(No Ratings Yet)

Loading...

• Facebook
• Twitter
• LinkedIn
• Mail

February 4, 2021 4

PS5 Bot Networks Are Helping Scalpers Snag Every Console in Sight

in ssl certificates

PS5 Bots Are Making It Impossible for Shoppers to Buy the Console as Scalpers Enjoy Huge Profits

You see the dreaded message yet again and your heart sinks – “We’re sorry, this item is out of stock and cannot be added to your cart.” Just like every other time there’s been a re-stock.

You think it over – what could you possibly have done faster? You used a third-party site to get instant in-stock alerts sent to your phone and email. You bookmarked the product page on every single store. You logged in and saved your address and payment method ahead of time to make for the quickest possible checkout.

But once again, you missed out. Next time, you’ll refresh the page sooner. You’ll click faster. That’ll do it, right? You were just unlucky – it’s just a matter of time, isn’t it? Think again. By the time you click “add to cart,” a PS5 bot run by a scalper has already checked out and is working on even more transactions. The sheer volume of orders placed by bot networks is staggering. Per Walmart,

One bot preventative action we implemented just hours before the PlayStation 5 event on Nov. 25 blocked more than 20 million bot attempts within the first 30 minutes alone.

It’s gotten to the point where the scalpers and their PS5 bots are so effective that they are openly bragging about their handiwork (while simultaneously infuriating the 99.9% of people trying to make a legitimate purchase).

So how do scalping bots work? What is the scalping scene like? What are retailers doing to fight back? And is there any hope of outlawing the practice altogether?

Let’s hash it out.

Why Scalping?

Scalping used to be something that was primarily associated with live event tickets. Scalpers would buy blocks of tickets for in-demand events and resell them at a markup (often outside the venue right before the show or game began). Thanks to the emergence of online shopping, though, scalpers were able to expand to low-supply, high-demand physical items like toys, collectibles, video games, and fashion goods. They could both buy and sell without leaving their desk.

Every holiday season there’s a different “must have” gift that everyone tries to get their hands on, including scalpers. This past year, it was the Playstation 5 video game console from Sony. Released on November 12, 2020, the console was in hot demand from the beginning. Even pre-orders were selling for thousands.

Nowadays, scalpers use bots and other pieces of software to determine which products are in the highest demand and then place orders for as much quantity as possible. The bots are written to essentially help the scalpers skip the lines and automate the checkout process to the extent that real customers have next to no hope of completing a purchase.

How Do Scalping Bots Work?

At their core, scalping bots are just shopping bots that are abused by resellers en masse. You could legitimately use a shopping bot to compare prices for an item you want to purchase – you find the lowest price, buy the item, and then are done. Scalpers, on the other hand, take it to a ridiculous degree and instead aim to buy up the entire stock of a particular product. They will also sometimes modify existing shopping bots and tailor them to the kind of repeatability they’re looking for. Either way, they ultimately sell their stock at the highest possible price they can get.

Let’s take a closer look at a particular scalping bot, one that has been used heavily on PS5 listings – the BestBuy Bot. As the name indicates, it’s a bot that was designed to help customers place orders from BestBuy even when they aren’t physically at their computer. Created by a third party, it lets users select a particular product they want using keywords or an item number. They can also input instructions for how exactly the transaction should be carried out – type of payment, shipping methods, etc.

It’s a very helpful tool for shoppers that might be asleep or at work when a particular item becomes available. Of course, it’s a tool that can be abused, as well. The developers of the bot seem to distance themselves from the moral quandary associated with its use, and make no guarantees as to its effectiveness:

Buying a bot can increase your success chances only but no guarantee that you will successfully cart each time. There is no refund at all if you could not succeed, but if the bot gets outdated, then we can update it. If you do not agree, then please do not buy our products or services.

The Scalping Scene

We’ve seen both sides of the coin as far as how shopping bots can be used in the real world. Let’s now focus on the more nefarious aspects (because let’s face it, no one wants to read about someone’s aunt using a shopping bot to save five dollars on a new Tupperware set) by taking a closer look at the scalping scene.

