Grinch bots

The bots that stole Christmas

We first heard about Grinch Bots in 2017 when online entities began using cyberbots to snap up popular goods as soon as they hit the market or went on sale for Black Friday. The goal is to increase demand and control the supply for everything from children’s toys to event tickets and make money by jacking up their resale prices on sites like eBay.

While states such as New York have tried to crack down on these cyber retail stalkers, they’re tough to find, and they can get past CAPTCHA challenges by paying humans to solve them for very little money.

Fighting the bots

This happens all over the world, but in the U.S., Congress tried to block “cyberscalping” by passing the Better Online Ticket Sales (BOTS) Act of 2016. However, that law only applies to event tickets and still isn’t very effective since these so-called “grinches” are adept at making hundreds of accounts. The Stopping Grinchbots Act 2018 was introduced last year and is now awaiting more action from the House Committee on Energy and Commerce. But this would simply make it illegal to resell all products purchased by automated bots and doesn’t apply to the rest of the world. This is the tricky thing about online commerce (and the Internet in general) – it transcends legal boundaries.

The cybersecurity firm Radware found that a huge amount of online traffic comes from bots in the days leading up to Black Friday/Cyber Monday.

According to their blog:

“While it appears that internet traffic is at its annual high during the prep days before Black Friday/Cyber Monday, 37% of that traffic is comprised of bots, not holiday shoppers… Bad bots are at their highest level a few days prior to Black Friday/Cyber Monday, representing 96.6% of total traffic to retailers’ login pages. This indicates that bot masters are using this time as preparation days before the surge in customer shopping.”

So gangs of cybercriminals are now swimming in limited-time offers on goods that you’ll have to buy at a mark-up on secondary sale sites. More nefarious thieves even break into customer accounts and drain them of points and other rewards, such as digital currency. And they’re not limited to Christmas. Any time there’s a sale, special event or offering, these bots and their masters are on the job.

No, it’s not fair, but there’s very little consumers can do other than to check on and protect their accounts with new passwords every now and then. But retailers are also in a bind. Millions of bot hits on big sales days can slow down web traffic, causing customers to go somewhere else.

Either way, we can expect to pay more for products cybercriminals have their eyes on, whether it’s due to price inflation on third-party sites or a rise in the cost of goods driven by the money retailers will have to invest in more effective cybersecurity.

Maybe now is the time to think about just how much you really need that shiny new item.

Further reading:

What are Grinch bots? (Government Technology, 2018)

“Grinch Bots” are here to ruin your holiday shopping (NBC News, 2019)

Retailers, how much of your holiday traffic is actually human? (Radware Blog, 2019)

“Grinch Bots” attempt to steal Christmas by driving up toy prices (NPR, 2017)

It’s a Christmas tale for our time: Cyber nerds using high-tech software to buy a slew of baby-monkey robots and holding them ransom for thousands of dollars. (The Atlantic, 2017)