Surveying the Bot Manipulation Landscape Among top US Retailers

Online retail is one of the largest targets in the cyber-security landscape. The identity theft resource center has logged over 10,000 data breaches, many of them against retailers. Being large stores of individual consumer data, containing potentially sensitive or otherwise valuable demographic and financial data, retailers are already known to be valuable for data exfiltration.

Data scrapers, account takeovers, card swipers, and other malicious behaviors are often pointed towards retail sites. Evidence for these behaviors abound in news articles covering breaches and all over the margins of the internet. At IPM, the root of our work is grounded in the tools used by these would-be attackers. As a sociotechnical security firm, we identify and validate solutions that are aimed at defeating these types of attackers. If attackers can mimic an individual consumer at scale, with targeted behaviors, they can manipulate markets, steal promo codes, and exploit KYC loopholes to get infinite brownies. We help people verifiably stop these attacks.

Newsweek’s 2022 Best Retailers list is invaluable as a single roadmap for the highest profile retailers, and thus, likely the largest targets for malicious actors. How do these retailers do today in proactively mitigating these actors? We probed the 193 distinct URLs from this list of retailers for their ability to proactively mitigate bot traffic with some form of anti-bot defenses. In total, we delivered 8,492 probes to these the retailers across our 44 bot deployment interfaces, testing whether or not each retailer would determine that our bot traffic was indeed bot traffic.

To make the determination that the retailer determined we were sending bot traffic, we developed an internal tool that interrogates the web response any bot receives to decide whether or not that web response is an anti-bot warning page. We developed a statistical signature of these pages with a machine learning algorithm, cross-validated the model, and determined our tool was ≈96% accurate when labeling these pages.

We used our internal web application firewall / anti-bot machine learning detection algorithm to automatically assess the 8,492 probes we sent to the 193 retailers across our 44 bot deployments. Of the 8,492 probes we sent to the 193 URLs, 61% of our probes successfully reached their targets. While that doesn’t sound like a high percent, we intentionally design bots across the spectrum of sophistication, from basic first-pass direct HTTP requests out to cutting edge bot browsers.

In the best case, our least-sophisticated bot deployment was successfully mitigated by retailers 91% of the time. In the worst case, our most sophisticated bot deployment penetrated 88% of the retailers. No single bot we deployed worked perfectly against every retailer. Because IPM tests a huge array of bot deployments, however, IPM was able to identify at least one bot deployment that could penetrate every single retailer. In other words, for each of the 193 retailers, at least one of our 44 bot deployment strategies was able to bypass all security measures and access pages intended for human consumers.

Beyond just determining that no retailer can evade all of our bot deployments, we wanted to understand what this data tells us about the latent, nascent industry of defending systems from malicious bots. Given these 193 sites, representing many billions of dollars of revenue, across many retail verticals, can we learn anything meaningful about who mounts strong defenses against malicious bots?

Initially, our hypotheses were relatively straightforward - more high profile companies would mitigate such attacks - perhaps some verticals of industries would deal with these issues better than others (e.g. Nike and Adidas have to contend with people attempting to mass-purchase their shoes as this tweet wonderfully illustrates). In the Newsweek article we sourced these retailers from, there was an associated index score for each retailer which was a composite of various factors of how well the company was regarded - do we see any clear associations with that variable?

In our data analysis, we found no discernible relationships between bot mitigation effectiveness and various measures of company health or retail vertical. Initially, we were disappointed to find that every chart we generated, for every regression we tested, we couldn’t find any compelling associations that told any clear story about which companies excel at bot mitigation and which don’t.

After some consideration, there’s a reasonable explanation for why there’s seemingly no relationship between how valued a company is and how comprehensive their bot security stance is — retailers are dealing with sociotechnical security issues in a piecemeal fashion. What we see in this chart is evidence of every company idiosyncratically solving the problem according to their own experiences with the problem measured against their risk appetite for the problem. If there were a strong relationship in the above chart, then we’d be able to say that as companies become more sophisticated, they get better at dealing with this problem.

That we don’t see that relationship indicates that companies don’t deal with this in a linear way - it’s not as if companies get better at these things as a matter of course while becoming bigger and better retailers. In reality, they just deal with it when they get hit with a breach, when it just so happens to pop up on their radar, or when they need to in order to address some future due diligence process.

In some sense, IPM’s goal is to make this relationship real - as companies get more sophisticated, dealing with The Bot Problem should become more important - we’re here to help folks through that process.

Finally, we generated a score of our own. To create our own composite score, we factored in the number of bot deployments that are able to break through, the relative exposure of each of those bot deployments as measured by relevant Github activity, the average per-request cost of accessing the sites in question, and the complexity of the HTML structures on the successfully rendered pages. Below, we provide the IPM Best Retailers 2022 Bot Exposure Index for reference - again, no strong relationship here, but a rank-sorted list of the retailers is provided for these companies to start thinking about how to better address sociotechnical security concerns.

IPM Best Retailers 2022 Bot Exposure Index