23 Sep 2022 • 10 min read
Denial of inventory is commonly understood as making products or services appear out of stock by adding them to online shopping carts without ever proceeding to checkout.
Denial of inventory, sometimes also known as inventory hoarding or inventory exhaustion, is a prevalent security threat in the e-commerce industry. It is a type of automated attack that is more subtle and sophisticated than others, but it can significantly hamper online retail businesses by preventing customers from placing orders, which not only damages the business's reputation but also cuts into its revenue stream.
With web-based technology and internet communication continuing apace, digital transactions have come to our rescue. Various enterprises have turned to the internet to boost business revenue, and companies in certain industries, such as e-commerce, rely on it almost completely, which makes them far more vulnerable than others to automated bot attacks such as denial of inventory, scalping, and carding.
Industries that constantly suffer from denial of inventory attacks are likely to be those that involve time-sensitive items, such as tickets, limited-edition products, and fresh produce.
Listed below are the top targeted sectors (as stated by OWASP).
E-commerce companies face an increased risk of denial of inventory attacks, especially during the holiday season, when bad bots wait to make their move. These bots automate attacks on retailers' inventory by holding products in their carts so no one else can access them.
Companies in the travel industry, like airlines and hotels, usually have a real-time search system for booking flights and choosing seats. When automated bots continually make reservations without purchasing tickets, real users cannot complete their purchases, which has an immediate financial impact on the business.
Denial of inventory attacks aimed at the healthcare industry happen constantly when there is huge demand for medical resources. Healthcare entities, such as hospitals and health care organizations, currently rely on online platforms for vaccine appointments, which has already led to a sharp rise in bot traffic. It would be no surprise if fraudsters took advantage of this situation to disrupt the healthcare response to the pandemic.
Some sectors also witness a rising risk of denial of inventory attacks:
Businesses that are highly dependent on their web assets are very sensitive to any type of service interruption, such as denial of inventory, account takeover, credential stuffing, or ad fraud. Once bot herders succeed in making items unavailable to real users, what follows is not just financial loss.
The results are a series of damages:
Most attackers do it for competitive reasons.
Bad actors have various motivations for denial of inventory attacks, but most of them are not aiming for direct financial profit (unlike scalping, where the goods or services are acquired by fraudsters and resold at higher prices somewhere else).
Attackers take advantage of online stores' inventory tracking systems, which take an item out of available inventory as soon as it is added to a shopping cart.
Real customers may do this from time to time when they want to shop around and get the best price, but attackers use automated bots to relentlessly select and add targeted items to the shopping cart, exploiting the time-to-checkout policy (website owners usually allow 15 minutes or so for customers to complete the purchase; the time setting varies from sector to sector).
Automated bots can be customized to attack specific items in a targeted website. For example, bots would automatically repeat the purchase flow thousands of times until the item becomes unavailable.
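The hold-and-never-buy pattern described above can be looked for in cart event logs. The following is an added example, not code from the original article: it flags clients that repeatedly place holds, never check out, and currently tie up a large share of one SKU's stock. The event format, the client identifiers, and both thresholds are assumptions; the 15-minute window is the time-to-checkout figure mentioned above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOLD_TTL = timedelta(minutes=15)  # time-to-checkout window cited in the article
MIN_HOLDS = 3          # assumed: holds a client must place before it is judged
MAX_STOCK_SHARE = 0.5  # assumed: share of a SKU's stock one client may reserve

# Constructed sample data: (timestamp, client_id, action, sku, quantity)
EVENTS = [
    ("2022-09-23T10:00:00", "bot-7",  "add_to_cart", "SKU-TICKET", 6),
    ("2022-09-23T10:02:00", "user-1", "add_to_cart", "SKU-TICKET", 1),
    ("2022-09-23T10:05:00", "user-1", "checkout",    "SKU-TICKET", 1),
    ("2022-09-23T10:15:00", "bot-7",  "add_to_cart", "SKU-TICKET", 6),
    ("2022-09-23T10:30:00", "bot-7",  "add_to_cart", "SKU-TICKET", 6),
    ("2022-09-23T10:31:00", "user-2", "add_to_cart", "SKU-TICKET", 1),
]
STOCK = {"SKU-TICKET": 10}                    # constructed total stock per SKU
NOW = datetime.fromisoformat("2022-09-23T10:40:00")

def find_hoarders(events, stock, now):
    """Return {client_id: details} for clients that keep renewing cart holds,
    have never checked out, and currently reserve a large share of a SKU."""
    holds = defaultdict(list)      # client -> [(time, sku, qty), ...]
    checkouts = defaultdict(int)   # client -> completed purchases
    for ts, client, action, sku, qty in events:
        if action == "add_to_cart":
            holds[client].append((datetime.fromisoformat(ts), sku, qty))
        elif action == "checkout":
            checkouts[client] += 1

    flagged = {}
    for client, client_holds in holds.items():
        # A single abandoned cart is normal shopping; require repetition
        # and a complete absence of purchases.
        if checkouts[client] > 0 or len(client_holds) < MIN_HOLDS:
            continue
        active = defaultdict(int)  # units still reserved (hold not yet expired)
        for ts, sku, qty in client_holds:
            if now - ts < HOLD_TTL:
                active[sku] += qty
        for sku, qty in active.items():
            share = qty / stock[sku]
            if share >= MAX_STOCK_SHARE:
                flagged[client] = {"sku": sku, "held": qty,
                                   "share": share, "holds": len(client_holds)}
    return flagged

if __name__ == "__main__":
    print(find_hoarders(EVENTS, STOCK, NOW))
```

In production the client key would be whatever identity the site can attribute holds to (account, session, or device signal), since a single automated operator may spread holds across many of them.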
Here are some symptoms you should pay attention to. If you see them on your website, you may be under a denial of inventory attack.
CAPTCHA is one of the most commonly used tools in the fight against denial of inventory attacks and other automated bot attacks, like account takeover and credential stuffing. It is designed to detect and stop high-risk and repetitive requests to a website (and apps in the age of screens). There is an undeniable need for all online platforms with critical operations such as login, registration, and submission to defend against automated bot attacks.
CAPTCHA can help:
Content Marketing @ GeeTest