Follow Us! ThumbsUp
info@seon.io+44 20 3997 6090
Bot Detection: How to Detect Bots

Fraudsters are just as tech-savvy as they are lazy. How can they multiply attacks to target your business? Through the use of bots.

Thankfully, bot detection is easier than you might first think.

What Is Bot Detection?

Bot detection is any process designed to identify the presence of bot traffic on a website, server, network, etc. It is made to detect individual bots and scripts, as well as botnets comprised of several bots, which can be in the thousands. The idea is to be able to tell human traffic from bot traffic.

In general terms, you may want to block your average bot. But they’re not all malicious bots – but there are also useful bots out there that you will certainly want to allow, such as Google’s spiders, which index web pages.

In the context of fraud detection, bot traffic always has a negative connotation, as fraudsters will attempt to use bots in order to automate and scale their attempts against a business or organization.

Why Detect Bot Traffic?

As a business, your goal is to ensure web traffic comes from legitimate users, so you’ll want to detect bots and block their access to all or certain parts of your infrastructure. This is because fraudsters rely on bots to automate actions such as taking over user accounts, making payments with stolen credit cards, or digital onboarding with fake identity details

To make matters worse, bot attacks are on the rise globally. Cybersecurity firm Spamhaus identified a 23% increase in botnet traffic in Q4 2021 compared with the previous quarter. 

Here is a map of where this automated traffic comes from:

Map of Automated Traffic
Map courtesy of Spamhaus
Let’s Stop Bot Fraud Together

Explore a demo with us today and find out how we can help you together.

Book a Demo

3 More Examples of Fraud Bots

The most common fraudulent bots will execute DDoS, also known as Distributed Denial of Service attacks, as part of a botnet – a network of bots. They’re designed to overwhelm a website, application, or network, essentially taking it down. 

However, fraudsters use bots to automate all kinds of processes related to fraud, such as:

1. Scalper and Ticketing Bots

Selling and buying tickets was supposed to be a straightforward affair. That’s until ticket scalpers realized they could buy the entire supply for a sold-out event and resell tickets at a higher price. 

Of course, manually purchasing hundreds or thousands of tickets is physically impossible – especially when time is of the essence. This is where scalper and ticketing bots become a problem. 

Put simply, fraudsters use automated scripts to purchase all the tickets as soon as possible. This has led to dissatisfied punters, and ticketing platforms scrambling for quick fixes.

Bot Detection

2. Inventory Denial Attack Bots

The same concept as scalper bots also applies to ecommerce, but there’s one added problem…

The fraudsters and unscrupulous competitors who launch bots to deplete inventories often have no intention of actually purchasing everything, which leads to rising cases of return fraud.  

3. Credential Stuffing Bots

Credential stuffing is the automated attempt to “crack” someone’s account using a list of login details and passwords. 

Statistically, these kinds of attacks have a low success rate, averaging around 0.1%, according to Cloudflare. This explains why fraudsters would rather get bots to perform them. 

In spite of the low success rate, credential stuffing is extremely damaging for companies and their users, as it inevitably leads to an account takeover. Once they have access to an account, fraudsters can cause all kinds of havoc, from identity theft to data breaches.

Why Is Bot Detection So Difficult?

When it comes to the detection of basic bots, adding a few rudimentary technical hurdles will work. For instance, CAPTCHA is known to reduce bot-driven form submissions by 88%.

Things get more challenging when you deal with bots designed to replicate human behavior

Referral fraudsters, for instance, utilize sophisticated automation designed to trigger affiliate rewards.

This is an example of what this kind of bot can do:

  1. A fraudster signs up for a pay-per-lead program
  2. They launch bots to automatically click on the link
  3. Automatically fill in all the details using synthetic or made-up user data
  4. Deposit money using a stolen credit card number
  5. Trigger the signup reward
  6. Change the IP and device settings, and repeat

As you can imagine, complex sequences of events are harder to detect than simple fraud attacks – especially if they’re designed to pass off as a human. 

That is, of course, unless you have the right bot detection tool at your disposal.

Common Bot Detection Techniques

Bot detection techniques commonly in use to find and stop bot traffic include flagging suspicious tools that enable bots, as well as privacy-focused browsers and other known software and apps. There is, of course, much more:

  • Device fingerprinting: This technique allows the software to gather non-identifiable information about each visitor’s software and hardware, in order to identify any use of suspicious tools and software that could hint at a bot or script.
  • Device hashes: In the case of bots set up to commit multi-accounting abuse, creating and comparing device hashes will allow us to identify returning users and bots, even if they attempt to pass off as different people.
  • Real-time monitoring: It’s important for high-risk organizations to continually monitor this traffic rather than at regular intervals, if the aim is to catch and stop bad bots.
  • Firewalls and blocklists: Depending on the needs, infrastructure, and risk appetite of the business, you may find that a Web Application Firewall (WAF) or Access Control List (ACL) is sufficient. This will observe and filter traffic, blocking unknown users, including bots.
  • CAPTCHAs: For bots set up to automate the creation of multiple accounts, including for bonus abuse and other pain points, sometimes the addition of a CAPTCHA “prove that you’re human” step to onboarding is enough to stop them.
  • MFA and 2FA: To mitigate against bot-enabled account takeovers, user awareness goes a long way – including encouraging or forcing users to user multi-factor authentication.

