What is a bot?
A bot, or web robot, is a software application programmed to execute automated tasks over the internet. Bots often imitate human behavior and can be deployed to conduct tasks at high speed and massive scale.
If you use the internet to purchase products, research travel deals, or engage with financial services, you will encounter bots. Indeed, at any one time, more than half of all internet traffic can be attributed to bots. Here are some common examples of bots:
- Search engine web crawlers for enhanced indexing
- Chatbots for customer service
- Virtual assistants for boosting productivity
Web crawlers, chatbots, and virtual assistants are good bots. But there are also bad bots, which cybercriminals use to conduct automated attacks, such as account takeover (ATO), carding, scraping and distributed denial of service (DDoS).
Both good and bad bots can contaminate web engagement data and skew analytics. Therefore, investing in intelligent bot management strategies is critical for digital businesses to protect themselves from damaging bot attacks, and to discern between good bot and bad bot traffic.
How do bots work?
Bots can be programmed to execute various tasks, such as scanning content, interacting with web pages and social media accounts, or chatting with users. Some bots are useful, such as search engine bots that use machine learning to index content, or customer service bots that help users with questions.
However, malicious bots facilitate attacks on websites and mobile applications. These bad bots are programmed to break into user accounts, scan the web for contact information to send spam, or perform other malicious activities that contribute to fraud and forms of account abuse. Increasingly sophisticated bots can mimic user behavior to evade detection and conduct high volume attacks quickly.
What makes a bot bad?
Bad bots can perform various malicious tasks that can lead to data breaches, identity theft, lost customer conversions, and other undesirable outcomes for digital businesses and web users. For example, bad bots can help fraudsters break into online accounts using stolen usernames and passwords in what is called an account takeover (ATO) attack.
Competitors might unleash bad bots looking to scrape content from your website. This content includes pricing information, competitive offers, and breaking news articles. Bad bots can also be used to spam forums with messages, create millions of fake leads, conduct abandonment campaigns on e-commerce checkout portals, distort marketing analytics, and steal store credits and gift cards. When bots make thousands of visits to a business’s website, they can cause latency and slow the web page down for genuine users.
As bot detection has matured, so have bad bots. Bots can mirror human users in their behavior, making them extremely difficult for security operations teams to detect and block. In order for digital businesses to be competitive, conventional solutions like web application firewalls (WAFs) are no longer enough. This is why demand for bot management solutions is growing at such a rapid pace.
What are the most common bot attacks?
Malicious attacks are diverse and negatively affect online organizations in various ways, including tarnishing brand reputation, undercutting online revenue, decreasing operational efficiency, and increasing the risk of a data breach. There are many bot-enabled attacks that plague digital businesses. Here are a few common bad bots and their attack techniques:
Account Takeover (ATO)
Fraudsters use various techniques to take control of user accounts, a process known as account takeover (ATO). One common method is credential stuffing, where fraudsters deploy bots armed with stolen username and password credentials to target the sign-in page of online accounts, such as an e-commerce, bank, or email account. ATO attacks affect any organization with a customer-facing login. Common targets include online gaming, retailers, financial services firms and travel merchants.
Due to the diverse forms of fraud that cybercriminals can commit from compromised accounts, ATO attacks are one of the fastest growing attack techniques. Successful ATO attacks result in data breaches, identity theft and fraudulent purchases, costing online businesses millions.
Carding and Credit Card Stuffing
In carding attacks, bots test stolen credit or debit card information on merchant sites with small purchases to avoid detection. When small purchases are successful and the card is proven valid, the card data is used to retrieve funds from associated accounts or to purchase gift cards or goods that can be quickly converted to cash. Even when fraudulent transaction attempts are unsuccessful, businesses are still charged card authorization fees for card-not-present transactions, racking up card validation costs of up to 10 cents for each transaction attempt. When you consider that carding bots initiate tens of thousands of transaction attempts, this can cost merchants a significant amount of money.
While carding attacks are similar to ATO attacks, the big difference is that ATO attacks focus on the login page using stolen usernames and passwords, while carding attacks focus on the checkout page using stolen card information.
Scraping
With scraping, or data harvesting, bots are used to crawl web pages to steal prices, content, product reviews, and inventory data. This information can be used to inform a competitor’s business strategy, or to be resold or reposted with the aim of capturing and redirecting users to another website.
Denial of Inventory
Denial of inventory is a form of product inventory hoarding, where fraudsters use automated bots to hold items in digital carts without completing the sale. This is done with the intention of making the item, usually a high-demand or limited-availability item, unavailable to others. Often, the checkout process is never completed, preventing real users from actually purchasing the item, leaving the merchant with low sales and a large inventory.
Scalping
With scalping, bots rapidly buy high-demand and limited-availability items, such as sneakers or concert tickets. The bots used in these attacks are sometimes even referred to as sneaker bots, due to their prevalent use in sought-after sneaker releases. Once a merchant’s inventory is liquidated, fraudsters sell the scarce items in secondary markets at much higher prices.
How do you know if you have a bot problem?
Effectively detecting and mitigating bad bots is critical for achieving success in the digital space. The ability to identify bad bot traffic from good is key. Telling signs that your business is falling victim to bad bots may include the following:
- Large number of login failures: If you notice a sudden spike in login failures, you are likely under attack from ATO bots. Fraudsters typically buy a list of credentials from the dark web and deploy an army of bots to test these credentials on popular travel, social media, and e-commerce sites.
- Spike in account creations: An unexpected rise in new customer accounts could indicate bots, not new customers. Another type of account abuse, known as fake account creation, occurs when bots create new accounts that are not linked to real users. Fake accounts are leveraged for other attacks or fraudulent transactions.
- Gift card or point validation failures: Seeing a rapid rise in gift card validation failures often indicates a carding attack. In this circumstance, bots are trying to identify which gift cards have large balances, so they can be sold on the dark web.
- Increased shopping cart abandonment: If you see a spike in items left in shopping carts without completing the sale, bots may be the culprit, and you may be the victim of a denial of inventory attack.
- Your content on a strange website: If your content, breaking story, or promotional offer mysteriously appears on unapproved and competitive websites, then you are likely the victim of scraping bots.
- Anomalous geographical traffic: If a wave of web traffic comes from locations where your customers don’t live or where you don’t offer your service, then you may be under attack. For example, if you operate primarily in the United States and start to see traffic from Iran, North Korea, or Russia, beware.
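The login-failure and gift-card-validation signals above can be checked directly against application logs. The following is an added example, not HUMAN's code or product logic: it runs over a constructed event log in a hypothetical "timestamp event outcome user ip" format, flags minutes whose failure count is a multiple of an assumed historical baseline, and separately flags IPs whose failed logins span many distinct usernames, the pattern credential stuffing leaves behind.

```python
from collections import Counter, defaultdict

def build_sample_log():
    """Constructed sample log (hypothetical format: ts event outcome user ip).
    Minute 10:00 is quiet; 10:01 shows a burst of failed logins across many
    usernames from one IP (credential stuffing); 10:02 shows a run of gift
    card validation failures (carding)."""
    lines = [
        "2024-05-01T10:00:03Z login fail alice 203.0.113.5",
        "2024-05-01T10:00:41Z login ok bob 198.51.100.7",
        "2024-05-01T10:00:50Z giftcard fail carol 198.51.100.9",
    ]
    lines += [f"2024-05-01T10:01:{i:02d}Z login fail user{i} 192.0.2.10" for i in range(12)]
    lines += [f"2024-05-01T10:02:{i:02d}Z giftcard fail guest{i} 192.0.2.11" for i in range(8)]
    return "\n".join(lines)

def parse_events(text):
    """Split each line into (minute, event, outcome, user, ip). The ISO timestamp
    truncated to 'YYYY-MM-DDTHH:MM' serves as the 60-second bucket key."""
    events = []
    for line in text.splitlines():
        ts, event, outcome, user, ip = line.split()
        events.append((ts[:16], event, outcome, user, ip))
    return events

def failures_per_minute(events, event):
    """Count 'fail' outcomes of one event type ('login', 'giftcard') per minute."""
    return Counter(m for m, e, o, _, _ in events if e == event and o == "fail")

def spike_minutes(counts, baseline, factor=5):
    """Minutes whose failure count is at least factor x the per-minute baseline.
    The baseline is an assumed value an operator would derive from past traffic."""
    return sorted(m for m, n in counts.items() if n >= baseline * factor)

def stuffing_sources(events, min_users=5):
    """IPs whose failed logins span many distinct usernames: one address cycling
    through a credential list rather than one user mistyping a password."""
    users = defaultdict(set)
    for _, e, o, user, ip in events:
        if e == "login" and o == "fail":
            users[ip].add(user)
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}

if __name__ == "__main__":
    ev = parse_events(build_sample_log())
    print("login failure spikes:", spike_minutes(failures_per_minute(ev, "login"), baseline=2))
    print("gift card failure spikes:", spike_minutes(failures_per_minute(ev, "giftcard"), baseline=1))
    print("credential stuffing sources:", stuffing_sources(ev))
```

The per-IP check matters because a spike alone cannot distinguish a credential-stuffing run from a single locked-out user retrying; real deployments would also key on device or session identifiers, since attackers rotate IPs.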
How do you get rid of bad bots?
The best way to beat bad bots is with a bot management solution. As bots grow more advanced, with the ability to mimic human users and solve reCAPTCHAs, machine learning solutions are needed to analyze and predict their behavior. Implementing an AI-based solution that excels at identifying malicious bot activity on mobile applications, websites and APIs will help ensure that you can keep pace with new bot attacks as they emerge, and effectively block them.
Bot management solutions should be:
- Fast: Able to process brute-force and ATO attacks
- Accurate: Low false positives (FP) and false negatives (FN)
- Friction-free: Does not drive away real users
- Mobile-ready: Performs well with mobile apps
- Low risk: Does not collect personally identifiable information (PII)
How does HUMAN mitigate bad bots?
The Human Defense Platform offers a suite of bot management solutions that protect your websites, mobile applications and application programming interfaces (APIs) from automated attacks. These include Account Takeover Defense, Transaction Abuse Defense, Scraping Defense, Ad Fraud Defense, and Data Contamination Defense. HUMAN leverages more than 400 advanced machine learning algorithms, behavioral analysis, and predictive methods to detect and mitigate automated attacks with exceptional accuracy.
HUMAN's bot management solutions operate asynchronously to mitigate bad bots at the edge, ensuring low latency and optimizing infrastructure costs. If required, we serve the Human Challenge, a user-friendly verification feature that protects against CAPTCHA-solving bots while maintaining a positive user experience. By stopping bad bots without adding friction, HUMAN's bot management solutions reduce risk, protect revenue and reputation, and drive operational efficiency.