Are you currently experiencing an attack?

Are you currently experiencing an attack?

Bot Protection in 2019, Part 2: Types of Bot Attacks

In Bot Protection in 2019, Part 1, we discussed the composition of web traffic today (the percentages of humans, good bots, and bad bots), the consequences of inadequate bot protection, and the types of attacks for which hostile bots are used.

This article will discuss in more depth the types of bot attacks. The most common are:

  • DDoS (Distributed Denial of Service)
  • Credential Attacks
  • Vulnerability Scans
  • Credit card fraud
  • Gift card fraud, including loyalty account abuse
  • Scraping & Data Theft
  • Inventory Hoarding
  • Advertising Abuse
  • Application Abuse
  • Spam

The discussion below includes the acronym WSTG: “Who Stands To Gain.” Often during bot mitigation, it’s helpful to understand the source of an attack. A useful approach is the same logic that’s become a cliche in Hollywood police/crime dramas, when a detective or investigator says “follow the money.” Applying the same reasoning to cyberattacks is useful, and is expressed below by this acronym.

 Distributed Denial of Service (DDoS)

DDoS is the most dramatic, and probably the most feared, form of bot attack. Malicious actors use large networks of bots to create coordinated attacks at massive scale.

The goal is to disrupt the targeted organization by overwhelming its web applications or APIs with incoming requests, making them unavailable for normal use. If the victim cannot filter out the attack traffic, the disruption will last for as long as the attacker wishes.

DDoS has some important differences from other types of bot attack. Many of the others can be waged by human threat actors. (For example, vulnerability testing can be done manually.) However, DDoS is a distributed attack that consists of automated traffic. Also, the bots behind a DDoS can vary widely in their sophistication: everything from complex malware running on zombie PCs, to simple IoT devices that have been hijacked for a mass attack.

DDoS attacks from competitors are often timed carefully. (For example, it’s common in online gaming for a DDoS to occur right before a large race or sporting event. Bettors who are placing wagers will go to the first available platform.) Criminals often focus on longer periods, e.g. DDoS extortion of ecommerce sites during holiday shopping season.

WSTG: Criminals, competitors, occasionally governments.

Motive: Competitors wish to disrupt the victim’s business operations, making it impossible to serve customers. Criminals will often send ransom demands (i.e., DDoS extortion). Hackers will use DDoS to get revenge for perceived injustices. Governments will use DDoS for suppressing opposing political viewpoints (of humanitarian groups, journalism/media sources, etc.).

Consequences: Loss of sales revenue, and longer-term loss of customer goodwill and reputation in the marketplace. In extreme or frequent cases, a decline in search engine rankings can occur.

 Credential Attacks

(Including enumeration/brute-force, credential stuffing, account creation or takeover)

User credentials are highly coveted commodities in the dark web. Hackers discover credentials by sending out bots to wage brute-force attacks; the bots attempt to gain access to a web application by trying every possible combination of letters, numbers, and symbols, to see which combinations work. Or, they steal credential sets (personal identification data, account logins and passwords, contact data, etc.) in massive data breaches.

Valid credentials can then be used in a variety of cyberattacks, and can also be sold in illicit marketplaces for others to use. Credentials can allow attackers to take over the affected accounts within the targeted web application. Another common attack is to use bots to “stuff” the credentials into the login pages of many other web applications (especially high-value targets like bank websites, payment providers, and so on). Unfortunately, many people still use the same credentials across a variety of websites. Therefore, credential stuffing allows an attacker to leverage a single data breach into the successful takeover of multiple accounts across different websites.

WSTG: Criminals

Motive: Obtaining credentials for resale, abuse, or both.

Consequences: Hijacked accounts cause numerous problems for the victim and its customers. When the data breaches are discovered, the victim is the target of bad publicity, loss of reputation and trust, and might receive fines and penalties from industry and privacy regulators.

 Vulnerability Scans

Threat actors use bots to automatically scan large numbers of systems for known vulnerabilities. When an exploitable system is found, hackers follow up with direct attacks.

This follow-up activity can take a variety of forms, depending on the weakness that was discovered. Immediate attacks include data breaches, malware drops, and ransomware encryption attacks. For large networks that are perceived to have high long- term value, the attacker might install a backdoor instead, then use it to penetrate the network more deeply.

