Spinner Bots: Is Your Inventory Being Used Against You?
Published: 16/01/2020

Spinner Bots: Is Your Inventory Being Used Against You?

  • Netacea, Agentless Bot Management

4 minutes read

Have you ever gone to buy a ticket for a concert or the theatre to find that they’re sold out? This is a familiar story for many of us. And the kick in the teeth is seeing the very same tickets for sale elsewhere moments later, for an inflated price. The same can occur when booking flights; you want to book with your favorite airline only to find that there is no availability.

Faced with this scenario, we naturally attribute the lack of availability of not being quick enough to place our orders. In reality, behind this unusual and unfair activity lies an army of bots – spinner bots – programmed to target events and flights and hoard tickets to purposefully drive up prices.

Throughout this blog, we discuss spinner bots in a detail: what are spinner bots, why are spinner bots a threat to businesses and how can we stop them their tracks?

What are spinner bots?

Given the name, you can be forgiven for thinking that “spinner bots” sound innocuous. However, they’re problematic for a range of businesses if left unchecked.

A bot is essentially an automated set of processes applied into a single program or “bot” that carries out processes on the creator’s behalf. Spinner bots are designed to target specific web applications. Items are added to a basket and “spun”, ensuring they’re held until the bot creator decides to complete the checkout process. Alternatively, they will hold the items for a sustained period to prevent real customers from purchasing the item.

Why are spinner bots a threat to businesses?

Spinner bots typically target stock on retail, ticketing and airline platforms via their website and/or mobile app to make inventory appear sold out, or to hoard inventory and “spin” the basket with a view to resell it elsewhere for a profit. While the basket is “spinning,” the basket is prevented from timing out and the stock is held until the bot creator deems it necessary. The bot creator may have a range of objectives, including:

    • Re-listing the item on a third-party site for a profit: The bot creator will only complete the purchase when their re-listing is sold
    • Stopping real customers from purchasing items: Deliberately holding items to make them look unavailable

This isn’t a new issue, in fact, the use of bots in the ticketing industry has become so prevalent that the UK government (as well as other governments around the world) has made it illegal to use bots to purchase tickets.

Margot James, Minister of State for Digital and the Creative Industries, stated:

“Fans deserve the chance to see their favorite artists at a fair price. Too often they have been priced out of the market due to unscrupulous touts buying up huge batches of tickets and selling them on at ridiculous prices. From today I am pleased to say that we have successfully banned the bots. We are giving the power back to consumers to help to make 2018 a great year for Britain’s booming events scene.”

Published 5 July 2018 – Ticket bots ban comes into force; Gov.u

Even in the wake of this legislation, bot creators and malicious threat actors continue to target organizations that are susceptible to this form of attack.

What can your business do to combat spinner bots?

Bot creators are continually revising their tactics, techniques and procedures (TTPs) to simulate real user activity on your platform.

Rather than attempting to keep up with the arms race and firefighting the problem with legacy approaches, such as static rule sets or challenge-response techniques, companies should look to a specialist bot management vendor to determine the legitimacy of their visitors. Being able to differentiate between real and fake customers is key to responding to this threat.

By taking an analytical rather than a deterministic approach, security teams are fundamentally evaluating a different set of criteria instead of attempting to prove the legitimacy of a visitor. This arms the relevant teams with better, more prescriptive intelligence and allows for a robust response.

Talk to Netacea about our smarter approach to bot management today. Intent Analytics™ powered by machine learning quickly and accurately distinguishes bots from humans to protect websites, mobile apps and APIs from automated threats while prioritizing genuine users. Actionable intelligence with data-rich visualizations empowers you to make informed decisions about your traffic.

Schedule Your Demo

Tired of your website being exploited by malicious malware and bots?

We can help

Subscribe and stay updated

Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.


By registering, you confirm that you agree to Netacea's privacy policy.