What Are Bad Bots?
The 2021 report from Imperva released interesting figures on how far bad bots have advanced their attacks on individuals and organizations. Stats show APBs (Advanced Persistent Bots) are responsible for 57.1% of bad bot traffic.
These bots are harder to track and detect; they include both sophisticated and moderately sophisticated bad bots. In their attacks last year, they targeted these 5 industries:
- Telecoms and ISPs—45.7%
- Computing and IT—41.4%
- Business Services—29.7%
Bad bots are now focusing their attention on mobile. Bad bots launched from mobile ISPs reached 15.1%, with 10.8% coming from Amazon ISPs and 28.1% from mobile user agents such as Chrome and Safari.
These stats show bad bots are damaging every industry they attack. Before we discuss the effects of bad bots in recent years any further: what exactly are bad bots?
What is a Bad Bot?
Bad bots are automated programs running malicious attacks on websites, web apps, mobile apps, and databases. They perform a range of attacks from typical fraud to a complete system crash of websites and apps.
In a Help Net Security report, it was found that 64% of internet traffic is bot-automated with bad bots controlling 39% while good bots control the other 25%.
Much of this traffic from bots isn’t exactly “traffic” but rather attacks. According to the report, bots have advanced in recent years, making them difficult to detect and prevent. A handful of these attacks were seen on commercial websites and on websites that hold database credentials, i.e., those requiring a user login to grant access.
Help Net noticed that most bad bot traffic comes from 6 locations:
- North America— 67%
- South America—0.8%
The number of bad bots isn’t decreasing any time soon; each year brings higher numbers than the last. On a larger scale, bad bots go as far as damaging a company’s reputation and sales, or bringing the company down completely.
According to Kasada’s report from “2021 State of Bot Mitigation,” 83% of companies surveyed say they’ve experienced at least one bot attack within the past year.
In the same report, 77% say they lost 6% of their revenue due to a bad bot attack, and 39% lost 10% or more.
A quarter of all surveyed respondents say a single attack costs their organization $500,000 or more.
To mitigate bad bot attacks, 77% of these companies say they spent $250,000 or more in the past year alone, while 27% spent at least $1 million.
Across these incidents, research shows five common types of bad bot attack.
5 Common Bad Bot Attacks
1. Ad fraud
Bad bots cost publishers and advertisers an average of $100 million every year.
The bad bots committing this type of attack share a standard operating model: repeatedly clicking ads. These fraudulent clicks produce fake impressions and engagement, high bounce rates, and low or no CTRs, all of which drain advertisers' budgets.
2. DDoS Attacks
A DDoS (Distributed Denial of Service) attack is a malicious attempt to disrupt a site's regular traffic by flooding it with fake traffic: a very large number of requests in a short period of time. For example, a typical DDoS attack can instruct its botnet to reload the homepage of a website 100,000 times in 10 seconds. Once this happens, the server is overloaded with requests and can’t process requests from real users. Eventually, the server crashes and the website goes down, costing the business money.
Some of the common ways to identify DDoS attacks are:
- Spike at odd hours repeatedly in the same pattern
- A sudden surge in traffic on a single page
- Massive traffic from a single IP address, geolocation, browser, or device
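The three indicators above can be checked directly against web-server access logs. The following is an added example, not code from Edgemesh or from the Imperva report: it parses Common Log Format lines, buckets requests into fixed windows, and flags a window for a request spike against the earlier baseline, for one IP sending most of the requests, or for one page receiving most of them. The log lines, window size and thresholds are constructed for the example.

```python
"""Added example: checking access logs for the three DDoS indicators listed
above (a traffic spike, a surge on one page, a flood from a single IP).
Log lines, thresholds and window size are constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'ts', 'path'} for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "path": m["path"]}


def format_line(ip, ts, path):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def make_sample_log():
    """Constructed traffic: 60 s of 30 clients each fetching one page per second
    across four pages, then a 10 s burst of 300 requests/s for '/' from one address."""
    base = datetime(2022, 3, 10, 3, 0, 0, tzinfo=timezone.utc)
    pages = ["/", "/products", "/about", "/cart"]
    lines = []
    for sec in range(60):
        for client in range(30):
            path = pages[(sec + client) % len(pages)]
            lines.append(format_line(f"198.51.100.{client + 1}", base + timedelta(seconds=sec), path))
    for sec in range(60, 70):
        for _ in range(300):
            lines.append(format_line("203.0.113.5", base + timedelta(seconds=sec), "/"))
    return lines


def detect_ddos_indicators(lines, window=10, spike_factor=5.0, ip_share=0.5, path_share=0.8):
    """Bucket requests into fixed windows and flag each window that shows an
    indicator. Returns a list of (window_start, indicator, detail) tuples.
    The spike baseline is the mean count of earlier windows that were not
    themselves flagged as spikes, so an attack does not inflate its own baseline."""
    events = [e for e in map(parse_line, lines) if e]
    if not events:
        return []
    start = min(e["ts"] for e in events)
    buckets = defaultdict(list)
    for e in events:
        buckets[int((e["ts"] - start).total_seconds()) // window].append(e)

    findings, baseline_counts = [], []
    for idx in sorted(buckets):
        evs = buckets[idx]
        n = len(evs)
        win_start = start + timedelta(seconds=idx * window)
        spiked = False
        if baseline_counts:
            baseline = sum(baseline_counts) / len(baseline_counts)
            if n > spike_factor * baseline:
                spiked = True
                findings.append((win_start, "spike", f"{n} requests vs baseline {baseline:.0f}"))
        top_ip, ip_n = Counter(e["ip"] for e in evs).most_common(1)[0]
        if ip_n / n >= ip_share:
            findings.append((win_start, "single_ip", f"{top_ip} sent {ip_n} of {n} requests"))
        top_path, path_n = Counter(e["path"] for e in evs).most_common(1)[0]
        if path_n / n >= path_share:
            findings.append((win_start, "single_path", f"{top_path} received {path_n} of {n} requests"))
        if not spiked:
            baseline_counts.append(n)
    return findings


if __name__ == "__main__":
    for when, indicator, detail in detect_ddos_indicators(make_sample_log()):
        print(when.isoformat(), indicator, detail)
```

On the constructed log, the six quiet windows produce no findings and the burst window is flagged on all three indicators. A real deployment would key the same counters by geolocation, user agent and device as well, and would tune the thresholds against its own traffic history rather than the constants used here.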
3. Web Scraping and Harvesting
While some services have the legal right to collect and scrape your data, others don’t, and bad bots are the illegal kind of web scraper. This type of attack is common in e-commerce, especially among competitors in the same niche.
Example: Competitor A uses a web scraping bot to scrape and harvest all of the product and price information from Competitor B. With this information, Competitor A can choose to undercut Competitor B's prices. Doing so creates an imbalance in the market and can cost the undercut business a sizeable share of its revenue through lost customers.
4. Credit Card Fraud
Bad bots steal users' credit card information and try to “guess” key data such as the CVV and the last 4 digits in order to crack the card and use it for online transactions. More broadly, attackers use these bots in various phishing scams in an attempt to steal credit card details from unsuspecting account owners.
5. Credential Stuffing
Credential stuffing is a form of cyberattack that attempts to gain access to a “credential-based” platform by trying large numbers of login combinations.
According to CPO Magazine, the storage of plaintext passwords was responsible for most credential spills, at 42.6%. Unsalted SHA-1 passwords followed at about 20%, bcrypt at 16.7%, salted SHA-2 at 0.8%, and MD5 at 0.4%. Surprisingly, MD5, which is known to be a weak algorithm, was still in common use but responsible for fewer spills.
Organizations were also slow to detect intrusions, with an average time to discover a credential spill of 327 days. The median time was 120 days, while the longest period was six and a half years (2,335 days).
A handful of credential stuffing attacks stem from a major breach of the responsible party's network or database.
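The storage figures above are worth seeing in code. The following is an added example, not code from Edgemesh or from CPO Magazine: it contrasts the unsalted SHA-1 scheme with a salted, iterated hash and shows what a leaked table reveals under each. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it here; the user records are constructed for the example.

```python
"""Added example: why the password storage choices cited above matter for a
credential spill. Unsalted SHA-1 lets anyone holding the leaked table see
which accounts share a password; a salted, iterated hash does not. bcrypt is
not in the standard library, so PBKDF2-HMAC-SHA256 is used in its place.
The user records are constructed for this example."""
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample: three of the four users reuse the same password.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "hunter2"),
    ("carol", "hunter2"),
    ("dave", "hunter2"),
]


def hash_unsalted_sha1(password):
    """The weak scheme: identical passwords give identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_salted_pbkdf2(password, salt=None, iterations=100_000):
    """Salted, iterated hash stored as 'pbkdf2_sha256$iterations$salt$digest'.
    A fresh random salt per user makes equal passwords hash differently."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def users_with_shared_hash(records):
    """Number of accounts whose stored hash equals at least one other account's.
    For an unsalted table this equals the number of accounts reusing a password;
    for a salted table it is zero, so a leaked table reveals no reuse."""
    counts = Counter(stored for _, stored in records)
    return sum(n for n in counts.values() if n > 1)


def build_tables(users=SAMPLE_USERS):
    """Return the same users stored under both schemes."""
    unsalted = [(user, hash_unsalted_sha1(pw)) for user, pw in users]
    salted = [(user, hash_salted_pbkdf2(pw)) for user, pw in users]
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("accounts with a shared hash, unsalted SHA-1:", users_with_shared_hash(unsalted))
    print("accounts with a shared hash, salted PBKDF2:", users_with_shared_hash(salted))
```

The unsalted table exposes the three accounts that share a password even before anyone attempts a guess; the salted table exposes nothing, and each verification costs the configured iteration count, which is the property that slows down guessing against a spilled table.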
What Are the Types of Bad Bots?
There are several types of bad bots used to commit ad fraud and other malicious cyberattacks. Here are 5 of the most common ones.
Scraper bots, also known as “miner bots,” unlawfully scrape or mine information about unsuspecting individuals and/or organizations and resell it to interested parties. These bots attack the victim's database and immediately gain access to private information. This can happen through mobile apps, plugins, extensions, website cookies, etc.
A considerable part of the data obtained by the scraper bots is used to commit several cybercrimes, such as ad fraud and identity theft.
Spy bots, often called “monitoring bots,” monitor users' activities for malicious purposes. Spy bots frequently work together with scraper bots to identify critical information in a database before it is attacked. They operate by accessing users’ cookies, webcams, and keyloggers.
Click bots are programmed specifically to generate large numbers of clicks and impressions, known as click fraud. These bots visit one or more websites and click the desired link as often as the fraudster wants. They are the easiest to detect and prevent thanks to their distinctive behavior and navigation pattern on websites.
Download bots carry out large numbers of mobile app or software downloads to manipulate download statistics. Mobile marketplaces such as the Google Play Store and the Apple App Store are often on the receiving end of fake downloads.
DataVisor's report “The Underworld of App Install Advertising” uncovered some interesting stats:
- 5.3% of app installs from non-premium ad networks are fraudulent, costing mobile marketers up to $300 million in ad spend every year
- Over time, fraud rates can fluctuate by more than 50% within an ad network
- 29% of fraudulent installs have day 2 retention events, 18% have day 7 retention events
- UA Fraud has 3X higher use of cloud services compared to social or financial fraud
- Android devices are used for fraud 5x more often than iOS devices
- Installs from devices released before 2015 are 2.5x more likely to be fraudulent
Imposter bots, also known as “impersonator bots,” are fraudulent bots that mimic the behavior of real users to bypass online security verification. Think click bots, but worse. These bots mask their identity and shift their pattern from that of a bot to that of a human, making them difficult to discover. According to data from Imperva, imposter bots are responsible for 24.3% of overall web traffic.
The same data shows imposter bots have been the worst category for 5 years in a row, accounting for up to 84% of all bad bot attacks.
How To Prevent Bad Bots
1. Detect Behavioral Patterns
However much bad bots have evolved over the past 10 years, one thing remains: they share the same behavioral patterns. Run an analysis on your website or app and check user interactions such as:
- Mouse clicks
- Screen scrolls
- Scrolling frequency and visual behavior
- User pattern
- Requests made
- Traffic source
Your goal here is to understand how real users interact with the platform. A recommended way to do this is to integrate a machine-learning system. Once you have your data, configure your system to log out or terminate any “unidentified or unknown” session that lacks the approved properties.
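The signals listed above can be turned into a per-session score. The following is an added example, not Edgemesh's model or code: it derives features from a session's event stream (request rate, pointer and scroll events per request, regularity of the inter-request gap, clicks that no pointer movement preceded, and whether the traffic source is recognised), sums constructed weights into a score, and classifies the session so that the system can terminate it. The two sessions, the weights and the threshold are all constructed for the example.

```python
"""Added example: a behavioral scorer for the interaction signals listed
above (mouse clicks, scrolls, scroll frequency, request pattern, traffic
source). Sessions, features, weights and threshold are constructed for this
example; they are not Edgemesh's model."""
from statistics import mean, pstdev

# Each event is (seconds_since_session_start, kind[, path]).
# Constructed human-like session: pointer activity precedes every click and
# page requests arrive at irregular intervals.
HUMAN_SESSION = [
    (0.0, "request", "/"), (0.3, "mousemove"), (1.1, "mousemove"), (1.8, "scroll"),
    (2.7, "scroll"), (3.4, "mousemove"), (4.6, "mousemove"), (5.0, "click", "/products"),
    (5.0, "request", "/products"), (6.2, "scroll"), (8.0, "scroll"), (9.5, "mousemove"),
    (13.9, "mousemove"), (14.2, "click", "/cart"), (14.2, "request", "/cart"),
    (17.0, "scroll"), (22.5, "mousemove"), (22.9, "click", "/checkout"),
    (22.9, "request", "/checkout"), (24.0, "scroll"),
]
# Constructed bot-like session: twenty page fetches at an exact 250 ms cadence
# with no pointer or scroll activity at all.
BOT_SESSION = [(i * 0.25, "request", f"/product/{i}") for i in range(20)]


def session_features(events):
    """Derive the behavioral features the text recommends checking."""
    events = sorted(events, key=lambda e: e[0])
    requests = [e[0] for e in events if e[1] == "request"]
    pointer = [e[0] for e in events if e[1] in ("mousemove", "scroll")]
    clicks = [e[0] for e in events if e[1] == "click"]
    duration = max(1e-9, events[-1][0] - events[0][0]) if events else 1e-9
    gaps = [b - a for a, b in zip(requests, requests[1:])]
    # Coefficient of variation of the inter-request gap: near zero means a
    # metronomic fetch loop, which human browsing does not produce.
    gap_cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
    # A click with no pointer movement in the two seconds before it is "blind".
    blind = sum(1 for c in clicks if not any(c - 2.0 <= p <= c for p in pointer))
    return {
        "requests_per_second": len(requests) / duration,
        "pointer_events_per_request": len(pointer) / max(1, len(requests)),
        "gap_cv": gap_cv,
        "blind_click_ratio": blind / len(clicks) if clicks else 0.0,
    }


def bot_score(features, referer_known=True):
    """Weighted sum of indicators in [0, 1]; the weights are constructed, not tuned."""
    score = 0.0
    if features["requests_per_second"] > 2.0:
        score += 0.3
    if features["pointer_events_per_request"] < 0.5:
        score += 0.3
    if features["gap_cv"] is not None and features["gap_cv"] < 0.1:
        score += 0.2
    if features["blind_click_ratio"] > 0.5:
        score += 0.2
    if not referer_known:  # traffic-source check: no recognised origin
        score += 0.1
    return min(1.0, score)


def classify_session(events, referer_known=True, threshold=0.5):
    """Return 'bot' for sessions the text says the system should terminate."""
    return "bot" if bot_score(session_features(events), referer_known) >= threshold else "human"


if __name__ == "__main__":
    for name, events, known in (("human", HUMAN_SESSION, True), ("bot", BOT_SESSION, False)):
        print(name, session_features(events), classify_session(events, known))
```

The constructed human session scores 0.0 and the constructed bot session 0.9. In a real deployment the hand-picked weights would be replaced by a model trained on labelled sessions, which is the machine-learning step the text recommends; the feature extraction is what that model consumes.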
2. User Security Verification
In some instances, publishers like Google and Apple don’t allow creators to access their user data, to avoid breaches or misuse of data. In such cases, creators can only protect users by providing additional security measures. Biometric security verification on mobile phones is one of the most effective. With a user's biometric ID stored in the system, the user only has to scan a fingerprint or face to gain access.
3. Using Edgemesh For Bad Bot Prevention
Manually preventing bad bot intrusions and attacks on websites and apps limits how much of this activity a team can detect. A recent report from Imperva surveyed 100,000 domains; of these, 94.2% suffered at least one bot attack within a 90-day period.
The best way to stay ahead in bad bot prevention and detection is with a fraud detection vendor, and that’s what Edgemesh does. We recently released a new ad fraud feature that allows you to detect, prevent, and eliminate bot attacks on your website within minutes. This feature uses behavioral analysis and machine learning to track all incoming traffic to your website, including clicks, traffic sources, backend lookups, IP monitoring, and more.