Besting the bad bots: how advanced persistent bots are attacking sites, and what to do about them

From out of nowhere, bots have now hit IT headlines. The likes of Facebook and Microsoft are looking at bots to drive new services, and it’s possible to build bots automatically into cloud services.

These new launches are aimed at improving company services and filling gaps in customer expectations. However, bots are not new; indeed, they represent a significant challenge for companies’ IT security.

Nearly half of all Web traffic (46%) now originates from bots, with 18% from bad bots. And despite an overall decrease in bad bots, advanced persistent bot (APB) activity is on the rise, according to our third annual Bad Bot Landscape Report, which identifies statistically significant data on global bot traffic.

The study is based on aggregate data that identifies and tracks bots in real time. This represents the world’s largest Known Violators Database of bad bot fingerprints, and works across a global network of 17 data centres.

Bots acting human

A majority of all bad bot traffic (88%) has one or more characteristics of an APB, the report finds, and 53% of bad bots are now able to load external resources such as JavaScript. That means these bots will end up falsely attributed as humans in Google Analytics and other tools.

Another key finding of the report is that nearly 40% of bad bots are able to mimic human behaviour, so tools such as web application firewalls, web log analysis and perimeter firewalls are less likely to spot them.

As many of these existing web security tools perform less detailed analysis of clients and their behaviour, the result is likely to be huge numbers of false negatives, where bots are identified as human visitors.

In addition, more than one third of bad bots disguise themselves using two or more user agents, and the worst APBs change their identities more than 100 times. About three quarters of bad bots rotate or distribute their attacks over multiple IP addresses, and of those, one in five surpassed 100 IP addresses.

Serious damage

Bad bots have evolved to the point where they can inflict serious damage on organisations.

Five years ago, bad bots were doing a lot of web scraping, form spam and competitive data mining. What we've noticed in the past couple of years is that bots have evolved to carry out far more sophisticated actions. These include brute force login attacks, transaction fraud, account takeover, API scraping, and looking for vulnerabilities in IT and cloud infrastructure.

We’ve gone from bots being used as a platform for spam and content theft to bots becoming a major security hazard in their own right. Even as a growing volume of malicious activity can be attributed to bots, malware creators and criminals are finding new uses for bad bots every single day.

The business impact of bad bots

Bad bots, including APBs, are having an impact on companies in many different industries, including real estate, transportation, financial services, healthcare and others. In the area of ecommerce, it's not just a matter of price scraping anymore; new risks include account takeover and credit card fraud.

The biggest source of bad bots continues to be China, followed closely by the U.S. Six out of the top 20 Internet service providers (ISPs) with the highest percentage of bad bot traffic originated from China. Meanwhile, the U.S. and Netherlands had the most mobile carriers on the top 20 list of bad bot mobile carriers.

As for ISPs and organisations, Amazon continues to be one of the most offensive hosts, in terms of malicious traffic. Just as AWS makes it easy for developers to spin up cheap resources to set up new infrastructure or get a website going, it’s also easy for bad actors to spin up bots in the same way.

According to Derek Brink, vice president and research fellow at research firm Aberdeen Group, enterprises need to assess the true risks of bad bots to their organisations and determine the best investments they can make to address the challenge.

This is not a trivial risk for organisations. Aberdeen’s research has shown that for a website that generates $100 million a year in revenue, the likely risk of bad bots can range between 1.8% and 7.6% of that annual revenue, with a most likely median of about 4%.

However, the same likelihood of risk applies, scaled up or down, regardless of the site’s revenue. For companies that are contemplating how to reduce the risk of fraud, this revenue risk can drive support from the board.

The clear message is that bad bots are not to be taken lightly. Companies need to address the challenges of bad bots, or face serious risk to the business.

Sourced from Rami Essaid, CEO, Distil Networks

Ben Rossi
