What are Denial of Inventory and Scalping Attacks? | Detection & Prevention

Denial of inventory (also known as hoarding) and scalping attacks are types of transaction abuse that are very common in the e-commerce, ticketing, and travel and hospitality industries. Fraudsters use bots to snatch up high-demand inventory, either by hoarding the products in their shopping carts to create a stockout or buying the products and reselling them at inflated prices.

The appetite for limited-edition apparel and collectibles is increasing. The sneaker resale market alone is expected to generate $30 billion globally by 2030. Researchers have found that bots can account for more than 70% of traffic during sales of limited-edition sneakers. Attackers keep up with the latest technology, using sophisticated bots that impersonate real users and legitimate system behaviors to evade detection. 

In denial of inventory attacks, bad actors use malicious hoarder bots to add an item thousands of times to a shopping cart over the course of a few days until the item’s inventory is depleted. By hoarding a high-demand product, bots keep it out of stock, annoying customers, taxing your infrastructure and reducing conversions and revenue.

In scalping attacks, cybercriminals unleash automated scalping bots to buy sought-after products, such as limited editions of sneakers, concert tickets, designer clothing or hot toys. They set up fake accounts that browse product pages and execute checkouts to increase their chances of success. Then, after they’ve snapped up your best inventory, it is sold at inflated prices on third-party sites or the black market.

Though hoarding and scalping aren't illegal in most cases, these attacks can hurt your business. Here’s why:

• Scalper and hoarder bots prevent real human customers from buying the products they want, forcing them to leave your site empty-handed. This causes customers to be disappointed, leads to a negative brand association, and motivates them to take their business to your competitors.
• Even if scalper bots purchase all your PlayStation 5 consoles, they don’t buy companion items (such as the video games). This lowers overall purchase value and leaves you with companion items that are now harder to sell.
• Bots tax your bandwidth and consume web resources, and scalpers and hoarders are no exception. This raises infrastructure costs and reduces efficiency.
  Some scalper bots can scrape inventory off of inventory management systems before they’re even listed on the website, deterring potential customers from even attempting checkout.

Despite the growing sophistication of bots, many retailers still rely on traditional signature-based recognition methods that utilize a static database of known bad bots. This is ineffective because modern bots are quick to morph. Site owners have trouble keeping up with the development of bots due to outdated protection tools so their site remains exposed to these attacks. Sophisticated bots are able to evade detection from web application firewalls (WAFs) and basic bot detection tools by mimicking human behavior.

HUMAN Transaction Abuse Defense prevents automated bots from scalping or hoarding your inventory. It detects and blocks malicious bots on your web and mobile applications—in real time—with unparalleled accuracy. By leveraging machine learning and predictive algorithms to constantly update a library of attack patterns, Transaction Abuse Defense stays ahead of quickly evolving bots. 

Transaction Abuse Defense performs detection out-of-band without adding another layer of traffic processing. The enforcement is done inline and bots are blocked close to the edge, so the web servers can serve traffic from humans. This preserves page load performance and user experience. Transaction Abuse Defense mitigates malicious bots before they wreak havoc on your site with denial of inventory and scalping attacks.

E-Commerce Security: Cyber Threat Protection for Your Business and Customers

Carding: What It is and How to Prevent It

What Does CAPTCHA Mean? | How CAPTCHAs Work

What is Fake Account Creation? | How to Prevent It

What is Bot Detection? | How to Detect & Block Bad Bots