Bot Detection: How to Detect & Prevent Bots

Fraudsters are just as tech-savvy as they are lazy. How can they multiply attacks to target your business? Through the use of bots.

Thankfully, bot detection is easier than you might first think.

What Is Bot Detection?

Bot detection is any process designed to identify the presence of bot traffic on a website, server, network, etc. It is made to detect individual bots and scripts, as well as botnets comprised of several bots, which can be in the thousands. The idea is to be able to tell human traffic from bot traffic.

In general terms, you may want to block your average bot. But they’re not all malicious bots – but there are also useful bots out there that you will certainly want to allow, such as Google’s spiders, which index web pages.

In the context of fraud detection, bot traffic always has a negative connotation, as fraudsters will attempt to use bots in order to automate and scale their attempts against a business or organization.

Why Detect Bot Traffic?

As a business, your goal is to ensure web traffic comes from legitimate users, so you’ll want to detect bots and block their access to all or certain parts of your infrastructure. This is because fraudsters rely on bots to automate actions such as taking over user accounts, making payments with stolen credit cards, or digital onboarding with fake identity details. 

To make matters worse, bot attacks are on the rise globally. Cybersecurity firm Spamhaus identified a 23% increase in botnet traffic in Q4 2021 compared with the previous quarter. 

Here is a map of where this automated traffic comes from:

Why Is Bot Detection So Difficult?

When it comes to the detection of basic bots, adding a few rudimentary technical hurdles will work. For instance, CAPTCHA is known to reduce bot-driven form submissions by 88%.

Things get more challenging when you deal with bots designed to replicate human behavior. 

Referral fraudsters, for instance, utilize sophisticated automation designed to trigger affiliate rewards.

This is an example of what this kind of bot can do:

1. A fraudster signs up for a pay-per-lead program
2. They launch bots to automatically click on the link
3. Automatically fill in all the details using synthetic or made-up user data
4. Deposit money using a stolen credit card number
5. Trigger the signup reward
6. Change the IP and device settings, and repeat

As you can imagine, complex sequences of events are harder to detect than simple fraud attacks – especially if they’re designed to pass off as a human. 

That is, of course, unless you have the right bot detection tool at your disposal.

Common Bot Detection Techniques

Bot detection techniques commonly in use to find and stop bot traffic include flagging suspicious tools that enable bots, as well as privacy-focused browsers and other known software and apps. There is, of course, much more:

• Device fingerprinting: This technique allows the software to gather non-identifiable information about each visitor’s software and hardware, in order to identify any use of suspicious tools and software that could hint at a bot or script.
• Device hashes: In the case of bots set up to commit multi-accounting abuse, creating and comparing device hashes will allow us to identify returning users and bots, even if they attempt to pass off as different people.
• Real-time monitoring: It’s important for high-risk organizations to continually monitor this traffic rather than at regular intervals, if the aim is to catch and stop bad bots.
• Firewalls and blocklists: Depending on the needs, infrastructure, and risk appetite of the business, you may find that a Web Application Firewall (WAF) or Access Control List (ACL) is sufficient. This will observe and filter traffic, blocking unknown users, including bots.
• CAPTCHAs: For bots set up to automate the creation of multiple accounts, including for bonus abuse and other pain points, sometimes the addition of a CAPTCHA “prove that you’re human” step to onboarding is enough to stop them.
• MFA and 2FA: To mitigate against bot-enabled account takeovers, user awareness goes a long way – including encouraging or forcing users to user multi-factor authentication.

How to Detect Bots with SEON

At SEON, we understand that bot detection only works if you have enough data at your disposal. 

This is how we break it down on our platform.

Data Enrichment

The first step is to learn more about our “user”. We can start with easily obtainable information, such as their IP address.

We can already get some interesting information. Here, the user seems to be connecting using a VPN and datacenter proxy. 

While this is not enough to be marked as a bot, we can wonder why they would need to hide their connection details, flagging a potential risk to fraud and risk managers.

Device Fingerprinting

Let’s now dive deeper into how the user is connecting to your site. Are they spoofing their device information? Are they using an emulator? 

Automatically creating a device hash is particularly useful. It helps us identify each device seen on a site, based on information such as:

• installed plugins
• web browser version
• browser window size
• screen resolution
• language used 
• etc…

Why is this important? It will come in handy when we look at the user’s online behavior, via velocity rules.

Using Velocity Rules to Identify Spikes In Traffic or Actions

Velocity rules, or velocity checks, allow you to monitor user actions over time. It’s the closest thing you have to understanding behavior through data.

Here’s an example that could be relevant to us in the context of bot detection. Let’s say we are an online store selling high-end electronics, and this happens:

1. A new user lands directly on a specific product page.
2. They add the product to their cart and check out within 1 minute.
3. They enter three different card numbers within 1 minute.

Once again, we could give them the benefit of the doubt. It’s possible that they had previously abandoned checkout and knew exactly which product they wanted. It’s also possible that they accidentally auto-filled two wrong card numbers before finding the right one.

So what we get here is an idea of who could be a suspicious user. But the picture becomes much clearer when you take all of the above into account and start looking at connections between suspicious users.

Spotting Connections Between Users

The thing with bots is that fraudsters rarely use just one. It only makes sense to reuse the same bot to perform the same action numerous times. 

This works in our favor. If we’ve managed to find true information about the user (rather than the information they want us to believe), we can start highlighting connections. 

With bots, we should be looking at similar devices, proxies, or patterns in the email addresses. 

For instance, users registering with email addresses that include a name and a random combination of letters, such as john4567@email.com and david6676@email.com, could point to lazily implemented bots. 

In fact, this is precisely how one of SEON’s Customer Success agents managed to block a fraud ring for an iGaming client. 

Our fraud manager Conner noticed that:

• several hundred users were signing up using outlook.com email addresses
• from the same Internet Service Provider (ISP)
• with email names following the aforementioned structure (johndoe1234@outlook.com)
• using the exact same security question (mother’s maiden name)

By filtering through all the data points, Conner realized that he was indeed looking at a fraud ring that was using bots to sign up and claim rewards (a practice known as bonus abuse).

An End-to-End Fraud Detection Platform

SEON is a full end-to-end risk mitigation platform that enables fraud detection and bot mitigation through powerful APIs, machine learning and custom rules.

Uniquely, it also harnesses the power of data enrichment, gathering information from 50+ social media and online sources in real-time to learn more about users. Specifically:

• IP lookup: Does the user connect using a VPN or proxy? How far is the connection from what their shipping address says?
  
• Email address lookup: Is the email address from a free provider? Is it used to register to social media profiles such as Facebook, Twitter, or even Airbnb?
  
• Phone number lookup: Does the phone number point to a virtual SIM card? Is it registered to WhatsApp, Viber, or any other mobile-first platforms?
  
• BIN card lookup: Is the card type consistent with what you’d expect? A prepaid US card for a customer in Greece could raise suspicions. 

On top of that, you also get device fingerprinting to learn exactly how users connect to your site – especially good for highlighting emulators and virtual machines for better bot management.

The key to good bot detection is to combine all of the above in order to model what’s good or suspicious behavior. 

It’s precisely what our velocity checks allow you to do. You can even leverage the power of machine learning to suggest the best bot mitigation rules specifically for your business. 

Bot Detection & Prevention FAQs

Sources

• Spamhaus: Spamhaus Botnet Threat Update: Q4-2021
• Forbes: CAPTCHAs reduced bot-driven submissions to website forms by 88%