Over half of all internet traffic is generated by bots — some legitimate, some malicious. Competitors and adversaries alike often deploy “bad” bots that leverage different methods to achieve nefarious objectives. This includes account takeover, scraping data, denying available inventory and launching denial-of-service attacks with the intent of stealing data or causing service disruptions. Sophisticated, large-scale attacks often go undetected by conventional mitigation systems and strategies.
Types of attack by ‘Bad Bots’
- Account Takeover – Millions of compromised credentials are available on hacker dump sites, black markets and hacktivist forums. Attackers use automated bots and brute-force attacks to use these credentials, and programmatically attempt to login to target websites and applications. Such loss of customer’s sensitive information impacts brand reputation, in addition to the huge bot traffic slowing down the website or application performance.
- Gift Card Fraud – Accepting stolen-credit-cards lead to chargebacks and penalties. Excessive chargebacks result in termination of merchant’s account. Businesses struggle to prevent carding attacks because such attacks go unnoticed by conventional application security measures.
- Application DDoS – The application layer in an enterprise infrastructure stack directly impacts the user experience. Layer 7 Distributed Denial of Service (DDoS) attacks pose a business continuity threat, strain web applications, and create service performance degradation. Layer 7 attacks also cause downtime in the event of distributed and coordinated DDoS attacks.
- Competitive Espionage – Bots are being used to compile competitive intelligence of time-sensitive content like “Product Prices” on the e-commerce portals. This stolen competitive intelligence is being used to out-price the products and impact the competitiveness of the business.
- Content Scraping – For online business, Content is the king. Uniqueness of content, differentiates the business from the competition. Bots are capable of killing the uniqueness of the content by scraping and making it available on other sites. This impacts the competitiveness of the business
- Digital Ad Fraud – Bots perform invalid activity on the publisher’s website. Automated traffic causes dummy impressions and adversely impacts CTR (click-through rate). Bots undermine publisher’s efforts to help advertisers run successful ad campaigns. Existing security measures are ineffective to filter human-like bots.
- Skewed Analytics – Web crawlers, aggregators, and malicious bots cause noisy data. Non-human visitors impact conversion rates and other revenue metrics such as the look-to-book ratio. Automated traffic skews user engagement and retention metrics. The presence of bots also creates unexpected changes in your conversion funnel.
- Form Spam – Spammers are trawling the web on the lookout for forms in order to spam them. Form spams bring down the productivity of teams as it is cumbersome to differentiate the real enquiry from the spam enquiries. For specific businesses that capture lead information through forms, spam leads become a huge challenge to manage.
The core challenge for any bot management solution, is to detect every visitor’s intent to help differentiate between human and malicious non-human traffic. As more bad bot developers incorporate artificial intelligence (AI) to make human-like bots that can sneak past security systems, any effective counter measures must also leverage AI and machine learning (ML) techniques to accurately detect the most advanced bad bots.
Left unaddressed, bad bots cause serious problems thereby harming the success or even the continuance of an organisation. Automation abuse is happening 24×7 round the year, and it is critical to be alert and protected as the Bots are there for a purpose!
The best approach, therefore, is to block bad traffic before it ever reaches the public cloud, so you don’t get charged for cloud infrastructure services. Check your terms to see if you’re covered against such attacks and consider how you can protect yourself.
By Nikhil Karan Taneja, Managing Director-India, SAARC & Middle East, Radware