Organizations are fighting a losing battle against advanced bots
The new generation of advanced bots is now on everyone’s radar. High-performance IPs and generative AI have given rise to today’s ‘superbots’: bots that can spoof fingerprints, conduct distributed attacks at scale, mimic human behavior using machine learning, and fool traditional CAPTCHAs up to 100% of the time.
There is much discussion about how organizations’ cybersecurity strategies must now rapidly evolve to keep up with these increasingly sophisticated bots. But beneath this story lies another truth: most organizations still haven’t put even basic bot protection into practice.
Recent research, testing more than 14,000 of the world’s largest websites, found that as many as 2 in 3 (65.2%) have no protection against even basic bots. The research also shows that bot protection rates are struggling to keep pace with the rapid growth of digital businesses: only 8.44% of websites are fully protected against all bots, down from 10.2% last year. Not only are bots becoming more sophisticated, but organizations’ defenses against them are also becoming weaker.
Co-founder and Chief Strategy Officer at DataDome.
How even simple bots can have a catastrophic impact
What’s in a name? Simple bots may sound like they don’t have the potential to do much damage, but in fact the opposite is true. Simple bots, such as curl scripts or fake Googlebots, can perform a number of malicious tasks and cause significant financial and reputational damage to companies. Simple bots are also often used to probe a website’s or app’s defenses so that cybercriminals can fine-tune their attacks – much like a burglar might ‘case’ a house before breaking in.
Simple bots can perform credential stuffing by taking a list of usernames and passwords (usually purchased from other malicious actors) and plugging them into a website to gain access and take over accounts.
Similarly, fraudsters can use simple bots for carding and card cracking. A cybercriminal may have the credit card number and expiration date needed to complete a transaction but not the security code. With a simple bot they can try all possible combinations until the right value is found.
Industries that are the “worst offenders”
While media and gambling lead the way as the most protected sectors (with 46.30% and 40.48% full bot protection respectively), others lag behind. Our research found that e-commerce and healthcare are the two most poorly protected industries globally, despite being perhaps the two most in need of robust protection.
This is particularly devastating for the e-commerce sector: 69.29% of pure e-commerce players – companies without physical store locations – have no bot protection whatsoever. That is a shocking statistic for organizations that generate all their revenue through online sales.
E-commerce companies simply cannot afford the reputational risk associated with bot activity on their websites, especially as we approach the holidays, when e-commerce sites will host more frequent and valuable transactions. Last year, holiday e-commerce spending was $1.17 trillion. The stakes are high, both for cybercriminals and the retailers they target.
The healthcare sector was another big offender, with 70.44% of healthcare domains completely unprotected against simple or advanced bot attacks. The healthcare industry holds a vast amount of confidential and sensitive information, which without adequate bot protection is wide open to data breaches. Cyber attacks endanger the reputation of organizations, reduce patient trust and make organizations vulnerable to legal sanctions.
Reducing the barriers to bot entry
The rise of Bots-as-a-Service has made bots more accessible than ever, even for fraudsters with little technical expertise. It has never been easier or cheaper to launch sophisticated attacks. In the past, hackers needed coding skills to develop and execute cyber attacks. Now cybercriminals can buy or lease bots-as-a-service on the black market. A simple bot can be purchased online for less than $50.
The rise of generative AI in the mainstream has also lowered the barriers to bot entry. Cybercriminals with some technical acumen can use AI to create bots that are easier to scale and harder to detect. For example, AI can generate bots that more convincingly mimic human behavior. This is especially useful in the case of phishing attacks, where AI bots can mimic human tone and use NLP to generate personalized phishing messages.
First master the basics
While many organizations are wondering how to best protect themselves against the bots of tomorrow, they can start by assessing whether they have the basics in place. Most organizations will need to start from the ground up and ensure they have protected themselves and their customers from simple bots.
There are some essential techniques that every organization needs in its bot protection toolkit. One of these is ‘honey trapping’, which lets bots run as usual but feeds them fake content or data to waste their resources. There is also throttling and rate limiting, which still allows bots to access your site but slows down bandwidth allocation, making them work less efficiently and causing fraudsters to give up. And there are some attack vectors where completely blocking bot activity is the best approach, for example if bots are clearly spreading malware or conducting a DDoS attack.
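The throttling and rate limiting described above, applied to the credential-stuffing pattern from earlier in the article, as an added example that is not DataDome’s code: a per-IP sliding window over failed logins that allows, progressively delays, then blocks a client. The thresholds, the delay schedule and the sample traffic are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: float   # seconds (relative timestamp taken from the login log)
    ip: str     # source address as seen by the login endpoint
    user: str   # username submitted with this attempt
    ok: bool    # whether the credentials were accepted


class LoginThrottle:
    """Sliding-window throttle keyed on source IP. Thresholds are illustrative assumptions."""

    def __init__(self, window=60.0, soft=3, hard=10, max_users=5,
                 base_delay=1.0, max_delay=30.0):
        self.window, self.soft, self.hard = window, soft, hard
        self.max_users, self.base_delay, self.max_delay = max_users, base_delay, max_delay
        self.failures = defaultdict(deque)  # ip -> deque of (ts, user) for failed logins

    def decide(self, a: Attempt):
        """Return ("allow"|"delay"|"block", seconds) from prior failures inside the window."""
        q = self.failures[a.ip]
        while q and a.ts - q[0][0] > self.window:   # forget failures older than the window
            q.popleft()
        n = len(q)
        distinct = len({u for _, u in q})            # many usernames from one IP: stuffing signal
        if n >= self.hard or distinct >= self.max_users:
            action = ("block", 0.0)
        elif n >= self.soft:                         # slow the client down before blocking it
            action = ("delay", min(self.base_delay * 2 ** (n - self.soft), self.max_delay))
        else:
            action = ("allow", 0.0)
        if not a.ok:                                 # record this failure for later decisions
            q.append((a.ts, a.user))
        return action


def replay(attempts, throttle=None):
    """Run attempts through a throttle (fresh one by default); one decision per attempt."""
    if throttle is None:
        throttle = LoginThrottle()
    return [throttle.decide(a) for a in attempts]


# Constructed sample traffic: a human mistyping a password, and a bot cycling usernames.
HUMAN = [Attempt(0, "10.0.0.5", "alice", False), Attempt(5, "10.0.0.5", "alice", False),
         Attempt(9, "10.0.0.5", "alice", True)]
BOT = [Attempt(10 + i, "203.0.113.7", f"user{i}", False) for i in range(12)]

if __name__ == "__main__":
    for label, traffic in (("human", HUMAN), ("bot", BOT)):
        print(label, [act for act, _ in replay(traffic)])
```

The human’s two typos never trigger a delay, while the bot is slowed after its third failure and blocked as soon as it has tried five distinct usernames, well before the hard failure limit.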
Once organizations have mastered the basics with solid bot protection, they can start strengthening their defenses against the increasingly sophisticated bots of tomorrow.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.