Fraudsters are just as tech-savvy as they are lazy. How can they multiply attacks to target your business? Through the use of bots.
Thankfully, bot detection is easier than you might first think.
What Is Bot Detection?
Detection includes any kind of process designed to identify web traffic from bots. In some cases, you may want to block that bot traffic. In others, you want to allow certain useful bots.
In the context of fraud detection, bot traffic always has a negative connotation. Your goal is to ensure web traffic comes from legitimate users.
To make matters worse, bot attacks are on the rise globally. Cybersecurity firm Spamhaus identified a 23% increase in botnet traffic in Q4 2021 compared with the previous quarter.
Here is a map of where this automated traffic comes from:
How Does a Bot Attack Work?
Bot attacks are easy to understand if you replace the word bot with another one: script. Put simply, a bot is a script: an automated program that follows a set pattern of actions.
An example scenario would be:
- A fraudster has access to 5,000 stolen credit card numbers
- They go on an ecommerce website and purchase an item
- A script (or bot) automatically cycles through all the credit card numbers at checkout so they can find one that works.
Of course, there is a high chance that they will be flagged by the online store, especially if they log out and log back in using the same computer.
They can improve their strategy by creating another bot that:
- reconnects to the website using a proxy (to hide their IP address)
- automatically fills out the checkout info using the name of the cardholder
Success! Our fraudster can now try all their stolen credit card numbers, and the second script makes it look like they are different users each time.
3 More Examples of Fraud Bots
The most common bot attacks are DDoS, or Distributed Denial of Service attacks. They’re designed to overwhelm a website, application, or network, essentially “taking it down”.
However, fraudsters use bots to automate all kinds of processes related to fraud, such as:
1. Scalper and Ticketing Bots
Selling and buying tickets was supposed to be a straightforward affair. That’s until ticket scalpers realized they could buy the entire supply for a sold-out event and resell tickets at a higher price.
Of course, manually purchasing hundreds or thousands of tickets is physically impossible – especially when time is of the essence. This is where scalper and ticketing bots become a problem.
Put simply, fraudsters use automated scripts to purchase all the tickets as soon as possible. This has led to dissatisfied punters, and ticketing platforms scrambling for quick fixes.
2. Inventory Denial Attack Bots
The same concept as scalper bots also applies to ecommerce, but there’s one added problem…
The fraudsters and unscrupulous competitors who launch bots to deplete inventories often have no intention of actually purchasing everything, which leads to rising cases of return fraud.
3. Credential Stuffing Bots
Credential stuffing is the automated attempt to “crack” someone’s account using a list of login details and passwords.
Statistically, these kinds of attacks have a low success rate, averaging around 0.1%, according to Cloudflare. This explains why fraudsters would rather get bots to perform them.
In spite of the low success rate, credential stuffing is extremely damaging for companies and their users, as it inevitably leads to an account takeover. Once they have access to an account, fraudsters can cause all kinds of havoc, from identity theft to data breaches.
Why Is Bot Detection so Difficult?
When it comes to the detection of basic bots, adding a few rudimentary technical hurdles will work. For instance, CAPTCHA is known to reduce bot-driven form submissions by 88%.
Things get more challenging when you deal with bots designed to replicate human behavior.
Referral fraudsters, for instance, utilize sophisticated automation designed to trigger affiliate rewards.
This is an example of what this kind of bot can do:
- A fraudster signs up for a pay-per-lead program
- They launch bots to automatically click on the link
- Automatically fill in all the details using synthetic or made-up user data
- Deposit money using a stolen credit card number
- Trigger the signup reward
- Change the IP and device settings, and repeat
As you can imagine, complex sequences of events are harder to detect than simple fraud attacks, especially if they’re designed to pass as human.
That is, of course, unless you have the right bot detection tool at your disposal.
How to Detect Bots with SEON
At SEON, we understand that bot detection only works if you have enough data at your disposal.
This is how we break it down on our platform.
The first step is to learn more about our “user”. We can start with easily obtainable information, such as their IP address.
We can already get some interesting information. Here, the user seems to be connecting using a VPN and datacenter proxy.
While this is not enough to be marked as a bot, we can wonder why they would need to hide their connection details, flagging a potential risk to fraud and risk managers.
Let’s now dive deeper into how the user is connecting to your site. Are they spoofing their device information? Are they using an emulator?
Automatically creating a device hash is particularly useful. It helps us identify each device seen on a site, based on information such as:
- installed plugins
- web browser version
- browser window size
- screen resolution
- language used
Why is this important? It will come in handy when we look at the user’s online behavior, via velocity rules.
Using Velocity Rules to Identify Spikes In Traffic or Actions
Velocity rules, or velocity checks, allow you to monitor user actions over time. It’s the closest thing you have to understanding behavior through data.
Here’s an example that could be relevant to us in the context of bot detection. Let’s say we are an online store selling high-end electronics, and this happens:
- A new user lands directly on a specific product page.
- They add the product to their cart and check out within 1 minute.
- They enter three different card numbers within 1 minute.
Once again, we could give them the benefit of the doubt. It’s possible that they had previously abandoned checkout and knew exactly which product they wanted. It’s also possible that they accidentally auto-filled two wrong card numbers before finding the right one.
So what we get here is an idea of who could be a suspicious user. But the picture becomes much clearer when you take all of the above into account and start looking at connections between suspicious users.
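The device hash and the card velocity rule described above can be combined so that rotating proxies does not reset the counter. The following is an added example, not SEON's code: the field names, the 16-character truncated SHA-256, the event layout and all sample data are assumptions made for illustration.

```python
import hashlib
import json
from collections import defaultdict, deque

# Attributes the article lists as inputs to a device hash (field names are assumed).
HASH_FIELDS = ("plugins", "browser_version", "window_size", "screen_resolution", "language")

def device_hash(attrs):
    """Stable hash of the listed attributes; plugin order and key order do not matter."""
    canon = {f: attrs.get(f) for f in HASH_FIELDS}
    canon["plugins"] = sorted(canon["plugins"] or [])
    blob = json.dumps(canon, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()[:16]

def card_velocity_alerts(events, max_cards=3, window_s=60):
    """Flag devices that submit max_cards or more distinct cards within window_s seconds."""
    recent = defaultdict(deque)   # device hash -> (ts, card_token, ip) inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        dh = device_hash(ev["device"])
        q = recent[dh]
        q.append((ev["ts"], ev["card_token"], ev["ip"]))
        while ev["ts"] - q[0][0] > window_s:    # drop attempts older than the window
            q.popleft()
        cards = {card for _, card, _ in q}
        if len(cards) >= max_cards and dh not in flagged:
            flagged[dh] = {"cards": len(cards), "ips": sorted({ip for _, _, ip in q})}
    return flagged

# Constructed sample data: card values are opaque tokens, never raw card numbers.
BOT = {"plugins": ["pdf", "widevine"], "browser_version": "120.0", "window_size": "800x600",
       "screen_resolution": "1920x1080", "language": "en-US"}
SHOPPER = dict(BOT, plugins=["pdf"], window_size="1440x820", language="el-GR")
SLOW = dict(BOT, browser_version="119.0", language="de-DE")

def ev(ts, device, card, ip):
    return {"ts": ts, "device": device, "card_token": card, "ip": ip}

EVENTS = [
    ev(0, BOT, "tok_a", "203.0.113.10"),      # same device, new proxy IP per attempt
    ev(20, BOT, "tok_b", "198.51.100.7"),
    ev(40, BOT, "tok_c", "192.0.2.55"),
    ev(5, SHOPPER, "tok_x", "203.0.113.80"),  # two cards in 30 s: under the threshold
    ev(35, SHOPPER, "tok_y", "203.0.113.80"),
    ev(0, SLOW, "tok_p", "198.51.100.20"),    # three cards, but spread over 10 minutes
    ev(300, SLOW, "tok_q", "198.51.100.20"),
    ev(600, SLOW, "tok_r", "198.51.100.20"),
]
print(card_velocity_alerts(EVENTS))
```

Only the first device is flagged, and the alert lists three different IP addresses for one device hash, which is a stronger signal than the card count alone.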
Spotting Connections Between Users
The thing with bots is that fraudsters rarely use just one. It only makes sense to reuse the same bot to perform the same action numerous times.
This works in our favor. If we’ve managed to find true information about the user (rather than the information they want us to believe), we can start highlighting connections.
With bots, we should be looking at similar devices, proxies, or patterns in the email addresses.
For instance, users registering with email addresses that include a name and a random combination of letters, such as firstname.lastname@example.org and email@example.com, could point to lazily implemented bots.
In fact, this is precisely how one of SEON’s Customer Success agents managed to block a fraud ring for an iGaming client.
Our fraud manager, Conner, noticed that:
- Several hundred users were signing up using outlook.com email addresses
- From the same Internet Service Provider
- With email names following the aforementioned structure (firstname.lastname@example.org)
- Using the exact same security question (mother’s maiden name)
By filtering through all the data points, Conner realized that he was indeed looking at a fraud ring that was using bots to sign up and claim rewards (a practice known as bonus abuse).
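The filtering described in this case can be expressed as a grouping step over signup records. This is an added example, not SEON's code: the record fields, the `local_part_shape` helper, the cluster threshold and the sample signups are assumptions, and the addresses are constructed.

```python
import re
from collections import defaultdict

def local_part_shape(email):
    """Structure of the part before '@': letter runs become 'a', digit runs become '9'."""
    local = email.split("@", 1)[0].lower()
    return re.sub(r"[0-9]+", "9", re.sub(r"[a-z]+", "a", local))

def linked_signups(signups, min_cluster=3):
    """Group signups sharing provider, ISP, address shape and security question."""
    groups = defaultdict(list)
    for s in signups:
        domain = s["email"].rsplit("@", 1)[-1].lower()
        key = (domain, s["isp"], local_part_shape(s["email"]), s["security_question"])
        groups[key].append(s["user_id"])
    # No single trait is suspicious on its own; only repeated full matches are returned.
    return {k: ids for k, ids in groups.items() if len(ids) >= min_cluster}

# Constructed sample signups; addresses, ISP names and ids are made up.
Q_MAIDEN = "mother's maiden name"
Q_PET = "first pet"

def signup(user_id, email, isp, question):
    return {"user_id": user_id, "email": email, "isp": isp, "security_question": question}

SIGNUPS = [
    signup(1, "anna.kovacs.qxz@mail.example", "ISP-A", Q_MAIDEN),
    signup(2, "peter.nagy.lwrt@mail.example", "ISP-A", Q_MAIDEN),
    signup(3, "Eva.Toth.bvk@mail.example", "ISP-A", Q_MAIDEN),
    signup(4, "li.wei.ops@mail.example", "ISP-B", Q_MAIDEN),   # same shape, other ISP
    signup(5, "maria.silva@mail.example", "ISP-A", Q_MAIDEN),  # different address shape
    signup(6, "tom88@mail.example", "ISP-A", Q_PET),
]
print(linked_signups(SIGNUPS))
```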
An End-to-End Fraud Detection Platform
SEON is a full end-to-end fraud detection platform, which includes powerful data enrichment modules, such as:
- IP lookup: Does the user connect using a VPN or proxy? How far is the connection from what their shipping address says?
- Email address lookup: Is the email address from a free provider? Is it used to register to social media profiles such as Facebook, Twitter, or even Airbnb?
- Phone number lookup: Does the phone number point to a virtual SIM card? Is it registered to WhatsApp, Viber, or any other mobile-first platforms?
- BIN card lookup: Is the card type consistent with what you’d expect? A prepaid US card for a customer in Greece could raise suspicions.
On top of that, you also get device fingerprinting to learn exactly how users connect to your site – especially good for highlighting emulators and virtual machines.
The key to good bot detection is to combine all of the above in order to model what’s good or suspicious behavior.
It’s precisely what our velocity checks allow you to do. You can even leverage the power of machine learning to suggest the best bot mitigation rules for your business.
Bot Detection & Prevention FAQs
Bot detection starts with gathering data about your user’s behavior and connection. By looking at whether they connect with proxies, VPNs, or Tor, you can increase suspicions. Emulators and virtual machines should also raise red flags. Then you need to compare such data and user actions with others to spot patterns.
An IP address isn’t usually enough to let you know if you’re dealing with a bot or not. However, you can assess whether it points to a VPN, proxy or Tor browser. This can help you raise red flags, depending on the user’s behavior.
The easiest way to block bots is to enable CAPTCHAs. However, it won’t stop the more sophisticated bots. To block those, you need to enable a combination of data enrichment (to learn more about how they connect to your site) and velocity rules (to understand their online behavior).
Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.