For years, scalper bots have wreaked havoc for customers wanting to purchase tickets for popular music events and shows. Enterprising scalpers use bots to buy sought-after tickets faster than human customers, re-selling them at considerably inflated prices. In July this year, scalperbots targeted Ticketmaster during the presale of Taylor Swift’s leg of the Era’s tour. Hopeful concert goers reported website crashes, and tickets were spotted on resale sites for five times their original price within 15 minutes of the release.
This high profile attack has demonstrated the sophistication of bad bots in today’s current threat landscape. These bots were able to surpass Ticketmaster’s ‘Verified Fan’ presale, which was specifically designed to keep tickets out of the hands of bots and touts.
Unfortunately, the Taylor Swift Ticketmaster fiasco has likely incentivized other threat actors to build and deploy bad bots, demonstrating the serious payout they can expect to receive as a result of scalping other popular ticketed events. Those in the events and ticketing industry must therefore understand the sophistication of these bots, and adapt their cybersecurity strategies accordingly in order to prevent the devastating financial and reputational damage that occurred during the Era’s tour presale.
The emergence of scraping as a gateway threat
The Taylor Swift Ticketmaster fiasco is but one example of a growing trend, where malicious actors use bots to scalp limited edition drops. Back in 2020, gamers struggled to get their hands on the new PS5 console after they were snapped up by scalper bots. Even public health isn’t immune - during the pandemic, COVID-19 vaccine appointments were scalped and sold on to desperate members of the public. No industry or sector is safe, so how can organizations best protect themselves against these expert opportunists?
Understanding the way fraudsters execute these bot attacks is key to preventing them and protecting your business. Web scraping is the automated collection of data from a website, mobile app or API. Whilst not all web scraping is inherently bad, many cybercriminals rely on scraper bots to extract data that can be used for malicious intent, such as content theft, price scraping or resource draining.
The threat research team at DataDome has observed a recent trend, whereby scraping is increasingly being used as a gateway threat that leads to more aggressive and damaging attacks like scalping. Based on this observation, it is likely that in the case of the Ticketmaster Era’s tour fiasco, bots used scraping to monitor when the tickets would go on sale. They then scalped the tickets using automated software to position themselves at the start of the line, add the tickets to the cart and autocomplete the purchase.
This emerging trend of using scraping to conduct more sinister attacks is demonstrative of increasingly sophisticated methods that fraudsters are using to conduct malicious activity online, and this style of threat is by no means limited to the ticketing industry. Online retailers selling exclusive, high-value goods are also a prime target for these attacks, and therefore companies across all sectors must develop a robust cybersecurity strategy that protects against the financial and reputational damage that these attacks can cause.
Developing a robust cyber strategy
The fact of the matter is that bots are now highly sophisticated. Bot programmers are extremely skilled and are quick to adopt new technologies like AI and ML to enhance their attacks. This means that no amount of presale or verified fan systems can prevent scalper bots. In order to truly protect against these attacks, ticketing companies must adopt a robust cyber strategy, which includes real-time bot detection and prevention software.
Fortunately, there are many anti-scalping techniques that can be deployed. Fingerprinting, for example, allows websites to collect information about a user’s browser or device type and version, which can help them identify bots. This is because scalper bots use automated browsers or HTTP clients that have slightly different characteristics compared to browsers used by genuine humans in a non-automated way. As such, scalper bots are identifiable through their browser and device parameters. Once they have been detected, they can be blocked accordingly.
Similarly, bots can be detected through behavioral analysis. Most bots don’t act like humans - they race through a website, heading straight for the target ticket or item. Humans, on the other hand, tend to meander, moving their cursor around the page, and generally act in slower, more natural ways. Once these behavioral patterns are detected, additional bot detection and block methods can be deployed.
Balancing security and user experience
The importance of protecting against bots cannot be overemphasized. However for sites where bot attacks are most likely to occur, user experience is also critical. If a customer has repeatedly poor experiences on a website, this could permanently damage their trust in the company, preventing them from being willing to make repeat purchases, which will ultimately damage a business’s bottom line.
In DataDome’s E-commerce Holiday Bot Online Fraud Report, only 47.46% of online traffic came from actual humans. The last thing an organization wants to do is reduce that number by adding customer friction with slow page loads and endless CAPTCHAs. Common CAPTCHAs aim to create challenges that are difficult enough to stop bots, however this method also challenges real people, which can cause frustration and alienate customers.
To ensure users have a seamless purchasing experience, businesses need to minimize the likelihood of human users being faced with a CAPTCHA. In order to do this, CAPTCHA should never be the first line of defense, in fact, it should be a last resort. Instead, companies should deploy purpose-built bot detection and mitigation software that can aggregate global detection signals which can adapt in real time to new threats.
Ultimately, bots are more sophisticated than ever before. Ticketing companies must be hypervigilant and evolve their cybersecurity strategies at the same rate that bots are evolving. Only then, can they end the disillusionment brought about by the scalping era.