Web applications that offer online purchasing or reservations are vulnerable to inventory hoarding (a.k.a. “Denial of Inventory”). In this attack, hostile bots make inventory unavailable to legitimate customers. For example, bots attack retail sites by adding products to shopping carts but never completing the purchases.
In some industries, inventory hoarding attacks occur frequently. For example, travel sites and applications are often attacked by bots that abuse time-to-checkout policies (which usually allow 15 minutes or so for customers to complete their transactions), continually looping and booking reservations without ever purchasing tickets. This prevents actual customers from purchasing, but other financial damage can occur as well.
Travel sites and applications often get their data from aggregators. Each time a “customer” searches for flights, a small financial liability (a data lookup fee) is created. If the customer buys a ticket, the aggregator gets a commission on the sale; otherwise, the lookup fee is charged to the site owner. Since bots never buy tickets, their continual data requests can accrue significant expenses for site owners.
In effect, inventory hoarding is an Application-Layer Denial-of-Service attack. It can result in direct loss of revenue because legitimate customers cannot make purchases. Products that expire (e.g., tickets to an event) can go unsold. Sellers can accrue expenses such as data-lookup fees. Consumer goodwill and trust can be damaged.
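The looping pattern described above (re-holding inventory each time a hold expires, or issuing many fee-bearing lookups with no purchase) leaves a recognisable trace in reservation logs. The following is an added example, not code from the original article: it profiles each client from a constructed event log of `search`, `hold` and `purchase` actions and flags clients whose behaviour matches hoarding. The 15-minute time-to-checkout window is the figure from the text; the other thresholds and the log format are assumptions for illustration.

```python
"""Profile reservation events per client and flag denial-of-inventory behaviour.

Constructed example. Assumes a log of (timestamp_seconds, client_id, action, item)
tuples where action is "search", "hold" (cart add / reservation) or "purchase".
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Policy and thresholds. The 15-minute time-to-checkout is the figure from the
# text; the remaining values are assumed tuning knobs, not published numbers.
HOLD_TTL_SECONDS = 15 * 60
RENEWAL_SLACK_SECONDS = 60      # a new hold within +/-60 s of the old hold's expiry is a "renewal"
MIN_HOLDS_TO_FLAG = 3           # unconverted holds before a client looks suspicious
MIN_RENEWALS_TO_FLAG = 2        # chained renewals = looping at the TTL boundary
MIN_SEARCHES_TO_FLAG = 20       # fee-bearing lookups with no purchase

Event = Tuple[float, str, str, str]


@dataclass
class ClientProfile:
    searches: int = 0
    holds: int = 0
    purchases: int = 0
    renewals: int = 0
    last_hold_ts: Optional[float] = None


def build_profiles(events: Iterable[Event]) -> Dict[str, ClientProfile]:
    """Aggregate per-client counters, detecting holds placed right as the previous one expires."""
    profiles: Dict[str, ClientProfile] = defaultdict(ClientProfile)
    for ts, client, action, _item in sorted(events, key=lambda e: e[0]):
        p = profiles[client]
        if action == "search":
            p.searches += 1
        elif action == "hold":
            p.holds += 1
            if p.last_hold_ts is not None:
                expiry = p.last_hold_ts + HOLD_TTL_SECONDS
                if abs(ts - expiry) <= RENEWAL_SLACK_SECONDS:
                    p.renewals += 1      # re-holding exactly when the old hold lapses
            p.last_hold_ts = ts
        elif action == "purchase":
            p.purchases += 1
            p.last_hold_ts = None        # the hold was consumed, not abandoned
    return dict(profiles)


def flag_hoarders(profiles: Dict[str, ClientProfile]) -> Dict[str, List[str]]:
    """Return {client_id: [reasons]} for clients whose profile matches hoarding."""
    flags: Dict[str, List[str]] = {}
    for client, p in profiles.items():
        reasons: List[str] = []
        if p.purchases == 0 and p.holds >= MIN_HOLDS_TO_FLAG:
            reasons.append("hold-churn")
        if p.renewals >= MIN_RENEWALS_TO_FLAG:
            reasons.append("hold-renewal")
        if p.purchases == 0 and p.searches >= MIN_SEARCHES_TO_FLAG:
            reasons.append("search-without-purchase")
        if reasons:
            flags[client] = reasons
    return flags


# Constructed sample log (not real traffic).
SAMPLE_LOG: List[Event] = [
    (0, "bot-1", "hold", "FLT-100"),
    (5, "user-7", "search", "FLT-100"),
    (30, "user-7", "hold", "FLT-100"),
    (120, "user-7", "purchase", "FLT-100"),     # normal conversion
    (100, "user-3", "hold", "FLT-100"),
    (2000, "user-3", "hold", "FLT-100"),        # casual abandon, not at the TTL boundary
    (890, "bot-1", "hold", "FLT-100"),          # 10 s before the first hold expires at 900
    (1790, "bot-1", "hold", "FLT-100"),         # again at the boundary
    (2690, "bot-1", "hold", "FLT-100"),         # and again, never purchasing
] + [(i * 10, "bot-2", "search", "FLT-200") for i in range(25)]   # 25 lookups, no purchase


if __name__ == "__main__":
    for client, reasons in flag_hoarders(build_profiles(SAMPLE_LOG)).items():
        print(f"{client}: {', '.join(reasons)}")
```

The renewal check is the most specific signal: a legitimate shopper who lets a hold lapse rarely re-holds the same item within a minute of the exact expiry, whereas a bot built around the time-to-checkout policy does so every cycle. Flagged clients are candidates for rate limiting or bot challenges rather than automatic blocking, since the other two counters are ratio-based and will occasionally catch an indecisive human.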