IE 11 is not supported. For an optimal experience visit our site on another browser.

'Grinch bots' are here to ruin your holiday shopping

Didn't catch that hot item online? That may be because you're competing with bots programmed to sweep up the best deals.
Get more newsLiveon

Consumers may think they’re avoiding the crush this holiday season by shopping online, unaware that as they’re trying to get through the digital doors, so too are hordes of bots. And they’re throwing elbows.

Up to 97 percent of all online traffic to retailer login pages this holiday shopping week comes from bots, largely operated by organized gangs of cybercriminals, according to estimates by cybersecurity firm Radware. The cyber thieves also crack into accounts, drain accounts of rewards and other digital currency, conduct credit card fraud, and more, said Ron Winward, a Radware spokesman.

“Website operators are seeing uptick in bot activity leading up to Cyber Monday from people trying out their bots,” said Winward. “People are really competing with automated infrastructure and bots to get hot holiday items.”

On a normal shopping day, humans outnumber bots on login pages by two to one. On the days leading up to Black Friday and Cyber Monday, bots outnumber humans by 20 to 1.

While most of the responsibility is on retailers to use the best cybersecurity and server management practices to protect their customers, experts recommend several steps shoppers can take to protect themselves from automated fraudsters this holiday shopping season.

“The most significant bot-linked threat related to the retail sector is the risk of account takeover, also known as credential stuffing, with criminal groups using bots to brute force tools to log in to legitimate customers’ accounts, often assisted by records that they have found online from other cyber breaches,” said Christian Beckner, Senior Director of Retail Technology and Cybersecurity at the National Retail Federation, an industry group.

“If individuals are reusing passwords across multiple sites, they are most susceptible to an account takeover attack and illicit transactions within their account,” Beckner told NBC News.

Protect yourself

Installing a password manager software tool can make this easier. Implementing two-factor authentication can also make your accounts harder to break into.

  • On retailer websites, look for a green lock in the URL address bar or “https” instead of “http." Those features indicate the website traffic is encrypted, better protecting your banking and personal information.
  • Complete checkout with Paypal or another payment service instead of a credit card. If there’s a breach, then your credit card information is protected.
  • Scrutinize your billing and accounts and contest any unexpected charges. Sometimes fraudsters will try out a series of low-level charges to see if cards work before running up unauthorized charges.

"The proceeds go to fund organized criminal activity," said Stephanie Martz, general counsel for the National Retail Federation.

Another kind of bots online this time of year are shopping bots, which fill out online forms and navigate retail sites faster than a real person can, and try to swiftly purchase limited supply gifts before you’ve even filled up your cart. The items are then sold for a higher price on third-party sites.

The newest of these "grinch bots" can appear human, even defeating image-based CAPTCHAS by sending them to a human to solve, either the bot's owner or outsourced workers, and mimicking human user activity by adding in random mouse movements and other “humanlike” browsing behaviors. They also spread out their activity to use a variety of devices and IP addresses to make it harder to detect, according to Radware’s research.

Experts recommend that if you miss a must-have item while shopping the holiday sales online, avoid the temptation to buy it on a third-party site. You may be funding a scalper, or the site itself could be a scam.

Shopping bots can exist in a legal gray area. Only ticket scalping bots are illegal, under the federal BOTS act of 2016. But other automated purchase bots can violate a site's terms of service.

Without bots, some buyers say they'd never have a shot at some hard-to-get items.

"A lot of it is bot vs bot," said Eric R., a 20-year-old computer science student, who requested his last name be withheld for privacy reasons. He uses bots to quickly buy scarce sneakers and resell them for a profit. He plans to use the money to help pay for school.

"If you're 50 milliseconds faster, then you can get all of the stuff," he said.

This year he's gearing up his bots to try to purchase limited edition all-black Yeezy sneakers sold by Adidas in collaboration with rapper-designer Kanye West. They retail for $220, but he hopes to sell them for as much as $400 on a third-party site.

Despite the technological advantages, he says even human shoppers can still beat bots.

"Be persistent. A lot of times stores will crash if a lot of bots attack. You just have to get lucky."