Former Sneaker Botter now cybersecurity expert protecting online sellers

A former tennis botter from Australia, who spent years programming bots to exploit e-commerce platforms, now uses his experience to combat bot attacks to compromise merchant websites and prevent account takeover attacks (ATOs) as a data scientist and cyber threat analyst at Laboratoria Arkose.

The term “sneaker botter” comes from the practice of using sophisticated software to quickly purchase limited editions from major brands such as Nike and Adidas online for resale at a higher price. The deadline followed expanded bot attacks that escalated to hijacking concert tickets and other high-priority products sold on e-commerce platforms.

Mitch Davie is currently a recognized global leader in bot management and account security. A friend invited him to program about eight years ago. The group was one of the first in Australia to apply code automation techniques to e-commerce websites.

However, he never crossed the line and fraudulently used the stolen credentials to make purchases. Basically, if the bot user is not committing fraud, using bots is not illegal, he suggested.

“We did not use other people’s stolen credit card details. We used our own money and had the products shipped to our own address. We simply shopped much faster than other customers,” Davie told E-Commerce Times.

A few years ago, Davie decided to use his programming skills to improve cybersecurity performance and protect e-commerce platforms. This happened as he focused on raising a family and a career that helped many more people.

“Instead of attacking just a few websites, I now protect over 50 websites. It’s a good feeling,” he said.

Botters attack various industries

According to Ashish Jain, CPO/CTO at Arkose Labs, the concept of automating online shopping is here to stay. While automating bulk purchases with bots is not illegal (in some jurisdictions), some attackers use them to obtain consumers’ credentials to make fraudulent purchases.

Bot attackers can also take over consumers’ accounts on e-commerce sites and create fake accounts to ship purchases to their own addresses. Jain is familiar with such practices from his time at eBay, where he verified user identities and conducted risk and trust assessments for the marketplace.

“If you look at internet traffic, you’ll see many reports and sites, including our own data, that 40% of the traffic you see on your site is basically bots,” Jain told E-Commerce Times.

He added that this portion of bot traffic depends on the specific industry, and use cases vary across e-commerce, banking and the technology industry.

“There’s a fine line in between. At what point do you abuse the system? At what point do you completely become a fraud? I think it depends on the specific case again,” Jain asked.

It’s very easy to cross that line, and if the terms of your service agreement state that scraping user information is not allowed – if you have a bot and you do it, it’s considered illegal, he suggested.

Legal and illegal practices related to bots

There are other situations where bot automation allows for the abuse of an e-commerce system. One of them is making profits in order to make a profit. If you buy an item with the intention of keeping it, returning it is legal.

If you do this repeatedly, let it become a practice, it will become an abuse. Your intention is to essentially defraud the company, Jain explained.

Another form of illegal use of bots is payment fraud. He continued that attackers could use bots to obtain a list of credit cards or stolen financial data. They then use this collected information to purchase and ship the item purchased for this purpose. It’s definitely illegal. When a bad actor collaborates with a bot for the sole purpose of causing financial harm to an entity, then it falls into the illegal category.

He explained that the key difference in determining bot use is whether the activity constitutes fraudulent behavior or lawful hoarding. It is important to assess whether the bot is simply automating tasks or is being used for fraud. Additionally, an important factor in this assessment is the agreement between the entity using the bot and the owner of the website from which the data is collected.

An example would be the agreement between Reddit and Google allowing Google to use collected data to create large language models (LLM) to train Google AI. According to Jain, it is a good bot. However, bot activity in China is an example of bot misuse.

“We found many entities in China trying to do exactly the same thing. Let’s say it’s OpenAI, where they try to scrape the system or use APIs to get more data without having any contract or payment terms with OpenAI,” he explained.

Stay ahead of bot threats

According to Davi, cybersecurity firms such as Arkose Labs specialize in advanced security measures designed to protect e-commerce sites from bot activity. They use constantly updated, highly advanced detection technology.

“We basically monitor everything the attackers do. We are able to understand how they attack and why. This allows us to improve our detection methods, improve interceptions and prevent attacks,” he said.

Bot attacks are an ever-emerging process that cuts across many different industries. When Arkose limits the attack scenario to one sector, attackers will jump to another industry or platform.

“It’s like a cat and mouse game. Currently, the attacks are the most numerous in history, but they are also the most contained,” Davie revealed.

I’m always looking for attack signals

Jain, of course, could not reveal the company’s defense secret. However, he recognized that this exploits various signals observable on e-commerce servers. These signals are divided into two categories: active and passive.

Active signals influence the end user. Passive traits work behind the scenes.

For example, look for information about behavior. If you see someone trying to log in to your app but not seeing any mouse movements, the user on the other side of the login screen is probably a bot or script.

Additionally, IT teams should check lists of known bad IP addresses. Lub jeśli zauważą dużą liczbę żądań, na przykład milion żądań w ciągu 30 minut z adresu IP powiązanego z centrum danych, jest to silny wskaźnik aktywności bota.

A third common example is on-site speed testing. They monitor the number of times a specific item of transaction data occurs at specific intervals. You’re looking for anomalies or similarities to known cheating behavior.