03 September 2020
For businesses, understanding who is visiting their website is crucial when it comes to making decisions about how best to position and sell their products and services. However, many focus on trying to find out more about the type of person scrolling their pages – where they live, what their interests are – and overlook the fact that the majority of web traffic is comprised of automated bots.
On the whole, the bot operator’s objective isn’t to spread misinformation or make socio-political statements about the power of technology – they’re trying to make money. And there are a few different ways bad actors can use bots to attack a site and turn a hefty profit.
One of the most popular techniques is credential stuffing. Taking advantage of people reusing passwords, the bots attempt to take over accounts by inputting usernames and passwords that have been stolen elsewhere. Other bots use huge lists of stolen credit card numbers with the aim of finding those yet to be cancelled, while more sophisticated bots will buy up limited edition items and then re-sell them at a large markup.
Businesses believe they’ve got this problem under control. They know that bots exist and must be stopped. However, they don’t realise the sheer scale of the bot problem. This limited awareness increases the bot operator’s chances of success, and all the financial and reputational fallout that is likely to ensue.
Awareness is key
In some ways, our recent research investigating how aware businesses are of the threat of bots was reassuring. Most have bot solutions in place, they’ve allocated budgets to deal with the problem, they understand bot capabilities, and they know what would happen if things were to go wrong. However, there is one striking problem. When asked how much of their website traffic is comprised of bot activity, the majority of businesses said between 10% and 19%. This is far from the truth. Only 1% believed bots were making up over 50% of their web application resources—a far more realistic estimate based on both our own experience of bots and wider research.
This shows that for every bot a business detects, there is at least one other flying beneath the radar. Bot creators go to great lengths to disguise their activities. There are even bots which probe a site’s rate limiting and, once they have found the threshold, operate in a way that stays just below it. Other bots hide behind randomized activity attempting to look less “bot-like” or try to copy human behaviour to evade detection. The more sophisticated the bot, the more likely it is to fly under the radar—and the more likely it is to cause serious damage. The only clear conclusion is that there are bots taking over accounts, stealing data, and disrupting businesses, all while remaining completely undetected.
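The two behaviours described above, credential stuffing (many stolen username/password pairs tried from one source) and bots that pace themselves just below a site’s rate limit, both leave a signature in ordinary web-server logs. The following is an added example written for this article, not code from Netacea or from the original piece: it parses a constructed log sample (the IPs, usernames, paths and a rate limit of 10 requests per minute are all made up for illustration) and applies two defensive heuristics, one flagging a client that attempts logins for many distinct usernames with a high failure rate, the other flagging a client whose request count sits consistently in the band just under the configured limit across several windows.

```python
"""Added example: two defender-side bot heuristics over constructed web-server log lines.

Log format assumed here (one request per line, space separated):
    <ISO timestamp> <client IP> <path> <HTTP status> <username or '-'>
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Construct sample log lines for three clients (all values are made up)."""
    lines = []
    base = datetime(2020, 9, 3, 10, 0, 0)
    # 203.0.113.5: credential-stuffing pattern, six usernames tried, one happens to work
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        status = 200 if user == "erin" else 401
        ts = (base + timedelta(seconds=i * 5)).isoformat()
        lines.append(f"{ts} 203.0.113.5 /login {status} {user}")
    # 198.51.100.7: an ordinary user who mistypes a password once, then succeeds
    lines.append(f"{(base + timedelta(seconds=40)).isoformat()} 198.51.100.7 /login 401 grace")
    lines.append(f"{(base + timedelta(seconds=55)).isoformat()} 198.51.100.7 /login 200 grace")
    # 192.0.2.9: rate-limit hugging, 9 requests per minute against a limit of 10, for four minutes
    for minute in range(4):
        for k in range(9):
            ts = (base + timedelta(minutes=minute, seconds=k * 6)).isoformat()
            lines.append(f"{ts} 192.0.2.9 /product 200 -")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Turn the constructed log text into a list of request records."""
    records = []
    for line in text.splitlines():
        ts, ip, path, status, user = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "path": path,
            "status": int(status),
            "user": None if user == "-" else user,
        })
    return records


def detect_credential_stuffing(records, min_distinct_users=5, min_failure_ratio=0.8):
    """Flag clients that try logins for many distinct usernames and mostly fail.

    A human typically retries one or two accounts; a stuffing bot walks a stolen list.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0})
    for r in records:
        if r["path"] != "/login":
            continue
        stats = per_ip[r["ip"]]
        stats["users"].add(r["user"])
        stats["attempts"] += 1
        if r["status"] != 200:
            stats["failures"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and ratio >= min_failure_ratio:
            flagged[ip] = {"distinct_users": len(stats["users"]), "failure_ratio": round(ratio, 2)}
    return flagged


def detect_rate_limit_hugging(records, limit=10, window_seconds=60, floor_ratio=0.8, min_windows=3):
    """Flag clients whose per-window request count repeatedly sits just under the limit.

    A plain per-window limiter never trips for such a client, but a count that lands in
    [floor_ratio * limit, limit) window after window is itself a machine-like signal.
    """
    epoch = datetime(1970, 1, 1)
    counts = defaultdict(lambda: defaultdict(int))
    for r in records:
        bucket = int((r["ts"] - epoch).total_seconds() // window_seconds)
        counts[r["ip"]][bucket] += 1
    flagged = {}
    for ip, buckets in counts.items():
        near_limit = [n for n in buckets.values() if floor_ratio * limit <= n < limit]
        if len(near_limit) >= min_windows:
            flagged[ip] = {
                "windows_near_limit": len(near_limit),
                "max_requests_per_window": max(buckets.values()),
            }
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(recs))
    print("rate-limit hugging:", detect_rate_limit_hugging(recs))
```

On the constructed sample, only 203.0.113.5 is flagged by the first heuristic and only 192.0.2.9 by the second; the ordinary user is flagged by neither. The thresholds are tunable assumptions and, in practice, both signals should be combined with others (session behaviour, device signals) rather than blocking on a single heuristic.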
What can businesses do?
Unfortunately, fixing the problem is not as simple as deploying better bot detection. These businesses are clued up on the problem and have solutions in place, yet this isn’t making the desired difference when it comes to visibility. One of the biggest challenges is the diffusion of responsibility within businesses. For many, there’s no single department responsible for bots. Rather, there are four or more departments which inform a company’s bot management strategy, and the execs who have the final say range from CIOs and CISOs to CMOs and even heads of customer services. Diffuse responsibility makes it easy for problems to go unnoticed; they’re part of someone else’s remit. A pilot might know exactly how dangerous tornados can be, but if no one person is given responsibility for looking out, disaster is inevitable.
A lack of general awareness around the bot ecosystem also plagues businesses. Bots use stolen credentials that are sold on dark web marketplaces, but increasingly also on marketplaces operating on the clear web. The intelligence shared on these forums could be invaluable when it comes to businesses understanding the attacks on their own site. What credentials are available that could put your business in hot water? Have you been breached without knowing? High awareness and low visibility make for a dangerous mix. Businesses must better their understanding of sophisticated bots. Without knowledge of how bots operate, and of the wider bot ecosystem, businesses are risking big financial hits and customers’ loyalty.
By Andy Still, CTO, Netacea