In recent years, an increasing number of people have become aware of online bot attacks in their diverse guises. The scale of the problem, however, is difficult to grasp. A 2022 report by Imperva found that 27.7% of all online traffic is not just bots but malicious bots specifically.
This type of attack has been found to be on the rise in certain regions, namely in Latin America, where automated bot attacks increased by 455% in just one year, per Statista figures, as well as APAC, with a 135% year-on-year increase.
Let’s dive into the facts more deeply, and look at bot attack prevention in detail.
What Are Bot Attacks?
Bot attacks are automated attacks set up by criminals and enabled by scripts (bots) that mimic human behavior and duplicate it. They are deployed against various targets, which can be a website, user, server, or even an API. In fact, there have been coordinated bot and botnet attacks against entire organizations, government agencies, and countries.
Bot attacks are a way for malevolent attackers to scale their efforts, as the automation element allows them to duplicate the actions they would have attempted manually, thus scaling up and making it easier to breach through any defenses.
Bot attacks may become easier to understand if you replace the word bot with another one: script. Because, like a computer programming script, a bot is an automated program that follows a set pattern of actions.
Their advantage is that they are scalable, automated, and easy to launch on a large scale. Human interaction is limited, and maintenance is quasi-non-existent.
In the context of fraud, it’s easy to launch bots and multiply attacks on thousands of websites at once – at various touchpoints, including signup, login, and checkout/payments.
What Are the Different Types of Bot Attacks?
Bots are essentially automated scripts, whose function is to mimic human behavior without human input. They range from the simple to the sophisticated, including those designed to respond to triggers, evade detection, or follow complex sequences of actions. Here are exampled of common bot attacks you may have to protect yourself against:
1. Credential Stuffing Bot Attacks
Credential stuffing is the automated attempt to crack someone’s account using a list of login details and passwords. It is extremely damaging for companies and their users, as it inevitably leads to account takeover fraud. Once bots have access to an account, fraudsters can cause all kinds of havoc, from identity theft to data breaches and payment fraud.
Statistically, these kinds of attacks have a low success rate, averaging around 0.1%, according to Cloudflare. This explains why fraudsters automate them using bots, which saves time and resources
2. DoS and DDoS Attacks
DDoS attacks, or denial of service and distributed denial of service attacks, are designed to overwhelm an organization’s resources so much that it is impossible to deal with legitimate requests. For example, a DDoS attack may target a website, having bots in the thousands – if not tens of thousands – load its pages or submit forms at the same time. As a result, the sever is overloaded and legitimate visitors can’t view pages or submit those forms for themselves.
These types of attacks would be impossible to perform manually, which is why bots are written. The attacks tend to fall into two categories:
- low and slow DDoS: where bots attack the server in a more subtle and less easy to identify manner. Minimal in scale but equally devastating in their potential, they become nuisances to the system, which has to dedicate resources to respond to the requests.
- Fast attacks: This term is often used to describe more traditional DDoS attacks, as opposed to low and slow methods. Strictly speaking, fast bot attacks rely on speed to achieve their purpose, firing their actions rapidly to breach through defenses.
3. Phishing Bot Attacks
Many phishing and other social engineering attacks are automated as they are a numbers game: fraudsters need to send thousands upon thousands of messages in order to successfully find a victim. Here are examples of phishing bots you may encounter online:
- Email phishing: to bypasss spam filters, fraudsters can create bots that automatically create new email addresses in order to message unsuspecting victims.
- Marketplace phishing: fraudsters launch scripts that automatically answer online ads by asking for the seller’s details. They can then find more information by using their name and address as a starting point.
- Social media phishing: Bots automatically send messages to users in order to get them to sign up to a service or reveal their personal information. This is popular both on traditional social media platforms, and messengers and VoIP services such as Telegram or Discord.
- Online dating phishing: bots are designed to replicate potential dating partner’s behavior on services such as Tinder. This can be the beginning of a romance scam or catfishing attempt.
4. Spambot Attacks
A spambot attack targets websites and takes advantage of various vulnerabilities to help a different website or page rank better and get more traffic. In the process, it is likely to result in a drop in traffic to the targeted website, because the bot’s spam content is incorrectly perceived as being created or enabled by the legitimate site’s administrators.
