Due to the pandemic, an online presence has become essential for businesses to survive. This has created an additional problem: malicious bots are now feeding off businesses that are already vulnerable.
Netacea, the bot detection and mitigation company, surveyed 440 businesses across the travel, eCommerce, entertainment, telecoms and financial services sectors in the US and the UK. The surveyed enterprises had turnovers ranging from $350m to $7bn.
Every sector faced a substantial bot problem: two-thirds of the businesses had detected attacks on their websites, 46% reported attacks on their mobile applications, and 23% – mainly in the financial sector – reported bots attacking their APIs.
Survey respondents said that 3.6% of their revenue was spent on damage control after automated bot attacks run by threat actors. The worst affected 25% of businesses spent $250M per annum cumulatively.
The major problem is that detecting a bot takes 14 weeks on average after a system has been infected, so threat actors can do as they please for months before their activity is noticed.
Types Of Bots
Netacea has listed four major types of automated bots:
- Account Checker bots – These bots take a list of leaked username and password pairs and run them against a target website's login. This is also known as a credential stuffing attack, and it relies on users reusing passwords across sites.
- Scalper bots – These bots automate the purchase of limited goods, e.g., event tickets, completing the checkout procedure in a fraction of the time it would take any legitimate user.
- Scraper bots – These bots collect large quantities of data from websites for use at a later time, at a different location.
- Sniper bots – These bots monitor time-based activity and submit information at the very last moment, eliminating the opportunity for other users to respond to that action.
Other bot-driven attacks include DDoS attacks, which use a large number of compromised devices (a botnet) to overwhelm a website and force it offline; carding bots, which check stolen card details; ad fraud bots; and inventory hoarding bots, which are similar to scalper bots but hold items in baskets to manipulate a site's stock.
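Because account checker bots replay many different leaked username/password pairs from the same source, their login traffic looks different from a real user mistyping their own password: one client hits many distinct usernames with a high failure rate in a short window. The following is an added detection example, not code from Netacea or from the original article; it assumes a hypothetical, constructed log format of `timestamp ip username LOGIN_OK|LOGIN_FAIL` and uses constructed sample lines.

```python
"""Credential-stuffing (account checker bot) detector over login logs.

Added example, not part of the original article. Assumes a hypothetical,
constructed log format:
    <ISO-8601 timestamp> <client IP> <username> <LOGIN_OK|LOGIN_FAIL>
The stuffing signature is one client trying MANY DISTINCT usernames with a
high failure ratio inside a short window. A user mistyping their own
password hits ONE username and must not trigger the rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: 203.0.113.7 behaves like an account checker
# bot; 198.51.100.2 is a legitimate user who mistypes a password twice.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.7 alice LOGIN_FAIL
2024-05-01T10:00:01Z 203.0.113.7 bob LOGIN_FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol LOGIN_FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave LOGIN_OK
2024-05-01T10:00:04Z 203.0.113.7 erin LOGIN_FAIL
2024-05-01T10:00:05Z 203.0.113.7 frank LOGIN_FAIL
2024-05-01T10:00:10Z 198.51.100.2 grace LOGIN_FAIL
2024-05-01T10:00:20Z 198.51.100.2 grace LOGIN_FAIL
2024-05-01T10:00:30Z 198.51.100.2 grace LOGIN_OK
"""


def parse_line(line):
    """Split one constructed log line into (datetime, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for every client that, within some sliding
    `window`, attempted at least `min_distinct_users` different usernames
    with a failure ratio of at least `min_fail_ratio`.

    The summary lists accounts that logged in successfully inside the burst:
    those are the reused passwords that worked, so they are the accounts a
    defender should force-reset first.
    """
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events_by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, events in events_by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, r in win if r == "LOGIN_FAIL")
            if len(users) >= min_distinct_users and failures / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "compromised": sorted(u for _, u, r in win if r == "LOGIN_OK"),
                }
                break  # one hit per client is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {summary}")
```

The thresholds are deliberately parameters: the right window and distinct-user count depend on a site's normal login volume, and tuning them against a week of real logs is the usual first step. Keying on distinct usernames rather than raw failure count is what keeps a single locked-out user from paging the on-call engineer.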
Even with widespread awareness of the growing threat, only 5% of security budgets go towards tackling the issue. Businesses need to realize that bots are more than just a nuisance; they are a much more serious security threat.