According to the 2022 Imperva Bad Bot Report, 27.7% of online traffic came from bad bots. For retail websites, it’s 23.6%. Bots routinely target retail sites with scalping and denial of inventory attacks, as well as fraud, gift card fraud, and account takeovers. The problem that many organizations are facing today is how to distinguish bad bot traffic from good bot or human traffic when bad bots have become sophisticated enough to blend right in. In fact, according to the Imperva report, 70.3% of bots attacking the travel industry and 31.7% of bots attacking the retail industry were categorized as advanced bad bots. These are the two highest across all industries surveyed, indicating significant need within our sector for bot defenses that can combat advanced techniques.
What are Bad Bots?
Bad bots are defined as software applications that run automated tasks with malicious intent, which can range from fraud to DDoS attacks to scalping activities. This is in contrast to good bots, such as the bot that Google uses to index search results. Apps need to be able to differentiate between good bots and bad ones to benefit from bot services without putting their site at risk.
Types of Bot Attacks
Account Takeover (ATO)
Account takeover is when a threat actor attempts to gain access to a user’s account for malicious purposes. This is generally done through brute force login techniques, such as credential stuffing or dictionary attacks, which are tedious for a human but easy to conduct at scale with bots.
Gift Card Fraud
Similar to credential stuffing, bots are able to try combinations of digits, the length of a company’s gift card number, until they hit a viable gift card with a balance that they can use. These attacks are known as gift card cracking.
Scalping
Let’s say you’re a retail company dropping a hot new product. There is money to be made for criminals who are able to buy mass quantities of these in-demand items and resell them at a higher price when you, the retailer, run out of inventory. These bots are commonly known around the holidays as grinch bots but can also be named for the item they’re targeting, such as sneakerbots. These attacks are detrimental to your brand’s reputation, but they are not currently illegal. Attempts to legislate the practice have been stalled by opposition from third-party selling platforms that may become liable for the source of their goods.
Denial of Service Attacks
Denial of service attacks flood your website with traffic causing website load time delays or a complete crash of the site. These attacks are bad for your brand and also result in loss of business as people are unable to reach your site.
Web Scraping
Bots can also be used to gain information about your business, such as prices, inventory data, and reviews, that can be valuable to competitors.
Detecting Bad Bots
As previously mentioned, bots are becoming harder to block because they mimic human behavior. Ideally, you want to be able to block bots before they are able to get through and cause damage. But there are signs that you can look for that indicate that malicious bot traffic is getting through, which indicate a need to invest in better bot defenses.
- Session Analytics: Monitor your website’s session analytics, such as bounce rate and traffic source. Bots will often be listed as direct traffic without a legitimate referral source such as Google or your advertising.
- Failed Login Attempts: Attackers that are using brute force methods to attempt an ATO attack will cause an uptick in failed login attempts as they try combinations that don’t work.
- Increase in Account Creation: Bots are also often used to create fake accounts, which are used for fraudulent transactions. A significant uptick in account creation may be a sign of bot traffic.
- Depletion of Inventory: Look for indications that attackers are using bots to quickly scoop up newly released merchandise or they are conducting denial of inventory attacks by keeping items in carts to prevent legitimate purchases.
- Gift card validation failures: Like failed login attempts, this is a sign that attackers are trying to brute force gift card redemption.
Blocking Bad Bots
For years the solution to combating bots was simply to use CAPTCHA, the succinct name for the Completely Automated Public Turing Test To Tell Computers and Humans Apart, which was first invented in 1997. The fact that it has been around for 25 years should be your first indication that this technology is no longer the gold standard it once was. Today’s bots have advanced to the point where they can use artificial intelligence to solve these puzzles correctly, and the puzzles can’t be made any harder without a negative impact on the user experience which prompts increased abandonment rates.
So how do you mitigate the impact of today’s bots?
Blocking Known Signatures
Web application firewalls (WAFs) are not your best bet for stopping advanced bots. WAFs’ bot defenses are based on the ability to block known malicious traffic, which today’s sophisticated bots can fool through IP address rotation. However, according to Imperva’s Bad Bot Report, 39.2% of bots attacking the retail industry are still simple bots, so blocking suspicious IPs, inconsistent OS/browser claims, and linear mouse movements can eliminate some low-hanging fruit. Other traditional tactics such as enabling MFA, monitoring traffic and login attempt volume, and blocking anonymous proxy servers can also all still be used as the first line of defense.
Use a Bot Mitigation Platform
If you’re experiencing a significant volume of sophisticated bot attacks, it may be worth investing in a dedicated bot mitigation solution. These technologies are specifically designed to stop advanced bots by using machine learning and automation to combat the bots’ machine learning and automation. In the past, bot detection would look for signs like mouse movement to identify a bot. Now bots can mimic human mouse movements, so bot mitigation solutions instead have to inspect traffic for the presence of the technologies, such as headless browsers and automation frameworks, that bots use to evade detection.
Many bot mitigation platforms collect this information by injecting Javascript into the browser. The goal is to move detection to the client-side before a session is generated, so you’re taking a proactive approach and not waiting to build a profile after the bot is already on your site. This Javascript method has been criticized because of the potential for attackers to reverse engineer it and send back fake data, which has the negative result of both letting in bad bots and messing up your pattern of behavior for what a bot looks like. This is how request bots are able to obtain a human token. They reverse engineer the detection logic and send back the data that would result in granting a human token, that way they don’t need to use browser-based bots at all.
Modern bot mitigation solutions have attempted to overcome these challenges in detecting request bots with obfuscation, randomizing the structure of scripts, and dynamic detection logic, with the goal of preventing reverse engineering.
Interested in learning more about bot detection? RH-ISAC members can access archived webinars, such as The Underground Bot Supply Chain and reports, such as A Complete Guide to Protecting Your Digital Business From Bot Attacks, on Member Exchange. Not an RH-ISAC member? Learn more about how being a part of the RH-ISAC’s member community can benefit you.