Getting Into the Game

A large percentage of electronics scalpers originally started out in the sneaker market. In fact, many of the PS5 (or Xbox Series X) bots that have been seeing heavy use recently are actually just sneaker scripts that have been tweaked and modified for a different product or storefront.

These bots, as well as proxy connections, can be bought via Discord, which is the most popular place for the various scalping groups to congregate. The community helps users get up to speed and pick the best targets for maximum profitability.

It’s in the best interest of the developers that newbies are welcomed and assisted because it translates to increased business in the future for those creating the bots. If someone joins, doesn’t know what they’re doing, and ends up wasting their money and complaining, then it doesn’t look good to other outsiders. But if users are able to turn a profit without much headache, then more and more people will be interested in buying the bots.

For users that are simply looking to buy a console or two, then the easiest and most efficient way is to just pay another reseller to run a bot for you (for a fee of roughly $50 or so). Otherwise, anyone that’s comfortable with using computers and the internet shouldn’t have too much difficulty getting up to speed with running their own bot.

The biggest players in the scalping game aren’t just running a single instance of a bot. They’re looking to do more than a single bot can handle, so they run their own networks of bots, commonly referred to as a botnet, to exponentially increase their purchasing ability. The same commands can be executed in unison by all of the different bots. They will all appear as unique users with different IP addresses to the retailers, helping them avoid detection.

Targeting the Weak

In the wild, the strong survive and the weak get taken advantage of. It’s similar with scalping – those retailers with weak sites will get their stock cleaned out first. Resellers are well aware of this and specifically target the sites where their bots will be most effective.

One such instance of this strategy occurred with UK-based retailer John Lewis on the PS5 launch day. Their focus isn’t on electronics, rather they sell a board range of goods including home décor, clothing, and sporting goods. One would thus assume that they wouldn’t be as prepared for a major console launch as retailers that have a stronger connection to the gaming world. An anonymous scalper also said that they were only able to find one bot that was capable of targeting John Lewis’ website – indicating that they were flying under the radar as far as PS5 targets went. The scalper had great success as a result – completing 12 orders with only four being cancelled afterwards.

The bots themselves have become more and more refined to where there are no doubts regarding their effectiveness. Now, rather, the biggest challenge is having enough credit cards and addresses to complete all the orders. Virtual cards are readily available thanks to the glut of new fintech apps on the market, but many scalpers still get physical address the old-fashioned way – borrowing them from friends and family.

The Arms Race Continues

As we often see in the cybersecurity world, there is an ongoing battle for superiority between the “good guys” and the “bad guys” when it comes to scalping via bot networks, as well. Retailers are doing all that they can to stifle the efforts of bots, with scalpers continuing to develop their tools in response. Per Dr. Bill Mitchell, Director of Policy at BCS,

We have both sides trying to develop AI systems that can outsmart each other.

Dr. Mitchell also sees the moral dilemma that accompanies scalpers and their tools. While this kind of scalping isn’t technically illegal, the fact that it’s directly benefitting a very small number at the expensive of the general public certainly raises ethical questions. Dr. Mitchell said

I think they’re unethical and I think they’re probably immoral. We are in a capitalist society, so it’s not quite clear that the principle is itself wrong. Where the unethical and unfairness is in this, is that the retailers want every human to have an equal chance of getting this thing and the bots are trying to subvert that principle. It’s not about legality, I don’t think, it’s about ethics and good practice.

This type of thinking keeps motivating the creators of anti-scalping and anti-bot measures used by retailers on their websites. Take Captcha technology, for example, where users perform basic tasks to prove they are human. Captchas have no doubt cut down on the effectiveness of bots, but they are rapidly catching up thanks to the capabilities of increasingly-sophisticated artificial intelligence. As Dr. Mitchell explained,

There’s a kind of a technology war going on between the people who are building the kind of Captcha-type technologies and the people who are trying to outsmart the Captcha-like technologies, and now of course, to throw AI into the game and it all becomes great fun.

