What Bad Bots Do (and How You Can Stop Them)

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots
5 Min read

Bad bots scrape data from sites without permission in order to reuse it (e.g., pricing, inventory levels) and gain a competitive edge. The truly nefarious ones undertake criminal activities, such as fraud and outright theft.

The Open Web Application Security Project (OWASP) provides a list of the different bad bot types in its Automated Threat Handbook.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

Bad bots are evolving and are more sophisticated than ever. Increasingly they’re mimicking real human workflows across web applications to “behave” like real users. Bots are obfuscating their activity by reverse engineering detection systems. Advanced attackers now show definitive behavior that they know about the technology they’re trying to defeat, and they’re continuously learning how to adapt their tactics.

For example, there are more occurrences of globally distributed botnet attacks, using tactics like single request attacks, user agent rotation, random mouse movements, and page scrolling, to name a few.

In this article we take a look at what bad bots do when they target your website, how their actions hurt your website, and how you can stop them.

what bad bots do

Bad Bot problem #1 – Price scraping

How it hurts the business 

  • Competitors scrape your prices to beat you in the marketplace .
  • You lose business because your competitor wins the SEO search on price .
  • Lifetime value of customers worsens .

Signs you have a problem – Declining conversion rates . Your SEO rankings drop and you experience unexplained website slowdowns and downtime, usually caused by aggressive scrapers.

Industries targeted – All businesses that show prices.

  • Ecommerce
  • Gambing
  • Airlines
  • Travel

Bad Bot problem #2 – Content scraping

How it hurts the business – Proprietary content is a part of your business . When others steal your content they are a parasite on your efforts . Duplicate content also damages your SEO rankings .

Signs you have a problem – Your content appears on other sites . Unexplained website slowdowns and downtime, usually caused by aggressive scrapers, similar to price scraping scenario.

Industries targeted – Similar to price scraping, but in addition:

  • Job boards
  • Classifieds
  • Marketplaces
  • Digital Publishing
  • Real Estate

Bad Bot problem #3 – Account Takeover

(a.k.a. credential stuffing, credential cracking)

How it hurts the business – Stolen credentials are tested on your site . If successful, the ramifications are account lockouts, financial fraud, and increased customer complaints affecting customer loyalty and future revenue.

Signs you have a problem – Increase in failed logins . Increase in customer account lockouts and customer service tickets . Increase in fraud (lost loyalty points, stolen credit cards, unauthorized purchases). Increase in charge backs.

Industries targeted – Any business with a login page requiring username and password.

Bad Bot problem #4 – Account Creation

How it hurts the business – Free accounts used to spam messages or amplify propaganda. Bat bots will exploit any new account promotion credits (money, points, free plays) .

Signs you have a problem – Abnormal increases in new account creation and increased comment spam. Also look for drop in conversion rates of new accounts to paying customer.

Industries targeted – Messaging platforms

  • Social media
  • Dating sites
  • Communities

Promotion Abuse

  • Gambling
what bad bots do

Image Source

Bad Bot problem #5 – Credit Card Fraud

(a.k.a. carding, card cracking, cashing out)

How it hurts the business – This attacks refers to criminals testing credit card numbers to identify missing data (exp. date, CVV). It damages the fraud score of the business and increases service costs by processing chargebacks.

Signs you have a problem – Rise in credit card fraud. Increase in customer support calls and an increase in chargebacks processed.

Industries targeted – any site with a payment processor.

Bad Bot problem #6 – Denial of service

How it hurts the business – Slows the website performance causing slowdowns or downtime. This leads to lost revenue from unavailability of website and damages business’ reputation in the eyes of customers.

Signs you have a problem – Abnormal, and unexplained spikes in traffic on particular resources (login, signup, product pages, etc) . Increase in customer service complaints .

Industries targeted – all industries.

Bad Bot problem #7 – Gift Card Balance Checking

How it hurts the business – Bad bots steal money from gift card accounts that contain a balance.This leads to poor customer reputation
and loss of future sales.

