In the context of web security, there are two types of bots: good bots and bad bots. Both attempt to access web resources (pages, web applications, APIs, etc.) or perform other typical web activities of a human user, but they do so for different purposes.
- Good bots. The most common type of good bot is a web spider (a.k.a. web crawler) deployed by a search engine. These keep the search engine’s index updated with current information about the sites being visited by the bots. Site owners generally welcome these bots, because it keeps their sites visible in the search engines and ideally will result in more users/customers. Another common “good” bot is a data aggregator, which again is meant to update some sort of directory or other content listing with information about the sites being visited.
- Hostile bots. These are deployed for malicious purposes. Their effects on the targeted sites and applications range from mildly harmful to potentially catastrophic, discussed further below.
Hostile bots are a serious problem on the Internet today. On average, Reblaze’s customers receive about 62 percent of their incoming traffic from bots. About 38 percent of the total comes from hostile bots. In other words, more than one-third of an average site’s traffic will be from attack bots.
There are many types of hostile bots. Here are some cyberattacks that use malicious bots:
Card Fraud (Credit and Gift)
Web applications which accept credit cards and/or gift cards can be abused by bots in various ways. Stolen card numbers can be validated, and new ones discovered, when bots enter card numbers into the application. Later, the numbers are used fraudulently, which results in chargebacks.
Credential Attacks (Enumeration and Brute-Force, Credential Stuffing, Account Creation, Account Takeover)
User credentials are highly coveted commodities in the dark web. Hackers steal credential sets (personal identification data, account logins and passwords, contact data, etc.) in massive data breaches. Or, they discover credentials by sending out bots to wage brute-force attacks; the bots attempt to gain access to a web application by trying every possible combination of letters, numbers, and symbols, to see which combinations work.
Valid credentials can then be used in a variety of cyberattacks, and can also be sold in illicit marketplaces for others to use. Credentials can allow attackers to take over the affected accounts within the targeted web application. Another common attack is to use bots to “stuff” the credentials into the login pages of many other web applications (especially high-value targets like bank websites, payment providers, and so on). Unfortunately, many people still use the same credentials across a variety of websites. Therefore, credential stuffing allows an attacker to leverage a single data breach into the successful takeover of multiple accounts across different websites.
Consequences for the victim
Hijacked accounts cause numerous problems for the victim and its customers. When the data breaches are discovered, the victim is the target of bad publicity, loss of reputation and trust, and might receive fines and penalties from industry and privacy regulators.
Distributed Denial of Service (DDoS)
DDoS is the most dramatic, and probably the most feared, form of botnet attack. Malicious actors use large networks of bots to create coordinated attacks at massive scale. The goal is to disrupt the targeted organization by overwhelming its web applications or APIs with incoming requests, making them unavailable for normal use. If the victim cannot filter out the attack traffic, the disruption will last for as long as the attacker wishes.
Web applications which offer online purchasing or reservations are vulnerable to inventory hoarding, when hostile bots make inventory unavailable to legitimate customers. For example, bots attack eCommerce sites by adding products to shopping carts, but never completing the purchases. Travel sites and applications are attacked by bots which abuse time-to-checkout policies (which usually allow 15 minutes or so for customers to complete their transactions), continually looping and booking reservations without ever purchasing tickets.
Scraping and Data Theft (Prices, Content, etc.)
Scraper bots steal data from online sources. This is commonly seen in verticals such as data aggregators which gather and sell access to content. Scraping is obviously a direct threat to this business model. In other verticals, scraping can cause indirect damage. For example, ecommerce sites contain prices and other product data; possession of this data can be a competitive advantage, so scrapers are used to steal it.
Many websites accept user-submitted content: posts on forums, reviews on ecommerce sites and marketplaces, and so on. These sites usually experience large numbers of bots continually posting spam comments, links, etc.
Threat actors use bots to automatically scan large numbers of systems for known vulnerabilities. When a vulnerable system is found, hackers follow up with direct attacks: SQL injection, XSS, or whatever attack will be successful against the vulnerability that was found.
Advertising abuse (Click fraud)
Advertising bot attacks, although they sound benign, are quite serious and can cause a lot of damage. Click fraud occurs when bots are sent to “click” on ads; it can skew the results of a commercial or political ad campaign. This will cause the advertiser to invest poorly and spend the ad budget in the wrong places. It also harms ad networks and the sites on which the ads are run, since advertisers will eventually notice that their ads aren’t producing worthwhile results (despite getting lots of “clicks”), and they will slow down or stop their campaigns.
This includes a large variety of hostile bot activities that don’t fall into the previous categories, where bots abuse specific capabilities of the victim’s web application or API. For example, bots will exploit a phone system API to send out massive amounts of SMS spam.