Bad bots: protecting your organization from a growing threat

Not all bots are bad – there are good bots, like those used by search engines and price comparison services. But bad bots are increasingly an issue, whether they’re buying games consoles or concert tickets (I’m still cross that I missed out on AC/DC tickets), or automating attacks on corporate networks and application programming interfaces (APIs).

About the author

Chris Hill, RVP Public Cloud and Strategic Partners, Barracuda Networks.

Bots used to be an expensive investment for criminals, but now you can hire bots – and the infrastructure they need – as a complete service. Criminals are using them in all sorts of ways and classic bot attacks are still going after any sort of limited commodity.

For example, in the early stages of the COVID-19 pandemic, some online shopping services in India found delivery slots being grabbed by bots and offered for resale to desperate people. AMD graphics cards and Sony PlayStation 5s have also fallen victim to scalping bots. AMD even recommended resellers switch to manual processing of early purchases to validate that orders were genuinely from individual customers. And have I mentioned those AC/DC tickets?

However, the modern bot is far more complex and sophisticated than a simple scraper or automated online purchase tool. They are being used to probe corporate IT infrastructures all day and all night. They seek out credential weaknesses to take over user accounts. And they increasingly target APIs, either to take over accounts or as a way to bypass traditional cybersecurity set-ups.

Evolved modern bots

Today’s bot providers have evolved too – they are highly professional and well organized. They even keep standard office hours, and don’t operate just in the middle of the night.

Providers sell bots via online marketplaces and some offer money-back guarantees. Some bot sellers have 24/7 helplines if you can’t get your bot to do what you want it to do. They mimic many of the processes of professional software providers, such as automating testing of their products.

But getting hold of a bot is only half the battle. Criminals need infrastructure to run them. The last generation of bots would run from a compromised datacenter or server. This made them relatively easy to identify, and block, via an IP address.

Modern bots are often linked to apparently legitimate online identities, credentials and email accounts to bypass basic protections and the latest version of reCAPTCHA. They are linked to compromised residential internet accounts and their traffic comes from thousands of different and apparently legitimate IP addresses, making defense far tougher.

All this means that bots do a remarkably good job of hiding in standard browser traffic. This makes defending against them difficult, especially if you don’t want to irritate customers or users with onerous identity procedures or risk blocking legitimate traffic.

Ways that bad bots can harm businesses

While many organizations have traditionally been top targets, bad bots are a threat across every single industry. Just like the usual human cyber-attack, bots can harm your business in many different ways, including:

• Gift card fraud bots can abuse gift card balance checking facilities to test a huge number of possible card numbers. When a match is found, the balance is used to make fraudulent purchases online.

• Credit card fraud bots typically use stolen card details to purchase products and services online. Millions of credit card details are sold online each year, and bots can be easily used to test them at a large scale.

• Credential attack or account takeover bots are similar to credit card fraud bots, in that they use ‘credential stuffing’ attacks with stolen usernames and passwords. When a successful login occurs, the account is quickly taken over. Depending on the website attacked, compromised accounts can be used for financial fraud, spam, extortion, password reuse attacks, and other malicious activities.

• Account creation bots create free accounts to use for spam or to exploit ‘new account’ promotions.

• Scraping bots are used to steal data from websites, most often related to pricing. This technique is used by cheating organizations to help them undercut competitors or gather intelligence. In the financial sector, many hedge funds use scraping bots to collect information to inform investment decisions.
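An added example (not from the original article) of why the per-IP blocking described earlier misses credential stuffing spread across many residential addresses, while an aggregate view of the login endpoint still catches it. The event tuples, thresholds and function names are assumptions for illustration, and the sample events are constructed.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed login events: (minute, source_ip, username, success)."""
    events = []
    # Distributed stuffing: 40 attempts, each from a new IP with a new username.
    for i in range(40):
        events.append((0, f"198.51.100.{i}", f"user{i}", i == 17))
    # A real customer who mistypes a password twice, then gets in.
    events += [(0, "203.0.113.5", "alice", False),
               (0, "203.0.113.5", "alice", False),
               (0, "203.0.113.5", "alice", True)]
    # Ordinary traffic in the next minute.
    for i in range(10):
        events.append((1, f"192.0.2.{i}", f"cust{i}", True))
    return events

def per_ip_alerts(events, max_failures=5):
    """Classic control: flag (minute, ip) pairs with too many failed logins."""
    fails = defaultdict(int)
    for minute, ip, _user, ok in events:
        if not ok:
            fails[(minute, ip)] += 1
    return sorted(key for key, n in fails.items() if n > max_failures)

def endpoint_alerts(events, min_attempts=20, max_fail_ratio=0.5, min_spread=0.8):
    """Aggregate signal: per minute, many failures spread over many usernames."""
    windows = defaultdict(lambda: {"n": 0, "fail": 0, "users": set(), "ips": set()})
    for minute, ip, user, ok in events:
        w = windows[minute]
        w["n"] += 1
        w["fail"] += 0 if ok else 1
        w["users"].add(user)
        w["ips"].add(ip)
    flagged = []
    for minute, w in sorted(windows.items()):
        fail_ratio = w["fail"] / w["n"]
        spread = len(w["users"]) / w["n"]  # near 1.0 means one try per account
        if w["n"] >= min_attempts and fail_ratio > max_fail_ratio and spread >= min_spread:
            flagged.append((minute, w["n"], round(fail_ratio, 2), len(w["ips"])))
    return flagged

if __name__ == "__main__":
    sample = build_sample_events()
    print("per-IP alerts:", per_ip_alerts(sample))
    print("endpoint alerts (minute, attempts, fail ratio, distinct IPs):",
          endpoint_alerts(sample))
```

The per-IP rule stays silent because no single address fails more than twice, whereas the endpoint-level check flags the minute in which almost every attempt fails against a different account.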

Spam bots and click bots

Spambots fall into two main categories:

• Bots that gather email addresses to add to spam mailing lists.

• Bots that abuse comment forms on blogs and websites to spread ads or malicious URLs.

Click bots are used for two primary purposes:

• In order to make money. Fraudsters can easily add pay-per-click ads to their own websites and use bots to increase click rates. 

• To target companies that pay for PPC ads. These companies pay the ad network (e.g., Google Ads) every time somebody clicks on their ads. Click bots are used to artificially inflate the cost of advertising without returning any real traffic. 

• Checkout and application abuse bots are typically highly sophisticated and used for a wide variety of malicious purposes. In e-commerce, they are often used to manipulate prices and buy products or services at reduced rates.

Defending against bots

Defending your infrastructure against bot attack needs to be considered as a crucial part of your holistic defenses. Although many security suites claim to offer bot protection as standard, you should probe a little into what you are getting.

Organizations need protection that combines built-in bot identifiers with cloud-based AI and machine learning systems to spot bot attacks. Such protection uses data from a massive honeypot network to spot known bots, and also lets you allow approved bots by IP or URL. It provides a clear dashboard for keeping track of bot activity: where it is coming from and which applications are being targeted.

To keep businesses safe from bad bots, business leaders need full control over, and knowledge of, the wide range of bots that access their websites every day.

Known bad bots are blocked instantly, while unknown bots are identified and mitigated within five seconds on average. This is critical, as new bots are constantly developed to bypass lower-quality controls or understandings.

With the correct tools and applications, organizations can improve their security while gaining better website performance and an improved user experience for real customers, real-time defense against all bot-based malicious activities, and the power to categorize, manage, and block bots individually.