Are you currently experiencing an attack?

Are you currently experiencing an attack?

Malicious Bots and How to Fight Them

Bots are a fact of life. According to the 2018 Bad Bot Report, in 2017, bots made up 42.2 percent of all web traffic, up 3.5 percent from the previous year. And the nature of bot traffic is quickly getting worse. As recently as 2014, good bots (such as search engine spiders) heavily outnumbered the bad bots. Today, the situation is reversed; now, more than half of all bot traffic is hostile.

Malicious bots, which are becoming more sophisticated and more prevalent, inflict a lot of damage in the digital world. This article examines the new generation of malicious bots and discusses how they can be identified and excluded.

How Malicious Bots Cause Damage

Every business with an online presence is regularly attacked by malicious bots via its website, APIs, or mobile apps. They inflict direct (revenue loss) and indirect (reputation loss) damage on businesses through activities such as:

  • Price scraping, which is most common in sectors where products are easy to compare and purchase decisions are price-sensitive, such as online electronics retailers. Armed with realtime pricing data provided by the bots, the perpetrator gains an unfair advantage by dynamically adjusting its own prices in order to meet or undercut its competitors’ pricing.
  • Content scraping, i.e., duplicating proprietary content, can be devastating to websites that invest considerable resources in aggregating and monetizing large-scale databases, such as online local business directories or online product catalogs. If the scraped content is made freely available to the public, the victim’s business model is undermined. If the content is used for spam or email fraud, the victim’s reputation is damaged.
  • Distributed Denial-of-Service (DDoS) attacks are typically perpetrated using the attacker’s own or a rented botnet, or even through hacked IoT devices. According to a 2017 Neustar report, a DDoS attack mounted at peak times can cost an enterprise more than $100,000 per hour in lost revenue. The cost of undermined customer and advertiser relationships is harder to quantify, but just as damaging. Ransom DDoS attacks are also on the rise, with companies being extorted for protection money.
  • Denial of inventory, or hoarding, automatically holds items in shopping carts with no intention to purchase. With legitimate buyers prevented from purchasing the “out of stock” items, the victim loses sales revenues — with the bots often targeting the retailer’s most popular products. And, if these attacks happen often enough, the seeming recurrent lack of inventory can also discredit the credibility of the website.
  • Credit card testing: Bots are used to test stolen credit card numbers through fraudulent transactions, typically on smaller, unsuspecting ecommerce websites. These transactions cause direct losses through chargebacks, extra logistics costs, and shipped goods that may never be recovered.
  • Credential stuffing uses bots to make repeated login attempts using stolen credentials. Once the logins are successful, attackers take over the accounts of legitimate users or customers.

Malicious bots are generally indiscriminate in their attacks, grabbing opportunities as they arise. However, some sectors are more frequently the victims of malicious bots, including gambling, airlines, finance, healthcare, and concert/event ticketing. In addition, malicious bots tend to target large- and medium-sized websites.

Challenges in Detecting and Blocking Malicious Bots

Bots have become more adept at mimicking human traffic and disguising their identity. The first simple crawlers, like Apache Nutch or Scrapy, had no Javascript capability and were thus easily identifiable as bots. More advanced tools, like PhantomJS and CasperJS, look a lot more like browsers and are thus much harder to detect from legitimate user traffic.

In 2017, 74% of all malicious bots were Advanced Persistent Bots (APBs), which cycle through random IP addresses, enter networks through anonymous proxies, change their identities frequently, and do a good job of mimicking human behavior. The most recent tools, such as Headless Chrome, provide almost perfect rendering and, in 2017, almost half of all malicious bots used Chrome as their fake identity.

Another challenge is that bots have gained power through numbers. They are massively distributed through botnets, and the exponential growth in IoT-connected devices has given bot operators access to hundreds of thousands and even millions of different IP addresses to mount their malicious attacks.

Last but not least, the growth in the use of mobile devices to access the web has not been lost on malicious bot operators. They have discovered that cellular gateways offer a new and effective channel for malicious bots to simultaneously attack multiple websites and apps. With cellular gateways handling massive volumes of requests — most of which are legitimate — it is very difficult to identify and block malicious ones. In addition, in many cellular carriers, a single IP address can serve thousands of devices per day, making the bots more invisible than ever before. Yet another complication is that mobile devices move through different gateways throughout the day, allowing bots to change their identities and making detection even more challenging.

How to Outsmart Malicious Bots

As malicious bots grow in numbers and sophistication, they can no longer be thwarted by single-dimensional tools such as CAPTCHA systems. A recent Stanford University study has found that 13 out of the 15 CAPTCHA systems used by popular websites are susceptible to automated attacks.

Thus, today’s advanced malicious bots, often powered by full-stack browsers such as WebKit, Chromium V8 and IE WebBrowserControl, can only be blocked by deep bot detection expertise implemented within a multi-layer, multi-tier dynamic security strategy.

Reblaze’s industry-leading biometric bot detection goes far beyond traditional methods such as browser authentication. The platform uses Machine Learning to construct and maintain behavioral profiles of legitimate human visitors. For each user, Reblaze continually gathers and analyzes stats such as client-side I/O events, triggered by the user’s keyboard, mouse, scroll, touch, zoom, device orientation, movements, and more. Therefore, Reblaze understands how actual humans interact with the web apps it is protecting. Continuous multivariate analysis verifies that each user is indeed a legitimate human.

Reblaze’s cloud-based platform is easy to deploy, fully managed, always up-to-date, and integrates well with security systems already in place.

A Final Note

Unfortunately, cybercrime and malware are facts of life in our digital world. Enterprises large and small must exercise constant diligence in order to protect their digital assets from attackers, including malicious bots that operate relentlessly 24x7x365.

For more information on how Reblaze detects and blocks malicious bots, see

Photo by Ilya Pavlov on Unsplash

Get your price quote

Fill out your email below, and we will send you a price quote tailored to your needs

This website uses cookies to ensure you get the best experience on our website.