Bad Bots

  • Fabian Sinner
  • May 5, 2023

Table of content

    Bad Bots

    How To Protect Your Business Website from Bad Bots

    Every organization understands the threat posed by DDoS attacks. It is 2020, after all. DDoS flooding attacks against big name brands have made media headlines for more than two decades. However, what many organizations don’t yet understand is that not all bot attacks originate from botnets.

    In fact, many bot attacks aren’t flooding attacks at all. These attacks pose a huge threat to organizations and website owners… but few are aware of the risks.

    Bad Bots vs. Botnets: What’s the Difference?

    DDoS flooding attacks are simple things. A malicious actor uses malware to take control of tens or hundreds of thousands of Internet-connected devices. Once control is established, these devices become the ‘bots’ in a botnet, which is often used to flood a target website with connection requests until it can no longer cope with the load. But devices enslaved into the ranks of a botnet are just one of many types of bot.

    An incredible 37.9% of all Internet traffic is made up of bot activities — 17.5% from good bots, and 20.4% from bad bots.¹

    Good bots help web users find relevant businesses, products, and services. They include search engine crawlers and price comparison bots.

    Bad bots are used by malicious actors to automate attacks, reconnaissance, and fraudulent activities. These bots can negatively affect website performance, damage the experience of legitimate customers, and directly attack your business.

    How Bad Bots Harm Your Business

    While ticketing, e-commerce, and financial services organizations have traditionally been top targets, bad bots are a threat across all industries.

    Just like human cyber attacks, bots can harm your business in many different ways:

    • Credit card fraud bots use stolen card details to purchase products and services online. Millions of credit card details are sold online each year, and bots are used to test them at scale.
    • Gift card fraud bots abuse gift card balance checking facilities to test a huge number of possible card numbers. When a match is found, the balance is used to make fraudulent purchases.
    • Credential attacks/account takeover bots. Similar to credit card fraud, these bots conduct ‘credential stuffing’ attacks with stolen usernames and passwords. When a successful login occurs, the account is quickly taken over. Depending on the website attacked, compromised accounts can be used for financial fraud, spam, extortion, password reuse attacks, and other malicious activities.
    • Account creation bots create free accounts to use for spam or to exploit ‘new account’ promotions.
    • Inventory hoarding bots repeatedly add products to carts (particularly products in high demand) preventing legitimate customers from purchasing them. This is sometimes done to disrupt operations but is mainly used to ‘hold’ products while they are resold elsewhere at higher prices. The e-commerce and ticketing industries are the most common targets for inventory hoarding attacks.
    • Scraping bots are used to steal data from websites, most often related to pricing. This technique is used by unscrupulous organizations to help them undercut competitors or gather intelligence. In the financial sector, many hedge funds use scraping bots to collect information to inform investment decisions. Financial management consultancy Opimas estimates that around 5% of all Internet traffic is created by investment scraping bots.
    • Spambots fall into two main categories:
      • Bots that gather email addresses to add to spam mailing lists.
      • Bots that abuse comment forms on blogs and websites to spread ads or malicious URLs.
    • Vulnerability scanners and attack bots are used to identify websites that are vulnerable to simple attacks like SQL injection (SQLi) and cross-site scripting (XSS). Some bots are able to conduct attacks against vulnerable websites, while others report targets back to human hackers.
    • Click bots are used for two primary purposes:
      • To make money. Fraudsters add pay-per-click ads to their own websites and use bots to increase click rates.
      • To target companies that pay for PPC ads. These companies pay the ad network (e.g., Google Ads) every time somebody clicks on their ads. Click bots are used to artificially inflate the cost of advertising without returning any real traffic.
    • Checkout and application abuse bots are typically highly sophisticated and used for a wide variety of malicious purposes. In e-commerce, they are often used to manipulate prices and buy products or services at reduced rates. Similar bots are used to target decentralized currency exchanges and manipulate the price of cryptocurrencies.

    What is Bot Mitigation?

    With so many different bad bots to contend with, it’s natural to want to fight back.

    However, bots are often hard to detect. Even the simplest bots impersonate traffic from normal sources like common web browsers and mobile devices, which makes them hard to block. At the other end of the scale, sophisticated bots are able to evade static controls like Captcha forms by mimicking human behavior. This makes them almost impossible to detect using standard web technologies.

    To make matters worse, you can’t depend on a Web Application Firewall (WAF) to weed out bad bots. While a WAF may be able to detect or block some specific bot attacks, the majority of bots don’t directly attack your website. Instead, they abuse legitimate functions to achieve malicious objectives. Equally, a WAF won’t do anything to lessen the flow of bad bots targeting your website.

    This is where bot mitigation services come in.

    Bot mitigation isn’t about completely blocking bot activity. Remember, around half of all bots are good. Instead, it’s about determining the nature of every bot that visits your website and preventing the activities of bad bots only.

    For this to be possible, a bot mitigation service must be able to:

    1. Rapidly identify and mitigate bad bots (even when they aren’t using flooding techniques).

    2. Identify and manage unknown bots in real-time.

    Note that bot mitigation is not part of a typical DDoS mitigation service. Bots come in many forms, and can’t be detected using the techniques DDoS mitigation services use to protect websites from flooding attacks.

    Protect Your Website from Bad Bots

    To keep your organization safe from bad bots, you need a bot mitigation service that gives you full control over the wide range of bots that access your website every day.

    At Link11, our bot mitigation service uses proprietary AI and Machine Learning algorithms to distinguish between good and bad bots in real-time — with zero human intervention.

    Known bad bots are blocked instantly, while unknown bots are identified and mitigated within five seconds on average. This is critical, as new bots are constantly developed to bypass lower-quality controls.

    As a result, your organization gets:

    • Better website performance and improved user experience for real customers.
    • Real-time defense against all bot-based malicious activities, including common, high volume attacks.
    • The power to categorize, manage, and block bots individually.
    • A drastic reduction in cyber risk caused by bad bots — one of the top threats to websites, web applications, and online services.

    To find out more about our industry-leading bot mitigation capabilities, visit our bot mitigation service page.

    Learn more about Link11 Bot Mitigation

    ECJ overrules “Privacy Shield” – What actions should be taken now
    DDoS Extortions against thousands of firms by alleged Phantom Squad