What is a denial of inventory attack?

Denial of inventory generally refers to making products or services appear out of stock by adding them to online shopping carts without ever proceeding to checkout.

Denial of inventory, sometimes also known as inventory hoarding or inventory exhaustion, is a prevalent security threat in the e-commerce industry. It is a type of automated attack that is more subtle and sophisticated than others, but it can significantly hamper online retail businesses by preventing customers from placing orders, which not only stains the business's reputation but also cuts into its revenue stream.

Who is the target of a denial of inventory attack?

As web-based technology and internet communication continue apace, digital transactions have become the norm. Many enterprises have turned to the internet to boost business revenue, and companies in certain industries such as e-commerce rely on it almost completely, which makes them more vulnerable than others to automated bot attacks such as denial of inventory, scalping, carding, etc.

Targeted sectors:

Industries that constantly suffer from denial of inventory attacks are likely to be those that sell time-sensitive items, such as tickets, limited edition products, fresh produce, etc.

Listed below are the top targeted sectors (as stated by OWASP).

  • E-commerce

E-commerce companies face an increased risk of denial of inventory attacks, especially during the holiday season when bad bots are waiting to make their move. These bots automate attacks on retailers' inventory by holding products in their carts so that no one else can access them.

  • Travel

Companies in the travel industry, like airlines and hotels, usually have a real-time search system for booking flights and choosing seats. When automated bots continually make reservations without purchasing tickets, real users cannot complete their purchases, which has an immediate financial impact on the business.

  • Healthcare

Denial of inventory attacks aimed at the healthcare industry constantly happen when there is a huge demand for medical resources. Healthcare entities, like hospitals and health care organizations, currently rely on online platforms for vaccine appointments, which has already led to a sharp rise in bot traffic. It would be no surprise if fraudsters took advantage of this situation to interfere with the healthcare response to the pandemic.

Some sectors also witness a rising risk of denial of inventory attacks:

Damages caused by denial of inventory attacks

Businesses that are highly dependent on their web assets are very sensitive to any type of service interruption, such as denial of inventory, account takeover, credential stuffing, ad fraud, etc. Once bot herders succeed in making items unavailable to real users, what follows is not just financial loss.

The result is a series of damages:

  • Immediate financial impact: As long as the products are taken out of circulation, the seller cannot sell them and earns nothing from them.
  • Increased infrastructure cost: When attackers release their bots on the targeted website, the site's traffic suddenly spikes, so the site owner has to pay higher-than-normal infrastructure fees to keep the website running.
  • Stained business reputation: Bad bots ruin real customers' shopping experiences by preventing them from purchasing items, and the business's reputation suffers accordingly.

Motivations for denial of inventory

Most attackers do it for competitive reasons.

The bad actors have various motivations for denial of inventory attacks but most of them are not aiming for direct financial profit (unlike scalping where the goods or services are acquired by fraudsters and resold at higher prices somewhere else).

  • To sabotage a competitor's sales by preventing customers from placing orders at a certain time (e.g. a new product release)
  • To figure out the inventory level of the targeted store by adding limited items to the shopping cart

How does denial of inventory work?

Attackers take advantage of the inventory tracking system of online stores, which takes an item out of inventory as soon as it is added to the shopping cart.

Real customers may do this from time to time when they want to shop around and get the best price, but attackers use automated bots to relentlessly select targeted items and add them to the shopping cart, exploiting the time-to-checkout policy (website owners usually give customers 15 minutes or so to complete the purchase; the time setting varies from sector to sector).

Automated bots can be customized to attack specific items in a targeted website. For example, bots would automatically repeat the purchase flow thousands of times until the item becomes unavailable.

How to detect denial of inventory attacks?

Here are some symptoms you should pay attention to. If you see them on your website, you may be under a denial of inventory attack.

  • Inventory balances reduce quickly
  • Increased stock held in baskets or reservations
  • Elevated basket abandonment
  • Reduced use of payment step
  • Increasing complaints from users being unable to obtain goods/services 
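
The symptoms above can be measured directly from cart telemetry. The following is an added example, not code from the original article or from GeeTest: it computes, per item, the share of stock held in carts, the basket abandonment rate and the payment-step rate, then flags items that match the pattern. The event schema, SKU names, stock figures and thresholds are constructed assumptions.

```python
from collections import defaultdict

HOLD_MINUTES = 15  # time-to-checkout window; the article cites "15 minutes or so"

# Constructed sample events: (minute, session_id, sku, action, quantity)
EVENTS = [
    (0, "s1", "TICKET-A", "add", 1), (3, "s1", "TICKET-A", "pay", 1),
    (1, "s2", "TICKET-A", "add", 2), (9, "s2", "TICKET-A", "pay", 2),
    (2, "b1", "TICKET-B", "add", 10), (2, "b2", "TICKET-B", "add", 10),
    (3, "b3", "TICKET-B", "add", 10), (4, "b4", "TICKET-B", "add", 10),
    (5, "s3", "TICKET-B", "add", 1), (8, "s3", "TICKET-B", "pay", 1),
]
STOCK = {"TICKET-A": 50, "TICKET-B": 50}  # constructed starting inventory


def sku_metrics(events, stock, now, hold=HOLD_MINUTES):
    """Per-SKU symptoms at minute `now`: held share, abandonment, payment rate."""
    adds = defaultdict(dict)  # sku -> {session: (minute added, quantity)}
    paid = defaultdict(set)   # sku -> sessions that reached the payment step
    for minute, session, sku, action, qty in events:
        if minute > now:
            continue
        if action == "add":
            adds[sku][session] = (minute, qty)
        elif action == "pay":
            paid[sku].add(session)
    out = {}
    for sku, carts in adds.items():
        unpaid = {s: v for s, v in carts.items() if s not in paid[sku]}
        # Units still reserved: unpaid carts whose hold has not expired yet.
        held = sum(q for m, q in unpaid.values() if now - m < hold)
        # Abandoned: unpaid carts whose hold window has already run out.
        abandoned = sum(1 for m, _ in unpaid.values() if now - m >= hold)
        out[sku] = {
            "held_share": held / stock[sku],
            "abandon_rate": abandoned / len(carts),
            "payment_rate": len(paid[sku]) / len(carts),
        }
    return out


def suspicious_skus(metrics, max_held=0.5, max_abandon=0.5, min_payment=0.3):
    """Flag SKUs with hoarded or abandoned carts and little use of payment."""
    return sorted(s for s, m in metrics.items()
                  if (m["held_share"] > max_held or m["abandon_rate"] > max_abandon)
                  and m["payment_rate"] < min_payment)
```

Evaluating the metrics both during and after the hold window matters: while the holds are live the signal is stock held in carts, and once they expire the same sessions show up as abandoned baskets.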

Use CAPTCHA to stop denial of inventory attacks

CAPTCHA is one of the most commonly used tools in the fight against denial of inventory attacks and other automated bot attacks, like account takeover and credential stuffing. It is designed to detect and stop high-risk and repetitive requests to a website or mobile app. All online platforms with critical operations such as login, registration, submission, etc. need to defend against automated bot attacks.

CAPTCHA can help:

  • Prevent comment spam
  • Stop fake registration
  • Protect online polls
  • Defend against ATO & credential stuffing attacks
  • Secure bonuses, giveaways, and ticket purchases
  • Safeguard e-commerce operations


Hayley Hong

Content Marketing @ GeeTest