Holiday Cyber Attacks: How to Outsmart the Bots

By Alexa Bleecker, Director of Cybersecurity Content, Kasada

With the supply chain shortages and an uncertain economic climate, many retailers are expecting a slower holiday shopping season. But even if overall eCommerce sales trend down, that doesn't mean that cybercriminals will be taking a break. In fact, you can be sure that bad actors are preparing to launch many of the eCommerce cyber-attacks we've seen this year with extra amplification between Black Friday and Cyber Monday that will continue throughout the season.


Why? The answer is simple. Cybercriminals are motivated by money, and the holidays present ample opportunities to profit—from scalping to scraping, to selling card cracking codes to committing account fraud. With automated tools and techniques to scale their efforts, threat actors are setting themselves up to prosper.

You’d Better Watch Out for These Holiday Threats

Grinch Bots

The holiday season is upon us. And with it comes all the joys (and stresses) of buying presents for our loved ones. For many of us, that means braving the crowds – or competing with the bots to purchase gifts online. These bots are dubbed as Grinch bots because they scoop up in-demand items before legitimate customers can.


Gift Card Fraud

One of the most popular targets for fraudsters during the holiday season is gift cards. And it's easy to see why - they're easy to buy and sell online, and they can be used anywhere that accepts them. Gift cards are also a form of anonymous currency, which helps fraudsters conceal their identity in the underground marketplace.


Loyalty Abuse

While loyalty programs can offer a great way to save money, they can also be a goldmine for cybercriminals. That's because many of them are easy to exploit, and the points can be sold for cash.


Freebie Bots

With many retailers offering deep discounts on popular items, it's no wonder Black Friday/Cyber Monday are magnet days for bargain hunters. But while customers are busy scouring your website for deals, fraudsters will be hard at work too. Freebie bots take advantage of these extreme discounts by continuously scanning products to see if any have been mistakenly published for $0 or discounted by 50-90%.


All-in-One Fraud Tools

Another tactic rising in popularity for cybercriminals during the holiday season is using solver services. These services help adversaries easily bypass security detection systems like CAPTCHA systems that are designed to stop them from automated attacks. Based on our research, the use of solver services has increased by 750% in the past year.


Cybercriminals are motivated by money, and the holidays present ample opportunities to profit—from scalping to scraping, to selling card cracking codes to committing account fraud.

Preparing for Holiday Bots

As the holiday shopping season kicks into gear, the goal is to stop bots without disrupting the buyer experience. Keeping bots off your site won’t matter if your human customers leave too. Here are four essential steps, tips and questions to ask to help prevent bot attacks on your website, mobile apps, and APIs.

Step 1. Identify and understand the unique bot threats and risks to your business

What types of goods or services do you sell that might be especially in demand right now? Find out what bot threats your site can detect with an instant test. Assess the various OWASP automated threats that may impact your applications.

Step 2. Remove fake users and bad bots to uncover insights into your web traffic

At peak times, your bot traffic can be 10X your usual traffic, which skews metrics and results in an unfavorable experience for customers. Clean up your bot traffic to deeply understand consumer behavior while saving on infrastructure costs.

Step 3. Prioritize your customer experience, conversion rates, and revenue generation

Use technology to help ensure your products can be purchased by legitimate customers, not fraudsters looking to make a profit. Invest in security solutions that don’t add additional layers of friction for your users.

Step 4. Continue to expect the unexpected

Make your anti-bot vendor list, and check it twice. The standard holiday preparedness practices don’t really matter if bots are exploiting your website, apps, and/or APIs. The real eCommerce holiday readiness is to expect the unexpected and become agile enough to change at a moment’s notice.


All in all, the holiday season is a busy time for everyone - including threat actors. So, it's important to be aware of the dangers and take steps to protect your organization. From gift card fraud to loyalty abuse, and solver services for CAPTCHA services and more, keep these tips in mind and you'll be sure to have a safe and happy holiday season.

NOVember 2022

NOV 2022