The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Lawmakers seek to quash ‘Grinch bots' inflating holiday toy prices

with Bastien Inzaurralde


Were your Cyber Monday deals not as attractive as you had hoped? Lawmakers say “cyber-grinch” bots might be to blame — and they are introducing new legislation to try to curb this digital threat to e-commerce. 

A group of Democratic lawmakers is trying to make it illegal for people to use automated accounts to inflate the prices of consumer products online. They announced the Stopping Grinch Bots Act of 2018 on Black Friday to prevent anonymous profiteers from deploying bots that buy in bulk in-demand products on retailers’ websites and resell them elsewhere at exorbitant prices.  

“These Grinch bots let scammers sneak down the proverbial chimneys of online retailers and scoop up the hottest products before regular Americans can even log on — and then turn around and sell them at outrageously inflated prices,” Sen. Tom Udall of New Mexico, one of the co-sponsors of the legislation, told me in an email. “That’s just not how the marketplace is supposed to work.” 

Rep. Paul Tonko (N.Y.) introduced a House version of the bill in mid-November and Sens. Udall, Richard Blumenthal (Conn.), and Chuck Schumer (N.Y.) introduced a parallel bill in the Senate. They are hoping the timing — just before the holiday gift-buying season — will give them momentum in the waning days of the congressional session. After all, last year, Super Nintendo and Barbie products were identified as top targets.

The bill highlights how lawmakers are becoming increasingly aware of how automated accounts are used online to subvert commerce, undermine institutions and perpetrate cybercrime — and willing to take action. For decades, hackers have employed bots to carry out denial of service or DDoS attacks, which can shut down websites by flooding them with traffic. And anonymous, automated social media accounts have been instrumental in spreading the kind of political propaganda online that disrupted the 2016 presidential election. 

“The Grinch bot problem is another example of the countless unforeseen risks — and stealthy bad actors, ready to pounce on innocent consumers — that are lurking around every corner in this increasingly online world,” Udall said. “Cyber bots are enabling unscrupulous scammers to game the system and steal hard-earned money from Americans who have saved up just to buy gifts for their family and friends during the holiday season.”

Even so, bot-fueled bulk buying resides in a legal gray area. Most e-commerce companies have policies in place designed to block bots electronically and limit how much inventory any customer can buy.  But the bill would make it illegal to resell products that are obtained in violation of an e-commerce company’s purchasing limits. That could give retailers a new legal weapon against online scammers, similar to how copyright laws are used to prosecute online piracy. 

The senators are looking to previous legislation to prevent similar scams for ticket prices as a model. In 2016, Congress passed the Better Online Ticket Sales Act, which made it illegal to circumvent event ticket limits for public events with more than 200 people in attendance. In 2017 Ticketmaster sued one ticket broker for allegedly employing an army of bots to scoop up 30,000 tickets to the Broadway show “Hamilton,” employing thousands of separate accounts to place hundreds of thousands of ticket orders. 

Cyberdefense experts who work with online retailers say the e-commerce industry has to constantly contend with bots that are trying to game the system at consumers’ and retailers’ expense. 

Rami Essaid, co-founder of Distil Networks, a company that helps corporations stop bot-related cyberthreats, says the practice mainly hurts consumers and specialty retailers, while e-commerce sites such as Amazon and eBay see less of a disadvantage. (Amazon founder and chief executive Jeffrey P. Bezos owns The Washington Post.) 

“I would say Amazon is the least impacted by this,” Essaid said. “Usually the bad guys turn to marketplaces [like Amazon] to sell their goods.”

Essaid says bot-buyers tend to go after any retailer that tries to sell something on a limited basis — such as a limited-release Nike shoe or concert tickets that might sell out quickly. Companies hosting ticketed events such as concerts and sports games, airlines and especially high-end sneaker retailers have been grappling with bots online for years, he says.  

Last year Distil found a 20 percent spike in bot traffic during Black Friday and Cyber Monday for a sample of about 300 e-commerce companies, suggesting e-commerce bots are used more heavily as the holiday season approaches. 

