Ahead of this year’s Black Friday, cyberfraud protection company DataDome has released new data showing that top retail sites are ‘unprepared’ against bots. With bot operators using fake account creation to bypass purchase limits, DataDome warns it is ‘inevitable’ bots will snap up coveted consoles this Black Friday (November 29), leaving genuine customers disappointed.
This investigation follows the launch of the Xbox Series X and S on October 15 and Sony PS5 Pro on November 7, as well as shortages of the PS5 Pro disc drive – now being resold for almost double the RRP. The data shines a light on the true scale of bot activity over these two landmark launches, which has, until now, been unmeasured.
DataDome tested 14 major eCommerce websites in the US, UK, and EU to assess their readiness against bot attacks. The bots used in the investigation could easily be bought online for as little as £37 and used by fraudsters with no technical training or proficiency.
Findings:
1. 100 per cent of tested sites allow fake account creation – used by fraudsters to circumvent purchase limits
Nearly one-third of the tested sites allowed bots to create an account without advanced techniques.
Almost three-quarters of these major retailers allowed bots to create an account using advanced techniques like CAPTCHA solving or Multi-factor Authentication (MFA) handling.
2. Most lack basic security measures
Most (57.2 per cent) of the websites did not deploy a CAPTCHA challenge to protect the registration process.
64 per cent of the websites failed to validate provided email addresses, allowing for account creation using disposable emails, alias tricks, and dot techniques. These loopholes are easily exploited by bots to create multiple accounts.
3. Weak authentication practices
Half of the websites allowed a bot to log in to an account without advanced techniques.
35.7 per cent of the websites allowed a bot to log in to an account with advanced techniques like CAPTCHA solving or MFA handling.
Even those that implemented MFA could be bypassed using common tactics like rented phone numbers or SMTP access.
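The email-validation gap in finding 2 is one of the cheaper ones to close at the registration step: most of the "alias tricks" and "dot techniques" collapse to a single identity once the address is canonicalised, and disposable providers can be rejected outright. The following is an added example written for this article; it is not DataDome's code and is not tied to any of the tested retailers. The provider lists and the disposable-domain denylist are constructed samples (a real deployment would load a maintained feed), and the registration attempts it screens are made up for illustration.

```python
# Added example (not DataDome's code): canonicalise registration email
# addresses so alias and dot variants map to one identity, reject
# disposable domains, and flag repeat sign-ups for the same identity.
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Providers that ignore dots in the local part (constructed sample list).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
# Providers that treat "+tag" as an alias of the base mailbox (sample list).
PLUS_ALIAS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "icloud.com"}
# Domains that deliver to the same mailbox under another name.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}
# Constructed sample denylist of disposable-email providers.
DISPOSABLE_DOMAINS = {"mailinator.com", "10minutemail.example", "tempmail.example"}

# Deliberately loose syntax check: one "@", a dotted domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonicalize(email: str) -> Optional[str]:
    """Return the canonical identity behind an address, or None if malformed."""
    email = email.strip().lower()
    if not EMAIL_RE.match(email):
        return None
    local, domain = email.rsplit("@", 1)
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in PLUS_ALIAS:
        local = local.split("+", 1)[0]      # drop "+tag" alias suffix
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")      # "a.l.i.c.e" == "alice"
    return f"{local}@{domain}"


def is_disposable(email: str) -> bool:
    """True if the (canonicalised) address uses a denylisted provider."""
    canon = canonicalize(email)
    return canon is not None and canon.rsplit("@", 1)[1] in DISPOSABLE_DOMAINS


def screen_registrations(emails: List[str]) -> List[Tuple[str, str]]:
    """Assign each sign-up attempt a verdict: ok, duplicate, disposable or malformed.

    The first attempt for a canonical identity is "ok"; later attempts are
    "duplicate" even though the raw strings differ.
    """
    seen: Dict[str, List[str]] = defaultdict(list)
    verdicts = []
    for raw in emails:
        canon = canonicalize(raw)
        if canon is None:
            verdicts.append((raw, "malformed"))
        elif is_disposable(raw):
            verdicts.append((raw, "disposable"))
        elif seen[canon]:
            verdicts.append((raw, "duplicate"))
        else:
            verdicts.append((raw, "ok"))
        if canon is not None:
            seen[canon].append(raw)
    return verdicts


# Constructed sample of registration attempts, as a bot abusing alias and
# dot variants to create several accounts from one mailbox would produce.
SAMPLE_ATTEMPTS = [
    "alice@gmail.com",
    "a.l.i.c.e@gmail.com",
    "alice+promo1@googlemail.com",
    "Alice@Gmail.com",
    "bob@outlook.com",
    "bob+second@outlook.com",
    "carol@mailinator.com",
    "not-an-email",
]

if __name__ == "__main__":
    for raw, verdict in screen_registrations(SAMPLE_ATTEMPTS):
        print(f"{verdict:10s} {raw}")
```

The canonical form is what should be stored and compared for uniqueness; the raw address is still what you send the confirmation to. Note that dot-folding is applied only to providers known to ignore dots, since for most domains `d.o.t@example.com` and `dot@example.com` really are different mailboxes.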
Gaming retailers have historically been plagued by scalper bots. In Sony’s 2020 PS5 launch, some bots were able to purchase thousands of consoles, with one infamous bot, Carnage, even boasting ‘it just gets easier and easier’. Even in the run-up to the launch of the PS5 Pro, there were reports of ‘attempts to buy’ listed on marketplaces for up to £20,000 – an enormous markup on the console’s RRP of £699.99.
Gilles Walbrou, Chief Technology Officer at DataDome, said: “We are rapidly approaching a landmark day for gaming enthusiasts everywhere, yet like so many other major events, bots are set to ruin the fun for thousands. Thanks to AI, it’s easier than ever to create a bot capable of creating multiple fake accounts to snap up coveted items – or you can simply buy a bot online for less than £37.
“We’ve already seen the PS5 Pro external disc drive being snapped up by scalpers and sold for eye-watering prices on resale sites. To add insult to injury for customers that failed to get their hands on the sought-after PS5 Pro or the disc drive that goes with it, these same bots are now waiting in the wings to snap up the best deals this Black Friday, and it’s inevitable that thousands of them will be successful in their mission.”