With many countries experiencing huge levels of increased traffic due to the lockdown protocols put in place, the focus for many companies managing this increase in demand is on continuing to deliver great experiences for the end-user.
However, dig beneath the surface and all may not be as it seems. There’s no doubt more people are consistently online more than ever, but 40% or more of a websites’ activity could be coming from something billions of people will be completely unaware of: the bot.
Bots help enable the internet to be a powerful and valuable tool but, like most technologies out there, while they were built with good intentions, such as website crawling for search engines, they can present a threat when created by hackers to exploit networks. As the internet expands, and bots become more essential to maintaining it, a key challenge facing businesses is telling bots from humans, let alone distinguishing “good” bots from “bad” bots.
Distinguishing humans from bots
Bot activities are seriously difficult to distinguish from innocent visitors on a network level, with bad actors having developed powerful disguising techniques to target websites by essentially masquerading as humans. Hackers will use public cloud infrastructure or malware-infected computers to launch their attacks, making it an uphill struggle for companies to locate these bad actors and stop breaches.
It’s at the edge of the network where users on the internet first make contact with a company, and this is exactly where bots engage too. Therefore, it is vital that companies have clear sight of their edge to understand the threats they face.
Empowered with this visibility, businesses can begin to understand the complex techniques, tactics, and strategies “bot herders” deploy and learn how the threat is changing.
The stuff(ing) of nightmares
Bad bots are evolving constantly - and at rapid speed, too - which is why it’s vital for businesses to understand the attacks they could be facing imminently. Over the last two years, credential stuffing has emerged as a major attack pattern through bot technology.
Credential stuffing attacks take usernames and passwords captured (or purchased) by hackers from past data breaches and feeds them to a network of bots. These bots will then try and use these credentials to log into accounts across various sites, ranging from online shops to banking, and everything in between.
As people tend to use the same passwords across multiple sites, most of these automated login attempts – and we’re talking hundreds of millions – will be unsuccessful; but it only takes one to land to cause massive damage.
In addition, it’s crucial to remember that even one per cent – a fairly average success rate for this attack - of this huge volume equates to tens of thousands of successful hacks, so it’s a significant threat which can affect companies in a number of ways.
Firstly, customers can suffer from fraudulent transactions, abuse of credit and gift cards or loyalty points and long-term data and identity theft. For the business, the sheer amount of attacks can easily bring websites down, knocking companies offline, as well as exposing their own systems should employees’ log in credentials be exposed.
Credential stuffing has a devastating financial and fraud impact, leading to disruption, fines and reputational damage, with the average business losing $4 million from this type of attack each year.
The dimension of this threat is staggering: across all industries worldwide, Akamai registered over 55 billion credential stuffing attacks between November 2017 and March 2019. The video, media and entertainment sectors have been particularly targeted, with attacks jumping from 133 million to more than 200 million in 2018 alone.
Sleep tight, don’t let the bad bots bite
Bots are big money makers for cyber-criminals. If anything, we’re going to see more weaponization and diversity from hackers as they constantly evolve to circumvent new defenses. However, an overly aggressive defense that doesn’t distinguish between good and bad bots will have a devastating impact on the business.
Additionally, there are bots that might not pose a direct security risk, but instead sniff out your latest pricing or inventory for a competitor. While not technically an attack, this type of activity might be just as bad for your business as a full-blown breach.
Stopping the bad bots, while keeping the good bots on side, is a balancing act – and the best way to maintain the right balance is through visibility and technology like bot management tools, which are sophisticated enough to spot the difference.
Bot management is arguably the most powerful security tool that a modern-day business can have in its arsenal. It can effectively sense if something is a bot or a human based on how they interact on a site; for example, a human can’t physically move a mouse in a perfectly straight line in a normal manner.
But companies shouldn’t stop at mitigating credential stuffing attacks. For more visibility into online threats, bot management tools should integrate into a company’s wider security strategy. A complete security solution that includes a WAF, protection from distributed denial of service (DDoS) attacks, and bot management will help better identify the true nature of threats against a company’s network.
It’s clear that bots are here to stay and, given the positive role they can play for businesses, they should be. However, bad bots present a significant ongoing threat to businesses, forming a large proportion of the traffic coming to their site, so having a thorough understanding of the different shapes and sizes they come in and negative impact they can have is essential.
Businesses must remain vigilant and, crucially, always prepared to mitigate the evolving risks associated with bots, protecting their networks and customers in the process.