“It is absolutely always happening,” Essaid said. “These bots are trying to get as much inventory as possible as quickly as possible, and they can even end up bringing your site down. We actually saw that last year where bots took down a company’s site because of a Black Friday sale.”

Of course, the threat goes beyond just toys. “For me it’s interesting to see the willingness of potentially malicious actors to misuse systems in a variety of ways, and the evolution of those ways over time,” said Dan Cornell, chief technology officer of a Texas-based cybersecurity consulting firm called the Denim Group. 

Still, lawmakers sponsoring the bill positioned the problem as more than just an affront to consumers and retailers. It’s also an affront to Christmas, they said. 

“Grinch bots are stealing the holidays by snatching up hot toys, driving up prices, and leaving parents empty handed on Christmas morning,” Blumenthal said in a release describing the bill. “We successfully banned ticket bots and we can use that same strategy to banish toy bots once and for all — putting consumers back in charge.”

Sign Up! Our newest 202 newsletter is launching Tuesday, Dec. 4: The Technology 202 by Cat Zakrzewski. Cat worked at the Wall Street Journal covering venture capital in Silicon Valley before joining The Post to launch this new venture. She’ll be covering the dynamic and evolving relationship between Washington and technology companies, delving into everything from proposed privacy regulations to artificial intelligence and quantum computing. Get your copy here.


PINGED: The FBI sought to identify suspected financial scammers in two separate cases with hacking tools that the bureau usually uses in cases that include child pornography or bomb threats, Motherboard's Joseph Cox reported. “The two 2017 search warrant applications discovered by Motherboard both deal with a scam where cybercriminals trick a victim company into sending a large amount of funds to the scammers, who are pretending to be someone the company can trust,” Cox wrote. “The search warrants show that, in an attempt to catch these cybercriminals, the FBI set up a fake FedEx website in one case and also created rigged Word documents, both of which were designed [to] reveal the IP address of the fraudsters. The cases were unsealed in October.”

But it appears, as Motherboard noted, that the FBI's use of the fake FedEx website did not bear fruit. “That FedEx unmasking attempt was not successful, it seems — the cybercriminal checked the link from six different IP addresses, some including proxies — and the FBI moved on to use a network investigative technique, or NIT, instead,” Cox reported. Moreover, it is not known “how successful either of these NITs were in identifying the suspects” in the two cases, according to Motherboard. “Both warrants were returned as executed, according to court records,” Cox wrote.

PATCHED: “Nine human rights and civil liberties organizations sent a letter to the U.S. Justice Department today objecting to a potential agreement between the United States and the United Kingdom that would give British law enforcement broad access to data held by U.S. technology companies,” the Intercept's Trevor Aaronson and Sam Biddle reported. “The possible agreement stems from the Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, for which Justice Department officials have lobbied since 2016 and which President Donald Trump signed into law in March.”

The groups that signed the letter are Human Rights Watch, Access Now, Demand Progress, Electronic Frontier Foundation, Fight for the Future, Freedom of the Press Foundation, Government Accountability Project, Restore the Fourth and World Privacy Forum, according to the Intercept. “In addition to requiring American tech companies to provide data on U.S. citizens when served with a warrant, the CLOUD Act allows for so-called executive agreements between the president and foreign governments,” Aaronson and Biddle wrote. “These agreements, the first of which would be with the United Kingdom, would empower foreign law enforcement agencies to order U.S. tech companies to produce data about individual users without a warrant, so long as the search target is not a U.S. citizen or resident.”

PWNED: “Eight apps with a total of more than 2 billion downloads in the Google Play store have been exploiting user permissions as part of an ad fraud scheme that could have stolen millions of dollars, according to research from Kochava, an app analytics and attribution company that detected the scheme and shared its findings with BuzzFeed News,” Craig Silverman of BuzzFeed News reported. The Chinese company Cheetah Mobile owns seven of those apps while Kika Tech, also a Chinese firm, owns the eighth app — called Kika Keyboard — according to Silverman.

“This particular scheme exploits the fact that many app developers pay a fee, or bounty, that typically ranges from 50 cents to $3 to partners that help drive new installations of their apps,” Silverman wrote. “Kochava found that the Cheetah and Kika apps tracked when users downloaded new apps and used this data to inappropriately claim credit for having caused the download.” Grant Simmons, head of client analytics for Kochava, told BuzzFeed News that such practices are not uncommon among Chinese apps: “It’s not as if it's some big state secret. It’s more that this is the de facto business tactic given the app universe, especially in China."