If your website has a public-facing tool such as an online form, a blog with open comments, or a shopping basket, you may be a the mercy of spambot attacks.
5. Scalper and Ticketing Bot Attack
Selling and buying tickets should be a straightforward affair. That’s until ticket scalpers realized they could buy the entire supply for a sold-out event and resell tickets at a higher price.
Of course, manually purchasing hundreds or thousands of tickets is physically impossible – especially when time is of the essence. This is where scalper and ticketing bots become a problem.
Fraudsters use automated scripts to purchase all the tickets as soon as possible. This has led to dissatisfied punters, and ticketing platforms scrambling for quick fixes.
6. Inventory Denial Bot Attack
The same concept as scalper bots also applies to ecommerce, where it is often known as an inventory denial attack. The fraudsters and unscrupulous competitors launch bots to deplete inventories often have no intention of actually purchasing everything, which leads to rising cases of return fraud in ecommerce.
Why do they do this? Sometimes, it’s because they work for competitors. Other times, they just want to take advantage of low prices and then inflate the price before they resell. The increasing popularity of “drop”-based marketing makes these bots even more popular for resellers, so much so that these scripts are often called “sneaker bots”. There is no shortage of clever schemes to take advantage of legitimate businesses and consumers.
Bot and botnet attacks are vastly damaging and can cost your company hefty tolls. Learn how we can help you stop them.
Ask an Expert
How Do Hackers Perform Bot Attacks?
In general terms, bot attacks can be thought of as having four distinct stages: reconnaissance, setup, attack, and outcome. Of course, the particulars as well as any sub-stages differ according to the type of bot attack involved.
Let’s take a look at the typical stages:
Stage 1 | Recon | The criminal will identify the target(s) and investigate the system for vulnerabilities. They may also procure new tools, software and stolen credentials (fullz) to enable their schemes. |
Stage 2 | Setup | This stage allows the attacker to plan for and set up the exact automated flow of the attack. What will be its frequency? What will be the method? When will it be conducted? Should it stop automatically and if so, when? |
Stage 3 | Attack | With the means of attack all set up, the attack takes place in earnest. Depending on the scheme, this may continue for days, even months or years, with adjustments made as the attacker learns what works and what doesn’t. |
Stage 4 | Outcome | The attacker may manage to reach their desired outcome, such as a DDoS outage or successful acquisition of several individuals’ credentials through phishing. Depending on the success of the outcome, the fraudster could choose to make adjustments and try again, or scrap the scheme altogether. |
What Is the Difference Between Bot Attacks and Botnet Attacks?
If bots allow fraudsters to automate specific schemes and workflows to scale up, botnets supersize these attacks by controlling dozens, hundreds – or even thousands – of zombie devices to wreak havoc.
In general terms, the closely related concept of botnet attacks involves several malicious bots attacking at the same time. This is to overwhelm the target’s defenses or otherwise make the attack more likely to succeed. These are often controlled centrally. A botnet functions as an army of bots, while an individual bot can be a more simple one-device tool that is designed to perform repetitive tasks without the need for human input.
Who Do Bot Attacks Target?
Bot attack targets are diverse and varied, just like victims of fraud or cybercrime. In general terms, the following are often targeted by bad bots:
- Websites: A bot may target websites for DDoS attacks, web content scraping, and so on.
- Online shops: There are plenty of reasons for criminals to want to target ecommerce and other companies that accept online payments. These include card testing, which is used to see which stolen card numbers are still valid, and account takeovers, which are increasingly more harmful due to shoppers storing their card numbers in their accounts for faster payments.
- Fintechs: Fintechs, online lenders, as well as companies in the BNPL sector, are prime targets for bot attacks. Some fraudsters want to carry out schemes that involve such things as automated and repeated attempts at loan applications, and account opening with stolen IDs.
- Individuals: Some fraudsters use bots and automation to target individuals, both private and professional. Perhaps predictably, these include obtaining personal information for identity theft and the creation of synthetic IDs. This is in addition to phishing for account passwords and further information to defraud others.
Why Are Bot Attacks Dangerous?
Bot attacks can harm their targets in a myriad of ways, depending on how they are deployed and the nature of the scheme.
