Scalper-Bots Shake Down Desperate PS5, Xbox Series X Shoppers | Threatpost

It’s a big week for gamers across the globe, with imminent, dueling releases of Xbox Series X and PlayStation PS5. However, an army of retail bots threaten to drive prices up as much as three times the retail price, putting the coveted holiday gifts well out of reach of everyday fans.

Retailers were quickly cleared out of Xbox inventory on its release day Tuesday. Best Buy sold theirs out quickly, priced at $499.99. There were plenty available on eBay though, with price tags more than double that price, several marked at over $1,000.

The PlayStation 5, also priced at $499.99, doesn’t come out officially until Thursday, but there were several pre-order confirmations — not even actual product — available on eBay listed for around $900. And experts suspect scalpers will similarly be able to snatch up those consoles on release day, just like the Xbox, mark them up and turn a tasty profit off holiday shoppers.

Bot-Powered Xbox, PS5 Scalpers

Making these high-tech hoarders harder to stop is that what they’re doing isn’t actually illegal, according to Jason Kent, hacker-in-residence for Cequence Security.

“There are components of these transactions that border on fraud or are actual fraud, but in standard bot purchasing the bot simply enables the transaction,” Kent said. “Since most retailers have built their environments for high-speed and high-volume transactions, the bots are being supported by the environment that is trying to keep them out. The effort to build a retail store that delights customers and enables transactions plays right into the bot creators’ hands.”

Kent pointed out these bots are acting similarly to the types of bot-driven distributed denial-of-service (DDoS) attacks that retailers combat regularly, and he added that applying artificial intelligence and machine learning are effective tools to combat these superpowered scalpers, “even if they are attempting 50,000 transactions per second.”

Can Gaming Learn From Sneakerheads?

Aside from AI and ML, even a simple CAPTCHA would go a long way toward slowing down resellers from scooping up huge swaths of consoles, according to Allan Liska, solutions architect for Recorded Future. He added that this is a problem other industries have been more successful at solving.

“Video-game console retailers could take a page from sneaker-sellers, who have been dealing with this problem for years,” Liska told Threatpost. “Whenever there is a limited supply of a product for sale on the internet, retailers will have to deal with bots.”

He added that as bots have gotten more sophisticated, CAPTCHAs have had to evolve along with them.

“There has been an escalation in the CAPTCHA fight over the last few years, bots have gotten better at identifying and passing CAPTCHA, so CAPTCHA companies, such as Google, have had to develop more complex CAPTCHAs based on the nature of the traffic.” Liska said.

But neither video-game company seems ready to tackle the issue, staying mum on the issue. Neither Microsoft nor Sony has responded to Threatpost’s requests for comment.

Similarly, ticket-sellers have had to grapple with cybersecurity issues and fraud. In Feb., scammers posing as Burning Man concert organizers were selling very convincing, fraudulent passes to fans.

Bots are becoming more ubiquitous and more sophisticated, even developing the ability to mimic human behaviors to evade detection. A recent Radware report pegged the overall growth in bot traffic at 26 percent in 2020 over 2019.

Nate’s Bird Bot

Last spring it was Bird Bot that grabbed headlines, along with the Virginia teen behind it who used his time in COVID-19 quarantine to write code that allowed him to cut retailers’ digital lines. With Bird Bot, the Washington Post reported the high schooler, named Nate, was able to buy enough Nintendo Switch consoles to create a global shortage.

Not surprisingly, Bird Bot also proved effective at scoring sneakers, like the Yeezys he picked up for $200 and was able to resell for up to $600 each.

But Nate bristles at the suggestion he did anything wrong.

“Some people were calling me a scalper,” he told the Post. “It’s just basic supply and demand.”

Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.