
A former sneaker botter is now a cyber security expert who protects e-tailers


A data scientist and cyberthreat expert at Arkose Labs, a major security firm, draws on his years as an Australian “sneaker botter” who programmed bots against merchants’ websites, and now works to prevent account takeover (ATO) attacks.

The term “sneaker botter” originated from the practice of using advanced software to quickly buy limited-edition inventory of major brands, such as Nike or Adidas, online in order to resell it at a premium. The term emerged after a series of bot attacks that also targeted concert tickets and high-priority goods sold on ecommerce platforms.

Mitch Davie, a former NSA agent and now a world-renowned bot management and account security expert, is a leader in the field. Around eight years ago, a friend invited him to join a programming group that was among the first in Australia to apply code automation techniques to e-commerce websites.

He never crossed the line into fraudulently using stolen credentials for purchases. He said that if the bot does not commit fraud, then using bots is legal.

“We did not use stolen credit card numbers. We shipped the products to our own address and used our own money,” Davie told the E-Commerce Times, adding that they simply made the purchases much faster than other customers.

A few years ago, Davie turned his programming skills to improving cybersecurity and protecting ecommerce platforms. It was a time when he decided to focus on raising a young family and on a career helping many more people.

“Instead of attacking just a couple of websites, I’m now protecting 50+ websites. That’s a great feeling,” he said.

Botters Attack Various Industries

Ashish Jain is the CPO/CTO of Arkose Labs. He says that automating bulk purchases online hasn’t gone away. Automating bulk purchases with bots may not be illegal [in certain jurisdictions], but some attackers use the same bots to steal consumers’ credentials and make fraudulent purchases.

Bots can also be used to take over consumers’ accounts on ecommerce sites and to create fake accounts that ship purchases to the attackers themselves. Jain became familiar with these practices during his time at eBay, where he validated user identities and handled trust and risk assessments.

Jain told the E-Commerce Times that, according to multiple reports, site data and Arkose’s own data, about 40% of internet traffic is bots.

The use cases for bots in banking, ecommerce, and tech industries differ, according to him.

“The line is very fine. At what point do you begin to abuse the system? At what point does one become a total fraud? This again depends on the case,” Jain said.

It is very easy to cross the line: if the terms of service state that scraping user information is not allowed and you scrape it with a bot, that is considered illegal, he offered.

Illegal Bot Practices

There are other ways to abuse an e-commerce system. One involves making returns to make money. Returns are legitimate if you bought an item with the intention of keeping it.

It becomes abuse if you do it repeatedly. Jain explained that the intention then is to defraud the business.

A second illegal bot usage involves payment fraud. He continued that attackers might use bots to work through a list of stolen credit cards or other stolen financial information. The information is then used to order and ship items. This is definitely illegal: it’s illegal when a bad actor uses a bot to do financial harm to an entity.

He explained that the key to classifying bot usage is whether it amounts to fraud or merely stockpiling. The bot’s purpose must be determined: is it simply automating tasks, or is it being used to commit fraud? This evaluation is also shaped by any agreement between the entity that runs the bot and the website owner whose data is being collected.

A good example is the agreement between Reddit, Google and other parties that allows Google to use the gathered data to train its large language models. Jain considers that a good bot. China’s bot activity is his example of bad bot usage.

“We found multiple entities trying to do exactly the same thing in China. Let’s take OpenAI as an example, where people are trying to scrape or use APIs to gain more data with no payment or agreement terms from OpenAI,” he clarified.

Bot Threats: Staying Ahead of the Game

Davie says that cybersecurity firms such as Arkose Labs specialize in advanced defensive measures for protecting e-commerce websites from bot activity, and they constantly update their detection technology.

“We monitor pretty much everything that the attackers are doing. We can understand their attacks and the reasons behind them. This allows us to improve detection methods, enhance our captures and stay on top of attacks,” he said.

Bot attacks are a constantly evolving process affecting many industries. Arkose can mitigate one attack scenario, but the attackers may then move to another industry or platform.

“It’s like a cat and mouse game,” Davie said, adding that current attacks are at their highest level but are also well mitigated.

Always Be on the Lookout for Attack Signals

Jain could not, of course, divulge any defensive secrets, but he described the general approach: leveraging the different signals observed on the e-commerce server. These signals fall into two categories, active and passive.

Active signals have a direct impact on users; passive signals operate behind the scenes.

“A common example of how you can detect bots is by looking at passive signals like the Internet Protocol (IP) address and device fingerprinting, the source of the signal, or behavioral biometrics,” he said.

Look for behavioral information. If you notice someone trying to sign in to an application with no mouse movement at all, this could indicate that the party on the other end of the screen is a bot or script.

IT teams also need to check known-bad IP address lists. A large volume of requests from an IP associated with a datacenter, such as a million requests in 30 minutes, is a good indicator of bot activity.

Jain said, “That doesn’t seem like a typical behavior when people like me and you are trying to sign in two times within an hour from your home IP address.”

The third example is velocity checks. These monitor how often a particular transaction data element occurs within a certain time interval, looking for anomalies and for similarity to known fraud behaviors.
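The passive signals Jain describes (missing mouse movement, datacenter or known-bad IP lists, request volume per IP within a window, and velocity of a repeated transaction element) can be combined into a simple scoring pass over login events. The following is an added example written for this article, not Arkose Labs’ code; the thresholds, the datacenter CIDR block, the log format and the log lines are all constructed placeholders.

```python
"""Toy bot-signal scorer over constructed login events.

Signals checked, following the article: no mouse movement, IP in a datacenter
list, too many requests from one IP in a window, and a velocity check on one
transaction element (here, a payment-card hash reused across accounts).
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed placeholder: assumed hosting-provider range. 198.51.100.0/24 is an
# RFC 5737 documentation block, not a real datacenter.
DATACENTER_NETS = [ip_network("198.51.100.0/24")]

# Illustrative thresholds (assumptions, not Arkose's numbers).
RATE_WINDOW = timedelta(minutes=30)
RATE_LIMIT = 200                      # requests per IP per window
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 5                    # distinct accounts per card per window


def parse(line):
    """Parse one constructed log line: '<iso-ts> <ip> <user> <mouse_events> <card_hash>'."""
    ts, ip, user, mouse, card = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user,
            "mouse_events": int(mouse), "card": card}


def is_datacenter_ip(ip):
    """Passive signal: does the source IP fall inside a known datacenter range?"""
    addr = ip_address(ip)
    return any(addr in net for net in DATACENTER_NETS)


def requests_in_window(events, ip, now, window=RATE_WINDOW):
    """Volume signal: number of requests from `ip` in the window ending at `now`."""
    return sum(1 for e in events if e["ip"] == ip and now - window <= e["ts"] <= now)


def accounts_per_card(events, card, now, window=VELOCITY_WINDOW):
    """Velocity check: distinct accounts that presented one card hash in the window."""
    return len({e["user"] for e in events
                if e["card"] == card and now - window <= e["ts"] <= now})


def score_event(event, history):
    """Return the names of the signals that fired for `event`, given prior `history`."""
    reasons = []
    if event["mouse_events"] == 0:
        reasons.append("no_mouse_movement")
    if is_datacenter_ip(event["ip"]):
        reasons.append("datacenter_ip")
    seen = history + [event]
    if requests_in_window(seen, event["ip"], event["ts"]) > RATE_LIMIT:
        reasons.append("ip_rate_exceeded")
    if accounts_per_card(seen, event["card"], event["ts"]) > VELOCITY_LIMIT:
        reasons.append("card_velocity_exceeded")
    return reasons


def scan(lines):
    """Score lines in arrival order; returns {user: set(reasons)} for flagged events."""
    history, flagged = [], {}
    for line in lines:
        ev = parse(line)
        reasons = score_event(ev, history)
        if reasons:
            flagged.setdefault(ev["user"], set()).update(reasons)
        history.append(ev)
    return flagged


def build_sample_lines():
    """Constructed sample traffic: one human, one scripted burst, one card-velocity run."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = ["2024-05-01T09:00:00 203.0.113.5 alice 37 card_a1",
             "2024-05-01T09:40:00 203.0.113.5 alice 52 card_a1"]
    # Scripted sign-in attempts: datacenter IP, zero mouse events, 250 in ~4 minutes.
    for i in range(250):
        t = base + timedelta(hours=1, seconds=i)
        lines.append(f"{t.isoformat()} 198.51.100.7 bot_target 0 card_b2")
    # One card hash presented by six different accounts from six home-looking IPs.
    for i in range(6):
        t = base + timedelta(hours=2, minutes=i)
        lines.append(f"{t.isoformat()} 203.0.113.{20 + i} victim{i} 10 card_zz")
    return lines


if __name__ == "__main__":
    for user, reasons in scan(build_sample_lines()).items():
        print(user, sorted(reasons))
```

The human account (two sign-ins an hour apart from a home IP with mouse activity, matching Jain’s description of typical behavior) produces no signal; the scripted burst fires three passive signals at once, and the card-velocity run only trips on the sixth account, which is the point at which the count exceeds the window limit.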