For businesses in particular, the harmful effects of bot attacks include:
- revenue drop from lost sales or reputational damage
- website and/or server downtime
- increased chargeback requests, also affecting chargeback rates and relationships with payment processors
- organizational or customer data breaches
- compliance fines, such as those for anti-money laundering and GDPR – or even criminal charges
- decreases in stock price if a major attack is made public
- Google and other search engine ranking penalties for the website
Companies must do their best to prevent bot attacks, regardless of whether they are enabling fraud, cyberattacks, account takeovers, application fraud, or simply unscrupulous shopping.
Bot and botnet attacks can be hugely damaging and will cost your company in lost revenue, funds and reputation. SEON can stop them.
Ask an Expert
What Are Botkits?
Simply put, a botkit isn’t necessarily linked to malicious bots – it is any SDK (software development kit), often open-source, that allows its users to build or customize a bot. However, when botkits are used to enable cybercriminals to conduct bot attacks, they are bad news. Because of their customizability, they allow more tech-savvy fraudsters to work more efficiently.
The dark web as well as parts of the clearweb are rife with fraudsters helping each other and providing free or paid-for fraud enablement tools such as botkits, which can make bot attacks more devastating. Vigilance is key to bot attack prevention.
How to Prevent Bot Attacks using Bot Prevention Techniques
Bot attack prevention calls for a combination of strategies, tools and even bot detection software and fraud prevention vendors, depending on the type of attack a business tends to (or might) attract.
Monitoring traffic in real-time or regularly is key. Sophisticated fraud prevention solutions can be adjusted to do this at certain touchpoints, including signup, onboarding, transactions or even other requests filed online. For web traffic attacks, a firewall is also key.
At signup, it is wise to try to gather as much information about a user as possible. If you use a system like SEON to enrich the data that the user gives you (such as their email address) to figure out more about their online digital footprint, you might notice traffic that lacks a convincing online presence. Information like this is key to becoming better equipped to identify malicious bots.
Enabled by fraud prevention systems, velocity checks can check data points like browser hashes, device hashes, or particular patterns in transaction behavior to passively identify a device to pinpoint hidden connections between users. This will help catch bots that cycle through different IP addresses and browsers – for example, in their efforts to appear as if they are separate, legitimate users every time.
Multi-factor authentication (MFA) at login can stop credential-stuffing bots in their tracks, as well as those attempting brute-force password cracking.
In terms of accepting card payments, strong customer authentication (SCA), even when it is not mandated by law, will make the attempts of bot-wielding criminals less successful.
Sometimes, simple steps taken at specific touchpoints can reduce bot attack risk for a company. A commonly cited example of this is the use of CAPTCHA forms to stop bots from overwhelming websites via form submission. However, this particular example is one to avoid: In fact, fraudsters have come up with CAPTCHA solver bots to overcome this obstacle.
Finally, we would be remiss not to mention machine learning in the fight against bot attacks. This type of artificial intelligence is highly effective at identifying new, suspicious patterns in behavior that might indicate automation, or bot-like connections between accounts. These are patterns that might be hard or impossible to detect by a human analyst. Because of this, a bot attack prevention system that includes machine learning can be excellent at catching new attack trends and previously unseen schemes.
How SEON Can Help You Prevent Bot Attacks
Bot attack prevention is becoming a central pain point for a number of verticals, including ticketing, where 39% of all traffic comes from bad bots, or gambling and gaming (25.9%). This is why SEON flags and blocks bot activity at several touchpoints and in real-time, always informed by fraud trends and industry needs.
By combining multiple tools such as powerful velocity checks, unique digital footprinting from 90+ online sources, device fingerprinting, and many other insights, SEON allows you to detect bots and block their attacks from damaging your business.
Importantly, SEON provides detailed reporting and modular APIs, and allows you to fine-tune and adjust your bot prevention and other fraud detection strategy based on your own needs and risk appetites. To discover how our fraud-fighting platform can help your organization, you can sign up for SEON for free.
You might also be interested in reading about:
- SEON: Bot Detection: How to Detect Bots
- SEON: Guide to Bot Mitigation
- SEON: Credential Stuffing: Prevention & Best Practices for Defense
Sources