Heading into Black Friday, Cyber Monday and this holiday season, the biggest security threat may come from bots designed to steal credentials, overwhelm e-commerce sites and siphon funds from gift cards.
To better understand the threat, San Francisco-based bot detection and mitigation company Distil Networks analyzed 2016 holiday traffic to approximately 600 e-commerce sites as well as a sample of 2,600 non-e-commerce sites over a six-day period.
Distil found that bots, automated programs or scripts programmed to perform very specific tasks at the request of their architect, were most likely deployed over last year's holiday season for one or more of the following tasks:
- Scraping sale prices so competitors can match deals in near real-time.
- Flooding a competitor's site with more requests than it can handle (Denial of Service) to affect their sales.
- Skewing analytics to impact conversion rates or performance metrics.
- Clicking on ads to drive up digital ad spend costs.
- Obtaining goods with limited availability or temporarily lowered prices to resell at a higher cost later.
- Populating forums (likely the customer review section of the site) with ads for a competitor.
- Stealing gift card balances. The Distil team actually started noticing increased bot activity on customer websites with gift card processing capabilities in February 2017.
"One of the good things for consumers is price-breaking bots are going into overdrive," Edward Roberts, director of product marketing at Distil Networks, offered. "So, competitors scraping each other's prices to make sure they're not getting beaten by a deal from one of their competitors are going to increase. This will help lower prices."
Last year, according to Distil, bad bots accounted for 15.6% of web traffic on e-commerce sites and about half (7.8%) were advanced persistent bots (APBs). Good bots, such as search engine crawlers, application performance tools, and scanners, accounted for 9.3% of traffic. The remaining 75.2% was human.
In 2016, almost 25% of requests made on e-commerce sites came from a bad bot. On average, bad bots create 22% of e-commerce traffic.
Bots hitting e-commerce sites are bad not only for businesses but also for financial institutions, because of the increase in criminal activity involving credentials that coincides with account takeovers related to APBs.
During the past year, the Distil Networks analyst team uncovered GiftGhostBot, an APB targeting gift card payment processes on websites. The bot attempts to defraud consumers of the money loaded on gift cards from a variety of retailers.
On one customer website, the Distil analyst team recorded 4 million bad bot requests per hour, almost 10 times their normal level of traffic. Distil expects more gift card abuse between Thanksgiving and Christmas in 2017 when gift card sales should surge.
Read the full bot account in the Nov. 22 issue of CU Times.