
Kicks & chips: an investigation into scalper bots!

BSides Barcelona · 2021 · 21:32 · Published 2022-01
Category: Research
Style: Talk
About this talk
BSidesBCN21 - Day 2 - Park Güell Track

Kicks & chips: an investigation into scalper bots! (Mathieu Gaucheler, Liv Rowley)

Reseller bots are programs designed to automatically buy a large amount of an exclusive item. The aim of many of the users of these bots is to buy a large quantity of highly sought-after items — which often sell out within a matter of minutes — and resell them at a higher price for profit. This phenomenon has taken on several iterations over the years, from ticket bots to sneaker bots; following the recent shortage of GPUs used for video games and cryptocurrency mining, similar bots have been made to snatch up products from brands such as Nvidia and AMD in the past year. Such bots can be easily found for sale or for rent on the internet.

We will examine several aspects of this reseller bot world. First, we will dissect how these bots work as well as the individuals — both programmers and sellers — behind them. We will review the products targeted by these bots and detail trends in the different products the bots have been designed to obtain over the past few years. We'll take a look at the money behind these bots as well, profiling several different bots available to consumers and spotlighting their prices and plans. Lastly, we will focus on who the typical users of these bots are, exploring both the bulk resellers and the individual enthusiasts looking to get their hands on exclusive products.

About Mathieu Gaucheler
Mathieu Gaucheler is a subject matter expert at Maltego. His responsibilities include research-driven content development for blog posts, webinars, and talks. He started working in cybersecurity in Barcelona, focusing on malware analysis and sandbox development. He has previously presented his research at BotConf and RSA APJ.

About Liv Rowley
Liv Rowley is a Subject Matter Expert at Maltego, where she conducts research into various cybersecurity threats. Liv has several years of experience working at threat intelligence companies in both the US and Europe. Much of her research has focused on threats originating from the cybercriminal underground as well as the Latin American cybercriminal space.
Transcript [en]

Perfect, wonderful. Getting back to the right side, I think we're good.

I think you're good to go. I'm seeing the Kicks & Chips on the RTX 3080 right there. Okay, perfect. Well, we're about to begin then. Okay, great.

Hi everyone, and welcome to Kicks and Chips: an investigation into scalper bots. So hello, it's Mathieu. I am a subject matter expert at Maltego. I focus on malware analysis and, as you can probably tell by my accent, I am French, but I live in Barcelona. And I am Liv Rowley. I am also a subject matter expert at Maltego. My research primarily focuses on cybercriminal investigations, primarily on the deep and dark web, and I am also Barcelona based.

So here is our agenda for today. We're going to start with a quick introduction to scalper bots in general, so everyone has a baseline for what we're talking about. Next, we're going to go into the technical details about how these bots actually work. After that, we'll take a look at the bot landscape, so questions such as pricing and where they're being sold, and then finally we'll wrap it up with some key takeaways.

So why this talk? Well, at the beginning of this year I was looking to buy a graphics card to build a gaming PC. However, the lack of supply at the time and the rise in demand provoked by the pandemic, as well as the rise of Bitcoin prices, made it a very interesting target for scalpers, and I wasn't able to buy any GPU. So on the lower left of the slide you have a quote from PCMag.com talking about the launch of the GeForce RTX 3080 and how a good portion of the graphics cards were bought by people using bots to buy them before anyone else and then resell them on eBay and other websites. So as you can see, the scalpers were reselling the GPUs at around three times retail price, which is quite a lot of money. So this is part of why we wanted to know and learn what was going on with these bots.

The bots that most people are probably most familiar with are ticket scalper bots. Those have been around for a long time; they're kind of the OG scalper bot. We found references to them all the way back to 1999. And here we have a graph showing Google Trends results for searches for "ticket bot", "sneaker bot" and "GPU bot", so you can see the interest in ticket bots has been the most enduring, but there's been a significant increase in interest for all these different bot types over the past few years. One thing we think is fueling that is just general accessibility: it isn't that difficult to find these types of bots anymore. For this investigation we surveyed 46 different bots, primarily sneaker bots, so that's where a lot of the research that we're going to present comes from. It's also worth noting that these bots are operating in a legal gray area. There are not a lot of laws and regulations that explicitly make this activity illegal, though it is often a terms of service violation for the retailers that they're targeting. But in the past several years there has definitely been an increase in government interest in curtailing this activity. For instance, in parts of the US ticket bots are now illegal, and the EU has rolled out legislation trying to curtail this activity, specifically around ticket botting, as well.

So what are the common targets of these scalper bots? As we talked about, tickets are definitely a very common target. Also collectibles such as trading cards and stuffed animals, other types of stuff that is maybe only available in a limited quantity. Sneakers is a big one; this has been talked about in the media for a couple of years now, especially around exclusive or limited releases. And as Mathieu mentioned before, GPUs and other electronics such as the new Xbox and stuff like that. The images that we have on this slide have come from "success" accounts, so oftentimes bot users will have either Twitter or Instagram accounts where they boast about their latest acquisitions. So that's where most of these photos have come from: directly from bot users bragging about what they've been able to acquire.

All right, so now that we have the general idea of what sneaker bots are, we're going to take a look at how they are operated. So first of all, I'm going to show you really quickly the graphical user interface of a scalper bot. Here you can see it is pretty user friendly. A few bots are available with a command line interface, but that's not the majority of them; most of them are for people that are not very technical. You don't need to be very technical to use one. As you can see, you have different tabs relating to the different aspects that you need to configure to run a scalper bot properly, but the most important one is probably the tasks, all the way on the left, and it's something that you're going to use to list the different items you're going to want to buy and try to purchase with your bots.

So what's under the hood? What technology do these bots use? We don't really know for sure; we couldn't get our hands on one, so we surveyed the bots that are available on GitHub. A lot of bots were made last year to counter the professional paid bots that were used by scalpers, so they were made by people who just wanted to be able to buy a GPU for themselves, because there wasn't another way to get one at the time, maybe. So these are available on GitHub, following the line of "fair game" that you have on the slide: if everyone is botting, then no one is botting. So what do you have in these bots? You have some browser-mimicking tools, or at least a driver that can pilot a browser, such as Selenium, because you need to be able to run JavaScript and you need to be able to fill forms; simply using curl is not going to cut it. You also need to have some captcha-solving capabilities, such as Death By Captcha, which is going to connect your app to a captcha farm somewhere with real humans solving captchas, or you have some automated libraries such as amazoncaptcha that are going to automatically try to solve the captcha. Then you need to be able to manage cookies when doing requests, to make your bot simply more human-like, more realistic. That's why you have this Python package on screen.

But of course, retailers have been trying to find these bots, because they are in violation of the terms of service, and we're going to take a little look at what countermeasures have been applied by retailers so far. So we've seen retailers using cookies. This one's pretty trivial but pretty efficient as well: simply using cookies to track the bots across the website and seeing what their activity is, how they move through the website, and whether their behavior matches that of a human. Then retailers are also checking the delivery addresses: you cannot order 50 pairs of shoes for the same person, so if 50 pairs of shoes are ordered at the same address, that seems pretty sketchy to retailers. Then the same thing happens for the IP addresses and for the billing information: if the same debit card is buying six PS5s, that seems also, you know, fishy. The last iteration of countermeasures is actually the raffle system. So the point of the bots is that they fill forms very fast and they're going to order very fast, faster than any human could. So the raffle system is: you let anyone wanting to buy this item enter their billing information and their delivery information and enter kind of a raffle contest, and then after two to five minutes, plenty of time for the bots to subscribe to the contest but also for real humans to subscribe, you're going to pick a happy few, a certain number of winners that will be awarded the right to buy the actual item. So this kind of negates the point of the bot, which is to fill forms very fast. So that was kind of a response by the seller. Of course, the bots then went on to counter the countermeasures, and that's what we're going to see next.

So the first action they took: some things are very trivial, for example scrambling the delivery address. If you live on 2 Market Street, apartment number 5, you can simply say that you live on Market Street, 2nd, apartment number 5, or something like this, and it's not going to be exactly the same line, so you would have to actually parse the delivery address, which is something that can be quite difficult sometimes. Another thing that they did to circumvent the cookie use is simply harvesting cookies using different proxies, so they have quite a few cookies when they go directly in to buy the item; they already have some fake history attached to their app, so they look more human-like. Something used to counter the checking of the billing information is simply the use of virtual credit cards. So these services are legit services that are just going to connect a unique virtual credit card number to your own credit or debit card, and this is seamless for the retailer, and the retailer has no way of knowing that these discrete cards are in reality all tied to the same physical credit card. Then to counter the raffle system, the way that the bots found was simply to enter the raffle a lot of times by buying accounts. So for example, here you have a screenshot of Nike accounts that are on sale on the internet, and from what we observed it varies between one dollar and two dollars per account. So for example, if you want to enter a raffle 200 times, you're already flushing 400 dollars down the drain. And of course, if you want to enter the raffle with 200 different profiles, you need to have an IP address for each of these profiles, a different one. So these are some different categories of proxies we could find. Underneath on the slide you have some logos of proxy providers, especially targeting sneaker bots. All of these different categories, we didn't check them; these are things that are claimed by the proxy providers. It's interesting to note, however, that depending on the category that you want, you're going to pay differently. So residential proxies are priced by the gigabyte of data, with a rough estimate being 15 dollars per gigabyte, and then ISP and data center proxies are priced by IPs, so the price ranges from 75 cents all the way to three dollars. So if you want to enter with 200 accounts, you're paying 400 already for the accounts, then maybe 600 dollars for the actual IPs, so it's already a thousand dollars down the drain just to have some more chance of buying the items.

Then, not something to circumvent a countermeasure per se, but something essential to efficiently running a good sneaker bot, or even a collectibles bot for that matter, are the cook groups. So these are basically communities that you pay to be a part of. These are usually private Discords, and they give you tips on how to run your bots, they give you information on what the next drops are, so when the next items are going to be on sale and what URL you're going to have to input in your browser, and also what the resale value of the item is going to be, so you can decide if it's worth your time or not. So we found different prices, but they are usually around 30 euros a month, and the overwhelming majority of the cook groups that we found are US based.

Okay, now let's talk about the bot landscape quickly. So one thing we wanted to look into immediately was the pricing of these bots. We found that bots are often using a subscription model, so there is an initial upfront one-time cost to get the bot, and then there's an additional monthly cost, or perhaps a bi-annual cost, some type of subsequent fee in order to maintain that access. We looked into the pricing of these two costs, so the upfront cost and the subscription cost. The initial payment is an average of around 300 euros, but that can range all the way down from 100 euros up to 850, and the monthly cost is about 30 euros; the minimum we saw was 8.50 and the max is all the way up to 100. As a note, we adjusted these prices into euros. The majority of the bots that we looked at had their prices listed in dollars, though some also had their prices listed in pounds and euros as well, which is interesting and could potentially tell us some information about where these bots are being developed and who their users primarily are. And another interesting thing that we saw is that a lot of these bots are often sold out, or listed as sold out, on their sites. One reason we think that they're often listed as sold out is just in order to keep the supply low: if you have a bunch of competitive sneaker bots out there in the wild, they're going to become less effective as they compete against each other. And another reason is to not draw attention from the retailers that they're targeting, so if you become the primary bot that's targeting a particular retailer, the retailer will likely look into your bot and find countermeasures tailored to circumvent what your bot is doing. The exclusivity of these bots has led to some odd distortions in the market. One thing that jumped out to us as strange was that there's a resale market for the bots, so we looked at a site called BotBroker on which people were reselling sneaker bots, and we have a little price graph over here that shows in black the retail price of the bot, so when you just buy it up front, and then in yellow the resell price on BotBroker. So you can see it's tremendously more expensive to get a bot from BotBroker. And we also saw that there were services that allowed you to rent a bot, so because they are so expensive, it might not be worth it for people to pay 300 euros up front and 30 euros a month to maintain access, so you can just rent a bot for perhaps a day when you know an important release is happening. We were also curious about the cybercriminal element of this, so whether cybercriminals were looking at sneaker bots as well, and here we have a Maltego graph in which we were looking at cybercriminal chatter on different forums, and we can see three clusters of information, and those are the three main forums where cybercriminals were talking about sneaker bots. So these are all English language forums; we saw Nulled, Hack Forums and Cracked.to, and these guys were primarily talking about cracked bots, or bots that have been reverse engineered and are now being sold again.

And as a profile, we looked at this one vendor called SNKR Bots. They're active on an English language underground forum, and they sell access to a package of 11 different cracked sneaker bots, including Top Secret (TSB), NSB, Sole, etc. The cost of the service is an initial price of 300 and a monthly cost of 30, which is interesting because, I mean, we're talking dollars to euros here, but that's roughly what we saw as the price for just one bot, commonly. So this is what we found on the underground, and we thought that was quite interesting too.

Let's see. And then finally, our key takeaways. The first one that we have is that scalper botting has been around for a long time; as we said, it's been around since at least 1999. Another thing that we'd like to point out is that it's been diversifying, so instead of just targeting tickets and streetwear, it's also starting to target electronics and other items as well. The third takeaway we had is that botters are bypassing countermeasures using specialized services such as proxies and VCCs. Of course, we're talking about the countermeasures we saw, since we got them from these botters, the scalpers' chatter and communities; maybe there are some others that are used by retailers that we don't know about, but the ones we know about are being circumvented. And the last one, and a pretty ironic one actually, is that the exclusivity of bots has led to a resale market as well as a cracked underground market. So with that, we would like to thank you for attending our presentation, and we will now be taking questions.

Thank you very much, that was interesting. So I've got one question about what the main issue is for companies, and how interested the companies are in fighting these things. How many resources are they spending on this? Is this a big issue for companies? Because the main people who get affected by these are mainly consumers, right? But at the end of the day, the retailers, they are selling the stuff, right? So it could be a branding issue or something like that. So I'm interested in, yeah, who is interested in fighting this.

Okay, so yeah, it is very much a branding issue, because it does not look good for Nike or for Nvidia, every time they release a new GPU, to have a thousand customers getting very angry on forums and saying that Nvidia is the worst because bots bought everything. So now, I mean, these brands, they are making profits of course, they are selling all of this, but at the end of the day, if they don't do anything against that, they are not really pleasing their customers, which is probably not a good thing in the long term. What resources do they have devoted specifically to fighting this? We have no idea; we couldn't get any data on that.

Yeah, I wonder if there are specific teams just dedicated full time to fighting this. But you know, another point that you made, something like a lot of companies also don't make money on the hardware that they sell, but they make the money on the services. So if the hardware is being taken by scalpers, they are not making money with the services because they are not being used, right? So I guess that's another point why they're not interested in that.

All right, so I don't see any other questions. Thank you very much for your presentation, I appreciate it. Thank you for having us. Great, thank you.
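The address-scrambling trick and the address, IP and billing checks discussed in the talk suggest a simple detection rule for a retailer's order pipeline. As an added example that is not part of the talk or of any retailer's real system, the Python below normalizes delivery addresses so that "2 Market Street, Apt 5" and "Market St., 2nd, #5" collapse to one key, then counts orders per normalized address, per IP and per card fingerprint; the abbreviation table, the threshold of 3, and all sample orders, IPs and card fingerprints are constructed assumptions.

```python
import re
from collections import Counter

# Abbreviation table used for normalization (an assumption, not a real
# retailer ruleset). Empty string means "drop this token".
CANON = {
    "st": "street", "str": "street", "ave": "avenue", "av": "avenue",
    "rd": "road", "apartment": "apt", "unit": "apt", "suite": "apt",
    "number": "", "num": "",
}
ORDINAL_WORDS = {"first": "1", "second": "2", "third": "3", "fourth": "4", "fifth": "5"}


def normalize_address(raw: str) -> str:
    """Collapse common spelling variants of one delivery address to a single key."""
    s = raw.lower()
    s = s.replace("#", " apt ")                    # "#5" -> "apt 5"
    s = re.sub(r"\b(\d+)(st|nd|rd|th)\b", r"\1", s)  # "2nd" -> "2"
    s = re.sub(r"[^a-z0-9 ]", " ", s)              # strip punctuation
    tokens = []
    for tok in s.split():
        tok = ORDINAL_WORDS.get(tok, tok)
        tok = CANON.get(tok, tok)
        if tok:
            tokens.append(tok)
    # Token order is deliberately discarded: the scrambler's whole trick is
    # to reorder and re-abbreviate the same address, so the key must ignore it.
    return " ".join(sorted(tokens))


def flag_orders(orders, threshold=3):
    """Count orders per normalized address, IP and card fingerprint and return
    {(dimension, key): count} for every key at or above the threshold."""
    counts = Counter()
    for o in orders:
        counts[("address", normalize_address(o["address"]))] += 1
        counts[("ip", o["ip"])] += 1
        counts[("card", o["card_fingerprint"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


# Constructed sample: four orders to one flat, each with a distinct proxy IP
# and a distinct virtual-card fingerprint, plus one unrelated order.
SAMPLE_ORDERS = [
    {"address": "2 Market Street, Apt 5", "ip": "203.0.113.10", "card_fingerprint": "vcc-a1"},
    {"address": "Market St., 2nd, #5", "ip": "203.0.113.11", "card_fingerprint": "vcc-b2"},
    {"address": "2 market st apt 5", "ip": "203.0.113.12", "card_fingerprint": "vcc-c3"},
    {"address": "Market Street 2, Apartment 5", "ip": "203.0.113.13", "card_fingerprint": "vcc-d4"},
    {"address": "14 Park Row, Unit 3", "ip": "198.51.100.7", "card_fingerprint": "card-e5"},
]

if __name__ == "__main__":
    for (dimension, key), n in flag_orders(SAMPLE_ORDERS).items():
        print(f"{dimension}: {key!r} appears in {n} orders")
```

Note that only the address dimension is flagged here: per-IP and per-card checks see five distinct values, which is exactly the gap the proxies and VCCs described in the talk exploit.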