"Why can't I get the coupon?"
A real-life story of an automated attack on a shopping app

"I clearly set an alarm, but the moment I logged in, it was already closed?"
Similar inquiries began arriving repeatedly at a shopping app's customer service center. They concerned first-come-first-served discount coupons, live-commerce-exclusive points, and limited-quantity events. Strangely, only a handful of users were consistently successful, while most were always a step behind.
At first, I thought it was simply a surge in traffic. The server was slow due to the high traffic during the event.
But something was off.
Always at the same time, always with similar accounts, always at speeds that humans couldn't handle.
That's when the operations team realized,
"This isn't just a traffic issue."
Why are shopping apps so lucrative for attackers?
Shopping apps aren't just content apps.
• Discount coupons
• Points
• Payment information
• Shipping information
• Seller transaction data
All of these are directly linked to real-world monetary value.
Therefore, from an attacker's perspective, a successful shopping app is a target that immediately generates revenue. Among these, the first to be targeted were monetary resources like discounts, coupons, and points.
Actual Attack Methods
The problem was fully revealed after log analysis.
Confirmed Attack Patterns
• Mass collection of coupons using automated clicks and macros
• Abnormal, repeated calls to the event participation button
• Modification of the app to bypass point deduction logic
On the surface, it appeared to be a legitimate app user, but in reality, an automated tool and a modified app were being used simultaneously.
Where was the security vulnerability?
This shopping app had a single problem:
"We couldn't distinguish between normal and abnormal user behavior."
• The server only received requests.
• The app trusted the execution environment.
• There was no standard for distinguishing automation from modification.
This is where app security became necessary.
LIAPP: The First Line of Defense Against Monetary Resource Attacks
Detecting Automated Input and Script-Based Attacks
LIAPP doesn't just look at what the user entered, but how they entered it.
• Touch interval
• Input speed
• Repeat cycle
• Event call pattern
Input rhythms that humans cannot achieve ultimately reveal themselves as automated attacks.
Automated click and macro accounts began to be detected using this method.
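A server-side version of the same idea, as an added example rather than LIAPP's own code: each account is judged by how its taps arrive, using the four signals listed above (touch interval, input speed, repeat cycle, event call pattern) over constructed log lines. The log format, the thresholds and the account names are assumptions chosen for illustration; a real deployment would tune them against its own traffic and combine them with the in-app signals LIAPP collects.

```python
# Added example, not LIAPP's code: a server-side heuristic that judges an
# account by HOW its taps arrive (interval, speed, regularity, call pattern).
# Thresholds and the log format below are assumptions chosen for illustration.
import re
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_HUMAN_GAP_MS = 120        # assumed: repeated taps faster than this are unrealistic
MAX_HUMAN_REGULARITY = 0.05   # assumed: gap jitter (coefficient of variation) below this is machine-like
MAX_HUMAN_RATE_PER_S = 5.0    # assumed: sustained taps per second a person can keep up
HAMMER_MIN_CALLS = 15         # assumed: calls needed before "same endpoint hammering" counts
MIN_EVENTS_TO_JUDGE = 5       # below this we refuse to judge

@dataclass(frozen=True)
class TapEvent:
    account: str
    ts_ms: int      # event time in milliseconds
    action: str     # which button/endpoint was hit

LOG_LINE = re.compile(r"account=(\S+) ts=(\d+) action=(\S+)")

def parse_log(lines):
    """Group constructed 'account=.. ts=.. action=..' lines by account."""
    by_account = {}
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue           # ignore unrelated log noise
        ev = TapEvent(m.group(1), int(m.group(2)), m.group(3))
        by_account.setdefault(ev.account, []).append(ev)
    return by_account

def classify(events):
    """Return {'verdict': ..., 'reasons': [...]} for one account's events."""
    if len(events) < MIN_EVENTS_TO_JUDGE:
        return {"verdict": "insufficient_data", "reasons": []}
    ts = sorted(e.ts_ms for e in events)
    gaps = [b - a for a, b in zip(ts, ts[1:])]          # touch intervals
    avg_gap = mean(gaps)
    regularity = pstdev(gaps) / avg_gap if avg_gap > 0 else 0.0   # repeat cycle jitter
    span_s = (ts[-1] - ts[0]) / 1000
    rate = len(events) / span_s if span_s > 0 else float("inf")   # input speed
    actions = [e.action for e in events]
    top_share = max(actions.count(a) for a in set(actions)) / len(actions)  # call pattern

    reasons = []
    if min(gaps) < MIN_HUMAN_GAP_MS:
        reasons.append("touch_interval_too_short")
    if regularity < MAX_HUMAN_REGULARITY:
        reasons.append("repeat_cycle_too_regular")
    if rate > MAX_HUMAN_RATE_PER_S:
        reasons.append("input_speed_too_high")
    if len(events) >= HAMMER_MIN_CALLS and top_share >= 0.9:
        reasons.append("single_endpoint_hammering")

    if len(reasons) >= 2:
        verdict = "automated"
    elif reasons:
        verdict = "suspicious"     # one signal alone is not enough to block
    else:
        verdict = "human"
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample log: one human-looking account, one macro, one slow script.
SAMPLE_LOG = (
    [f"account=human1 ts={t} action={a}" for t, a in
     [(0, "coupon_claim"), (800, "browse"), (2100, "event_join"),
      (3050, "browse"), (5150, "coupon_claim"), (6850, "browse")]]
    + [f"account=macro1 ts={1000 + 50 * i} action=coupon_claim" for i in range(20)]
    + [f"account=script1 ts={5000 + 1000 * i} action=event_join" for i in range(10)]
    + ["2024-01-01T10:00:00Z INFO health check ok"]   # unrelated noise line
)

def run_detection(lines=SAMPLE_LOG):
    """Classify every account seen in the log lines."""
    return {acct: classify(evs) for acct, evs in parse_log(lines).items()}

if __name__ == "__main__":
    for acct, result in run_detection().items():
        print(acct, result)
```

The slow script account is the edge case worth noticing: it taps at a human pace, so speed alone would never catch it, but its perfectly regular cycle still marks it as suspicious rather than automated, which is the right place for a review queue instead of an outright block.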
App forgery and tampering detection
Some attackers were more sophisticated.
• They repackaged legitimate apps,
• modified the point deduction logic,
• and participated in events as legitimate users.
LIAPP's forgery and tampering detection identifies the execution of tampered apps based on changes to
• code
• resources
• and app structure.
Tampered apps targeting coupons and points were no longer able to enter the normal flow.
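To make the three categories concrete, here is an added example of the integrity-check logic such detection rests on; it is not LIAPP's implementation and the package contents, paths and the "build-time manifest" design are assumptions. A digest of every file is recorded when the app is built, and at run time the installed files are compared against it, so a patched code file, a dropped resource or an injected library each surface as a change to code, resources or app structure.

```python
# Added example, not LIAPP's code: a build-time integrity manifest over an
# app package and a run-time check that reports changed code, resources and
# structure. The in-memory "package" and its contents are constructed.
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(package: dict) -> dict:
    """Build-time: record the digest of every file in the package.

    package maps path -> bytes. In a real pipeline the manifest would be
    signed and the verifier itself protected from patching; this example
    covers only the comparison logic.
    """
    return {path: sha256_hex(data) for path, data in sorted(package.items())}

def classify_path(path: str) -> str:
    """Map a path onto the categories named in the article: code or resource."""
    if path.endswith(".dex") or path.startswith("lib/"):
        return "code"
    if path.startswith(("res/", "assets/")):
        return "resource"
    return "structure"

def verify_package(package: dict, manifest: dict) -> list:
    """Run-time: compare the installed files against the manifest.

    Returns a sorted list of (category, change, path) tuples; an empty list
    means the package matches what was built. Added or missing files are
    reported as structural changes regardless of their type.
    """
    findings = []
    for path, expected in manifest.items():
        if path not in package:
            findings.append(("structure", "missing", path))
        elif sha256_hex(package[path]) != expected:
            findings.append((classify_path(path), "modified", path))
    for path in package:
        if path not in manifest:
            findings.append(("structure", "added", path))
    return sorted(findings)

# Constructed original build (placeholder bytes, not a real APK).
ORIGINAL = {
    "AndroidManifest.xml": b"<manifest package='com.example.shop'/>",
    "classes.dex": b"dex\n035\x00 deductPoints: original",
    "res/layout/coupon.xml": b"<LinearLayout/>",
    "assets/config.json": b'{"event_endpoint": "/api/event/join"}',
}
MANIFEST = build_manifest(ORIGINAL)

# Constructed repackaged build: code file changed, a native library added,
# and a resource dropped.
TAMPERED = dict(ORIGINAL)
TAMPERED["classes.dex"] = b"dex\n035\x00 deductPoints: patched"
TAMPERED["lib/arm64-v8a/libhook.so"] = b"\x7fELF placeholder"
del TAMPERED["res/layout/coupon.xml"]

if __name__ == "__main__":
    print("original:", verify_package(ORIGINAL, MANIFEST))
    print("tampered:", verify_package(TAMPERED, MANIFEST))
```

Any non-empty result is the signal to keep the app out of the coupon and point flow; what the example does not show, and what a product like LIAPP has to solve, is protecting the manifest and the checker themselves from being patched along with the app.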
"Coupons weren't the only problem."
Why LISS and LIKEY emerged
As the investigation progressed, another truth emerged:
Attackers don't just target coupons.
LISS – Remote Support Tool Detection
Screen manipulation using remote support apps was detected in some operations and seller accounts. Through LISS, we:
• detected remote support and remote control tools
• blocked external manipulation risks of critical accounts.
LIKEY – Account and Input Information Protection
Another weakness was the login input section.
By implementing LIKEY's secure keypad,
• we neutralized keylogger-based input theft
• and strengthened the protection of administrator and seller accounts.
What changed after implementation?
Changes occurred faster than expected after implementing security.
• Normalized coupon and point distribution
• Naturally shifted the distribution of event-related accounts
• Reduced customer complaints
• Reduced operational team response burden
The most important change was this:
We shifted from focusing solely on the server when a problem arose to focusing on both the app execution environment and user behavior.
Lessons from this case
The biggest misconception in shopping app security is this: "Just block the server."
However, actual attacks originate in the app, mimicking user behavior and quietly stealing financial resources.
So, what's needed?
• Automation and forgery detection → LIAPP
• External manipulation detection → LISS
• Input information protection → LIKEY
By clearly dividing roles, security becomes less complex and more effective.
#ShoppingAppSecurity #MobileSecurity #CouponAbusiveUse #EventSecurity #MacroDetection #AutomatedAttacks #AppForgery #RASPSecurity #E-CommerceSecurity #SellerAppSecurity #AccountProtection #FintechSecurity #MobileAppSecurity #SecurityCases #SecurityTrends #LIAPP #LISS #LIKEY