Bot detection and mitigation firm Netacea on August 11 announced its research reveals that businesses are paying a high price because of the expanding use of malicious bot traffic deployed against them.
Automated bots operated by malicious actors are costing businesses an average of 3.6 percent of their annual revenue. For the 25 percent worst affected businesses, this equates to at least US$250 million every year.
A key warning sign for retail sector businesses shifting much of their customer-facing activities online since the pandemic is that mobile apps are under attack more than websites. Retailers have been online for quite some time now and have followed their customers to mobile channels.
These businesses may have a long history of dealing with bot attacks on their websites. But the expanded exposure through mobile apps makes them a more attractive attack vector.
Even more concerning is the time it takes to discover these attacks. On average, more than 14 weeks pass between a successful attack and its detection. This makes it difficult to limit the damage done to a business’s customer satisfaction, reputation, and bottom line.
Researchers surveyed 440 businesses across the travel, entertainment, e-commerce, financial services, and telecom sectors in the United States and the UK.
They found that every sector had a substantial bot problem, with two-thirds of businesses detecting website attacks.
Almost half (46 percent) of respondents reported mobile apps had been attacked. Nearly one-quarter (23 percent) — mostly in the financial services — said bots had attacked their application programming interface or APIs.
“Last year, a particularly tough one for legitimate businesses already operating with razor-thin margins thanks to an economic slump, was a bumper year for those who use bots to leech off of those businesses — especially from bad actors who looked to take advantage of a significant shift to online working and retail,” said Andy Still, Netacea’s CTO.
Businesses are affected by all types of bots. The report — titled “The Bot Management Review: What are bots costing your business?” — revealed the prominence of one main type of malicious bot. Scalper bots automate the purchase of inventory such as game consoles and other limited availability goods. These bots work faster than is possible for any legitimate user.
Other mainstream attack bots include the account checker bot, which uses stolen usernames and passwords to take over accounts. Account checker bots take advantage of data breaches and leaked passwords to compromise customer accounts.
Also noteworthy are the sniper bot and the scraper bot.
The most common example of sniper bot utilization is last-second bidding on auction items on sites like eBay.
Scraper bots automate the collection of large volumes of data from web pages and apps, such as product descriptions, pricing, inventory levels, and other public-facing information. That data is then used by nefarious actors to undercut deals, divert visitors or steal clicks.
Big Impact on CX
Over 80 percent of businesses reported that customer satisfaction had been negatively affected by bot activity. In particular, scalper and sniper bots were behind much of this customer dissatisfaction.
Typical businesses are not equipped to fend off these growing bot attacks which are more than minor nuisances. Malicious bots are taking a big bite from retailers’ bottom lines.
Few business security budgets are dedicated to bot mitigation, though for larger firms it is a little higher, at up to 20 percent, according to Netacea.
“While there is a greater awareness of the threat than in previous years, only five percent of security budgets is being used to target the problem. Businesses need to realize that bots are not a mere nuisance, but a genuine security threat, especially when a business is already struggling because of other factors,” observed Still.
Netacea’s previous research around the Genesis Market, an underground marketplace for stolen credentials, shows how sophisticated the industry is becoming.
Those operating bots do so at a professional level, with consultants, help desks, and highly specialized infrastructure providers accessible through covert forums, making bots widely available, according to Still.
For retailers, the bot assaults let the bad guys rig the buying and selling game. Looking at just one online marketplace like Amazon shows how bot attacks can hurt sellers.
It looks like a retail arbitrage (RA) game on steroids. If RAs can quickly purchase items on Amazon Deals or deep coupon discounts, then they can resell them for a profit, according to Jason Boyce, CEO and founder of Avenue7Media.
“In my opinion, it is not a long-term branding strategy, so I would never recommend it to anyone. Amazon’s system is fairly sophisticated about identifying scrapers to its website, but at the end of the day, it is a difficult challenge for them to completely block this activity,” he told the E-Commerce Times.
After all, they need shoppers to be able to easily search their website and buy from it. Limiting access to bots could harm their sales. They have to walk the tightrope here, he added.
Losing the Fight
Bots have been a part of internet life since the days of IRC (internet relay chat) and have impacted everyone who uses the internet, observed Bruce Snell, vice president of security strategy and transformation at NTT. People love those challenges to click each picture that has a boat in it to log into a website, he quipped.
“You can thank bots for that. Most of the time, bots are just annoyances, grabbing all the good seats when concert tickets go on sale or buying out all of a new sneaker release,” he told The E-Commerce Times. “However, bots are also used for a malicious activity like trying to log in to banking sites using leaked user credentials found in a data breach.”
Snell’s personal email address was in a recent data breach. For the past couple of weeks, he has been getting five or six emails a day from Instagram with a link to reset his password because a bot is trying to log in as him.
“Multifactor authentication can go a long way towards keeping bots from successfully compromising someone’s account, but at the end of the day, most bots look like regular traffic and can be difficult to identify by standard security tools,” he said.
Unfortunately, he does not see an end in sight because ultimately bots end up being a numbers game. A cybercriminal can use a bot to try logging into 500 different sites with stolen credentials. While many sites have fraud and spam detection measures in place, there are enough out there without protection that it makes a low-effort tool like a bot worthwhile to the bad guys, he explained.