How to Detect Bots with SEON

At SEON, we understand that bot detection only works if you have enough data at your disposal. 

This is how we break it down on our platform.

Data Enrichment

The first step is to learn more about our “user”. We can start with easily obtainable information, such as their IP address.

IP Detection

We can already get some interesting information. Here, the user seems to be connecting using a VPN and datacenter proxy

While this is not enough to be marked as a bot, we can wonder why they would need to hide their connection details, flagging a potential risk to fraud and risk managers.

Device Fingerprinting

Let’s now dive deeper into how the user is connecting to your site. Are they spoofing their device information? Are they using an emulator? 

Device Fingerprinting

Automatically creating a device hash is particularly useful. It helps us identify each device seen on a site, based on information such as:

  • installed plugins
  • web browser version
  • browser window size
  • screen resolution
  • language used 
  • etc…

Why is this important? It will come in handy when we look at the user’s online behavior, via velocity rules.

Using Velocity Rules to Identify Spikes In Traffic or Actions

Velocity rules, or velocity checks, allow you to monitor user actions over time. It’s the closest thing you have to understanding behavior through data.

Velocity Rules

Here’s an example that could be relevant to us in the context of bot detection. Let’s say we are an online store selling high-end electronics, and this happens:

  1. A new user lands directly on a specific product page.
  2. They add the product to their cart and check out within 1 minute.
  3. They enter three different card numbers within 1 minute.

Once again, we could give them the benefit of the doubt. It’s possible that they had previously abandoned checkout and knew exactly which product they wanted. It’s also possible that they accidentally auto-filled two wrong card numbers before finding the right one.

So what we get here is an idea of who could be a suspicious user. But the picture becomes much clearer when you take all of the above into account and start looking at connections between suspicious users.

Spotting Connections Between Users

The thing with bots is that fraudsters rarely use just one. It only makes sense to reuse the same bot to perform the same action numerous times. 

This works in our favor. If we’ve managed to find true information about the user (rather than the information they want us to believe), we can start highlighting connections. 

Customer Connections

With bots, we should be looking at similar devices, proxies, or patterns in the email addresses. 

For instance, users registering with email addresses that include a name and a random combination of letters, such as john4567@email.com and david6676@email.com, could point to lazily implemented bots. 

In fact, this is precisely how one of SEON’s Customer Success agents managed to block a fraud ring for an iGaming client. 

Conner Keele

Our fraud manager Conner noticed that:

  • several hundred users were signing up using outlook.com email addresses
  • from the same Internet Service Provider (ISP)
  • with email names following the aforementioned structure (johndoe1234@outlook.com)
  • using the exact same security question (mother’s maiden name)

By filtering through all the data points, Conner realized that he was indeed looking at a fraud ring that was using bots to sign up and claim rewards (a practice known as bonus abuse).

Stop Bot Fraud for Good

Join us for a demo to discuss your needs and see how SEON’s powerful engine can help.

Book a Demo

An End-to-End Fraud Detection Platform

SEON is a full end-to-end risk mitigation platform that enables fraud detection and bot mitigation through powerful APIs, machine learning and custom rules.

Uniquely, it also harnesses the power of data enrichment, gathering information from 50+ social media and online sources in real-time to learn more about users. Specifically:

  • IP lookup: Does the user connect using a VPN or proxy? How far is the connection from what their shipping address says?
  • Email address lookup: Is the email address from a free provider? Is it used to register to social media profiles such as Facebook, Twitter, or even Airbnb?
  • Phone number lookup: Does the phone number point to a virtual SIM card? Is it registered to WhatsApp, Viber, or any other mobile-first platforms?
  • BIN card lookup: Is the card type consistent with what you’d expect? A prepaid US card for a customer in Greece could raise suspicions. 

On top of that, you also get device fingerprinting to learn exactly how users connect to your site – especially good for highlighting emulators and virtual machines for better bot management.

The key to good bot detection is to combine all of the above in order to model what’s good or suspicious behavior. 

It’s precisely what our velocity checks allow you to do. You can even leverage the power of machine learning to suggest the best bot mitigation rules specifically for your business. 

Bot Detection & Prevention FAQs

How do you deploy bot detection?

Bot detection starts with gathering data about your user’s behavior and connection. By looking at whether they connect with proxies, VPNs, or Tor, you can increase suspicions. Emulators and virtual machines should also raise red flags. Then you need to compare such data and user actions with others to spot patterns. 

How do you know if an IP is a bot?

An IP address isn’t usually enough to let you know if you’re dealing with a bot or not. However, you can assess whether it points to a VPN, proxy or Tor browser. This can help you raise red flags, depending on the user’s behavior. 

How do I find a bot?

The easiest way to block bots is to enable CAPTCHAs. However, it won’t stop the more sophisticated bots. To block those, you need to enable a combination of data enrichment (to learn more about how they connect to your site) and velocity rules (to understand their online behavior).

Sources

  • Spamhaus: Spamhaus Botnet Threat Update: Q4-2021
  • Cloudflare: What is Credential Stuffing?
  • Forbes: CAPTCHAs reduced bot-driven submissions to website forms by 88%

Share article

See a live demo of our product

Click here

Author avatar
Tamas Kadar

Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.


Sign up for our newsletter

The top stories of the month delivered straight to your inbox