WP The Anatomy of a Scalping Bot: NSB Was Copped! | Imperva

The Anatomy of a Scalping Bot: NSB Was Copped!

The Anatomy of a Scalping Bot: NSB Was Copped!

In recent years, scalping bots have become a growing concern for online retailers. In this two-part blog series, we will analyze the inner workings of the Nike Shoe Bot (NSB) scalping bot, one of the most dangerous scalping bots around. We will take a closer look at the components of NSB, how we investigated the bot, its evasion techniques, and its unique features. Based on the analysis, we hope you’ll learn how to protect your business from this type of advanced bad bot.

In this post, we will present the bot and show how we deobfuscated its source code.

Scalping impact on eCommerce websites

Before we start, let’s talk about scalping in general.

Scalping is an automated threat, defined by the OWASP as “acquisition of goods or services using the application in a manner that a normal user would be unable to undertake manually.” Put simply, it is the use of bots to gain an unfair advantage over legitimate users and to acquire highly sought-after services or physical products. Concert and sporting event tickets, sneakers, limited edition and collectors’ items are just a few examples.

Why are bot operators motivated to acquire these goods and services? They want to sell them to the highest bidder at a significant markup.

While this might not sound harmful or threatening for a business, scalping bots have a detrimental effect on customer experience and a business’ bottom line. By automating the purchase of highly sought-after products, scalping bots make these items inaccessible to human users.

Below are just a few ways that bad bots can negatively impact businesses and consumers:

  • Damaged brand reputation 
  • Loss of revenue
  • Loss of brand loyalty
  • Increased infrastructure costs
  • Slower website speed
  • Distorted web metrics

When successful, scalpers proudly share it on the Internet. Human users have become so frustrated with this unfair game that some are even seeking the assistance of scalper bots.

NSB Blog Post Pt 1 - Shoe Collection

Example of user showing a shoes collection built on automation

 

NSB Blog Post Pt 1 - Scalper Bot Advert

A member of a popular underground forum requesting service for scalping

For more information, read this article about scalping bots.

A leader in the sneaker bot market

For the past eight years, NSB has been used by bot operators to acquire limited edition and hard-to-find items from over 100 online shops. It has a reputation for successfully “copping” releases from Shopify, Nike, Footsites, Demandware, and Supreme. NSB is considered one of the best scalping bots available on the market, with an annual price of $499 for dedicated scalpers.

NSB

NSB components

NSB is composed of six components, organized in separate tabs.

  • The “Tasks” dashboard shows the current tasks running in the bot. It can also be used to create new tasks. Monitors are additional windows aimed at creating an alert or triggering a purchase task whenever a new item matching a specific keyword appears in a shop. 
  • The “Proxies” dashboard can be used to add new proxies, an intermediate machine that can be used as a hop to hide one’s own identity.
  • The “Billing” dashboard offers a list of billing information of the user that can be attached to any scalping task.
  • The “CAPTCHA” dashboard manages third-party service anti-CAPTCHA keys. It gives users the ability to associate the bot with several Gmail accounts, enabling the bot to use them to solve CAPTCHA challenges. Behind the scenes, the bot uses Capmonster and can be integrated with AYCD Autosolve.
  • The “Profile” dashboard contains generic information about the bot instance, like license key and bot version.
  • The “Copped” tab is list of successful purchases made by the user.
NSB Blog Post Pt 1 - Task dashboard of NSB (advanced scalping bot)

Task dashboard of NSB

Recovery of the source code 

This bot is written in JavaScript with Electron framework. As such, it’s possible to extract the asar archive and recover the source code of the bot.

NSB Blog Post - Pt 1 - First layer of the folder structure of NSB

First layer of the folder structure of NSB

Main file deobfuscation

When viewed in a text editor, the contents of the main.js JavaScript file appear to be unreadable.

NSB Blog Post Pt 1 - main.js JavaScript file appear to be unreadable.

There is a lengthy array of base 64 encoded data at the start of the code. Upon further examination, it appears to be an array of encrypted strings. We will show later how to actually recover the clean strings.

The code looks like it was obfuscated with a tool similar to ObfuscatorIO. The first step I followed in the analysis of this code was to format it with a tool like js-beautify. Unfortunately, no online deobfuscation tool I tested were able to recover the source code.

I encountered the following error message when I tried to run my newly formatted code in the popular debugger, VSCode.

NSB Blog Post Pt 1 Error Message

 

Something strange was going on here. Why couldn’t I debug the code?

This time, I started to debug the source code from the beginning by inserting breakpoints. I eventually reached the following line:

NSB Blog Post Pt 1 - source code break points

The code was filled with pieces of regular expressions like the one above.

Actually, there were others in the source code like the one below:

NSB Blog - Pt 1 - Source Code

After spending more time debugging, I understood that the code was executing those regular expression patterns against the string representation of basic JavaScript objects.

For example, the first regular expression executed was the following:

NSB Blog Pt 1 - regular expression

This pattern was executed against the following string:

NSB Blog Post - pattern string

And if the code is beautified (like during manual analysis), the function code string representation turned into:

NSB Blog Post Pt 1 - string representation

The test fails, the regex doesn’t match, and the flow is redirected to the below setCookie function, which is an infinite loop disguised.

NSB Blog Pt 1 - infinite loop disguised

So, the code implemented an anti-debugging technique using regular expressions!

Below is a summary of each regular expression matched against a JavaScript object.

NSB Blog Pt 1 - summary of each regular expression

In addition to that, another regular expression was defined:

NSB Blog Pt 1 - another regular expression

But, it was not used. This section of code was actually a feint to hide a mechanism to rotate the encrypted strings array via the following function:

NSB Blog Pt 1 - rotate the encrypted strings

Finally, by disabling the regular expression checks, I could debug the code without leading to a crash.

Apart from this anti-debugging feature came the string decryption procedure.

All strings from the code were replaced with the following pattern:

NSB Blog Pt 1 - string decryption procedure

The first number corresponds to the index of the desired string in the rotated array of encrypted strings, and the second argument is the RC4 encryption key used for this specific string.

NSB Blog Post Pt 1 - RC4 decryption section

RC4 decryption section

Eventually, I was able to overcome the first obfuscation layer of the bot source code as you can see in the picture below:

NSB Blog Post Pt 1 - Source code of NSB before first layer deobfuscation

Source code of NSB before first layer deobfuscation

NSB Blog Pt 1 - Source code of NSB after first layer deobfuscation

Source code of NSB after first layer deobfuscation

Because a second obfuscation layer was added, the obtained source code was composed of multiple blocks (highlighted in red) that still need to be reordered and the strings need to be replaced, but the hard work was done.

Finally, to finish the de-obfuscation, the blocks (see in red in the above picture) can be reordered according to the pipe separated string at the top of the function definition:

NSB Blog Pt 1 - The variable a[‘VBjgk’] contains the right order of the blocks

The variable a[‘VBjgk’] contains the right order of the blocks

After full de-obfuscation, this is how the above snippet of code looks like:

NSB Blog Pt 1 - Snippet of code after complete deobfuscation

NSB Blog Pt 1 - Snippet of code after complete deobfuscation

Snippet of code after complete deobfuscation

Conclusion 

In this blog post, we examined NSB scalping bot, showed its main components, and had an interesting journey of JavaScript deobfuscation.

In the next blog post, we will go over what can be understood from this code and how the bot avoids detection.