Discovery of a new type of sophisticated all-in-one bot (AIO) used prominently during hype drop sales that is more efficient and effective than its predecessors
• Majority of Black Friday bad bots come from the USA, followed by Australia and the UK

“As we approach 2022, the frequency and severity of bad bots continue to threaten online businesses,” said Sam Crowther, CEO, Kasada. “The level of sophistication we are witnessing within the botting community is at an all-time high as they continue to collaborate and improve upon their methods to conduct online fraud and generate profits through the use of malicious automation.”

Gift card fraud – the unintended gift – drove a 4x increase in fraud attempts

Gift cards have been purchased at a higher rate than ever before, as they’ve served as a stopgap for consumers who encountered empty shelves. It is predicted that gift cards will make up 40% of total gift purchases this season, making them an ideal target for fraudsters.

Automated gift card balance lookups quadruple over the past two months. This is a key indicator that fraudsters are using bots to identify and steal gift card balances. Typically, stolen cards are spent before they are actually received as gifts, meaning people may be unintentionally giving zero-balance gift cards to friends and loved ones this season.

Credential stuffing – 10x increase in malicious login attempts

There has been a dramatic increase in account takeover attempts fueled by large-scale credential stuffing. This occurs where attackers use credentials from other breaches to takeover customer accounts to sell stolen account details, which are used for credit card washing, loyalty, gift card and reward points draining.

There was a 10x increase in malicious login attempts due to credential stuffing during the period between Black Friday and Cyber Monday, compared to the prior weeks in November.

AIO breeds new Grinch Bot variant

Similar to prior years, some of the most sophisticated botting activity occurs during coveted hype drops, where high-demand and limited-edition goods are released at a specific time and day. This year there was a heightened use of all-in-one bots (AIO) which automate the scanning and checkout process for hot items such as electronics.

In addition, researchers discovered a new Grinch Bot overtaking the types previously used. This new bot, which replays stolen telemetry through an API, is especially economical, scalable, and effective, while allowing it to bypass legacy anti-bot detection methods.

Researchers have noticed that this new bot has quickly become the de-facto method used for premium hype sales. The team observed in recent hype sales that this new Grinch Bot spikes from 0% to 99% of the total bot requests for the duration of the sale, and then once the inventory is gone, it disappears until the next drop.

U.S. leads the globe in Black Friday attacks – but China took the holiday off

During the period between Black Friday and Cyber Monday, the majority of bad bots were coming from the USA, followed closely by Australia and the United Kingdom.

Past research has shown that attacks originating from China are typically near the top of any botting activity list, but during this time period China was 6th at only 2.3% of overall bad bot traffic. This suggests that post-Thanksgiving holiday sales are more of a western trend, even amongst botters.

Researchers continue to observe the use of residential proxy networks to hide bots within seemingly legitimate traffic. Within the United States, bot operators have purchased IP addresses that are specific to a retailer’s historical traffic, making it difficult for eCommerce providers to distinguish between good and bad traffic.