Bots as a Service and Their Sordid Secret Shopping World


The rise of BaaS is a problem of scale, rather than of essence, and is merely one more way that AI bias can kill a business.

2020 was a weird year, and as we approached the last few weeks of the year, it just got weirder. The latest rumors are that something strange is happening in the world of online re-selling – bots are buying up a huge number of items, which are then being hoarded by re-sellers looking to make a tidy profit from the ensuing shortages.

While this development has taken many retailers by surprise, it’s something that those of us who work in the (sometimes) sordid world of eCommerce have been worried about for years. The truth is that, though bots have been very useful in driving innovation in the industry, they can also be used to actively harm retailers.

Bots as a Service (BaaS) is quickly emerging as the most popular way of doing that. In this article, we’ll explain everything you need to know about this growing threat.

See also: Credible Chatbots Outperform Humans

Rise of the bots

Before we get to the current threats posed by BaaS, it’s worth noting that bots have represented a nuisance (if not an outright danger) to retailers for almost a decade now. Ten years ago, the advances made in reducing latency in AI systems, as well as the rising popularity of edge computing, meant that bot began to be used for account takeover (ATO) or to automatically create accounts on money transfer platforms such as PayPal.

Then came platforms like SentryMBA, Sniper, and BlackBullet. These systems were originally built as QA automation tools, but users could customize them to target certain sites and applications with what is called malvertising – a mixture of annoying ads and malware. Through a rapidly growing set of add-ons and plugins, hackers could also outfit their bots with powerful additional capabilities. These included the ability to solve CAPTCHA tasks, which were increasingly being deployed to slow down rampaging bots.

With this said, it’s also important to note two caveats. One is that bots also have legitimate uses – whether they are the kind that Google uses to index web pages or those that are designed to execute automatic stock trades for retailers. The second is that, up until now, working with bots has been a complex business and one that generally required at least a basic knowledge of coding.


This is what has led to the rise of Bots as a Service (BaaS). Acronyms like this might be familiar to you from similar models that have appeared in recent years, such as Software as a Service (SaaS) or even Cybersecurity as a Service (CaaS). The same idea underpins all of these models – that a third-party company will provide you with everything you need to use a set of bots. You won’t have to worry about any of the technical details.

In BaaS systems, a company will provide another (in a classic B2C model) with a fully functioning set of bots that are able to navigate the internet on their own, interact with target websites, get through CAPTCHA tests, and make purchases in a completely autonomous way.

You may be able to see where this is heading. Because bots can make purchases much more quickly than humans – within microseconds of an item going on sale, in some cases – they can be used to buy entire inventories of hot new items just before they become available to “real” customers. These products can then be re-sold at much higher prices.

In order to make that process easier, in fact, some BaaS providers even offer alternate shipping addresses to overcome location-specific blocks on purchasing particular products and email harvesting to make fake accounts look legitimate.

This ability to perform this kind of “attack” has been around for years, but it’s no coincidence it came to prominence in 2020. With a Black Friday online shopping bonanza that lasted for months rather than a day, and with online shopping numbers and revenue up significantly this year, BaaS services and their clients are realizing higher profits than ever.

The impact on retailers

At first glance, it would seem that automated BaaS campaigns don’t hurt retailers. A sale is a sale, whether it was made to a bot or a human, after all. However, in reality, BaaS campaigns can quickly undermine confidence in a retailer and lead to a number of other problems. For instance:

  • At the most fundamental level, BaaS campaigns can mean that products sell out quickly. Having products out of stock on your website can lead to your users becoming frustrated in the short term and disillusioned in the long term. There can also be a knock-on effect here because up-chain suppliers can be hesitant to assign stock to consumer-facing retailers who don’t look like they are in control of their stock levels.
  • More problematically, BaaS campaigns can sometimes break the very websites they are using to look for profits. Bots are associated with large amounts of increased traffic on sites, and where bots run out of control, this can look very similar to a DDoS attack from the perspective of the retailer. Sites can crash and remain offline for days because every time they are restored, they are targeted again by bots.
  • Finally, and perhaps less obviously, BaaS campaigns can skew the statistics that many retailers live by. By undermining their ability to assess the true demand for a product, BaaS can make it impossible to plan for the future.

Defeating bots

There is a glimmer of hope in all this, though. Though BaaS represents a relatively new business model, the bots it uses are well-understood. Experienced retailers will (or should) already have in place systems and techniques to limit their impact. In other words, the rise of BaaS is a problem of scale, rather than of essence, and is merely one more way that AI bias can kill a business, rather than a completely new threat.

That might come as little comfort if you’ve seen these kinds of attacks on your own business, but take heart – there are ways to defeat bots that can provide a good level of protection against BaaS. 

Bernard Brode

About Bernard Brode

Bernard Brode is a product researcher at Microscopic Machines and eternally curious about where the intersection of AI, cybersecurity, and nanotechnology will eventually take us.

Leave a Reply

Your email address will not be published. Required fields are marked *