Bot Protection in 2019, Part 3: Hostile Bot Traffic Per Vertical

This is part 3 of a series. Previous articles: Part 1, Part 2.

Hostile Bot Traffic Per Vertical

Malicious bot activity is not uniform across verticals. Different industries present different types of opportunities for threat actors. Thus, verticals tend to experience different types of attacks.

The statistics below reflect the composition of incoming traffic for Reblaze’s client organizations and companies in some prominent industries. As we shall see, effective bot management requires a web security solution that can handle a wide variety of situations.


Of all verticals, online retail tends to face the broadest range of bot-based threats. Ecommerce sites and applications present a rich array of illicit opportunities for threat actors. Retail sites and applications rely directly on incoming traffic for revenue; thus, DDoS extortion is potentially lucrative. Payments are processed; thus, credit card fraud is constantly being attempted. Customers must be able to access their accounts; thus, hackers have the ability to stuff credentials, and the incentive to breach the retailer’s backend and steal account data. Customers can often upload their own content, such as reviews; thus, spam bots are rampant. Sites and applications often have loyalty and/or gift card programs; thus, gift card fraud can be profitable. Inventory hoarding damages revenue, but is difficult to detect; thus, it is attractive to unscrupulous competitors who are eager to gain market share. And so on.


SaaS providers face several major types of bot threats. Many SaaS platforms process and store large amounts of customer data. This makes them attractive targets for data theft, along with account and credential attacks. Most providers seek to remain competitive by continually adding features to their platforms; this creates an expanding attack surface, susceptible to application abuse (especially within APIs, which many security solutions cannot defend adequately). Also, attacks which make a platform unresponsive to customers create customer dissatisfaction, increase the churn rate, and damage the provider’s reputation in the marketplace. From a cybercriminal’s perspective, this creates a high perceived value for DDoS extortion.


 Malicious bots are often used for several types of attacks against educational institutions. DDoS attacks are common: along with those that occur without an obvious motive, there are the usual attempts at extortion, revenge, and political grandstanding. Vulnerability scans are also frequent. Educational institutions tend to be large public organizations. Therefore, many threat actors perceive (whether correctly or incorrectly) that their web assets are less likely to have effective protection against cyberattacks. A successful breach creates an opportunity for ransomware payoffs, along with data theft. Educational institutions often store detailed PII (such as social security numbers) for their students. Therefore, attackers are especially interested in stealing student account data, whether by direct data theft or through credential attacks.


 Bot-based attacks create unique challenges for healthcare organizations. No other industry has such strict legal and regulatory requirements for maintaining tight data security, or such potentially damaging consequences when security measures fail. Account and credential attacks are a major threat; a compromise of patient data can result in punitive fines and penalties. Vulnerability scans can result in system breaches; subsequent ransomware attacks can hinder the healthcare provider from providing effective care for the patients.

Content/Data Aggregators

 In this vertical, sites and applications sell access to content and/or intellectual property. This can include a wide variety of content: everything from databases of legal records and court cases, to aggregations of current real estate price valuations. Unlike some other verticals, these platforms often do not attract many payment-related attacks such as credit card fraud. (Many content platforms do not process funds directly: they rely on third-party services for subscription payments and so on.) Instead, cybercriminals are most interested in stealing the data itself. Scraper bots masquerade as legitimate users, copying data that is publicly accessible. Other bots attempt to penetrate or otherwise circumvent security measures, to steal data that is meant to be restricted. Spam bots pollute user-generated content (e.g., marketplace reviews) with SEO link drops, or corrupt it with self-promotional content.

Travel and Ticketing

 Companies within the online ticketing/booking vertical must defend against a variety of bot-based threats. Because these platforms sell directly B2C online, attempted credit card fraud is a constant problem. DDoS attacks are also frequent. These sites and applications also must contend with several threats that are more specific to their industry. For example, inadequate bot protection will leave ticketing/booking platforms vulnerable to inventory hoarding. As mentioned previously, hoarding bots can not only reduce reservations and ticket sales (because they prevent legitimate customers from buying), they can also increase expenses (due to data fees that many platforms pay). Application-specific abuse is also a growing problem, thanks to the increasing popularity and feature-richness of mobile/native travel applications.


 Gaming sites and applications accept and pay out large amounts of money, while operating in loosely-regulated jurisdictions. This makes them extremely popular targets for cybercriminals. DDoS attacks on gaming platforms are rampant: not only continuous attacks for extortion, but also intermittent attacks from competitors to knock down a platform right before important events (playoff games, prominent races, etc.) when a large rush of last-minute bets would otherwise be coming in. Other bot attacks include vulnerability scans (to facilitate system breaches), advertising click fraud (because many of the ad networks which accept gaming ads do not have robust anti-fraud controls), and application abuse.


 Attacks on government web assets can vary, depending on the size of the agency. The types of attacks are generally the same: governments are most often threatened by DDoS, data theft, and vulnerability scans. But threat actors often wage them differently for different targets. This is especially true for DDoS. Attacks on the largest jurisdictions, such as national agencies, are generally politically motivated. An example of this is “OpIsrael,” the annual coordinated attacks on Israeli sites by anti-Israel activists around the world. In contrast, attacks on smaller targets are often waged for extortion instead. Threat actors also use bots to probe government sites for vulnerabilities. Hackers frequently target government sites for ransomware attacks, due to a perception that these organizations are more likely to have inadequate or out-of-date defenses. Once a vulnerability is discovered, the attacker breaches the site and either steals data, encrypts it as part of an extortion attempt, or both.


 Bots are used in a variety of attacks against financial service providers. This includes everything from vulnerability scans to sophisticated account takeovers (e.g., credential stuffing combined with identity/IP rotation)—subtle attacks which are very difficult for most security solutions to detect, but with disastrous consequences for the provider if they succeed. Even a small security incident is enough to cause PR nightmares, punitive regulatory fines, and potentially crippling loss of business.


Different industries experience different types of hostile bot traffic. Thus, for effective bot detection and mitigation, a web security solution must be able to identify many different kinds of bots.

Unfortunately, many security solutions are still relying exclusively on older methods of bot detection. These methods are growing increasingly ineffective against the latest generations of bots.

This will be the topic of the next article in this series.

This article is part 3 of a six-part series. You can download the complete report here: 2019 State of Bot Protection.
