What Bad Bots Do (and How You Can Stop Them)

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots

10th May, 2019 5 Min read

Bad bots scrape data from sites without permission in order to reuse it (e.g., pricing, inventory levels) and gain a competitive edge. The truly nefarious ones undertake criminal activities, such as fraud and outright theft.

The Open Web Application Security Project (OWASP) provides a list of the different bad bot types in its Automated Threat Handbook.

Reduce your AWS costs by over 50%

Discover your Cloud Saving Potential – Answer just 5 simple questions. AppsFlyer, Playtika, Lufthansa, IBM, top leading companies are already using our FinOps services.

Bad bots are evolving and are more sophisticated than ever. Increasingly they’re mimicking real human workflows across web applications to “behave” like real users. Bots are obfuscating their activity by reverse engineering detection systems. Advanced attackers now show definitive behavior that they know about the technology they’re trying to defeat, and they’re continuously learning how to adapt their tactics.

For example, there are more occurrences of globally distributed botnet attacks, using tactics like single request attacks, user agent rotation, random mouse movements, and page scrolling, to name a few.

In this article we take a look at what bad bots do when they target your website, how their actions hurt your website, and how you can stop them.

Bad Bot problem #1 – Price scraping

How it hurts the business 

• Competitors scrape your prices to beat you in the marketplace .
• You lose business because your competitor wins the SEO search on price .
• Lifetime value of customers worsens .

Signs you have a problem – Declining conversion rates . Your SEO rankings drop and you experience unexplained website slowdowns and downtime, usually caused by aggressive scrapers.

Industries targeted – All businesses that show prices.

• Ecommerce
• Gambing
• Airlines
• Travel

Bad Bot problem #2 – Content scraping

How it hurts the business – Proprietary content is a part of your business . When others steal your content they are a parasite on your efforts . Duplicate content also damages your SEO rankings .

Signs you have a problem – Your content appears on other sites . Unexplained website slowdowns and downtime, usually caused by aggressive scrapers, similar to price scraping scenario.

Industries targeted – Similar to price scraping, but in addition:

• Job boards
• Classifieds
• Marketplaces
• Digital Publishing
• Real Estate

Bad Bot problem #3 – Account Takeover

(a.k.a. credential stuffing, credential cracking)

How it hurts the business – Stolen credentials are tested on your site . If successful, the ramifications are account lockouts, financial fraud, and increased customer complaints affecting customer loyalty and future revenue.

Signs you have a problem – Increase in failed logins . Increase in customer account lockouts and customer service tickets . Increase in fraud (lost loyalty points, stolen credit cards, unauthorized purchases). Increase in charge backs.

Industries targeted – Any business with a login page requiring username and password.

Bad Bot problem #4 – Account Creation

How it hurts the business – Free accounts used to spam messages or amplify propaganda. Bat bots will exploit any new account promotion credits (money, points, free plays) .

Signs you have a problem – Abnormal increases in new account creation and increased comment spam. Also look for drop in conversion rates of new accounts to paying customer.

Industries targeted – Messaging platforms

• Social media
• Dating sites
• Communities

Promotion Abuse

• Gambling

Image Source

Bad Bot problem #5 – Credit Card Fraud

(a.k.a. carding, card cracking, cashing out)

How it hurts the business – This attacks refers to criminals testing credit card numbers to identify missing data (exp. date, CVV). It damages the fraud score of the business and increases service costs by processing chargebacks.

Signs you have a problem – Rise in credit card fraud. Increase in customer support calls and an increase in chargebacks processed.

Industries targeted – any site with a payment processor.

Bad Bot problem #6 – Denial of service

How it hurts the business – Slows the website performance causing slowdowns or downtime. This leads to lost revenue from unavailability of website and damages business’ reputation in the eyes of customers.

Signs you have a problem – Abnormal, and unexplained spikes in traffic on particular resources (login, signup, product pages, etc) . Increase in customer service complaints .

Industries targeted – all industries.

Bad Bot problem #7 – Gift Card Balance Checking

How it hurts the business – Bad bots steal money from gift card accounts that contain a balance.This leads to poor customer reputation
and loss of future sales.

Signs you have a problem – Spike in requests to gift card balance. Increase in customer service calls about lost balances.

Industries targeted – ecommerce.

Bad Bot problem #8 -Denial of Inventory

How it hurts the business – Bots hold items in shopping carts, preventing access by valid customers. This results in damaged customer reputation because unscrupulous middlemen hold all inventory until resold elsewhere.

Signs you have a problem – Increase in abandoned items held in shopping carts. Decrease in conversion rates. Increase in customer service calls about lack of availability of inventory.

Industries targeted – Scarce or time sensitive items.

• Airlines
• Tickets

How to stop Bad Bots

Protecting your business from Bad Bots is an ongoing, complex task. Since every industry is different, and Bad Bots carry out various types attacks, as we’ve shown above, there is no one-size-fits-all solution.

There are some steps you can take to protect yourself from bad bots:

Understand your vulnerabilities – Businesses must continually evaluate and evolve their security measures to stay ahead of hackers. It’s crucial to understand the nature of the threat and have a clear plan of action to patch and protect their vulnerabilities online.

Detect, categorize, and control – Detecting bot traffic is the first step. Once bot traffic has been identified, the next step is to categorize the type of traffic. If it’s known bot traffic – like that of search engine bots – it should be allowed to pass. But known malicious bots, or bots of unknown intent, shouldn’t be allowed to pass. Finally, the malicious bot traffic must be controlled.

Evaluate a Bot Mitigation Solution – The bot problem is an arms race. Bad actors are working hard every day to attack websites across the globe. The tools used constantly evolve, traffic patterns and sources shift, and advanced bots can even mimic human behavior. Hackers using bots to target your site are distributed around the world, and their incentives are high. In early bot attack days you could protect your site with a few tweaks; but those days are long gone. Today it’s almost impossible to keep up with all of the threats on your own.

Conclusion

As you can see from this post,  Bad Bots are an increasing threat to enterprises worldwide. They’re often difficult to detect, and the damage they do can cripple a business. Companies need to stay on top of these trends to adequately protect themselves and their users’ data from malicious attacks.

Click here to access our Bad Bot Report 2019 and learn more about bad bots landscape in 2019, and how to protect yourself from malicious bots. If you suspect bad bot abuses you should always turn to experts like GlobalDots to quickly turn the tables.