More than ever before, e-commerce businesses, online travel agencies, and other organizations engaged in online sales of products and services are besieged with problems caused by malicious bots. They have to contend with scraping of prices, product descriptions and reviews, customer accounts being taken over (leading to theft of gift cards and wallet balances), skewed analytics, and most significantly, cart abandonment — also known as denial of inventory.
Cart abandonment occurs when bots deployed by competitors and fraudsters visit e-commerce sites and add products to the shopping cart, only to abandon them without completing the purchase. Travel agencies are affected by similar tactics, in which nefarious parties reserve flights, hotel rooms, restaurant tables, and package tours but do not actually complete the transaction. Other types of businesses are also affected by similar attack scenarios, in which goods or services are selected for purchase or added to carts, but never actually bought.
In e-commerce, the hard truth is that when a seller’s inventory is rendered unavailable, genuine customers are often lost to competitors. While in some cases these malicious activities are carried out by competitors and others with mala fide intentions, cart abandonment attacks are often combined with other attacks such as application denial of service, content scraping, and carding, each of which produces negative outcomes.
Cart abandonment is different from scalping, in which desirable goods or those sold during limited-period discount sales are rapidly bought by scalpers who then resell the goods to genuine buyers (usually at a much higher price). Many e-commerce businesses set a time limit for items placed in shopping carts, after which the product is taken out of a particular shopper’s cart and returned to inventory for other shoppers to buy. Malicious bots are programmed to get around this by visiting hundreds or even thousands of times and repeatedly placing the item(s) back into their shopping carts, thereby preventing genuine shoppers from purchasing them.
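The re-add pattern described above can be looked for in cart event logs. The following is an added detection example, not code from the original article or from any vendor product; the event schema, client identifiers, hold time, and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

HOLD_SECONDS = 900   # assumed cart hold time (15 min); use your store's value
MIN_READDS = 3       # assumed threshold of post-expiry re-adds before flagging

# Constructed sample events: (epoch_seconds, client_id, action, sku)
EVENTS = [
    (0,    "c-bot",    "add",      "SKU-1"),
    (905,  "c-bot",    "add",      "SKU-1"),
    (1810, "c-bot",    "add",      "SKU-1"),
    (2715, "c-bot",    "add",      "SKU-1"),
    (100,  "c-human",  "add",      "SKU-1"),
    (400,  "c-human",  "purchase", "SKU-1"),
    (50,   "c-browse", "add",      "SKU-2"),
    (5000, "c-browse", "add",      "SKU-2"),
]

def find_inventory_hoarders(events, hold=HOLD_SECONDS,
                            min_readds=MIN_READDS, slack=60):
    """Return {(client, sku): readd_count} for clients that keep re-adding
    a SKU shortly after each hold expires and never purchase it."""
    adds = defaultdict(list)
    purchased = set()
    for ts, client, action, sku in sorted(events):
        if action == "add":
            adds[(client, sku)].append(ts)
        elif action == "purchase":
            purchased.add((client, sku))
    flagged = {}
    for key, times in adds.items():
        if key in purchased:
            continue  # a completed purchase is not denial of inventory
        # Count adds that land within `slack` seconds after the previous
        # hold lapsed: the timing a hold-renewing bot produces.
        readds = sum(1 for prev, cur in zip(times, times[1:])
                     if hold <= cur - prev <= hold + slack)
        if readds >= min_readds:
            flagged[key] = readds
    return flagged

if __name__ == "__main__":
    for (client, sku), n in find_inventory_hoarders(EVENTS).items():
        print(f"{client} re-added {sku} {n} times after hold expiry, no purchase")
```

A shopper who returns hours later and adds the same item again is not flagged, because the gap falls outside the expiry window; only tightly timed renewals without a purchase count.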
The Open Web Application Security Project (OWASP) defines this form of malicious activity as OAT-021 Denial of Inventory: "Deplete goods or services stock without ever completing the purchase or committing to the transaction." Apart from revenue losses due to genuine buyers not being able to make purchases, cart abandonment also leads to skewed analytics and wasted marketing budgets.
The graph above shows the aggregated traffic on cart pages across seven of our e-commerce customers over a 12-day period in January 2019, along with the corresponding bot traffic on cart pages. While a significant percentage of the overall traffic during this period consisted of bots, none of them were able to carry out attacks because they were all blocked by our solution. We have observed that cart abandonment and denial of inventory attacks spike during the holiday shopping season, as well as during sales, and when a highly-desirable product hits the market.
As bots grow ever more sophisticated and human-like, securing business-critical portals from bot attacks is crucial to ensure business success. Talk to us if you’d like to learn more about how we can help you fend off bot attacks of every kind.