“Fun” might not be the best word to use depending on who you ask (like the millions of frustrated consumers around the world that are still yearning for a PS5), but regardless it is a battle that looks poised to intensify as AI continues to evolve.

What Retailers Are Doing to Combat PS5 Bots

We mentioned earlier how Walmart blocked a whopping 20 million orders placed by bots within the first 30 minutes of the PS5 launch. These networks of bots rely on automated scripts to put up such impressive numbers, and anti-bot software basically aims to interrupt the process by presenting the bots with something that their code isn’t able to handle.  Walmart won’t give out exact details about their anti-bot measures, but Jerry Geisler, Walmart’s chief information security officer, explains in a blog post how

Bot scripts are constantly evolving and being re-written, so we’ve built, deployed and are continuously updating our own bot detection tools allowing us to successfully block the vast majority of bots we see.

An audit was subsequently performed afterwards to try and identify any other suspicious purchases, leading to the cancellation of even more orders. Geisler added:

Bot scripts are constantly evolving and being re-written, so we’ve built, deployed and are continuously updating our own bot detection tools allowing us to successfully block the vast majority of bots we see.

Geisler also wants to see anti-scalper measures taken to the next level, to the point that legislation is ultimately created to address the issue. He hopes:

Others across the retail industry will join us by asking lawmakers to do more to prevent these unwanted bots on retail sites, so customers have equal access to the products they want.

Walmart isn’t the only one fighting back against PS5 bots. A spokesperson for retailer GAME said they have implemented “strong measures” to prevent more than one console being sold to the same customer. They went on to add:

All pre-orders are subject to automatic checks and order updates such as cancellations following these checks…At the present time these orders are still pre-orders and as such no payments have yet been taken from customers. Payments will commence once our order checks have been completed.

What Other Retailers AREN’T Doing In Response to PS5 Bots

Not everyone shares the anti-bot enthusiasm, however, and it’s not hard to understand why when you put yourselves in the shoes of a retailer. For them, a sale is a sale. Either way, in the end, they’re getting paid to ship out a product. Then, it’s on to the next product and next customer.

The marketplaces that help enable scalpers to profit so handsomely – chiefly eBay and Facebook – have done essentially nothing to hinder scalpers or place a cap on selling prices for certain items. They don’t want to alienate their users so it’s usually safer to remain hands-off. And to be fair, it’s not the responsibility of a business to crack down on bot-using third parties anyway.

Sony, in particular, has very little incentive to fight bots. According to their ledgers, the PS5 launch has been incredibly successful thanks to constant sell-outs of the console. But will they eventually feel the hurt if this kind of event ends up damaging their brand? Gamers are unhappy at the moment, and rightfully so. It could translate in the short-term to buyers changing their minds and going with an Xbox or Nintendo Switch instead, and in the long-term to lost recurring revenues that games and subscriptions provide.

Banning Bots?

There have been calls in the UK recently for bot networks like Carnage to be banned completely. The process is still in its infancy, though, and for the foreseeable future the onus will continue to fall on retailers to combat bots. Jason Kent, Hacker in Residence for Cequence Security, sums it up by saying how

Utilizing purchasing bots to snap up console inventory isn’t necessarily illegal. There are components of these transactions that border on fraud or are actual fraud but in standard bot purchasing the bot simply enables the transaction. Since most retailers have built their environments for high-speed and high-volume transactions, the bots are being supported by the environment that is trying to keep them out.

The effort to build a retail store that delights customers and enables transactions plays right into the bot creators’ hands. In order to keep the bots at bay, organizations need to utilize mechanisms that can see them operating by applying AI and machine learning models that can identify and mitigate bot transactions, even if they are attempting 50,000 transactions per second.

It’s certainly not a black-and-white issue, and the debate on anti-bot legislation is just getting started. In the meantime, consumers will need to have faith in retailers that they’ll be able to keep ahead of the scalpers. So far, it’s been an even fight at best. Until the pendulum swings back to the side of the consumer, we’ll all just have to cross our fingers and keep hitting “refresh” as fast as we can.