Online businesses have been fighting bots and various automated attacks since the dawn of the internet era. This has become a never-ending security challenge for organisations large and small. While the good bots enhance search engine ranking, provide market intelligence and offer publicly usable data, the bad bots always find a way to proliferate on your website and carry out malicious activities without your knowledge.
Gaining an unfair advantage at a very low cost is what drives the business of web scraping, form spam, account takeover, ticket scalping, carding and many more. A mere $300 (£230) is enough to set up virtual machines, activate proxies and start sending malicious bots. The dark side is that, by and large, most online businesses are losing their core competencies as a result of such nefarious activities. Consider a business investing millions of dollars to set up an online business, hire and train resources, and create proprietary content, only to have it taken away in a flash by automated bots run on an investment of a few hundred dollars. Another important point is that it takes a while for businesses to realise that their core competencies are compromised.
If you’re a business owner, what can you do about this bot problem? Firstly, what are the different types of bot threats your website may face?
Malicious bots may scavenge the site to steal valuable content that is used for competitive intelligence, and then curate and use the data to cut costs or sell it in a secondary market. Online businesses of all types encounter content scraping in some form. The intensity of bots varies based on the type of content and its value.
Affected businesses: Online media & publishing, travel, classifieds and e-commerce sites are predominantly affected by content scraping.
Affected businesses: E-commerce, travel sites and marketplaces often become victims of price scraping.
Form spam is characterised by bots submitting fake forms on the website in an attempt to scrape listings, advertiser info, and so on. Spambots target lead generation forms, sign up pages and comment sections of a site to post unrelated advertisements, links to malicious websites, and abusive or unwanted information. These bots also create fake profiles and send messages to trick users into following a link, making a purchase or downloading malware to steal personal information. Genuine users may be hounded by fake messages to the point where they stop visiting altogether.
Sales teams are set off on a wild-goose chase, unable to reach any of the leads, thereby costing the online business time and money. Listing agents and advertisers, on the other hand, are disappointed with the poor quality of leads and may opt for a different site due to lack of ROI.
Affected businesses: Online classifieds, property portals, technology & consumer forums are usually victimised by form spam.
Skewed Website Analytics
Bot visits skew website data, artificially inflating visits and unique visitors, increasing bounce rate, decreasing pages/visit, average visit duration, and goal conversion rates. Bot traffic renders the analytics data inaccurate and leads to poor decision making. Data-driven decision-making is considered a smart move, but it is often disastrous when done with misleading data.
Bots hinder online marketing & customer acquisition KPIs like revenue, margin, marketing costs, IT support costs, and so on, leading to wastage of money, time, effort and lost sales.
Affected businesses: Most online businesses, especially e-commerce websites.
Millions of compromised credentials are available on hacker dump sites, black markets and hacktivist forums. Attackers use these credentials through bots to programmatically attempt to log in to susceptible websites. A number of malicious bots run sophisticated brute force attacks on the login pages and payment pages to break passwords and make fraudulent purchases using stolen credit card information.
Such a loss of sensitive information not only impacts the brand reputation but also increases chargeback penalties. Also, the high bot traffic slows down the site, creating a bad user experience.
Affected business: E-commerce sites most commonly fall prey to account takeover.
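The two login attack patterns described above leave different traces in authentication logs: replayed credential dumps touch many accounts once each, while brute forcing hammers a few accounts repeatedly. The sketch below is an added example, not ShieldSquare's method; the log format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window
MIN_FAILURES = 5                 # assumed threshold; tune against real traffic

def build_sample_log():
    """Constructed events: '<ISO timestamp> <source IP> <username> <OK|FAIL>'."""
    lines = [f"2024-01-01T10:00:{i:02d} 203.0.113.7 user{i} FAIL" for i in range(8)]
    lines += [f"2024-01-01T10:01:{i:02d} 198.51.100.9 admin FAIL" for i in range(8)]
    lines += ["2024-01-01T10:02:00 192.0.2.4 carol FAIL",   # human typo
              "2024-01-01T10:02:05 192.0.2.4 carol FAIL",
              "2024-01-01T10:02:11 192.0.2.4 carol OK"]
    return lines

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def classify(lines):
    """Return {ip: 'credential_stuffing' | 'brute_force' | 'normal'}."""
    failures, verdicts = defaultdict(list), {}
    for ts, ip, user, ok in map(parse, lines):
        verdicts.setdefault(ip, "normal")
        if not ok:
            failures[ip].append((ts, user))
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Shrink the window until it spans at most WINDOW.
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            if len(per_user) >= MIN_FAILURES:
                # Many distinct accounts failing from one source: dumped credentials.
                verdicts[ip] = "credential_stuffing"
                break
            if max(per_user.values()) >= MIN_FAILURES:
                # Repeated guesses against the same account: password guessing.
                verdicts[ip] = "brute_force"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify(build_sample_log()).items():
        print(ip, verdict)
```

Keying on source IP alone misses attempts spread across many proxies and can flag shared corporate or carrier NAT addresses, so the same counting should also be applied per target account and per device or session identifier before any blocking decision.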
Auction Sniping and Shill Bidding
First, human bidders on auction sites are becoming increasingly frustrated with their inability to win auctions against software-controlled auction snipers. Second, bots steal bidder information from the auction sites and offer to sell bidders the very item they are currently bidding on, thus drawing them away from the legitimate auction sites. Third, sellers of auction items use bots to bid for the item solely with the intent of inflating the price. As a result, a genuine user never gets to buy the item at a reasonable price.
Affected business: Auction sites
Ticket bot operators use software programs to purchase the much desired sporting or music event tickets from ticket selling sites, as soon as the sale opens. These tickets are sold on secondary ticket reseller sites at an insanely high price. Ticket selling websites are often victimised by such malicious ticket touting activities, affecting their brand identity, as genuine customers are not able to book tickets at fair prices.
Affected business: Ticket selling sites
Carding is when a bot automatically submits orders on a website in an attempt to find a credit card number that is valid, which can then be used for other fraudulent purposes. A number of stolen credit cards and clever credit card algorithms are tested at high speeds. This results in heavy traffic on the website impacting user experience, along with an increase in chargeback costs and transaction disputes.
Affected businesses: E-commerce and payment processing sites often face the wrath of carding fraud.
Bots are increasing in number and complexity. To improve web security and safeguard your business from malicious bots, the way forward is to invest in bot detection software. Though it’s a straightforward recommendation, you have to consider these four parameters before you zero in on the right bot detection solution:
- How good is the solution at ensuring zero false positives - you don’t want to block genuine users
- What’s the technology behind the software, and is it scalable - the solution should scale along with your business, across countries
- Where exactly should you implement it - take action against bots only on certain sections of the website
- Does the bot prevention solution prevent sophisticated bots - bots can change their characteristics dynamically and evolve
Have you assessed if bots are impacting your website? If yes, how do you plan to block bots and safeguard your online business?
Narendran Vaideeswaran, Director Product Marketing, ShieldSquare