Grinchbots scoop up sales before you get a chance


Bad bots are quasi-intelligent scripted tools that roam the internet looking for imperfections, vulnerabilities, and any way to make a quick buck. Now they are buying up all the stock of hard to get tech and Christmas items.

Imperva’s 2021 Bad Bots Report (here – it is free) asserts that 25.6% of all web traffic are bad bots, 15.2% are good bots, and 59.2% are humans. Bad bots are relentless. Once set to a task and let free, they just keep going and going.

The report details the various bad bots categories, but here is an overview.

Grinchbots (AKA Scalping Bots)

Sophisticated bots that can purchase stock items. The bot operators then resell those goods for a higher price.

In October 2020, Imperva Research Labs monitored an unprecedented 788% increase in bad bot traffic to retail websites, coinciding with the launch of the PS5 and Xbox X. A staggering 62.8% of this traffic was sophisticated advanced bots, those that are harder to detect and stop because they closely resemble human behaviour.

Scalping bots have been responsible for purchasing large swatches of concert tickets, any high value and limited item (commemorative Nikes, Pokémon cards), and now the Nintendo Switch OLED. In fact, NVIDIA GPUs, Intel Core Processors, PS5, Xbox and other hard to get tech is a top target. Recently airline tickets and Christmas toys have become a target. Cybercriminals can easily resell these items for a profit.

Web scraping, including Price scaping

Price scrapers trawl competitors web sites to beat them in the marketplace. But worse, this is evolving to gambling odds, bitcoin, travel and any business that has an e-commerce site that exposes prices.

Content scraping (as regularly happens to GadgetGuy) is stealing the content or even copying the whole website. Particularly vulnerable are job boards and classified adverts that are on competitors’ sites.

The practice can slow the legitimate website to a crawl and eventually penalise SEO rankings for duplicate content. GadgetGuy has had over 1 million brute force attacks in the past 14 days.

Misinformation bots

Look for opportunities to post comments on websites and social media. In the last 14 days, GadgetGuy stopped over 14,000 spambot comments.

Account takeover

Bots constantly use dark web personal profiles to test their validity against everyday business and government websites. Once an account (say with a major retailer like David Jones or Myers) is taken over, they can order goods, steal loyalty pints and credits and more.

Of particular concern is the gift card balance checking bots that try to gain access to store cards and spend or steal money.

Email bots

Attack email servers to gain access to email accounts ultimately for spamming. It can also impersonate the owner and lead to phishing and bill payment scams (business email compromise).

Credit card bots

Cybercriminals test stolen credit card validity by using bots to initiate micro-transactions on non-profit/charity sites – anywhere that accepts a micro-value item or donation is accepted. If the card is live, they then can perpetrate credit card fraud.

Denial of service bots

You can rent bots to attack competitors websites by constantly visiting them, clicking on links etc., to overload the webserver. Result – no one can access the site.

Denial of inventory bots

Bots can add items to shopping carts tying up stock, appearing that a company is out of stock.

Bad Bots summary

Bad bots are software applications that run automated tasks with malicious intent over via the internet. They scrape data from sites without permission to reuse it and gain a competitive edge (e.g., pricing, inventory levels, proprietary content). They use them for scalping, the act of obtaining limited availability items to resell at a higher price. The genuinely nefarious ones undertake criminal activities, such as fraud and outright theft.

They can completely skew analytics and advertising statistics showing up as legitimate human page hits. Their growth is exponential – 2020 was up 6.2% over 2019.

And their use is expanding via machine learning and AI to make them indistinguishable from humans. They can already defeat CAPTURE challenges.

But the worst thing is that these smart bad bots are beginning to target food and beverage delivery services, click and collect and more shopping sites. There are even some booking COVID vaccination slots to resell to people that want to jump the queue.


The bot problem is an arms race. Bad actors are working hard every day to attack websites across the globe. The tools used constantly evolve, traffic patterns and sources shift, and advanced bots can even mimic human behaviour.

Over 40% originate from the USA, with China at 5.2%, the UK at 4.9%, and Russia at 3.9%.

What can you do?

As a consumer, very little. You need to be vigilant for failed login attempts and ensure you have two-factor authentication or biometric identification enabled. Watch daily for ID theft signs like unauthorised credit card transactions because all your money, loyalty points, gift card credits can be gone in 60 seconds.

As a business with a website, read Imperva’s recommendations (pages 32-33) paying particular attention to mobile transactions.

GadgetGuy eSafty articles