There are many examples of discoverable vulnerabilities being exploited. Perhaps the most severe and notorious recent security incident is the Equifax breach, which was made possible by an unpatched vulnerability in Apache Struts.

WSTG: Criminals

Motive: Enabling many other forms of attacks.

Consequences: Large-scale data breaches and many other harmful events.

 Credit Card Fraud

Bots are the foundation of a card criminal’s arsenal, and are used in a variety of methods to obtain or validate stolen card numbers. Later, the numbers are used fraudulently, which results in chargebacks to the unfortunate merchant.

To steal card data, bots scan for vulnerabilities within retailers and other sites that process payments. When a vulnerability is found, the hacker breaches the site and steals the data. One successful attack can produce a windfall of cards: thousands, or even tens of thousands of active numbers.

Threat actors also use bots to validate stolen card numbers. Bots enter the numbers into web applications to see if they are accepted or rejected. A similar technique is used to discover new cards: bots cycle through potential numbers and enter them into web applications. This is a crude, but effective, way to steal additional cards that were previously unknown to the attacker.

The scale of online credit card abuse is illustrated by the prevalence of “card not present” fraud. This is growing, thanks in part to the rise of EMV chip cards. EMV makes physical card fraud more difficult, which discourages criminals from monetizing stolen numbers by printing physical cards. Thus, more criminals are moving online to monetize their stolen numbers.

Fraud Rates for E-Commerce Sales. Source: “Card-Not-Present Fraud around the World,” US Payments Forum.

WSTG: Criminals

Motive: Selling hijacked numbers on the darknet and/or using them to make fraudulent purchases.

Consequences: Lost revenue when products are shipped, and fraudulent payments are subsequently reversed. Card fraud also results in penalties and (eventually) account cancellations from merchant account providers.

 Gift Card Fraud (including Loyalty/Reward accounts)

Criminals steal gift cards by using bots to stuff possible numbers into applications until valid ones are found. Validated card numbers are used to directly purchase goods, or are sold for cash through various online services.

Criminals can use similar methods to perform coupon code discovery. While not as outright fraudulent as the above, it still has a direct impact on revenue.

Bots also use credential stuffing to take over loyalty/reward accounts, and drain their balances—potentially extracting funds from customers’ linked debit cards.

Threat actors have proven quite creative in exploiting gift and loyalty programs. Past examples included the discovery of programming errors in certain gift-card account APIs, creating potential race conditions. To exploit them, bots would submit simultaneous transfers among multiple cards, sometimes resulting in funds being credited to one card without being debited from another. Fraudsters were able to convert a small “seed” of initial funds into large gift-card balances.

WSTG: Criminals

Motive: Stealing or fraudulently creating gift-card balances for resale and/or purchases.

Consequences: Reduced revenue and damaged profit margins. Loyalty and reward program abuse results in harmful publicity and customer dissatisfaction (especially when customers have personal debit cards attached to their accounts).

 Scraping and Data Theft

Scraper bots steal data from online sources. This is commonly seen in verticals such as data aggregators and other providers which gather or generate data and content, and then sell access to it. Scraping is obviously a direct threat to these business models.

Elsewhere, scraping can cause indirect damage. For example, retail sites contain prices and other product data which, when stolen, can destroy a competitive advantage.

Sophisticated scraper bots can eventually steal entire databases, even when they aren’t directly available to users of the targeted site or application. This can be done through repeated queries or requests, using different parameters each time. For example, insurance companies provide rate quotes for specific combinations of input criteria. A scraper bot can submit continual requests for quotes, with a different combination of criteria each time, and capture the quotes that are returned. Eventually, the complete database of rates can be obtained.

WSTG: Competitors and criminals.

Motive: Competitors wish to undercut the victim’s prices and their sales. They can also steal useful content such as product reviews, boosting their own sales at the expense of the victim. Criminals steal commercially valuable data for resale.

Consequences: Degraded search engine rankings, damaged reputation among users, and declining user base.

 Inventory Hoarding

Web applications which offer online purchasing or reservations are vulnerable to inventory hoarding (a.k.a. “Denial of Inventory”), when hostile bots make inventory unavailable to legitimate customers. Example: bots attack retail sites by adding products to shopping carts, but never completing the purchases.