— “Conservative author Jerome Corsi said Monday that he has rejected a deal offered by special counsel Robert S. Mueller III to plead guilty to one count of perjury, saying he would have been forced to say untruthfully that he intentionally lied to investigators,” The Washington Post's Rosalind S. Helderman, Carol D. Leonnig and Manuel Roig-Franzia reported. “In fact, Corsi said he was merely forgetful in his initial answers to Mueller’s team about his interest in the activities of WikiLeaks, which released hacked Democratic emails during the 2016 campaign. His apparent rejection of a plea offer is the latest twist in a months-long effort by Mueller’s team to secure the cooperation of the author and conspiracy theorist.”

— “The news media has no legal right to learn whether WikiLeaks founder Julian Assange was charged in a sealed proceeding, despite an inadvertent filing in an unrelated case that said the Justice Department has accused him of wrongdoing, the U.S. said,” Bloomberg News's David Voreacos reported. “The Justice Department responded Monday to a Nov. 16 lawsuit by the Reporters Committee for the Freedom of the Press, which seeks access to any criminal complaint, indictment or other charging documents relating to Assange. Prosecutors said that if a record of charges isn’t publicly available, that means the person hasn’t been charged or the case is under seal.”

— More cybersecurity news from the public sector:

Mueller says Manafort lied after pleading guilty, should be sentenced immediately (Spencer S. Hsu and Rachel Weiner)

CYBERCOM Has a Vendor In Mind For Its Big Data Platform But Is Open to Options (Nextgov)

Alleged LinkedIn hacker to undergo psychiatric evaluation, trial pushed to February (CyberScoop)


— “Recent data from anti-phishing company PhishLabs shows that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar,” Brian Krebs of reported. “That’s up from 25 percent just one year ago, and from 35 percent in the second quarter of 2018. This alarming shift is notable because a majority of Internet users have taken the age-old ‘look for the lock’ advice to heart, and still associate the lock icon with legitimate sites.”

— “A hacker or hackers sneaked a backdoor into a widely used open source code library with the aim of surreptitiously stealing funds stored in bitcoin wallets, software developers said Monday,” Ars Technica's Dan Goodin reported. “The malicious code was inserted in two stages into event-stream, a code library with 2 million downloads that’s used by Fortune 500 companies and small startups alike.”

— More cybersecurity news from the private sector:

IBM supplements JEDI protest (FCW)

People Who Buy Smart Speakers Have Given Up on Privacy, Researchers Find (Motherboard)


— “Russia has launched a civil case against Google, accusing it of failing to comply with a legal requirement to remove certain entries from its search results, the country’s communications watchdog said on Monday,” Reuters reported. “If found guilty, the U.S. internet giant could be fined up to 700,000 roubles ($10,450), the watchdog, Roscomnadzor, said.”

— More cybersecurity news from abroad:

A Journalist Was Killed in Mexico. Then His Colleagues Were Hacked. (The New York Times)

Uber Fined $491,000 by U.K. Regulator Over 2016 Cyber Attack (Bloomberg News)

Six months in, Europe’s privacy revolution favors Google, Facebook (Politico)

European consumer groups want regulators to act against Google tracking (Reuters)

Huawei to Complete Network Project Despite Fierce U.S. Opposition (The Wall Street Journal)


Coming soon


What you might not know about tear gas:

You might know tear gas as a non-lethal weapon used by law enforcement for crowd control. However, there’s much more to the chemical agent. (Video: Adriana Usero/The Washington Post)

How Trump is hindering the fight to stop climate change:

Scientists say that as global warming nears an irreversible level, the president has been promoting business growth, not climate fixes. (Video: Jenny Starrs/The Washington Post)

The most recent clash between Ukraine and Russia, explained:

Ukraine's president is introducing martial law after Russian ships fired at and seized Ukrainian navy ships. Here's what you need to know. (Video: Sarah Parnass/The Washington Post)