What is a Bot?
A bot, short for web robot, is a software application programmed to execute automated tasks over the internet. Bots often imitate human behavior and can be deployed to conduct tasks at high speed and enormous scale. Whether you realize it or not, bots are a part of nearly everyone's daily life. If you use the internet to purchase products, research travel deals or engage with financial services, you will encounter bots. Here are some examples:
- Search engine web crawlers for enhanced indexing
- Chat bots for customer service
- Virtual assistants for boosting productivity
Bots are used in very diverse ways. They can be helpful good bots, such as those that provide website metrics and improve website performance, and they can be sinister bad bots, such as those behind automated attacks including account takeover (ATO), carding, web scraping and distributed denial of service (DDoS). Therefore, investing in intelligent bot management strategies is critical for digital businesses to protect themselves from damaging bot attacks and to discern between good bot and bad bot traffic.
How Do Bots Work?
At any one time, more than half of all internet traffic can be attributed to bots. For some e-commerce storefronts, bot traffic can be even higher than 90%. Bots scan content, interact with web pages and social media accounts, or chat with users.
Some bots are useful, such as search engine bots that use machine learning to index content, or customer service bots that help users with questions. However, other bots facilitate attacks on websites and mobile applications. These bad bots are programmed to break into user accounts, scan the web for contact information to send spam, or perform other malicious activities that contribute to fraud and forms of account abuse.
What Makes a Bot Bad?
Bad bots are built to perform a variety of malicious tasks that can result in data breaches, identity theft, lost customer conversions and other undesirable outcomes for digital businesses and web users. For example, bad bots can help fraudsters hack into online accounts using stolen usernames and passwords in what is called an account takeover (ATO) attack.
Bad bots can be sent from competitors looking to scrape content from your website. This content includes pricing information, competitive offers and breaking news articles. They can be used to spam forums with messages, create millions of fake leads, conduct abandonment campaigns on e-commerce checkout portals, distort marketing analytics and steal store credits and gift cards. When bots make thousands of visits to a business’s webpage, they can cause latency and slow the web page down for genuine users.
As bot detection has advanced, so have bad bots. Bots can mirror human users in their behavior, making them extremely difficult for digital merchants and security operations teams to detect and block. In order for digital businesses to be competitive, conventional solutions like web application firewalls (WAFs) are no longer enough. This is why demand for bot management solutions is growing at such a rapid pace.
Read The Forrester New Wave™: Bot Management, Q1 2020 report for a complete evaluation of 13 bot management providers.
Most Common Bot Attacks
Malicious attacks are diverse and negatively affect online retailers in various ways including tarnishing your brand reputation, impacting online revenue, decreasing operational efficiency and increasing the risk of a data breach. There are many bot-enabled attacks that plague digital businesses from sign-in to check-out. Here are a few common bad bots and their attack techniques:
Account Takeover (ATO)
Fraudsters deploy bots armed with stolen username and password credentials to target the sign-in page of online accounts, such as an e-commerce, bank or email account. This is sometimes referred to as credential stuffing. ATO attacks affect any organization with a customer-facing login. Common targets include online gaming, retailers, financial services firms and travel merchants.
Due to the diverse forms of fraud that cybercriminals can commit from compromised accounts, ATO attacks are one of the fastest growing attack techniques. Successful ATO attacks result in data breaches, identity theft and fraudulent purchases, costing online businesses millions.
Carding and Credit Card Stuffing
In carding attacks, bots test stolen credit or debit card information on merchant sites with small purchases to avoid detection. When small purchases are successful and the card is proven valid, the card data is used to retrieve funds from associated accounts or to purchase gift cards or goods that can be quickly converted to cash. Even when fraudulent transaction attempts are unsuccessful, businesses are charged card authorization fees for card-not-present transactions, racking up card validation costs of up to 10 cents for each transaction attempt. When you consider that carding bots initiate tens of thousands of transaction attempts, this can cost merchants a significant amount of money.
While carding attacks are similar to ATO attacks, the big difference is that ATO attacks focus on the login page using stolen usernames and passwords, while carding attacks focus on the checkout page using stolen card information.
Web Scraping
With web scraping, or web harvesting, bots are used to crawl web pages to steal prices, curated content, product reviews and inventory data with the aim of capturing and redirecting a digital business’s customers to another website.
Denial of Inventory
Denial of Inventory is a form of inventory hoarding where fraudsters use automated bots to hold items in e-commerce baskets without completing the sale. This is done with the intention of making the item, usually a high-demand or limited-availability item, unavailable to others. Often, the checkout process is never completed, preventing real users from actually purchasing the item and leaving the merchant with low sales and a large inventory.
Scalping
With scalping, bots are used to rapidly buy high-demand and limited-availability items, such as sneakers or concert tickets. The bots used in these attacks are sometimes even referred to as sneaker bots due to their prevalent use in sought-after sneaker releases. Once a merchant’s inventory is liquidated, fraudsters sell the scarce items in secondary markets at much higher prices.
Effective bot detection is critical for achieving success in the digital marketplace. The ability to tell bad bot traffic from good is key. Telling signs that your business is falling victim to bad bots may include:
- Increased login failures
If you notice a sudden spike in login failures, you are likely under attack from ATO bots. Fraudsters typically buy a list of credentials from the Dark Web and deploy an army of bots to test these credentials on popular travel, social media and e-commerce sites.
- Increased spike in account creations
An unexpected rise in new customer accounts could indicate bots, not new customers. Another type of account abuse, known as fake account creation, happens when bots create new accounts that are not linked to real users. Fake accounts are leveraged for other attacks or fraudulent transactions.
- Increased gift card or point validation failures
Seeing a rapid rise in gift card validation failures often indicates a carding attack. In this circumstance bots are trying to identify which gift cards have large balances so they can be sold on the Dark Web.
- Increased shopping cart abandonment
If you see a spike in items left in shopping carts without the sale being completed, bots may be the culprit, and you may be the victim of a denial of inventory attack.
- Your content on a strange website
If your content, breaking story or promotional offer mysteriously appears on unapproved and competitive websites, then you are likely the victim of scraping bots.
- Anomalous geographical traffic
If a wave of web traffic comes from locations where your customers don’t live or where you don’t offer your service, then you may be under attack. For example, if you operate primarily in the United States and you start to see traffic from Iran, North Korea or Russia, beware.
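The first two signs above (a spike in login failures, and one source cycling through many usernames, which is the credential stuffing pattern behind ATO) can be checked directly against authentication logs. The following is an added example, not code from the original page or from any bot management product; the log format, the sample lines and the baseline failure rate are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): "<ISO time> login <ok|fail> user=<u> ip=<a.b.c.d>"
SAMPLE_LOG = """\
2024-01-01T10:00:05Z login ok user=alice ip=203.0.113.5
2024-01-01T10:00:20Z login fail user=bob ip=203.0.113.9
2024-01-01T10:00:41Z login ok user=carol ip=203.0.113.7
2024-01-01T10:01:02Z login ok user=dave ip=203.0.113.8
2024-01-01T10:01:03Z login fail user=u1 ip=198.51.100.4
2024-01-01T10:01:04Z login fail user=u2 ip=198.51.100.4
2024-01-01T10:01:05Z login fail user=u3 ip=198.51.100.4
2024-01-01T10:01:06Z login fail user=u4 ip=198.51.100.4
2024-01-01T10:01:07Z login fail user=u5 ip=198.51.100.4
2024-01-01T10:01:08Z login fail user=u6 ip=198.51.100.4
2024-01-01T10:01:09Z login ok user=u7 ip=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) login (ok|fail) user=(\S+) ip=(\S+)$")

def parse_log(text):
    """Yield (minute_bucket, outcome, user, ip) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts.strftime("%Y-%m-%dT%H:%M"), m.group(2), m.group(3), m.group(4)

def failure_spikes(text, baseline_fail_rate=0.10, factor=3.0, min_attempts=5):
    """Minutes whose login failure rate exceeds `factor` x the baseline.
    The baseline is an assumed value; in practice derive it from normal traffic."""
    totals, fails = defaultdict(int), defaultdict(int)
    for minute, outcome, _, _ in parse_log(text):
        totals[minute] += 1
        fails[minute] += outcome == "fail"
    return sorted(m for m, n in totals.items()
                  if n >= min_attempts and fails[m] / n > factor * baseline_fail_rate)

def stuffing_sources(text, min_distinct_users=5):
    """IPs whose failed logins span many distinct usernames: one source
    working through a leaked credential list rather than a user mistyping."""
    users_by_ip = defaultdict(set)
    for _, outcome, user, ip in parse_log(text):
        if outcome == "fail":
            users_by_ip[ip].add(user)
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_distinct_users}
```

The minimum-attempts floor keeps a single failed login in a quiet minute from registering as a spike; tune it and the baseline to the site's real volume.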
The best bot management solutions are accurate and easy to deploy. As bots grow more advanced with the ability to mimic human behavior and solve reCAPTCHAs, bot detection solutions need to advance as well. Selecting an AI-based solution that excels at identifying malicious bot activity on mobile applications, websites and APIs will help ensure that you can keep pace with new bot attacks as they emerge, and effectively block them.
Bot management solutions should be:
- Fast: Able to keep up with the request volume of brute-force and ATO attacks
- Accurate: Low false positives (FP) and false negatives (FN)
- Friction-free: Does not drive away real users
- Mobile-ready: Performs well with mobile apps
- Low risk: Does not collect personally identifiable information (PII)