Search Learning Center for

Ticket Scalping Bots

AppSec, Attack Tools, Essentials, Threats 1.1k views

What are Ticket Scalping Bots

Scalping in its modern iteration, also known as bulk or automated buying, is a threat to eCommerce and ticketing websites selling sought-after products and services. Scalpers are bad actors who purchase tickets or product units using scalable methods that are not available to ordinary users. Ticket bots are automated software used to purchase tickets in bulk.

In most markets, over 40% of all online ticket booking is now done by automated software, in order to be resold later, despite laws being passed specifically to tackle the situation. This makes scalping, and specifically bot-driven scalping, a major concern for sellers.

The Ticket Scalping Industry

Scalping is usually associated with tickets sold to events, but scalper robots can also be used to purchase physical products in bulk for resale.

Scalping is a profitable business that has existed since the 1800s. As more scalpers transition to using automated tools, the scope of the problem is growing. Scalping bots are cheap, easy to run, and provide very high return on investment for scalpers.

There is limited regulatory control and virtually no prosecution of scalpers, allowing them to operate uninterrupted. Scalpers prefer to operate from small countries with little regulatory overhead, as well from tax havens like the Isle of Man. Ticket import is an industry generating $15 billion per year in global revenues.

Scalpers study upcoming events and product launches weeks or months in advance, to prepare for a job. When there is an Internet sale, scalping bots are ready to purchase a popular product or tickets for an event within milliseconds of its launch. Scalpers outcompete individual buyers, gathering inventory and causing a shortage for regular consumers, driving up market prices.

How Automated Scalping Attacks Work

Scalpers use ticket bots to attack websites in three stages:

  1. Monitoring target websites and creating accounts—also known as drop checking or spinning, scalpers use bots to constantly probe retailer websites, event sites and even Twitter and other social media feeds, to identify interesting new launches. In parallel scalpers use bots to automatically create fake accounts, or .
  2. Add to cart—the scalper bots need to be the first to add the desired item to the shopping cart. To be able to make multiple purchases without being detected blocked, scalper bots need to bypass safety controls like inventory limitations, Captchas, and more. They generally rely on residential proxy networks so each request comes from a completely different, legitimate IP address. Advanced operators shave additional milliseconds from the acquisition process, by distributing servers, placing them nearer to retailer or event websites to minimize latency.
  3. Automated checkout—finally, scalper bots automate the actual purchase. They log in to create new accounts, or input all the required information to use a guest account, and input payment via a rotating list of credit cards. To avoid detection, they use different billing profiles for each purchase, and blend credentials, names and address formats.
Ticket Scalping Bots

Ticket scalping bot attack process

DIY Defense Strategies Against Ticket Bots

You can use the following strategies to defend your event or eCommerce site against ticket bots:

  • Block obsolete browser versions, or apply powerful CAPTCHA protection, because most bots use virtualized browsers with outdated versions.
  • Set rate limits for APIs, mobile applications and websites to prevent automated abuse.
  • Block hosting providers and proxies commonly used by scalpers, such as Digital Ocean, OVH SAS, OVH Hosting, and Choopa.
  • Watch for unsuccessful logins, which often indicate bot activity.

Advanced Defense Techniques

The following techniques provide more comprehensive protection against bad bots in general, and ticket bots in particular.

Device fingerprinting

Bots that are attempting scalping need to operate at scale, and cannot change their device every time. They’ll need to change browsers, clear their cache, or use incognito browser mode, use virtual machines or emulators. Device fingerprinting can help identify a set of browser and device parameters that remain the same between sessions, which probably means the same entity is connecting again and again.

Browser validation

Some malicious bots may pretend to be running a particular browser, then cycle through user agents to prevent being detected. Browser validation involves confirming that every user browser is really what it claims to be. For example, this can be done by checking that the browser has the anticipated JavaScript agent, is making calls in expected ways, and exhibits behavior patterns expected from human users.

Reputation Analysis

There are known software bots with predictable behavioral and technical patterns, or even identifying IPs. Having access to a database of bot patterns lets you identify known bots accessing your site. Traffic which may appear at first glance to be a true human user, can be easily identified as a bot by cross-referencing it with known bad bot patterns.

Machine learning behavior analysis

Human users of a payment site have predictable behavior patterns. Bots will typically behave differently, but in ways that you cannot always specify or identify in advance. Behavioral analysis of metrics like URLs requested, website engagement, mouse movements and mobile swipes, makes it possible to discover users or transactions that are anomalous or suspicious. This can help identify bad bots.

Progressive Challenges


Whenever you suspect a bot, you should have several ways of verifying if the traffic is really human. In order to avoid disruption to real users, it is best to try several progressively difficult challenges, so that all but the most advanced bots will fail at earlier stages of the challenge:

  • Cookies—check if the user / bot accepts cookies (invisible to real users)
  • JavaScript—checks if the bot can render Javascript (slightly slows down the page for a user)
  • CAPTCHA—checks if the bot can perform a complex user action (disruptive for users)

See how Imperva Advanced Bot Protection can help you with protectiong against ticket scalping bots.

Imperva Bot Management

Imperva’s Advanced Bot Protection solution can protect against ticket bots by using all the advanced security measures covered above, letting you identify bad bots with minimal disruption to real user traffic:

  • Device fingerprinting
  • Browser validation
  • Behavioral analysis
  • Reputation analysis
  • Progressive challenges

In addition, Imperva covers the additional security measures that complement a defensive bot strategy. It offers multi-factor authentication and API security – ensuring only desired traffic can access your API endpoint, and blocks exploits of vulnerabilities.

Beyond bot protection, Imperva provides multi-layered protection to make sure websites and applications are available, easily accessible and safe, including:

  • DDoS Protection—maintain uptime in all situations. Prevent any type of DDoS attack, of any size, from preventing access to your website and network infrastructure.
  • CDN—enhance website performance and reduce bandwidth costs with a CDN designed for developers. Cache static resources at the edge while accelerating APIs and dynamic websites.
  • WAF—cloud-based solution permits legitimate traffic and prevents bad traffic, safeguarding applications at the edge. Gateway WAF keeps applications and APIs inside your network safe.
  • Account takeover protection—uses an intent-based detection process to identify and defends against attempts to take over users’ accounts for malicious purposes.
  • RASP—keep your applications safe from within against known and zero‑day attacks. Fast and accurate protection with no signature or learning mode.