What is a Bot?
A bot, short for web robot, is a software application programmed to execute automated tasks over the internet. Bots often imitate human behavior and can be deployed to conduct tasks at high speed and enormous scale.
At any one time, more than half of all internet traffic can be attributed to bots. Whether you realize it or not, bots are a part of nearly everyone's daily life. If you use the internet to purchase products, research travel deals or engage with financial services, you will encounter bots. Here are some examples:
- Search engine web crawlers for enhanced indexing
- Chatbots for customer service
- Virtual assistants for boosting productivity
Web crawlers, chatbots, and virtual assistants are good bots. But bots can also be bad. Malicious bots are used by cybercriminals to conduct automated attacks, such as account takeover (ATO), carding, web scraping and distributed denial of service (DDoS). Both good and bad bots can contaminate web engagement data and skew analytics. Therefore, investing in intelligent bot management strategies is critical for digital businesses to protect themselves from damaging bot attacks, and to discern between good bot and bad bot traffic.
How Do Bots Work?
Bots can be programmed to execute a number of tasks, such as scanning content, interacting with web pages and social media accounts, or chatting with users. Some bots are useful, such as search engine bots that use machine learning to index content, or customer service bots that help users with questions.
However, malicious bots facilitate attacks on websites and mobile applications. These bad bots are programmed to break into user accounts, scan the web for contact information to send spam, or perform other malicious activities that contribute to fraud and forms of account abuse. Increasingly sophisticated bots can mimic user behavior to evade detection and conduct high volume attacks very quickly.
What Makes a Bot Bad?
Bad bots are built to perform a variety of malicious tasks that can result in data breaches, identity theft, lost customer conversions and other undesirable outcomes for digital businesses and web users. For example, bad bots can help fraudsters hack into online accounts using stolen usernames and passwords in what is called an account takeover (ATO) attack.
Bad bots can be sent from competitors looking to scrape content from your website. This content includes pricing information, competitive offers and breaking news articles. They can be used to spam forums with messages, create millions of fake leads, conduct abandonment campaigns on e-commerce checkout portals, distort marketing analytics, and steal store credits and gift cards. When bots make thousands of visits to a business’s website, they can cause latency and slow the web page down for genuine users.
As bot detection has advanced, so have bad bots. Bots can mirror human users in their behavior, making them extremely difficult for security operations teams to detect and block. In order for digital businesses to be competitive, conventional solutions like web application firewalls (WAFs) are no longer enough. This is why demand for bot management solutions is growing at such a rapid pace.
What Are the Most Common Bot Attacks?
Malicious attacks are diverse and negatively affect online organizations in various ways, including tarnishing your brand reputation, impacting online revenue, decreasing operational efficiency, and increasing the risk of a data breach. There are many bot-enabled attacks that plague digital businesses. Here are a few common bad bots and their attack techniques:
Account Takeover (ATO)
Fraudsters deploy bots armed with stolen username and password credentials to target the sign-in page of online accounts, such as an e-commerce, bank, or email account. This is sometimes referred to as credential stuffing. ATO attacks affect any organization with a customer-facing login. Common targets include online gaming, retailers, financial services firms and travel merchants.
Due to the diverse forms of fraud that cybercriminals can commit from compromised accounts, ATO attacks are one of the fastest growing attack techniques. Successful ATO attacks result in data breaches, identity theft and fraudulent purchases, costing online businesses millions.
Carding and Credit Card Stuffing
In carding attacks, bots test stolen credit or debit card information on merchant sites with small purchases to avoid detection. When small purchases are successful and the card is proven valid, the card data is used to retrieve funds from associated accounts or to purchase gift cards or goods that can be quickly converted to cash. Even when fraudulent transaction attempts are unsuccessful, businesses are charged card authorization fees for card-not-present transactions, racking up card validation costs of up to 10 cents for each transaction attempt. When you consider that carding bots initiate tens of thousands of transaction attempts, this can cost merchants a significant amount of money.
While carding attacks are similar to ATO attacks, the big difference is that ATO attacks focus on the login page using stolen usernames and passwords, while carding attacks focus on the checkout page using stolen card information.
Web Scraping
With web scraping, or web harvesting, bots are used to crawl web pages to steal prices, curated content, product reviews, and inventory data. This information can be used to inform a competitor’s business strategy, or be resold or reposted with the aim of capturing and redirecting users to another website.
Denial of Inventory
Denial of Inventory is a form of inventory hoarding where fraudsters use automated bots to hold items in digital carts without completing the sale. This is done with the intention of making the item, usually a high-demand or limited-availability item, unavailable to others. Often, the checkout process is never completed, preventing real users from actually purchasing the item and leaving the merchant with low sales and a large inventory.
Scalping
With scalping, bots are used to rapidly buy high-demand and limited-availability items, such as sneakers or concert tickets. The bots used in these attacks are sometimes even referred to as sneaker bots due to their prevalent use in sought-after sneaker releases. Once a merchant’s inventory is liquidated, fraudsters sell the scarce items in secondary markets at much higher prices.
How Do You Detect Bad Bots?
Effectively detecting and mitigating bad bots is critical for achieving success in the digital space. The ability to distinguish bad bot traffic from good is key. Telltale signs that your business is falling victim to bad bots may include:
- Increased login failures
If you notice a sudden spike in login failures, you are likely under attack from ATO bots. Fraudsters typically buy a list of credentials from the dark web and deploy an army of bots to test these credentials on popular travel, social media and e-commerce sites.
- Spike in account creations
An unexpected rise in new customer accounts could indicate bots, not new customers. Another type of account abuse, known as fake account creation, happens when bots create new accounts that are not linked to real users. Fake accounts are leveraged for other attacks or fraudulent transactions.
- Increased gift card or point validation failures
Seeing a rapid rise in gift card validation failures often indicates a carding attack. In this circumstance bots are trying to identify which gift cards have large balances so they can be sold on the dark web.
- Increased shopping cart abandonment
If you see a spike in items left in shopping carts without completing the sale, bots may be the culprit, and you may be the victim of a denial of inventory attack.
- Your content on a strange website
If your content, breaking story, or promotional offer mysteriously appears on unapproved and competitive websites, then you are likely the victim of scraping bots.
- Anomalous geographical traffic
If a wave of web traffic comes from locations where your customers don’t live or where you don’t offer your service, then you may be under attack. For example, if you operate primarily in the United States and you start to see traffic from Iran, North Korea or Russia, beware.
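The first sign above, a sudden spike in login failures, can be checked against a robust per-minute baseline. The following is an added example, not code from HUMAN or from the original page; the `(timestamp, username, outcome)` event shape, the thresholds `k` and `min_failures`, and the sample data are assumptions, and the distinct-username count is included because bots testing a credential list fail across many different accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

def minute_buckets(events):
    """Group (timestamp, username, outcome) events into per-minute stats."""
    buckets = defaultdict(lambda: {"fail": 0, "total": 0, "users": set()})
    for ts, user, outcome in events:
        b = buckets[ts.replace(second=0, microsecond=0)]
        b["total"] += 1
        if outcome == "fail":
            b["fail"] += 1
            b["users"].add(user)
    return dict(buckets)

def failure_spikes(events, k=5.0, min_failures=20):
    """Flag minutes whose failure count is far above the robust baseline.

    Baseline is the median failures per minute; spread is the median
    absolute deviation (MAD). k and min_failures are assumed tuning values.
    """
    buckets = minute_buckets(events)
    counts = [b["fail"] for b in buckets.values()]
    base = median(counts)
    mad = median(abs(c - base) for c in counts)
    threshold = base + k * max(mad, 1)  # floor the spread so quiet sites still work
    spikes = []
    for minute in sorted(buckets):
        b = buckets[minute]
        if b["fail"] > threshold and b["fail"] >= min_failures:
            spikes.append({"minute": minute, "failures": b["fail"],
                           "failure_rate": round(b["fail"] / b["total"], 2),
                           "distinct_users": len(b["users"])})
    return spikes

def constructed_events():
    """Constructed sample: 30 quiet minutes, then one minute of mass failures."""
    start = datetime(2024, 1, 1, 12, 0)
    events = []
    for m in range(30):
        t = start + timedelta(minutes=m)
        events += [(t, f"user{m}", "ok")] * 8
        events += [(t, f"user{m}", "fail")] * (m % 3)  # 0-2 ordinary typos
    burst = start + timedelta(minutes=30)
    events += [(burst, f"victim{i}", "fail") for i in range(300)]
    events += [(burst, "user1", "ok")] * 8
    return events

if __name__ == "__main__":
    for spike in failure_spikes(constructed_events()):
        print(spike)
```

A flagged minute with a high failure rate spread across hundreds of distinct usernames points to automated credential testing rather than a few users mistyping passwords.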
How Do You Get Rid of Bad Bots?
The best way to beat bad bots is with a bot management solution. As bots grow more advanced with the ability to mimic human users and solve reCAPTCHAs, machine learning solutions are needed to analyze and predict their behavior. Implementing an AI-based solution that excels at identifying malicious bot activity on mobile applications, websites and APIs will help ensure that you can keep pace with new bot attacks as they emerge, and effectively block them.
Bot management solutions should be:
- Fast: Able to process brute-force and ATO attacks
- Accurate: Low false positives (FP) and false negatives (FN)
- Friction-free: Does not drive away real users
- Mobile-ready: Performs well with mobile apps
- Low risk: Does not collect personally identifiable information (PII)
How Does HUMAN Mitigate Bad Bots?
The Human Defense Platform offers a suite of bot management solutions that protect your websites, mobile applications and APIs from automated attacks. These include Account Takeover Defense, Transaction Abuse Defense, Scraping Defense, Account Fraud Defense, Programmatic Ad Fraud Defense, and Data Contamination Defense. HUMAN leverages more than 350 advanced machine learning algorithms, behavioral analysis, and predictive methods to detect and mitigate automated carding attacks with exceptional accuracy.
HUMAN's bot management solutions operate asynchronously to mitigate bad bots at the edge, ensuring low latency and optimizing infrastructure costs. If required, we provide the Human Challenge, a user-friendly verification feature that protects against CAPTCHA-solving bots while maintaining a positive user experience. By stopping bad bots without adding friction, HUMAN's bot management solutions reduce risk, protect revenue and reputation, and drive operational efficiency.