In some industries, inventory hoarding attacks occur frequently. For example, travel sites and applications are often attacked by bots which abuse time-to-checkout policies (which usually allow 15 minutes or so for customers to complete their transactions), continually looping and booking reservations without ever purchasing tickets.

This obviously prevents actual customers from purchasing, but the financial damage can be far worse. Travel sites and applications often get their data from aggregators. Each time a “customer” searches for flights, a small financial liability (a data lookup fee) is created. If the customer buys a ticket, the aggregator gets a commission on the sale; otherwise, the fee is charged. Since bots never buy tickets, their continual data requests can accrue significant expenses for site owners.

WSTG: Competitors

Motive: Commercial harm to the victim.

Consequences: In effect, inventory hoarding is an Application-Layer Denial-of-Service attack. It can result in direct loss of revenue, because legitimate customers cannot make purchases. Products which expire (e.g., tickets to an event) can go unsold. Sellers can accrue expenses such as data-lookup fees. Consumer goodwill and trust can be damaged.

 Advertising Abuse (Click fraud)

Advertising bot attacks sound benign, but they can cause significant damage. Click fraud occurs when bots are sent to “click” on ads; it can skew the results of a commercial or political ad campaign.

The direct victim is the advertiser who invests poorly and spends the ad budget in the wrong places. The site hosting the ads (and not properly controlling bot traffic) is harmed later, when the network blacklists it.

Advertising networks can be quite aggressive about blacklisting sites which have inadequate bot control. Otherwise, their advertisers slow down or stop their campaigns due to a failure to receive worthwhile results (despite getting lots of “clicks”).

WSTG: Criminals and competitors.

Motive: Criminals generate revenue from affiliate commissions and fraudulent clicks on ads on their own web properties. Competitors wish to financially harm the victim.

Consequences: Lost income (after ad networks reverse payments from fraudulent clicks). Lost opportunity to generate revenue from future page views, because the networks will eventually refuse to supply ad inventory to the victim’s sites.

 Application Abuse

This includes a large variety of hostile bot activities that don’t fall into the previous category, where bots abuse specific capabilities of the victim’s web application or API. For example, bots will exploit a phone system API to send out massive amounts of SMS spam.

API abuse is an increasingly large segment of this category. As mobile/native applications have grown increasingly important and numerous, threat actors are devoting more time and attention to abusing their backends. Many of the attacks discussed above can be waged through APIs; additionally, many applications offer their own specific opportunities for abuse.

Protecting API endpoints is a twofold problem. Usually, before threat actors deploy their specific attacks on an application, they first have to reverse-engineer its API. Thus, a web security solution must prevent this from happening, along with the more obvious challenges of detecting API abuse, enforcing API schemas, and so on. More on this in a later article.

WSTG: Mostly criminals, occasionally competitors.

Motive: Varies.

Consequences: Large-scale data breaches, installation of backdoors, ransomware encryption attacks, and many other harmful events.


Sites which accept user-submitted content (posts, reviews, etc.) are usually assailed by bots leaving spam comments and links.

Some commercial site platforms offer protection against spam with built-in or add-on modules. However, this protection often relies on obsolete techniques such as CAPTCHA. (Part 4 of this series will discuss the declining effectiveness of traditional bot detection methods.)

Even if this filtering works, it only means that the spam does not appear to legitimate site visitors. But the spam bots still harm the site, since the incoming spam content consumes bandwidth, requires compute resources to process, and also requires a potentially costly subscription to the spam-protection service.

Accepting spam content and then attempting to filter it is a partial solution at best. The best approach is to block incoming traffic from spam bots, so that their requests never even reach the targeted site. More on this in a later article.

WSTG: Competitors and criminals.

Motive: Illegitimately building search engine rankings and generating direct traffic for the spammer’s sites.

Consequences: Search engines penalize sites that are polluted with spam, so their rankings in the SERPs become degraded over time. As customers and users notice the spam, the site’s reputation will also be damaged. Eventually, the user base will decline.


This article has discussed the wide variety of web attacks that incorporate bots. An effective bot management solution must be able to protect against all of them.

In Part 3 of this series, we’ll discuss the different types of bot threats that are experienced by different industries.

This article is part 2 of a six-part series. You can download the complete report here: 2019 State of Bot Protection.

Get your price quote

Fill out your email below, and we will send you a price quote tailored to your needs

This website uses cookies to ensure you get the best experience on our website.