When you think about cyberattacks, you probably imagine a hooded hacker sitting in a darkened room and typing furiously on their keyboard. However, this isn’t the reality of most cyberattacks. Instead, many attacks are targeted, initiated, and conducted automatically using pre-programmed bots. These bots can perform common cyberattacks faster and at a much greater scale than human hackers — and they can be extremely hard to detect.
For these reasons, organizations all over the world are searching for ways to block bots from damaging their websites and applications.
A bot (short for ‘robot’) is a computer program designed by a human programmer to complete repetitive tasks. Common examples of bots are web crawlers — programs used by search engines to discover, analyze, and catalog web pages and content.
If you haven’t been exposed to data on bots in the past, it might surprise you to know that bots account for more than half of all Internet traffic. Bot traffic first surpassed human-generated traffic in 2016 and has only risen in the years since.
Of course, not all bots are built for legitimate purposes. For years now, bad actors have used bots to automate actions that are either illegal or contravene an online platform’s terms of service. For example:
While social media and spambots are annoying, they don’t cause significant problems for a typical organization. However, these ‘low-level’ bots aren’t the only bad bots around. Today’s hackers use bots to complete a wide range of malicious activities, many of which are extremely difficult to detect.
These bots — which target mainly websites and web applications — fall into two main categories:
Both categories of bots are highly prevalent throughout the Internet and pose a substantial threat to any organization that relies on its online infrastructure. According to Osterman Research figures, a typical organization with 1,000+ employees experiences over 3,700 bot attacks each week — that’s 530+ attacks every day.
In general, bots that identify and exploit vulnerabilities are reasonably easy to spot and block — for example, using a Web Application Firewall (WAF). On the other hand, bots that abuse business logic are much harder to detect because their activity isn’t obviously malicious.
It’s one thing to know that bad bots can abuse business logic in a website or application. But what exactly can they do?
Some of the most common bot attacks include:
Bots imitate genuine API calls to abuse API functionality. Once an API is compromised, attackers can use it to conduct large-scale API calls, either to disrupt a service (as in a Denial of Service attack) or to perform another type of attack, e.g., account takeover.
Also known as ‘inventory hoarders,’ these bots target e-commerce sites by repeatedly adding products to a shopping cart, often using multiple fake accounts. Since most e-commerce sites temporarily list a stock item as unavailable while it is in a customer’s cart, these attacks block legitimate customers from buying targeted items.
These bots are mainly used by organizations (particularly in the financial sector) to gather intelligence about competitors, most often related to pricing and investments.
ATO bots aim to compromise legitimate user accounts by ‘credential stuffing’ with stolen usernames and passwords. Since many people reuse the same credentials on multiple accounts, this tactic can be effective even if the targeted website or application has never been compromised.
These bots try to access confidential information by sending a large number of automated server requests that try to ‘guess’ the correct inputs. The most common example of this is a password guessing attack.
Noticed that many e-commerce sites no longer allow customers to check their gift card balances using an automated online form? That’s because malicious bots can abuse these forms to test a vast number of possible card numbers and make fraudulent purchases when they find a match.
Sophisticated bots are able to quickly create a large number of negative blog comments, social media posts, and entries on review sites about a specific company, causing damage to its reputation. This is often used to extort a ransom payment from targeted organizations.
Bots are routinely used to create free accounts for spam (e.g., email or social media accounts) or exploit ‘new account’ promotions on e-commerce or SaaS websites.
Millions of credit card details are sold online each year, and bots are used to test them at scale. When they find a match, compromised card details are used to purchase products and services online fraudulently.
E-commerce and SaaS websites are frequently targeted by sophisticated bots that abuse various functions and services. These bots can be used to manipulate prices and buy products or services at reduced rates, often for resale elsewhere.
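Because the attacks above abuse legitimate functionality, each request looks valid on its own; what gives them away is the pattern of requests from one source. As an added example that is not part of the original article, the following Python sketch shows a per-source behavioural check that separates credential stuffing (many accounts, one try each) from password guessing (one account, many tries) and from gift card balance enumeration. The log format, endpoint paths, sample lines and thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample log (not real traffic): "time ip endpoint user status".
SAMPLE_LOG = """\
t01 10.0.0.5 /login alice 401
t02 10.0.0.5 /login bob 401
t03 10.0.0.5 /login carol 401
t04 10.0.0.5 /login dave 200
t05 10.0.0.9 /login alice 401
t06 10.0.0.9 /login alice 401
t07 10.0.0.9 /login alice 401
t08 10.0.0.9 /login alice 401
t09 10.0.0.7 /giftcard/balance - 404
t10 10.0.0.7 /giftcard/balance - 404
t11 10.0.0.7 /giftcard/balance - 200
t12 10.0.0.7 /giftcard/balance - 404
t13 192.168.1.20 /login frank 200
"""

def parse_log(text):
    """Parse lines into events; lines that do not have five fields are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, ip, endpoint, user, status = parts
        events.append({"ip": ip, "endpoint": endpoint, "user": user, "failed": status != "200"})
    return events

def classify_sources(events, min_attempts=4, min_failure_ratio=0.6):
    """Label each source IP by the abuse its request mix suggests (illustrative thresholds)."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    labels = {}
    for ip, evs in per_ip.items():
        for endpoint in ("/login", "/giftcard/balance"):
            hits = [e for e in evs if e["endpoint"] == endpoint]
            if len(hits) < min_attempts:
                continue
            if sum(e["failed"] for e in hits) / len(hits) < min_failure_ratio:
                continue  # mostly successful traffic: a real user or a good bot
            if endpoint == "/giftcard/balance":
                labels[ip] = "gift card enumeration"  # many invalid card numbers
            elif len({e["user"] for e in hits}) == 1:
                labels[ip] = "password guessing"  # one account, many passwords
            else:
                labels[ip] = "credential stuffing"  # many accounts, one try each
    return labels
```

Real deployments would also key on session, device or account rather than IP alone, since bots rotate addresses; the point is that a rule inspecting single requests cannot see any of these three patterns.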
At first glance, there are a handful of security measures that seem like they should solve the bad bot problem once and for all. However, while these measures can be effective to some degree, they all have limitations.
For instance, some of the bot attacks described above can be prevented with on-page changes, such as secure coding practices. However, this approach has two drawbacks:
Most business websites and applications are under constant development, and issues are only picked up after they go live. Bots are a constant threat, so any website or application issues are likely to be quickly found and exploited.
Similarly, Web Application Firewalls (WAFs) help protect against bots that directly attack a website or application, for example, vulnerability scanning and attack bots. Unfortunately, many available WAF solutions are ineffective against bots that abuse legitimate business logic. As you’ll see from the list above, this accounts for a large proportion of bad bots.
Instead, modern organizations need a way to determine the nature of every bot that visits their websites and applications and to distinguish in real time between good and bad bots.
Link11’s advanced bot mitigation service uses proprietary AI and Machine Learning algorithms to distinguish between good and bad bots in real time — with zero human intervention — and block bots only if they pose a threat.
Bots that are known to be malicious are blocked instantly, while new, unknown bots are identified and mitigated in under 10 seconds on average. This is essential for full protection, as new bots are under continual development to bypass lower-quality controls.
As a result, your organization gets: