Blog

Flash Sales, Sneaker Drops, and Concert Tickets: Protecting Your Applications, APIs, and Bottom Line

October 10, 2024 | 4 MIN READ

by Jeff Harrell

A stylized picture of a laptop with a sneaker on it and a credit card implying a purchase.

Flash sales, hype sales, and online product launches – like limited-edition sneakers – generate interest, excitement, and high demand from customers, so naturally they have also become a target for cyberattacks. These events often involve high-value items, making them prime targets for malicious actors and their bot armies. Understanding application and API vulnerabilities and the need for robust security precautions is essential for businesses that rely on these types of sales.

Flash sales and limited releases rely on the excitement of scarcity, with thousands of users attempting to grab products within seconds. However, they’ve also attracted bad actors, who use bots to automate the purchasing process, giving them an unfair advantage over regular customers. Bots, often controlled by scalpers, are programmed to swarm websites, completing purchases faster than human users could, often leading to the following issues:

  • Inventory issues: Bots quickly buy up desirable products, causing them to sell out within seconds and frustrating genuine customers.
  • Price inflation: Scalpers buy up stock to resell on secondary markets at inflated prices, hurting brand reputation and customer loyalty.
  • Infrastructure strain: Malicious bot traffic can overwhelm a website’s infrastructure, leading to site crashes, a degraded user experience, and adversely affecting marketing web site/buyer behavior statistics.
  • Customer frustration and reputational damage: Waiting in a virtual line for hours only to find out your desired item is sold out can cost customers and damage the company’s reputation.
  • Lost revenue: Bots can sometimes manipulate the applications and APIs – even if coded properly – to enable bad actors to steal merchandise. Downtime and lost customers also affect the bottom line.

These attacks typically exploit weaknesses in applications and their associated APIs, which are the backbone of many e-commerce platforms. They enable users to access product catalogs, initiate transactions, and interact with various services seamlessly. However, if not properly secured, APIs can become an open door for cybercriminals. Implementing proper security controls enables businesses to monitor, authenticate, and restrict traffic, ensuring that only actual customers can access critical functions.

Automated Bots Scale Attacks

In order to increase the scale of the attacks, bad actors typically employ automated bots. These bots may hide behind residential proxies, rendering useless IP-based prevention methods like Web Application Firewalls (WAFs). To be effective against today’s sophisticated and in many cases custom-coded bots, solutions need to employ machine learning and behavioral analysis to identify and separate malicious traffic and bots from good, and track them as they change tactics to evade detection. Native mitigation – actions like logging, tagging, rate limiting, deception, and blocking – is also a necessity; when you have one product detecting bots and another providing mitigation, response time suffers, and some bots may get through.

Case Study: Global Sports-Fashion Retail Company Dunks the Bots

A global sports-fashion retailer faced sophisticated, customized bot attacks that enabled attackers to bypass flash sale and product launch queues and acquire an inordinate amount of limited-edition and/or in-demand merchandise that would otherwise be available to legitimate customers. The concentrated bot attacks often caused site outages, affecting normal business as well as the flash sales themselves. Additionally, the attackers made use of the mobile application API which was more difficult to protect than the application itself and was therefore an easier target.

Prior to implementing Cequence, this retailer resorted to many suboptimal solutions including:

  • Utilizing waiting rooms for both bots and legitimate buyers, causing customer friction
  • Disabling their mobile applications during flash sales and forcing users to the website
  • Launching flash sales and new products in the middle of the night so that any site outages created by the bot swarms would have less effect on legitimate business
  • Launching far fewer flash sales than they wanted to, affecting revenue

The company’s prior bot management solution was largely based on IP reputation which attackers easily circumvented using Bulletproof or residential proxies, so they were interested in a more intelligent solution that would stop the bots without affecting legitimate business. Cequence’s behavioral analysis-based bot detection and mitigation enabled the company to detect and prevent the malicious bots and roll back their previous undesirable solutions mentioned above. Product launches are now held whenever the company desires, i.e., during regular business hours with no waiting rooms, on both the website and mobile applications, and at a much higher frequency than before.

As flash sales and high-demand product launches continue to grow in popularity, businesses must invest in robust security measures, particularly around APIs and bot management. Without them, the business risks are high. Implementing a strong API security program and a comprehensive bot management strategy ensures a fair shopping experience for legitimate customers and keeps bad actors at bay.

Contact us to learn how Cequence can help your business combat the bots that get in the way of your business using legitimate tools like flash sales.

Jeff Harrell

Author

Jeff Harrell

Director of product marketing

Jeff Harrell is the director of product marketing at Cequnce and has over 20 years of experience in the cybersecurity field. He previously held roles at McAfee, PGP, Qualys, and nCircle, and co-founded the company that created the first commercial ad blocker.

Related Articles