Bot Attacks: What They Are and How to Stop Them
Last Updated: January 03, 2023 by Florian Tanant
In recent years, an increasing number of people have become aware of online bot attacks in their diverse guises. The scale of the problem, however, is difficult to grasp. A 2022 report by Imperva found that 27.7% of all online traffic is not just bots but malicious bots specifically.
This type of attack has been found to be on the rise in certain regions, namely in Latin America, where automated bot attacks increased by 455% in just one year, per Statista figures, as well as APAC, with a 135% year-on-year increase.
Let’s dive into the facts more deeply, and look at bot attack prevention in detail.
What Are Bot Attacks?
Bot attacks are automated attacks set up by criminals and enabled by scripts (bots) that mimic human behavior and duplicate it. They are deployed against various targets, which can be a website, user, server, or even an API. In fact, there have been coordinated bot and botnet attacks against entire organizations, government agencies, and countries.
Bot attacks are a way for malevolent attackers to scale their efforts: automation lets them repeat the actions they would otherwise have attempted manually, at a volume that makes it easier to get past defenses.
Bot attacks may become easier to understand if you replace the word bot with another one: script. Because, like a computer programming script, a bot is an automated program that follows a set pattern of actions.
Their advantage is that they are scalable, automated, and easy to launch on a large scale. Human interaction is limited, and maintenance is quasi-non-existent.
In the context of fraud, it’s easy to launch bots and multiply attacks on thousands of websites at once – at various touchpoints, including signup, login, and checkout/payments.
Types of Bot Attacks
As the use of bots is a fraud and crime-enabling technique, there is a wide range and variety of bot attacks plaguing businesses and organizations, as well as private individuals. This is part of why it can be so difficult to detect bots. Some bot types to keep in mind include:
- Automated scripts: Every bot is an automated script, whose function is to mimic human behavior without human input. However, when we talk about automated scripts as a type of bot, these tend to be one of the simplest, most basic versions made to automate specific actions or sequences of actions at specific times or following certain triggers.
- Sophisticated bot attacks: On the opposite end of the spectrum from more rudimentary automated scripts, we have more sophisticated bot attacks, which are more convincingly human-like. As a result, they are more likely to successfully fool systems that are set up to identify bots.
- Botnet attacks: Several bots comprise a botnet, which will generally be centrally controlled, in order to make a bot attack more devastating.
- Spambot attacks: A spambot attack targets websites and takes advantage of various vulnerabilities to help a different website or page rank better and get more traffic. In the process, it is likely to result in a drop in traffic to the targeted website, because the bot’s spam content is incorrectly perceived as being created or enabled by the legitimate site’s administrators.
- Phishing bot attacks: Many phishing and other social engineering attacks are automated, as they are a numbers game – in this case, they are likely to be enabled by bots.
- Credential stuffing attacks: A brute force style of attack, credential stuffing consists of attempts to hijack online accounts by having bots automatically try long lists of illegally acquired, or otherwise leaked, credentials – username/password combinations. Successful credential stuffing attacks lead to account takeovers.
- DoS and DDoS attacks: Short for denial of service and distributed denial of service, these types of attacks overwhelm an organization’s resources so much that it is impossible to deal with legitimate requests. For example, a DDoS attack may target a website, having bots in the thousands – if not tens of thousands – load its pages or submit forms at the same time. As a result, the server is overloaded and legitimate visitors can’t view pages or submit those forms for themselves.
- Low and slow attacks: These are a type of more strategic DoS/DDoS scheme, which attacks the server in a more subtle and less easy to identify manner. Minimal in scale but equally devastating in their potential, they become nuisances to the system, which has to dedicate resources to respond to the requests.
- Fast attacks: This term is often used to describe more traditional DDoS attacks, as opposed to low and slow methods. Strictly speaking, fast bot attacks rely on speed to achieve their purpose, firing their actions rapidly to breach through defenses.
How Do Hackers Perform Bot Attacks?
In general terms, bot attacks can be thought of as having four distinct stages: reconnaissance, setup, attack, and outcome. Of course, the particulars as well as any sub-stages differ according to the type of bot attack involved.
Let’s take a look at the typical stages:
|Stage|Name|Description|
|---|---|---|
|Stage 1|Recon|The criminal will identify the target(s) and investigate the system for vulnerabilities. They may also procure new tools, software and stolen credentials (fullz) to enable their schemes.|
|Stage 2|Setup|This stage allows the attacker to plan for and set up the exact automated flow of the attack. What will be its frequency? What will be the method? When will it be conducted? Should it stop automatically and if so, when?|
|Stage 3|Attack|With the means of attack all set up, the attack takes place in earnest. Depending on the scheme, this may continue for days, even months or years, with adjustments made as the attacker learns what works and what doesn’t.|
|Stage 4|Outcome|The attacker may manage to reach their desired outcome, such as a DDoS outage or successful acquisition of several individuals’ credentials through phishing. Depending on the success of the outcome, the fraudster could choose to make adjustments and try again, or scrap the scheme altogether.|
What Are Botkits?
Simply put, a botkit isn’t necessarily linked to malicious bots – it is any SDK (software development kit), often open-source, that allows its users to build or customize a bot. However, when botkits are used to enable cybercriminals to conduct bot attacks, they are bad news. Because of their customizability, they allow more tech-savvy fraudsters to work more efficiently.
The dark web as well as parts of the clearweb are rife with fraudsters helping each other and providing free or paid-for fraud enablement tools such as botkits, which can make bot attacks more devastating. Vigilance is key to bot attack prevention.
What Is the Difference Between Bot Attacks and Botnet Attacks?
If bots allow fraudsters to automate specific schemes and workflows to scale up, botnets supersize these attacks by controlling dozens, hundreds – or even thousands – of zombie devices to wreak havoc.
In general terms, the closely related concept of botnet attacks involves several malicious bots attacking at the same time. This is to overwhelm the target’s defenses or otherwise make the attack more likely to succeed. These are often controlled centrally. A botnet functions as an army of bots, while an individual bot can be a more simple one-device tool that is designed to perform repetitive tasks without the need for human input.
Who Do Bot Attacks Target?
Bot attack targets are diverse and varied, just like victims of fraud or cybercrime. In general terms, the following are often targeted by bad bots:
- Websites: A bot may target websites for DDoS attacks, web content scraping, and so on.
- Online shops: There are plenty of reasons for criminals to want to target ecommerce and other companies that accept online payments. These include card testing, which is used to see which stolen card numbers are still valid, and account takeovers, which are increasingly more harmful due to shoppers storing their card numbers in their accounts for faster payments.
- Fintechs: Fintechs, online lenders, as well as companies in the BNPL sector, are prime targets for bot attacks. Some fraudsters want to carry out schemes that involve such things as automated and repeated attempts at loan applications, and account opening with stolen IDs.
- Individuals: Some fraudsters use bots and automation to target individuals, both private and professional. Perhaps predictably, these include obtaining personal information for identity theft and the creation of synthetic IDs. This is in addition to phishing for account passwords and further information to defraud others.
Why Are Bot Attacks Dangerous?
Bot attacks can harm their targets in a myriad of ways, depending on how they are deployed and the nature of the scheme. For businesses in particular, the harmful effects of bot attacks include:
- revenue drop from lost sales or reputational damage
- website and/or server downtime
- increased chargeback requests, also affecting chargeback rates and relationships with payment processors
- organizational or customer data breaches
- compliance fines, such as those for anti-money laundering and GDPR – or even criminal charges
- decreases in stock price if a major attack is made public
- Google and other search engine ranking penalties for the website
Companies must do their best to prevent bot attacks, regardless of whether they are enabling fraud, cyberattacks, account takeovers, application fraud, or simply unscrupulous shopping.
Bot Attack Examples
While common fraudulent bot activities include DDoS and phishing attacks, fraudsters also use bots to automate plenty of other processes related to fraud.
1. Scalper and Ticketing Bot Attack
Selling and buying tickets should be a straightforward affair. That was until ticket scalpers realized they could buy the entire supply for a sold-out event and resell tickets at a higher price.
Of course, manually purchasing hundreds or thousands of tickets is physically impossible – especially when time is of the essence. This is where scalper and ticketing bots become a problem.
Fraudsters use automated scripts to purchase all the tickets as soon as possible. This has led to dissatisfied punters, and ticketing platforms scrambling for quick fixes.
2. Inventory Denial Bot Attack
The same concept as scalper bots also applies to ecommerce, but there’s one added problem…
The fraudsters and unscrupulous competitors who launch bots to deplete inventories often have no intention of actually purchasing everything, which leads to rising cases of return fraud in ecommerce.
Why do they do this? Sometimes, it’s because they work for competitors. Other times, they just want to take advantage of low prices and then inflate the price before they resell. The increasing popularity of “drop”-based marketing makes these bots even more popular for resellers, so much so that these scripts are often called “sneaker bots”. There is no shortage of clever schemes to take advantage of legitimate businesses and consumers.
3. Credential Stuffing Bot Attacks
Credential stuffing is the automated attempt to crack someone’s account using a list of login details and passwords.
Statistically, these kinds of attacks have a low success rate, averaging around 0.1%, according to Cloudflare. This explains why fraudsters would rather get bots to perform them.
In spite of this, credential stuffing is extremely damaging for companies and their users, as it inevitably leads to an account takeover. Once they have access to an account, fraudsters can cause all kinds of havoc, from identity theft to data breaches.
How to Prevent Bot Attacks Using Bot Prevention Techniques
Bot attack prevention calls for a combination of strategies, tools and even software and fraud prevention vendors, depending on the type of attack a business tends to (or might) attract.
Monitoring traffic in real-time or regularly is key. Sophisticated fraud prevention solutions can be adjusted to do this at certain touchpoints, including signup, onboarding, transactions or even other requests filed online. For web traffic attacks, a firewall is also key.
At signup, it is wise to try to gather as much information about a user as possible. If you use a system like SEON to enrich the data that the user gives you (such as their email address) to figure out more about their online digital footprint, you might notice traffic that lacks a convincing online presence. Information like this is key to becoming better equipped to identify malicious bots.
Enabled by fraud prevention systems, velocity checks can check data points like browser hashes, device hashes, or particular patterns in transaction behavior to passively identify a device to pinpoint hidden connections between users. This will help catch bots that cycle through different IP addresses and browsers – for example, in their efforts to appear as if they are separate, legitimate users every time.
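A minimal velocity check of the kind described above, added here as an illustration (it is not SEON's code): login events are keyed on a device hash rather than the IP address, so a client that rotates IPs still accumulates a single history. The event fields, thresholds and window length are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2023, 1, 3, 12, 0)  # arbitrary start time for the sample data

def at(minutes):
    return T0 + timedelta(minutes=minutes)

# Constructed sample events: (timestamp, device_hash, ip, account).
EVENTS = [
    # One device trying five accounts from five IPs within four minutes.
    (at(0), "dev-a1", "203.0.113.10", "alice"),
    (at(1), "dev-a1", "203.0.113.11", "bob"),
    (at(2), "dev-a1", "198.51.100.7", "carol"),
    (at(3), "dev-a1", "198.51.100.8", "dave"),
    (at(4), "dev-a1", "192.0.2.55", "erin"),
    # Ordinary user: same account, same IP, two logins.
    (at(0), "dev-b2", "192.0.2.20", "frank"),
    (at(5), "dev-b2", "192.0.2.20", "frank"),
    # Shared household device: four accounts, but hours apart.
    (at(0), "dev-c3", "192.0.2.30", "gina"),
    (at(120), "dev-c3", "192.0.2.30", "hal"),
    (at(240), "dev-c3", "192.0.2.30", "ivy"),
    (at(360), "dev-c3", "192.0.2.30", "jon"),
]

def velocity_flags(events, window_minutes=10, max_accounts=3, max_ips=3):
    """Flag device hashes that exceed the assumed thresholds in a sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # device_hash -> events still inside the window
    flags = defaultdict(set)
    for ts, device, ip, account in sorted(events):
        q = recent[device]
        q.append((ts, ip, account))
        while ts - q[0][0] > window:  # evict events older than the window
            q.popleft()
        if len({a for _, _, a in q}) > max_accounts:
            flags[device].add("many_accounts")
        if len({i for _, i, _ in q}) > max_ips:
            flags[device].add("ip_rotation")
    return {d: sorted(r) for d, r in flags.items()}

if __name__ == "__main__":
    print(velocity_flags(EVENTS))
```

The window length is the tuning knob: widening it to 12 hours also flags the shared household device, which is why velocity thresholds are usually set per touchpoint rather than globally.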
Multi-factor authentication (MFA) at login can stop credential-stuffing bots in their tracks, as well as those attempting brute-force password cracking.
In terms of accepting card payments, strong customer authentication (SCA), even when it is not mandated by law, will make the attempts of bot-wielding criminals less successful.
Sometimes, simple steps taken at specific touchpoints can reduce bot attack risk for a company. A commonly cited example of this is the use of CAPTCHA forms to stop bots from overwhelming websites via form submission. However, this particular example is one to avoid: In fact, fraudsters have come up with CAPTCHA solver bots to overcome this obstacle.
Finally, we would be remiss not to mention machine learning in the fight against bot attacks. This type of artificial intelligence is highly effective at identifying new, suspicious patterns in behavior that might indicate automation, or bot-like connections between accounts. These are patterns that might be hard or impossible to detect by a human analyst. Because of this, a bot attack prevention system that includes machine learning can be excellent at catching new attack trends and previously unseen schemes.
How SEON Can Help You Prevent Bot Attacks
Bot attack prevention is becoming a central pain point for a number of verticals, including ticketing, where 39% of all traffic comes from bad bots, or gambling and gaming (25.9%). This is why SEON flags and blocks bot activity at several touchpoints and in real-time, always informed by fraud trends and industry needs.
By combining multiple tools such as powerful velocity checks, unique digital footprinting from 50+ online sources, device fingerprinting, and many other insights, SEON allows you to detect bots and block their attacks from damaging your business.
Importantly, SEON provides detailed reporting and modular APIs, and allows you to fine-tune and adjust your bot prevention and other fraud detection strategy based on your own needs and risk appetites. To discover how our fraud-fighting platform can help your organization, you can sign up for SEON for free.
Communication Specialist | Florian helps tech startups and global leaders organise their thoughts, find their voices, and connect with customers worldwide.