Lawmakers seek to quash ‘Grinch’ bots that inflate holiday toy prices
Washington Post

Were your Cyber Monday deals not as attractive as you had hoped? Lawmakers say “Grinch” bots might be to blame — and they are introducing legislation to try to curb this digital threat to e-commerce.

A group of Democratic lawmakers is trying to make it illegal for people to use automated accounts to inflate the prices of consumer products online. On Black Friday, the day after Thanksgiving, they announced the Stopping Grinch Bots Act of 2018 in an effort to prevent anonymous profiteers from deploying bots that buy in-demand products in bulk on retailers’ websites and resell them elsewhere at exorbitant prices.

“These Grinch bots let scammers sneak down the proverbial chimneys of online retailers and scoop up the hottest products before regular Americans can even log on — and then turn around and sell them at outrageously inflated prices,” Sen. Tom Udall (D-N.M.) said in an email. “That’s just not how the marketplace is supposed to work.”


Rep. Paul Tonko (D-N.Y.) introduced a House version of the bill in mid-November, and Sens. Udall, Richard Blumenthal (D-Conn.) and Charles E. Schumer (D-N.Y.) introduced a parallel bill in the Senate. They are hoping the timing — just before the holiday gift-buying season — will give them momentum in the waning days of the congressional session. After all, last year, Super Nintendo and Barbie products were identified as top targets.

The bill highlights how lawmakers are becoming increasingly aware of how automated accounts are used online to subvert commerce, undermine institutions and perpetrate cybercrime — and willing to take action. For decades, hackers have employed bots to carry out denial of service attacks, which can shut down websites by overwhelming them with traffic. And anonymous, automated social media accounts have been instrumental in spreading the kind of political propaganda online that disrupted the 2016 presidential election.

“The Grinch bot problem is another example of the countless unforeseen risks — and stealthy bad actors, ready to pounce on innocent consumers — that are lurking around every corner in this increasingly online world,” Udall said. “Cyberbots are enabling unscrupulous scammers to game the system and steal hard-earned money from Americans who have saved up just to buy gifts for their family and friends during the holiday season.”

Even so, bot-fueled bulk buying resides in a legal gray area. Most e-commerce companies have policies in place designed to block bots electronically and limit how much inventory any customer can buy. But the bill would make it illegal to resell products that are obtained in violation of an e-commerce company’s purchasing limits. That could give retailers a new legal weapon against online scammers, similar to how copyright laws are used to prosecute online piracy.

As a model, the senators are looking to earlier legislation aimed at similar scams involving ticket prices. In 2016, Congress passed the Better Online Ticket Sales Act, which made it illegal to circumvent event ticket limits for public events with more than 200 people in attendance. In 2017, Ticketmaster sued one ticket broker for allegedly employing an army of bots to scoop up 30,000 tickets to the Broadway show “Hamilton,” using thousands of separate accounts to place hundreds of thousands of ticket orders.

Cyberdefense experts who work with online retailers say the e-commerce industry has to constantly contend with bots that are trying to game the system at consumers’ and retailers’ expense.

Rami Essaid, co-founder of Distil Networks, a company that helps corporations stop bot-related cyberthreats, says the practice mainly hurts consumers and specialty retailers, while e-commerce sites such as Amazon and eBay see less of a disadvantage.

“I would say Amazon is the least impacted by this,” Essaid said. “Usually the bad guys turn to marketplaces [like Amazon] to sell their goods.”

(Amazon founder and Chief Executive Jeff Bezos owns the Washington Post.)

Essaid says bot-powered buyers tend to go after any retailer that tries to sell something on a limited basis — such as a limited-release Nike shoe or concert tickets that might sell out quickly. Companies hosting ticketed events such as concerts and sports, airlines and, especially, high-end sneaker retailers have been grappling with bots for years, he says.

Last year Distil found a 20% leap in bot traffic during Black Friday and Cyber Monday for a sample of about 300 e-commerce companies, suggesting e-commerce bots are used more heavily as the holiday season approaches.

“It is absolutely always happening,” Essaid said. “These bots are trying to get as much inventory as possible as quickly as possible, and they can even end up bringing your site down. We actually saw that last year where bots took down a company’s site because of a Black Friday sale.”

Of course, the threat goes beyond just toys. “For me it’s interesting to see the willingness of potentially malicious actors to misuse systems in a variety of ways, and the evolution of those ways over time,” said Dan Cornell, chief technology officer of the Denim Group, a Texas-based cybersecurity consulting firm.

Lawmakers sponsoring the bill positioned the problem as more than just an affront to consumers and retailers. It’s also an affront to Christmas, they said.

“Grinch bots are stealing the holidays by snatching up hot toys, driving up prices, and leaving parents empty-handed on Christmas morning,” Blumenthal said in a release describing the bill. “We successfully banned ticket bots and we can use that same strategy to banish toy bots once and for all — putting consumers back in charge.”

Gregg writes for the Washington Post.