Around one-quarter of web traffic is made up of bad bots. That might sound like a crazy statistic, but it’s true. These automated scripts, which vary in sophistication from incredibly simple algorithms to sophisticated AI agents able to convincingly pass as human in their online behavior, are an ever-increasing part of the online world. This is why more and more companies are calling on protection measures such as a Web Application Firewall (WAF) to help them.
Bad bots carry out a range of applications such as content and price-scraping, in which they scrape proprietary data from websites and online services, then package this data up, and sell it to companies who wish to buy it to use as a competitive tool. Website security should be our first priority.
Another huge market for bad bots is so-called credential stuffing attacks. Credential stuffing cyberattacks involve the use of credentials that are gained from a data breach being used to try and log into other services in which the rightful owner of those credentials may have an account. While many users will do the correct thing of having different login details such as usernames and passwords for every service they use, that is not always the case. A fraction of users will reuse the same login details for ease of use.
There is, of course, no guarantee that users will have accounts at particular targeted services (for example, John Smith having the username “John.Smith84,” the password “Johnspetdog” and an account at the American National Bank). However, if even a tiny number of users do yield positive responses that could still be a high enough success ratio for hackers to consider it a worthwhile endeavor.
Bad bots, bad bots, whatcha gonna do?
Lots of estimates peg the rate of success for credential stuffing attacks at 0.1%. This means that there is likely to be at least one successful hack for every thousand accounts that are tried. But although that would be frustratingly low odds if the credentials had to be entered manually by hackers every time, advanced bot tools mean that credential stuffing attacks can be carried out through automated means. It’s simply a matter of allowing bots to run through different combinations at a high speed.
Bot-driven credential stuffing attacks can be extremely large and prolonged. For instance, it is easily in the realms of possibility (and even commonplace) to have an attack that lasts for several days and includes tens of millions of login attempts. These attacks can be damaging to individual customers (who wants a bot having access to their banking details?), as well as to companies. These companies will have to deal with the criminal aspect of fraudulent requests as well as, potentially, having their services slowed down or even brought to a halt by massive credential stuffing attacks.
While the goal may be different from a volumetric DDoS (distributed denial of service) attack, large scale credential stuffing attacks nonetheless throw massive numbers of requests at websites and online services. In many cases, their servers may not be equipped to handle it.
The issue is becoming more widespread
Several factors have made such bot attacks more commonplace. One is the increased frequency of massive data breaches. For example, earlier in 2020, an enormous hack of the Marriott International hotel chain resulted in 5.2 million records being stolen. This is by no means the largest such hack. In October 2013, hackers stole data amounting to 153 million user records consisting of information such as customer names, user IDs, passwords, and debit and credit card details. This data frequently finds its way into the hands of other bad actors who may use it to orchestrate attacks such as credential stuffing cyberattacks.
A report from 2020 notes that a hacker group by the name of ShinyHunters put 91 million user records — supposedly gathered from 10 hacked companies — up for sale for just $5,000. That’s a tiny percentage of a penny per user. There are reportedly 15 billion user credentials currently for sale in hacker forums online. As more and more of our lives and activities take place online, not only does the quantity of data it is possible to steal increase, but so does the potentially damaging scope of such attacks.
The big challenge from a detection point of view is that it’s harder than ever to identify bot behavior — and therefore to keep out the bad actors. The more sophisticated bots are able to replicate the mouse movement and clicks that systems use to spot automated bots. But even simple bots can be difficult to spot on the first try. It is hard to differentiate a legitimate attempted login from an attacker carrying out a credential stuffing attack on the first attempt. Companies are therefore stuck between being unable to act, resulting in increased fraud, or recognizing too many false positives, and locking legitimate customers out of their accounts, while raising massive numbers of customer service tickets for employees to have to deal with.
The importance of proper protection
In short, bots waste resources and place user accounts at risk. Companies need to protect themselves against these attacks, which can prove extremely costly and damaging to customer loyalty. There are measures that companies can put in place, such as monitoring traffic sources for issues like high bounce rates and lower-than-expected traffic conversion rates from certain unexplained spikes. The best option, however, is to hire experts with a suitable history of bot detection who can help. Tools like proper Web Application Firewalls, otherwise known as a WAF, can be a gamechanger.
The biggest problem with bot attacks is how unrelenting they can be. It truly is a 24/7 problem that companies face. That’s why it’s crucial you select an equally 24/7 dedicated team of experts to help protect you against the problem.