Tuesday, August 4, 2020

Instacart shoppers besieged by bots that snatch lucrative orders

Apps Take Center Stage Amid Shelter-In-Place Covid-19 Guidelines

Photographer: Gabby Jones/Bloomberg

Photographer: Gabby Jones/Bloomberg

Lisa Marsh’s job shopping and delivering groceries for Instacart during the past three years has been unforgiving. Company tipping policies cut into earnings while boycotts and other labor strife created confusion, she said.

Then the global pandemic hit, transforming once mundane trips to Los Angeles grocery stores where she lives into a palpable health risk.

In recent weeks, another problem has emerged: bots that snatch the largest, most lucrative orders out of the hands of other shoppers.

Here’s how it works. Instacart pays contract workers to shop for groceries and deliver them to customers. Normally, the shoppers open the Instacart shopping app and, as orders flash by, click on the ones they want to fulfill. But in order to gain an edge, some shoppers are paying software developers who have created bots -- in the form of third-party apps -- that run alongside the legitimate Instacart app and claim the best orders for clients.

In this way, the app tilts competition between shoppers but is invisible to customers and doesn’t take business away from Instacart either. The cost of the third-party apps ranges from $250 to $600 in cryptocurrency or bank deposits, according to the darkweb research firm, DarkOwl.

When Marsh opens her Instacart shopping app, she sees promising orders disappear before she can act. “No human can click that fast,” she said. “Instacart needs to fix this. These bots are literally taking the food off my kids’ table.”

While bots aren’t a new problem for Instacart, the recent deluge is different because it comes at a time of white-knuckled expansion for the San Francisco-based startup. The company said customer demand for grocery delivery has surged more than 500% during the pandemic, notching growth its investors didn’t expect until 2025. This makes the platform, which hasn’t expanded its team as fast as its revenue, an attractive target for hustlers.

Read More: Instacart’s Frantic Dash From Grocery App to Essential Service

A spokeswoman for Instacart Inc. said the bots affect just a sliver of its more than 500,000 shoppers and that the company has already taken measures to address the issue.

“We take the integrity of the Instacart platform very seriously and have a trust and security team dedicated to monitoring the unauthorized use of the platform which includes all efforts to prevent illicit and fraudulent third-party apps from violating our terms of service,” said Natalia Montalvo, Instacart’s director of shopper engagement and communications.

Instacart said it’s combating bots by cranking up pressure against app makers and banning violators when they find them. The company said it deactivated 150 shoppers found to be misusing the platform and shut down a half dozen sites claiming to sell batches to Instacart shoppers including Instashopper.app, Sushopper, Ninja Hours and Acrobatshopper.

The developers of those apps couldn’t be located for comment.

Instacart also recently introduced new procedures such as prompting shoppers to verify their identity with a selfie and not permitting shoppers to switch devices in the middle of an order. Shoppers using the updated app can also choose to review a single order for 30 seconds before claiming it or passing it to another shopper.

“As a result of these measures, we’ve seen a dramatic reduction in the use of unauthorized third-party apps because of the hard work and dedication by our security and legal teams to protect the shopper experience,” Montalvo said. Instacart also this month enlisted the help of security platform HackerOne to battle bots by offering a bounty program, she said.

But as security experts at Amazon.com Inc. and other sites have discovered, battling rogue apps is a lot like playing whack-a-mole. As soon as a company thwarts one bot program, a new version of it emerges, usually with a new name.

“If Instacart cared -- if it was losing money -- they could devote resources to make the jobs of these automatic snipers much harder,” Bruce Schneier, a cybersecurity expert, author and lecturer at Harvard University, said there are ways for companies to detect such bots. “This is a problem that any company that makes money from automation is likely being forced to deal with. Some handle it well. Others don’t.”

In recent months, different Instacart shopper-related apps have come and gone, sometimes using slightly varied titles, such as Ninja Hours, Ninja Shoppers and Ninja Shopper. DarkOwl discovered nearly a dozen active platforms in mid-May advertising openly on YouTube and social media platforms, including Reddit. Digital breadcrumbs linked these sites back to users spanning the U.S., including New York, Savannah, Georgia and Northern California’s wine country, according to DarkOwl. Others linked to an apparent Brazilian app developer syndicate that leans heavily on YouTube ads narrated in Portuguese, the research firm concluded.

The developer of those apps couldn’t be located for comment.

Some of the apps work, others are scams, according to DarkOwl. The Bitcoin wallet linked to the site of Ninja Shoppers indicates its owners have received 76 deposits -- about $20,000 -- including many from Instacart shoppers desperate to jumpstart their stalled shopping careers.

The apps are typically available on websites published by their developers. In the case of Ninja Shoppers, the app is free to download, but users must be ‘’activated in a private group” in order to be granted permission to pay for a user authentication token, according to their website, which is published in English and Portuguese. Once logged-in, the program prompts the user to find Instacart sales available near their location, according to a YouTube video viewed more than 13,000 times since May 9.

Despite Instacart’s efforts to crack down, finding a permanent solution may be difficult. Earlier this month, one man using the Instacart shopping app, who said he’s been using a bot since March, offered to install it on another shopper’s phone for $250, plus a $130 weekly recurring fee, according to screen shots of a conversation in late July seen by Bloomberg. When reached by phone earlier this week, the man spoke first in Portuguese and then in English, confirming to Bloomberg he was selling a bot for those amounts. He declined to answer additional questions after learning that the information would likely be publicized.

Fear of getting deactivated or scammed out of money has stopped some shoppers from spending money on the apps. Others like Santa Cruz-area grandmother Ginger Colgate said she refuses to do so on moral grounds.

“It’s just not right. It’s against the rules,” said Colgate, complaining that her earnings dropped from $1,800 a week to $300 because the bots have siphoned the best work. Colgate said she still sometimes drives to Costco and opens the Instacart app, hoping for work.

“So many times I sit with tears in my eyes in the parking lot just waiting and hoping to get an order,” she said. “I’ve basically given up.”



from Hacker News https://ift.tt/3hLSkhc

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.