Signs you have a problem – Spike in requests to gift card balance. Increase in customer service calls about lost balances.

Industries targeted – ecommerce.

Bad Bot problem #8 -Denial of Inventory

How it hurts the business – Bots hold items in shopping carts, preventing access by valid customers. This results in damaged customer reputation because unscrupulous middlemen hold all inventory until resold elsewhere.

Signs you have a problem – Increase in abandoned items held in shopping carts. Decrease in conversion rates. Increase in customer service calls about lack of availability of inventory.

Industries targeted – Scarce or time sensitive items.

  • Airlines
  • Tickets

How to stop Bad Bots

Protecting your business from Bad Bots is an ongoing, complex task. Since every industry is different, and Bad Bots carry out various types attacks, as we’ve shown above, there is no one-size-fits-all solution.

There are some steps you can take to protect yourself from bad bots:

Understand your vulnerabilities – Businesses must continually evaluate and evolve their security measures to stay ahead of hackers. It’s crucial to understand the nature of the threat and have a clear plan of action to patch and protect their vulnerabilities online.

Detect, categorize, and control – Detecting bot traffic is the first step. Once bot traffic has been identified, the next step is to categorize the type of traffic. If it’s known bot traffic – like that of search engine bots – it should be allowed to pass. But known malicious bots, or bots of unknown intent, shouldn’t be allowed to pass. Finally, the malicious bot traffic must be controlled.

Evaluate a Bot Mitigation Solution – The bot problem is an arms race. Bad actors are working hard every day to attack websites across the globe. The tools used constantly evolve, traffic patterns and sources shift, and advanced bots can even mimic human behavior. Hackers using bots to target your site are distributed around the world, and their incentives are high. In early bot attack days you could protect your site with a few tweaks; but those days are long gone. Today it’s almost impossible to keep up with all of the threats on your own.


As you can see from this post,  Bad Bots are an increasing threat to enterprises worldwide. They’re often difficult to detect, and the damage they do can cripple a business. Companies need to stay on top of these trends to adequately protect themselves and their users’ data from malicious attacks.

Click here to access our Bad Bot Report 2019 and learn more about bad bots landscape in 2019, and how to protect yourself from malicious bots. If you suspect bad bot abuses you should always turn to experts like GlobalDots to quickly turn the tables.

Latest Articles

Announcing New Anti-Fraud Tool to Detect, Categorize and Bust Fraudulent Activity

Online fraud is destroying customer trust and corroding revenue. Data from the Federal Trade Commission show the full extent of today’s problem: fraud losses in the US rose to $5.9 billion in 2021, an increase of 436% from 2017. Further research conducted by PWC shows that it’s not just individuals being duped by these global […]

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots
30th March, 2023
The New Ways Cyber Criminals are Attacking Travel Companies

Cyber breaches seem to make headlines every day, with Uber, InterContinental Hotels Group and Marriott International among the major travel brands to have recently fallen victim to attackers. Whether it’s a multinational corporation or a small startup, no travel company is immune to the threat of cybercriminals and fraudsters. Travel and leisure is one of […]

Nesh (Steven Puddephatt) Senior Solutions Engineer @ GlobalDots
19th October, 2022
The Horrendous Impact of DDoS Attacks on Enterprise Organizations

Distributed Denial of Service (DDoS) is usually performed by bombarding the targeted computer or resource with unnecessary requests to overload systems and prevent some or all legitimate requests from being completed. However, there is some good news: you can definitely mitigate the risk. Learn more here: How One AI-Driven Media Platform Cut EBS Costs for […]

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots
14th June, 2022
How to Defeat Bad Bots in 2022 (and Why It’s Still So Hard)

Introduction  Bots today outnumber human users in eCommerce sites: From 15% in 2017, to 30% in 2019, to 64% in 2021. Some extreme cases we’ve witnessed peaked in 90-99.8% bot traffic. But perhaps the more concerning bit is the traffic share of bad bots: an approximate 39% of all internet traffic in 2021.   Hackers are […]

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots
9th January, 2022

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

Unlock Your Cloud Potential