Want to prevent bot attacks? Make sure you understand them first.
Businesses are confused about bot attacks. This, perhaps, isn’t really their fault. For one thing, we use the term “bot” to describe more than one thing. Ask the general public what is meant by a bot attack and social media bots sowing misinformation are likely to be the first that come to mind. They are also likely to think that these bots are run by nation states, as part of a disinformation campaign.
These social media bots are very much real, but they are not the bots most businesses should be worried about. Instead, they should be focusing on the bots attempting to scrape content, buy goods before any of their customers can, or use lists of stolen passwords to take over accounts.
Our research revealed that many of these bot attacks go undiscovered for as long as 16 weeks, and that all types of attack are on the rise. Bot operators are shifting their tactics to make sure they avoid detection, attacking APIs and mobile apps as well as websites.
There’s a reason that Sun Tzu’s paraphrased advice to “know your enemy” has survived the centuries: it’s true. Unfortunately, our research found that businesses know little more than the general public when it comes to separating bot myth from bot fact.
What businesses believe about bot attacks
When we asked businesses what they knew about bot attacks, several myths stood out as being believed more widely than others.
WAFs will stop sophisticated bots. While Web Application Firewalls (WAFs) are vital tools that help mitigate many attacks, they do not mitigate bots. Firewalls are there to prevent breaches and attacks that target specific vulnerabilities, but bots do not attack in this way. For example, a “scalper bot” will buy goods in much the same way as an ordinary customer, only much faster. In this situation, a WAF won’t help, as it is the core functionality of the application that is being exploited, not a flaw in it. However, basic bot mitigation can sometimes be purchased as a bolt-on to a WAF solution, which may be the source of this confusion.
DDoS protection will stop all bot attacks. DDoS protection, unsurprisingly, protects against DDoS attacks, not against bot attacks. This confusion likely arises because DDoS attacks are performed using a network of compromised devices, also known as a botnet. This activity is very different from a bot attack, and DDoS protection is of no use against scalper bots, scraper bots, and the rest.
Bot attacks only come from Russia and China. In fact, Netacea’s research found that just over a third of businesses have detected threats from Russia and China. Meanwhile, around half of the respondents detected threats from the US and the UK, and many more have been detected from throughout Europe. This myth may stem from confusing the words “bot” and “botnet”.
All bots are bought on the dark web. This was true once, but no longer. Bot operators are looking to expand their operations, and selling their bots “as a service” to a wider audience means using the clear web rather than the dark web. Increasingly we see not just bots but data dumps of usernames and passwords made available on the “clear web” and accessible to anyone. The Genesis Market, a prolific underground marketplace for stolen credentials, may be password protected, but anyone can visit.
All bot users are criminals. Some bot attack techniques are illegal, such as card cracking (checking stolen credit card details using bots) and account takeover (using leaked passwords to steal and sell accounts). But many are not. More and more, we see everyday consumers using scalper bots to buy limited edition products faster than any human. While some legislators are interested in making this illegal, it is not against the rules at the moment.
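The WAF myth above comes down to a difference in what each control looks at: a signature rule inspects a request for a known attack payload, whereas a scalper bot sends perfectly well-formed requests and is only visible in the timing and volume of its behaviour. The following added example (not code from the article or from Netacea) runs both kinds of check over a constructed access-log sample; the log format, the thresholds and the `/cart/add` and `/checkout` paths are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed access-log sample (not from the article): ip, unix-time, method, path, status.
SAMPLE_LOG = """\
203.0.113.10 100.0 POST /cart/add 200
203.0.113.10 100.4 POST /checkout 200
203.0.113.10 100.9 POST /cart/add 200
203.0.113.10 101.3 POST /checkout 200
203.0.113.10 101.8 POST /cart/add 200
203.0.113.10 102.2 POST /checkout 200
198.51.100.7 100.0 POST /cart/add 200
198.51.100.7 145.0 POST /checkout 200
"""

# A WAF-style signature rule: looks for injection payloads in the request path.
ATTACK_SIGNATURES = re.compile(r"(?i)(union\s+select|<script|\.\./|'\s*or\s+1=1)")

def parse_log(text):
    """Returns (ip, ts, path) tuples; the constructed format is: ip ts method path status."""
    rows = [line.split() for line in text.strip().splitlines()]
    return [(ip, float(ts), path) for ip, ts, _method, path, _status in rows]

def waf_signature_hits(events):
    """Requests a signature WAF would block; well-formed scalper traffic matches none."""
    return [e for e in events if ATTACK_SIGNATURES.search(e[2])]

def flag_scalpers(events, window=60.0, max_checkouts=2, min_human_latency=2.0):
    """Behavioral check: flags clients that run the checkout flow at inhuman speed."""
    by_ip = defaultdict(list)
    for ip, ts, path in sorted(events, key=lambda e: e[1]):
        by_ip[ip].append((ts, path))
    flagged = {}
    for ip, evs in by_ip.items():
        reasons, last_add = [], None
        checkouts = [ts for ts, path in evs if path == "/checkout"]
        # More than max_checkouts completed inside any window-second span.
        if any(checkouts[i + max_checkouts] - checkouts[i] <= window
               for i in range(len(checkouts) - max_checkouts)):
            reasons.append("checkout velocity")
        # Add-to-cart followed by checkout faster than a person can fill in a form.
        for ts, path in evs:
            if path == "/cart/add":
                last_add = ts
            elif path == "/checkout" and last_add is not None and ts - last_add < min_human_latency:
                reasons.append("sub-human add-to-checkout latency")
                break
        if reasons:
            flagged[ip] = reasons
    return flagged
```

On the sample, the signature check returns nothing while the behavioural check flags 203.0.113.10 on both velocity and latency, which is the gap the article describes between a WAF and bot mitigation.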
Tackling misconceptions
These myths are common and a big problem. If businesses do not fully understand the threat they face, then they will find it very difficult to do anything about it. Businesses don’t necessarily need to know every detail about the threats they are trying to stop, but they do need to understand the basics so that they can bring the right technology to bear.
If businesses, for example, think that they are fully protected against bots because they have a WAF and DDoS protection, they are in for a rude awakening. Or, worse, they will be none the wiser when bots cause havoc, which partly explains why bot attacks are going undiscovered for weeks. Our research found that, on average, bots cost businesses around 3.2% of online revenue; for some, this can mean the difference between profit and loss.
Not every business faces exactly the same risk. Online retailers are more likely to be targeted by scalper bots. Streaming media services may face challenges with account takeover attacks, as bot operators look to steal and sell accounts. It’s therefore vital that businesses understand exactly how they are being targeted and what can be done to prevent these attacks.
If an organization does not resolve this knowledge gap, we already know the potential consequences—customers are dissatisfied, report lower satisfaction rates, and may move elsewhere. Meanwhile, the business takes a financial hit when it loses customers and serves bots rather than legitimate consumers. Businesses need to know what they are facing and deploy the right tools to stave off attacks.