Want to prevent bot attacks? Make sure you understand them first.

Businesses are confused about bot attacks. This, perhaps, isn’t really their fault. For one thing, we use the term “bot” to describe more than one thing. Ask the general public what is meant by a bot attack and social media bots sowing misinformation are likely to be the first that come to mind. They are also likely to think that these bots are run by nation states, as part of a disinformation campaign.

These social media bots are very much real, but they are not the bots most businesses should be worried about. Instead, they should be focusing on the bots attempting to scrape content, buy goods before any of their customers can, or use lists of stolen passwords to take over accounts.

Our research revealed that many of these bot attacks go undiscovered for as long as 16 weeks, and that all types of attack are on the rise. Bot operators are shifting their tactics to make sure they avoid detection, attacking APIs and mobile apps as well as websites.

There’s a reason that Sun Tzu’s paraphrased advice to “know your enemy” has survived the centuries: it’s true. Unfortunately, our research found that businesses know little more than the general public when it comes to separating bot myth from bot fact.

What businesses believe about bot attacks

When asking businesses what they knew about bot attacks, there were several myths that stood out, and were believed more than others.

WAFs will stop sophisticated bots. While Web Application Firewalls (WAFs) are vital tools that help mitigate against many attacks, they do not mitigate against bots. Firewalls are there to prevent breaches and attacks that target specific vulnerabilities, but bots do not attack in this way. For example, a “scalper bot” will buy goods in much the same way as an ordinary customer, but will do it so much faster. In this situation, a WAF won’t help as it’s the core functionality of the application that has been exploited. However, basic bot mitigation can sometimes be purchased as a bolt on to a WAF solution, which may be the source of this confusion.

DDoS protection will stop all bot attacks. DDoS protection, unsurprisingly, protects against DDoS attacks, not against bot attacks. This confusion likely arises because DDoS attacks are performed using a network of compromised devices, also known as a botnet. This activity is very different from a bot attack, and DDoS protection is no use against scalper bots, scraper bots, and the rest.

Bot attacks only come from Russia and China. In fact, Netacea’s research found that just over a third of businesses have detected threats from Russia and China. Meanwhile, around half of the respondents detected threats from the US and the UK, and many more have been detected from throughout Europe. This myth may be down to a misunderstanding between the words “bot” and “botnet”.

All bots are bought on the dark web. This was true once, but no longer. Bot operators are looking to expand their operations, and selling their bots “as a service” to a wider audience means using the clear web rather than the dark web. Increasingly we see not just bots but data dumps of usernames and passwords made available on the “clear web” and accessible to anyone. The Genesis Market, a prolific underground marketplace for stolen credentials, may be password protected, but anyone can visit.

All bot users are criminals. Some bot attack techniques are illegal, such as card cracking (checking stolen credit card details using bots) and account takeover (using leaked passwords to steal and sell accounts). But many are not. More and more, we see everyday consumers using scalper bots to buy limited edition products faster than any human. While there are legislators who are interested in making this illegal, this is not against the rules at the moment.

Tackling misconceptions

These myths are common and a big problem. If businesses do not fully understand the threat they face, then they will find it very difficult to do anything about it. Businesses don’t necessarily need to know every detail about the threats they are trying to stop, but they do need to understand the basics so that they can bring the right technology to bear.

If businesses, for example, think that they are fully protected against bots because they have a WAF and DDoS protection, they are in for a rude awakening. Or, worse, they will be none the wiser when bots cause havoc, partly explaining why bot attacks are going undiscovered for weeks. Our research found that, on average, bots cost businesses around 3.2% of online revenue, for some this can mean the difference between profit and loss.

Not every business faces exactly the same risk. Online retailers are more likely to be targeted by scalper bots. Streaming media services may face challenges with account takeover attacks, as bot operators look to steal and sell accounts. It’s therefore vital that businesses understand exactly how they are being targeted and what can be done to prevent these attacks.

If an organization does not resolve this knowledge gap, we already know the potential consequences—customers are dissatisfied, report lower satisfaction rates, and may move elsewhere. Meanwhile, the business takes a financial hit when it loses customers and serves bots rather than legitimate consumers. Businesses need to know what they are facing and deploy the right tools to stave off attacks.

Ab Initio partners with BT Group to deliver big data

Luke Conrad • 24th October 2022

AI is becoming an increasingly important element of the digital transformation of many businesses. As well as introducing new opportunities, it also poses a number of challenges for IT teams and the data teams supporting them. Ab Initio has announced a partnership with BT Group to implement its big data management solutions on BT’s internal...

WAICF – Dive into AI visiting one of the most...

Delia Salinas • 10th March 2022

Every year Cannes held an international technological event called World Artificial Intelligence Cannes Festival, better known by its acronym WAICF. One of the most luxurious cities around the world, located on the French Riviera and host of the annual Cannes Film Festival, Midem, and Cannes Lions International Festival of Creativity. 

Bouncing back from a natural disaster with resilience

Amber Donovan-Stevens • 16th December 2021

In the last decade, we’ve seen some of the most extreme weather events since records began, all driven by our human impact on the plant. Businesses are rapidly trying to implement new green policies to do their part, but climate change has also forced businesses to adapt and redefine their disaster recovery approach. Curtis Preston,...