Threat actors use bots to wage a wide variety of web attacks; nearly every attack that runs at scale is automated in one way or another. Hostile bots that are not identified and blocked create problems for any organization with significant web assets (sites and web applications, microservices, and the API servers behind mobile and native apps): site downtime, data theft, breaches and intrusions, lost revenue, and more.
Here are some of the common attacks for which threat actors are using bots.
Card Fraud (Credit and Gift)
Web applications that accept credit cards and/or gift cards can be abused by bots in several ways. In card testing, bots submit stolen card numbers (often as small purchases or donations) to learn which ones are still active, and iterate through number ranges to discover new valid ones; each attempt costs the merchant an authorization fee and inflates its decline rate with the payment processor. The validated numbers are later used fraudulently, which results in chargebacks and lost revenue from products that were already shipped. Gift card balance checks and coupon code guessing are abused the same way, reducing revenue and damaging profit margins.
Credential Attacks (Enumeration and Brute-Force, Credential Stuffing, Account Creation, Account Takeover)
User credentials are highly coveted commodities on the dark web. Hackers steal credential sets (personal identification data, account logins and passwords, contact data, etc.) in massive data breaches. They also discover credentials directly: enumeration bots first learn which usernames exist, exploiting login or password-reset responses that differ for valid and invalid accounts, and brute-force bots then try large lists of common passwords against those accounts (or, for short passwords, every combination of letters, numbers, and symbols) to see which combinations work.
Valid credentials can then be used in a variety of cyberattacks, and can also be sold in illicit marketplaces for others to use. Credentials allow attackers to take over the affected accounts within the targeted web application. Another common attack is to use bots to “stuff” the credentials into the login pages of many other web applications (especially high-value targets such as bank websites and payment providers). Unfortunately, many people still reuse the same credentials across a variety of websites, so credential stuffing lets an attacker leverage a single data breach into the takeover of multiple accounts across different websites; because each username is tried only once or twice, it also slips past the per-account lockout policies designed to stop brute force. Bots are likewise used to mass-create fake accounts, whether to abuse sign-up promotions or to stage later fraud.
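The two credential patterns described here, and the card testing described in the card-fraud section above, share one detection shape: many attempts from one source inside a short window, mostly failing, differing only in whether the identifier changes each time. The following is an added example (not code from the original page or from any product) that replays login or card-authorization events per source address and labels a source as credential stuffing / card testing (nearly every attempt uses a different identifier) or brute force (one identifier, many failures). The event tuples, addresses, thresholds and the `classify_sources` name are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events, not real traffic. Each tuple is
# (timestamp_seconds, source_ip, identifier, outcome). For logins the identifier
# is the username; for card authorizations it is a hash of the card number
# (raw card numbers must never be logged). outcome is "ok" or "fail".
LOGIN_EVENTS = [
    # 203.0.113.5: six different usernames, one attempt each, mostly failing
    (0, "203.0.113.5", "alice", "fail"),
    (1, "203.0.113.5", "bob", "fail"),
    (2, "203.0.113.5", "carol", "ok"),
    (3, "203.0.113.5", "dave", "fail"),
    (4, "203.0.113.5", "erin", "fail"),
    (5, "203.0.113.5", "frank", "fail"),
    # 198.51.100.7: one username hammered with password guesses
    (0, "198.51.100.7", "admin", "fail"),
    (1, "198.51.100.7", "admin", "fail"),
    (2, "198.51.100.7", "admin", "fail"),
    (3, "198.51.100.7", "admin", "fail"),
    (4, "198.51.100.7", "admin", "fail"),
    (5, "198.51.100.7", "admin", "fail"),
    # 192.0.2.10: a person who mistyped once and then succeeded
    (0, "192.0.2.10", "grace", "fail"),
    (20, "192.0.2.10", "grace", "ok"),
]

CARD_AUTH_EVENTS = [
    # 203.0.113.9: six different (hashed) card numbers, five declined
    (0, "203.0.113.9", "pan-hash-01", "fail"),
    (2, "203.0.113.9", "pan-hash-02", "fail"),
    (4, "203.0.113.9", "pan-hash-03", "ok"),
    (6, "203.0.113.9", "pan-hash-04", "fail"),
    (8, "203.0.113.9", "pan-hash-05", "fail"),
    (10, "203.0.113.9", "pan-hash-06", "fail"),
    # 192.0.2.33: a normal shopper
    (30, "192.0.2.33", "pan-hash-07", "ok"),
]


def classify_sources(events, kind="login", window=300, min_attempts=5,
                     min_fail_ratio=0.5, distinct_ratio=0.8):
    """Return {source_ip: label} for sources whose attempts look automated.

    Events are replayed in time order; each source keeps only its attempts
    from the last `window` seconds. A source is examined once it has at least
    `min_attempts` in the window and at least `min_fail_ratio` of them failed:
    - nearly every attempt uses a different identifier -> credential stuffing
      (or card testing when kind == "card")
    - every attempt uses the same identifier -> brute force
    - anything in between -> suspicious volume, worth a closer look
    """
    recent = defaultdict(deque)  # source_ip -> (ts, identifier, outcome)
    flagged = {}
    for ts, src, ident, outcome in sorted(events):
        q = recent[src]
        q.append((ts, ident, outcome))
        while ts - q[0][0] > window:       # drop attempts that fell out of the window
            q.popleft()
        attempts = len(q)
        if attempts < min_attempts:
            continue
        failures = sum(1 for _, _, o in q if o == "fail")
        if failures / attempts < min_fail_ratio:
            continue
        distinct = len({i for _, i, _ in q})
        if distinct / attempts >= distinct_ratio:
            label = "card_testing" if kind == "card" else "credential_stuffing"
        elif distinct == 1:
            label = "brute_force"
        else:
            label = "suspicious_volume"
        flagged[src] = label
    return flagged


if __name__ == "__main__":
    print(classify_sources(LOGIN_EVENTS))
    print(classify_sources(CARD_AUTH_EVENTS, kind="card"))
```

The thresholds are placeholders to be tuned against the site's own failure baseline. Per-address counting is only the first layer: a distributed stuffing campaign spreads attempts so thinly that no single address reaches `min_attempts`, so the same statistics should also be kept per network, per client fingerprint, and per username (a sudden rise in failures across many usernames from many addresses is the tell). Prefer step-up authentication for flagged sources over hard blocks, so that real users behind a shared address are not locked out during an attack.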
Hijacked accounts cause numerous problems both for the users whose accounts are taken over and for the organization that runs the application. When the takeovers come to light, the organization faces bad publicity, loss of reputation and trust, and possibly fines and penalties from industry and privacy regulators.
Distributed Denial of Service (DDoS)
DDoS is the most dramatic, and probably the most feared, form of botnet attack. Malicious actors use large networks of bots to mount coordinated attacks at massive scale. The goal is to disrupt the targeted organization by overwhelming its web applications or APIs with incoming requests, making them unavailable for normal use. Application-layer floods are the hard case: each bot request looks like a legitimate page view or API call, so the victim cannot simply drop traffic by volume. If the victim cannot distinguish and filter out the attack traffic, the disruption lasts for as long as the attacker wishes.
Common motives for DDoS include extortion (via ransom demands by the attacker), a desire (by competitors) to disrupt the target’s business, and even (in the case of governments) a desire to silence political dissent.
Inventory Hoarding
Web applications that offer online purchasing or reservations are vulnerable to inventory hoarding, in which hostile bots make inventory unavailable to legitimate customers. For example, bots attack eCommerce sites by adding products to shopping carts but never completing the purchases. Travel sites and applications are attacked by bots that abuse time-to-checkout policies (which usually allow 15 minutes or so for customers to complete their transactions), continually looping and re-booking reservations without ever purchasing tickets.
This causes a direct loss of revenue, because legitimate customers cannot make purchases. Many victims also incur higher expenses. For example, travel sites and applications often get their data from aggregators and pay conditional fees to do so. Each time a “customer” searches for airline flights, a small financial liability (a data lookup fee) is created. If the customer buys a ticket, the aggregator earns a commission on the sale; otherwise, the fee is charged to the site owner. Since bots never buy tickets, their continual requests for flight data accrue significant expenses for the site owners.
Scraping and Data Theft (Prices, Content, etc.)
Scraper bots copy data from online sources at scale. The most direct victims are data aggregators, whose business is gathering content and selling access to it; scraping is an obvious threat to that model. In other verticals, scraping causes indirect damage. For example, ecommerce sites publish prices and other product data; holding a competitor's complete catalog and pricing is a competitive advantage, so scrapers are used to collect it.
Common perpetrators are competitors who wish to undercut the victim’s prices and thus, capture some of their sales. They can also steal useful content such as product reviews, boosting their own sales at the expense of the victim. Criminals steal commercially valuable data and resell it.
Spam
Many websites accept user-submitted content: forum posts, reviews on ecommerce sites and marketplaces, and so on. These sites typically see large numbers of bots continually posting spam comments, links, and the like. Over time this degrades search engine rankings, since search engines penalize sites that host spam links, and damages the site's reputation among users.
Vulnerability Scanning
Threat actors use bots to automatically scan large numbers of systems for known vulnerabilities: probing for exposed configuration files and admin panels, fingerprinting software versions, and testing for injection flaws. When a vulnerable system is found, the attackers follow up with direct attacks: SQL injection, XSS, or whatever will succeed against the weakness that was found. Scanning is reconnaissance. Detecting and blocking the scanning bots removes the attacker's cheapest route to your weaknesses, but the vulnerability itself still has to be fixed, because a determined attacker can scan again from addresses you have not yet blocked.
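Both the scrapers described in the previous section and the scanners described here leave a recognizable shape in ordinary web-server access logs, and the same log parser serves both. The following is an added example (not code from the original page or from any product) that profiles each client from combined-format log lines and labels it a scanner (requests for paths the site never linked to, mostly 404s), a scraper (a fast walk over many distinct pages with no stylesheet, script or image requests), or normal. The log lines, addresses, user agents, probe-path list and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format: client, identity, user, [time],
# "request line", status, bytes, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".svg", ".woff2")
# Paths only a scanner asks for on a site that does not serve them (constructed list).
PROBE_PATHS = {"/.env", "/.git/config", "/wp-login.php", "/xmlrpc.php",
               "/phpmyadmin/", "/admin/", "/config.php"}

# Constructed log lines, not real traffic: a catalog scraper, a vulnerability
# scanner, and one person browsing with a real browser.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Oct/2023:13:55:30 +0000] "GET /products/1001 HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"
203.0.113.42 - - [10/Oct/2023:13:55:31 +0000] "GET /products/1002 HTTP/1.1" 200 5098 "-" "python-requests/2.31.0"
203.0.113.42 - - [10/Oct/2023:13:55:32 +0000] "GET /products/1003 HTTP/1.1" 200 5110 "-" "python-requests/2.31.0"
203.0.113.42 - - [10/Oct/2023:13:55:33 +0000] "GET /products/1004 HTTP/1.1" 200 5077 "-" "python-requests/2.31.0"
203.0.113.42 - - [10/Oct/2023:13:55:34 +0000] "GET /products/1005 HTTP/1.1" 200 5131 "-" "python-requests/2.31.0"
203.0.113.42 - - [10/Oct/2023:13:55:35 +0000] "GET /products/1006 HTTP/1.1" 200 5102 "-" "python-requests/2.31.0"
198.51.100.23 - - [10/Oct/2023:13:56:00 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; probe/1.0)"
198.51.100.23 - - [10/Oct/2023:13:56:00 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; probe/1.0)"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; probe/1.0)"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; probe/1.0)"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; probe/1.0)"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; probe/1.0)"
192.0.2.7 - - [10/Oct/2023:13:57:10 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
192.0.2.7 - - [10/Oct/2023:13:57:10 +0000] "GET /static/app.css HTTP/1.1" 200 2210 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
192.0.2.7 - - [10/Oct/2023:13:57:11 +0000] "GET /static/app.js HTTP/1.1" 200 9310 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
192.0.2.7 - - [10/Oct/2023:13:57:40 +0000] "GET /products/1003 HTTP/1.1" 200 5110 "https://shop.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
192.0.2.7 - - [10/Oct/2023:13:57:41 +0000] "GET /images/1003.jpg HTTP/1.1" 200 48120 "https://shop.example/products/1003" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/118.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def profile_clients(lines):
    """Aggregate per-client features: volume, timing, 404s, static assets, probe hits."""
    stats = defaultdict(lambda: {"n": 0, "paths": set(), "not_found": 0,
                                 "assets": 0, "probes": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # in production, count these: malformed request lines are a signal too
        s = stats[rec["ip"]]
        bare = rec["path"].split("?", 1)[0]   # query string stripped for path matching
        s["n"] += 1
        s["paths"].add(rec["path"])           # full path keeps /products?page=N distinct
        s["not_found"] += int(rec["status"] == 404)
        s["assets"] += int(bare.lower().endswith(ASSET_EXT))
        s["probes"] += int(bare in PROBE_PATHS)
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return stats


def classify_clients(lines, min_requests=5):
    """Label each client: vulnerability_scanner, scraper, or normal."""
    labels = {}
    for ip, s in profile_clients(lines).items():
        n = s["n"]
        seconds = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = n / seconds
        if s["probes"] >= 3 or (n >= min_requests and s["not_found"] / n >= 0.5):
            labels[ip] = "vulnerability_scanner"   # hunting for files the site never linked to
        elif (n >= min_requests and s["assets"] == 0
              and len(s["paths"]) / n >= 0.9 and rate >= 0.5):
            labels[ip] = "scraper"                 # fast walk over distinct pages, no CSS/JS/images
        else:
            labels[ip] = "normal"
    return labels


if __name__ == "__main__":
    for ip, label in classify_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, label)
```

The user agent is deliberately not used as a signal: the constructed scraper announces itself, but a scraper run through a headless browser sends a browser user agent and also fetches assets, so the durable signals are request rate, breadth of distinct content pages, and the absence of the referers and navigation order a person produces. For scanners, the probe list should be generated from your own site's 404 logs rather than copied from a generic list, since it is the paths you do not serve that matter.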
Advertising Abuse (Click Fraud)
Advertising bot attacks, although they may sound benign, are serious and can cause a lot of damage. Click fraud occurs when bots are sent to “click” on ads; it skews the results of a commercial or political ad campaign, so the advertiser misreads its performance and spends its budget in the wrong places. It also harms ad networks and the sites on which the ads run: advertisers eventually notice that their ads are not producing worthwhile results despite the many “clicks”, and slow down or stop their campaigns.
Sites that run ads lose income in the short term (when ad networks reverse the payments for fraudulent clicks) and also lose the revenue those page views could have generated from legitimate ads. In the long term the sites may lose ad revenue altogether, since the networks eventually refuse to supply inventory to publishers whose traffic is fraudulent.
Other Attacks (API Abuse)
This category covers the many hostile bot activities that do not fit the previous ones, in which bots abuse a specific capability of the victim's web application or API. For example, bots will drive an SMS-sending API (such as a one-time-password or notification endpoint) to push out massive amounts of SMS spam, with the per-message carrier charges landing on the victim.
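The SMS example is a capability that has to be rate-limited on more than one axis, because a single global limit either blocks real customers or lets a spam blast through below the ceiling. The following is an added example (not code from the original page or from any product) of a guard placed in front of an SMS-sending endpoint: a per-key token bucket for bursts, a per-destination cap so one number cannot be bombed with codes, and a per-key cap on distinct destinations, which is the shape of a spam blast. The API keys, phone numbers, limits and the `SmsSendGuard` class are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque

E164 = re.compile(r"^\+[1-9]\d{6,14}$")   # international number: + country code, 7-15 digits


class TokenBucket:
    """Allows bursts of `capacity` messages, then a sustained `rate` per second."""

    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.updated = capacity, None

    def take(self, now):
        if self.updated is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class SmsSendGuard:
    """Three independent limits checked before a message reaches the carrier.

    - per destination number: at most `per_destination` messages per `window`,
      across all API keys (stops one number being bombed with codes)
    - per API key: at most `max_destinations` distinct numbers per `window`
      (a spam blast fans out to many numbers; a real notification flow does not)
    - per API key: token bucket of `burst` messages refilled at `rate` per second
    Only accepted sends count toward the windows, so denied requests cannot be
    used to burn someone else's quota.
    """

    def __init__(self, burst=5, rate=1.0, per_destination=3, max_destinations=50, window=3600):
        self.burst, self.rate, self.window = burst, rate, window
        self.per_destination, self.max_destinations = per_destination, max_destinations
        self.buckets = {}                      # api_key -> TokenBucket
        self.dest_log = defaultdict(deque)     # destination -> (ts, api_key) of accepted sends
        self.key_log = defaultdict(deque)      # api_key -> (ts, destination) of accepted sends

    @staticmethod
    def normalize(destination):
        """Strip formatting; return the E.164 form or None if it is not a valid number."""
        compact = re.sub(r"[\s().-]", "", destination)
        return compact if E164.match(compact) else None

    def _prune(self, q, now):
        while q and now - q[0][0] > self.window:
            q.popleft()

    def allow(self, api_key, destination, now):
        dest = self.normalize(destination)
        if dest is None:
            return "invalid_destination"
        dq = self.dest_log[dest]
        self._prune(dq, now)
        if len(dq) >= self.per_destination:
            return "destination_rate"
        kq = self.key_log[api_key]
        self._prune(kq, now)
        recent = {d for _, d in kq}
        if dest not in recent and len(recent) >= self.max_destinations:
            return "too_many_destinations"
        bucket = self.buckets.setdefault(api_key, TokenBucket(self.burst, self.rate))
        if not bucket.take(now):
            return "key_rate"
        dq.append((now, api_key))
        kq.append((now, dest))
        return "ok"


def simulate():
    """Constructed scenarios replayed against one guard (timestamps in seconds)."""
    guard = SmsSendGuard()
    outcomes = {
        # spam blast: one key, 60 distinct numbers, one message per second
        "bulk_spam": Counter(guard.allow("key-bulk", f"+1555{i:07d}", now=i) for i in range(60)),
        # one number bombed with six codes in six seconds
        "otp_bombing": Counter(guard.allow("key-otp", "+1 555 000 9999", now=100 + i) for i in range(6)),
        # ten messages in the same instant to ten fresh numbers
        "burst": Counter(guard.allow("key-burst", f"+1555{100 + i:07d}", now=200) for i in range(10)),
        # malformed destination, rejected before any quota is touched
        "invalid": Counter([guard.allow("key-otp", "555-0100", now=300)]),
    }
    return {name: dict(c) for name, c in outcomes.items()}


if __name__ == "__main__":
    for name, counts in simulate().items():
        print(name, counts)
```

The distinct-destination cap is the limit that actually stops spam: the bucket only shapes the rate, and a patient bot sends under it for hours. In production the counters live in a shared store so that every API replica enforces the same numbers, the caps are set per customer tier, and sends to premium-rate or unexpected country prefixes get their own, much lower, limits, since that is where the victim's carrier bill comes from.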