Bot Attacks: What They Are and How to Stop Them

by Florian Tanant

Following the 2016 US presidential election, an increasing number of people have become aware of online bot attacks.

The scale of the problem, however, is hard for an ordinary web user to imagine. In the financial industry, for instance, bots can make up as much as 42% of total traffic. Elsewhere, their activity accounts for 1 in 5 website requests.

But what exactly are bots, and how do they damage online businesses? More importantly, how do we prevent them from attacking organizations?

How Does a Bot Attack Work?

Bot attacks are easy to understand if you replace the word bot with another one: script. Put simply, a bot is a script: an automated program that follows a set pattern of actions. 

An example scenario would be:

  1. A fraudster has access to 5,000 stolen credit card numbers.
  2. They go on an ecommerce website and purchase an item.
  3. A script (or bot) automatically cycles through all the credit card numbers at checkout so they can find one that works.

Of course, there is a high chance that they will be flagged by the online store, especially if they log out and log back in from the same computer.

To improve their odds, they can create a second bot that:

  • reconnects to the website using a proxy (to hide their IP address)
  • automatically fills out the checkout info using the name of the cardholder

Success! Our fraudster can now try all their stolen credit card numbers, and the second script makes each attempt look like it comes from a different user.

That is, unless the store they are attacking uses sophisticated fraud prevention and bot detection software.
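As an added example that is not part of the original article, here is how a merchant's fraud team might express the velocity rule that catches the checkout scenario above: it counts how many distinct cards a single IP or device presents inside a short window, and applies the same rule keyed on the device so that rotating the IP through a proxy does not help. The checkout log, the field names (`ip`, `device_id`, `card`) and the thresholds are constructed assumptions.

```python
"""Velocity rules against card-testing bots at checkout.

Added example, not code from the original article. The checkout log below is
constructed, and the field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed checkout attempts: (timestamp, ip, device_id, card, outcome).
# 10:00-10:04  one device, one IP, five different cards   -> plain card testing
# 10:20-10:24  one device, IP rotated per attempt (proxy)  -> evades an IP-only rule
# 10:30-10:31  a real customer retrying the same card after a decline
RAW_EVENTS = [
    ("2024-01-01T10:00:00", "203.0.113.5",  "dev-a1", "card-0001", "declined"),
    ("2024-01-01T10:01:00", "203.0.113.5",  "dev-a1", "card-0002", "declined"),
    ("2024-01-01T10:02:00", "203.0.113.5",  "dev-a1", "card-0003", "declined"),
    ("2024-01-01T10:03:00", "203.0.113.5",  "dev-a1", "card-0004", "approved"),
    ("2024-01-01T10:04:00", "203.0.113.5",  "dev-a1", "card-0005", "declined"),
    ("2024-01-01T10:20:00", "198.51.100.1", "dev-b2", "card-0101", "declined"),
    ("2024-01-01T10:21:00", "198.51.100.2", "dev-b2", "card-0102", "declined"),
    ("2024-01-01T10:22:00", "198.51.100.3", "dev-b2", "card-0103", "declined"),
    ("2024-01-01T10:23:00", "198.51.100.4", "dev-b2", "card-0104", "declined"),
    ("2024-01-01T10:24:00", "198.51.100.5", "dev-b2", "card-0105", "approved"),
    ("2024-01-01T10:30:00", "192.0.2.77",   "dev-c3", "card-0500", "declined"),
    ("2024-01-01T10:31:00", "192.0.2.77",   "dev-c3", "card-0500", "approved"),
]

EVENTS = [
    {"ts": datetime.fromisoformat(ts), "ip": ip, "device_id": dev,
     "card": card, "outcome": out}
    for ts, ip, dev, card, out in RAW_EVENTS
]

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_DISTINCT_CARDS = 3           # assumed threshold per key inside the window


def velocity_alerts(events, key_field, window=WINDOW, max_cards=MAX_DISTINCT_CARDS):
    """Map each `key_field` value (an IP or a device id) to the largest number
    of distinct cards it presented inside any sliding `window`, keeping only
    the keys that exceed `max_cards`."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[ev[key_field]].append(ev)
    alerts = {}
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span is at most `window` long
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = len({e["card"] for e in evs[start:end + 1]})
            if distinct > max_cards:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def decline_ratio(events, key_field):
    """Share of declined attempts per key; card testers are declined far more
    often than real customers, which makes a useful second signal."""
    totals, declines = defaultdict(int), defaultdict(int)
    for ev in events:
        totals[ev[key_field]] += 1
        declines[ev[key_field]] += ev["outcome"] == "declined"
    return {k: declines[k] / totals[k] for k in totals}


def suspect_devices(events):
    """Devices flagged by either the IP-keyed rule or the device-keyed rule."""
    by_ip = velocity_alerts(events, "ip")
    by_dev = velocity_alerts(events, "device_id")
    flagged = set(by_dev)
    for ev in events:
        if ev["ip"] in by_ip:
            flagged.add(ev["device_id"])
    return flagged


if __name__ == "__main__":
    print("by IP:    ", velocity_alerts(EVENTS, "ip"))
    print("by device:", velocity_alerts(EVENTS, "device_id"))
    print("suspects: ", sorted(suspect_devices(EVENTS)))
```

Run stand-alone, the IP-keyed rule flags only `203.0.113.5`, because the proxy-rotating device `dev-b2` shows each IP a single card; the device-keyed rule flags both `dev-a1` and `dev-b2`, while the genuine customer retrying one card is never flagged. This is why the article's second bot, which only hides the IP, is not enough on its own against a store that keys its rules on a device identifier as well.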

Automating for Mass Attacks

Bots, also known as internet robots, spiders, crawlers, and web bots, are essentially programs designed to perform repetitive jobs. Good ones index websites for a search engine. Bad ones, however, infect computers and send back harvested data such as passwords, logged keystrokes, or captured packets. They can also be used to multiply attempts at infiltrating a website.

Their advantage is that they are automated, scalable, and easy to launch in volume. Human interaction is limited, and maintenance is practically non-existent. In the context of fraud, it is therefore easy to launch bots against thousands of websites at once and to attack several touchpoints:

  • at signup: create fake user registrations (account farming)
  • at logins: perform account takeovers (ATO attacks)
  • at the checkout: pay with stolen credit card numbers

Here, you can see the origins of automated traffic around the world for the second half of 2021:

Map of Automated Traffic

Increasing Sophistication

An important thing to note about bots is that building them requires considerable time, resources, and money. They are not cheap to develop, and are therefore the work of organized fraud rings with vast available resources.

This is particularly true since their sophistication needs to increase with every detection. As fraudsters play a constant game of cat and mouse with fraud-prevention teams, the bots need to evolve, becoming more complex, agile, and harder to stop.

Breaking Down a Fraudulent Bot Attack

Every fraudulent bot attack comes in two stages. The first is building a database of legitimate user information.

This data is generally acquired on the dark net, and can require a large investment. To multiply their success rates, fraudsters have to acquire many thousands of data points, such as:

  • Fullz: packages containing a first name, last name, date of birth and address, optionally with a pre-created email address and credit card information
  • Stolen credit card details: gathered from fake websites or phishing attacks
  • Login information: an email/username and password combination, usually acquired from large data breaches

Once they have built their database, fraudsters use bots to replicate the behavior of a legitimate user. Once again, this involves significant resources, designed to:

  • Spoof devices: Because it would be inefficient to use a single PC or smartphone for each attempt, fraudsters use software that can emulate multiple browsers, operating systems, and devices. Each attempt tweaks minor parameters so that it appears under a new device ID, in order to avoid blacklisting and detection by velocity rules. Sometimes they simply skip JavaScript execution and cookie storage altogether, which is a red flag in itself.
  • Fake IPs: IP spoofing is usually done through server-type ISPs (hosting providers), VPNs or Tor connections. However, more sophisticated attacks can use genuine residential connections from commercial proxy services, infected computers, or companies that specialize in selling bulletproof residential networks.
  • Replicate human behavior: The most sophisticated bots have a set of pre-programmed actions, such as pages to visit and specific cursor movements, designed to make them look like genuine user interactions.

Captchas vs Digital Footprint Analysis

Historically, the immediate solution for flagging suspicious online behavior was to implement a captcha. An acronym for Completely Automated Public Turing test to tell Computers and Humans Apart, a captcha usually shows distorted text and images and asks you to type what you read, something computers were bad at solving. In short, captchas used to be a great way to separate human traffic from automated traffic.


These days, however, fraudsters have caught up with the technology: there are now hundreds of captcha solvers on the market that will defeat this security measure.

Image: a service selling solved captchas, or allowing you to solve them for a cut of the sale.

The other – and only – solution is therefore to build a full digital footprint of your users. Risk assessment needs to cover as many data points as possible in order to provide a clear picture of who is accessing your website. This can be done via a combination of tactics, such as:

  • Email lookup: measuring things like address validity, domain quality and social media links is a great step in building an accurate profile of the user.
  • Device fingerprinting: creating hashes from numerous browser and device parameters can reveal the true nature of your users’ connections.
  • Data enrichment: cross-referencing the gathered data against known databases of stolen IDs, social media profiles, or even shared blacklists.
  • Machine learning: feeding all the data gathered from the aforementioned tools into an AI-powered system can automate the generation of rules. These rules can also improve over time as you gather more data and refine your online protection measures.
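The footprint analysis above, together with the device-spoofing red flags from the earlier section (no JavaScript, no cookies, one parameter tweaked per attempt, a device hash shared by many identities), can be put together into a simple weighted risk score. The following is an added example and not code from the original article or any vendor's product; the domain lists, ASNs, device attribute names, signal weights and decision thresholds are all constructed assumptions.

```python
"""Digital-footprint risk scoring: email lookup, device fingerprinting,
data enrichment and a weighted rule model.

Added example, not code from the original article or any vendor. All lookup
tables, attribute names, weights and thresholds are constructed assumptions.
"""
import hashlib
import json

# Constructed enrichment data; in practice these come from lookup services,
# breach feeds and shared blocklists.
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}
DATACENTER_ASNS = {"AS64496", "AS64497"}          # documentation-range ASNs
BREACHED_EMAILS = {"victim@example.org"}

# Attributes a bot farm cannot vary freely without breaking the browser it
# emulates; hashing only these resists "tweak one parameter per attempt".
STABLE_ATTRS = ("platform", "timezone", "languages", "screen", "webgl_renderer")

# Signal weights (assumed); higher means stronger evidence of automation.
SIGNALS = {
    "disposable_email": 30,
    "email_in_breach": 15,
    "datacenter_ip": 25,
    "no_javascript": 35,
    "no_cookies": 15,
    "ua_platform_mismatch": 25,
    "device_reuse": 30,
}


def device_fingerprint(device):
    """Stable hash over the attributes in STABLE_ATTRS only."""
    canonical = json.dumps({k: device.get(k) for k in STABLE_ATTRS}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def evaluate(session, seen_devices):
    """Return (score, triggered_signals) for one signup/login/checkout session.

    `seen_devices` maps a fingerprint to the set of emails already seen on it
    and is updated in place, so the caller can keep it across sessions."""
    triggered = []
    email = session["email"].lower()
    domain = email.rsplit("@", 1)[-1]
    device = session["device"]

    # Email lookup and data enrichment
    if domain in DISPOSABLE_DOMAINS:
        triggered.append("disposable_email")
    if email in BREACHED_EMAILS:
        triggered.append("email_in_breach")
    if session["asn"] in DATACENTER_ASNS:
        triggered.append("datacenter_ip")

    # Browser behaviour a headless script often skips
    if not session["js_executed"]:
        triggered.append("no_javascript")
    if not session["cookies_enabled"]:
        triggered.append("no_cookies")

    # Spoofed User-Agent that disagrees with what the browser itself reports
    claims_iphone = "iPhone" in session["user_agent"]
    if claims_iphone != (device.get("platform") == "iOS"):
        triggered.append("ua_platform_mismatch")

    # Device fingerprinting: one device hash cycling through many identities
    fp = device_fingerprint(device)
    other_users = seen_devices.get(fp, set()) - {email}
    if len(other_users) >= 3:
        triggered.append("device_reuse")
    seen_devices.setdefault(fp, set()).add(email)

    return sum(SIGNALS[s] for s in triggered), triggered


def decision(score):
    """Map a score to an action; the thresholds are assumed."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "review"
    return "allow"


# Constructed sessions: a normal desktop customer and a headless script on a
# hosting-provider IP that claims to be an iPhone.
LEGIT = {
    "email": "alice@example.com", "asn": "AS64510",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120",
    "js_executed": True, "cookies_enabled": True,
    "device": {"platform": "Windows", "timezone": "Europe/Paris",
               "languages": "fr-FR,en", "screen": "1920x1080",
               "webgl_renderer": "ANGLE (Intel)"},
}
BOT = {
    "email": "x9f2k@tempmail.example", "asn": "AS64496",
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari",
    "js_executed": False, "cookies_enabled": False,
    "device": {"platform": "Linux", "timezone": "UTC",
               "languages": "en-US", "screen": "800x600",
               "webgl_renderer": "SwiftShader"},
}

if __name__ == "__main__":
    seen = {}
    for name, s in (("legit", LEGIT), ("bot", BOT)):
        score, why = evaluate(s, seen)
        print(name, score, decision(score), why)
```

The scoring is deliberately additive so that no single signal decides the outcome: a customer on a VPN or a user with an old breached address lands in review rather than being blocked outright, while a session that skips JavaScript, presents no cookies, arrives from a hosting provider and lies about its platform accumulates enough weight to be blocked. The `seen_devices` map is the piece that catches the spoofed-device pattern from the earlier section: because the hash covers only attributes the emulator must keep consistent, a farm that cycles through many accounts on one emulated browser still collides on the same fingerprint.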

Key Bot Attacks Takeaway: No One-Size-Fits-All Solution

As criminal rings pour more and more resources into their bot attacks, it becomes increasingly challenging to detect them. And the problem is growing for a number of verticals, including ticketing, where 39% of all traffic comes from bad bots, or gambling and gaming (25.9%).

Sadly, the captcha, once a magic bullet against bot attacks, is no longer effective. These days, organizations have to layer multiple fraud detection tools at login, signup and checkout in order to flag bots.

By combining multiple tools such as email analysis, device fingerprinting, data enrichment and machine learning, you should be able to detect bots and stop future bot attacks from damaging your business.

You might also be interested in reading about:

  • TechCrunch: Bots distorted the 2016 Election. Will the midterms be a sequel?
  • Finadium: Financial services tops list for “bad bot” attacks
  • Krebs on Security: The Rise of “Bulletproof” Residential Networks

Florian Tanant

Communication Specialist | Florian helps tech startups and global leaders organise their thoughts, find their voices, and connect with customers worldwide.
