When executives think of the worst cybersecurity threat today, many think of system breaches or DDoS attacks. Most don’t realize that some of the worst threats today come from bots, and this misconception can be very costly for their organizations.
Web robots (or ‘bots’ for short) are automated programs that are deployed across the Internet to do various tasks. On average across different verticals, bots comprise about 62% of a website’s traffic, 24% of which would be deemed safe. For example, search engines deploy Internet bots called “spiders” that visit sites and collect information to be stored and used for indexing. Without them, Google and other search engines would not be able to display the proper results in real-time to users.
The other 38%, however, are hostile. In other words, more than one-third of an average site’s traffic typically consists of harmful bots. Almost all web attacks use bots to one degree or another, and even human hackers often send out vulnerability-scanning bots to find sites that they know they can penetrate. Since bots are the basis of almost all web attacks today, site owners must understand and mitigate the potential risks.
One of the most dramatic forms of bot attack is Distributed Denial of Service (DDoS), which consists of waves of automated traffic from attackers attempting to overwhelm the victim’s resources through sheer volume. While DDoS attacks are harmful, they typically only last a short time. Also, most organizations today are aware of these threats, so they have implemented the proper solutions to defend against them. Unfortunately the same can’t always be said of other forms of bot threats. More subtle attacks often fly under the radar and can be much more damaging over the long term.
Below are the top five bot attacks companies should be aware of today – and five clear reasons to pay close attention to bot mitigation, in order to keep harmful automated traffic out of company sites and away from customers.
Credit card fraud
Payment card numbers are valuable, and can be sold on the dark web. If a site accepts and stores card numbers, the organization can expect vulnerability scanning bots to visit it regularly. If a vulnerability is ever found, hackers will arrive immediately. They want to breach the site, harvest the card numbers, and sell them for a profit.
Even if an organization doesn’t store payment card data, bots can still abuse a website. When selling card numbers, those known to be valid are much more valuable. Hackers validate card numbers by sending bots to a site; the bots add items to their shopping carts, and enter numerous card numbers to start to “pay” for the purchases. The numbers that are accepted are valid, and are then sold. Bots will also just use the numbers directly to make fraudulent purchases.
If this malicious activity occurs unchecked on a website, that company can expect chargebacks, problems with merchant accounts (including cancellations), and even potential fines from regulatory authorities.
For some products and services, items are removed from available inventory as soon as someone begins an online purchase process. For example, when someone visits an airline website and begins to reserve a flight, the web application immediately removes a seat from the available space on the plane.
These sites are vulnerable to “inventory denial” attacks. Bots visit the site, pretending to be normal shoppers. They begin to “purchase” something, but they never complete the transaction. Usually, the website will timeout a transaction after a certain time (10 minutes is a common amount), and make the items available again. But for that entire period, the items are denied to actual customers. They’ll also only be available again for a short time—until the bot starts a new “purchase,” which will be a small window after the normal timeout period has passed.
Some industries are plagued by inventory denial bots. If a site’s bot defenses are not up to date, it can lose large amounts of revenue, merely because legitimate customers are prevented from buying.
Most people think that online data theft only occurs when a hacker breaches a system and steals data. But there’s another large source of data theft: bots that never breach the systems that they steal from. This includes scraper bots that visit sites and copy their content. Some verticals – such as data aggregators – gather and sell data and content. For these verticals, scrapers are a direct threat to their business model.
Other verticals are threatened indirectly. For example, eCommerce sites are frequently scraped by bots which gather pricing data. Competitors use this data to undercut the victim’s prices, causing the victim to lose sales.
If a site relies on advertising to generate revenue, it is vulnerable to click fraud – which occurs when bots are sent to “click” on ads. The immediate victim is the advertiser who spends money for false clicks and does not receive the ROI that was expected from the ad budget. The subsequent effect on companies occurs when ad networks discover the fraud, and reverse their payments.
If click fraud continues to happen on a site, advertising networks will also eventually blacklist that company. In worst case scenarios, click fraud can eliminate an entire category of potential revenue from a company’s site.
Cybercriminals can break into a site and steal data without even breaching it. They use bots to “stuff” credentials into login forms and hijack customer accounts. The credentials are sometimes generated via brute force, where bots create different combinations of letters and numbers to see which combinations are valid logins.
Or, a more common approach is for bots to cycle through lists of emails and passwords that were stolen from other sites. Most web users today still use the same credential sets across multiple sites. Their accounts will be vulnerable to takeovers by stuffing bots.
Don’t underestimate the threat
Hostile bots are used to wage a wide variety of web attacks today and cybercriminals are constantly improving their attack tools. They continue to invest a lot of time and money into enhancing the quality of their bots. Today’s bot traffic is a mixture of old and new programs, and although the older bots are easier to identify and remove, the latest bots are much more sophisticated. They mask their identities and spoof their environments. They masquerade effectively as humans using web browsers, mimicking human behavior by sending a credible stream of interactive events (mouse clicks, scrolls, taps, zooms, etc.) to the targeted web application. As a result, they have become very difficult to detect.
One-third of an average website's traffic is generated by malicious bots attempting #cyberattacks or scanning for issues that they can exploit. #respectdata Click to Tweet
Along with the five bot attacks explored above, there are numerous others that exist today, and new actors and threats are emerging every day. In this increasingly challenging environment, it has become evermore crucial for sites, web applications, and APIs to be protected against malicious traffic. For companies, this requires defenses that are effective, comprehensive, up-to-date, and sophisticated enough to combat these growing threats to their business.