A short primer on internet bots
An Internet bot (bot, for short) is a software application that runs automated tasks over the internet. Bots typically run simple tasks which they can perform at a dramatically greater rate than any human. Beneficial or anodyne bots are characterized as legitimate, or good. Common legitimate bots include Googlebot, an application Google uses to crawl the Internet and index it for search facilitation. Other bots are malicious, or bad. Cybercriminals use this type of bot to automate website scans to look for software vulnerabilities and execute simple attack patterns. Both good and bad bots are lightning-fast and, unlike humans, can operate 24×7.
How bad bots damage digital organizations
If you have any web presence at all, you are constantly subject to an automatically generated attack driven by malicious bot activity. Imperva researchers have uncovered bad bot attacks on everything from scheduling websites to e-commerce sites offering high-demand items, and even government websites that influence elections to political offices. The results of these attacks include lost business, website slowdowns and downtime, increased fraud claims, and much more. For more about the damage bad bots can cause, download Bad Bot Report 2021: The Pandemic of the Internet.
No organization is immune to the threat of bad bots. Imperva Application Security Product Manager Lynn Marks spoke with Application Security Weekly about the 24/7 online fraud risk bots create and what steps businesses must take to protect their websites, applications, and APIs. Watch the interview here.
4 bad bots to watch for the remainder of 2022
4. Bots that schedule COVID vaccine appointments.
Imperva’s Threat Research Labs has monitored a 372 percent increase in bad bot traffic on healthcare websites globally since September 2020. As vaccine programs continue to roll out and more people get third and fourth vaccine boosters, we are seeing indications of bot activity on websites that offer vaccine appointment availability. We have recorded activity at rates of as much as 12,000 requests per hour. As vaccines become more widely available to the developing world, these bad bots will be an ongoing concern. Healthcare services in the developing world could be principal targets. For web applications managing vaccine rollouts, the prospect of bot operators pointing inventory hoarding bots at them to gain an unfair advantage and snatch appointments is a serious cause for concern. If hospitalization and death rates were to approach crisis levels due to new variants or relaxed mandates in the developed world, this threat would be even greater.
3. Social media bots that spread misinformation.
In addition to interfering with COVID vaccine scheduling, at the start of the pandemic we identified bad bots posting comment spam on social media, leading to concerns over a global spread of COVID misinformation. Social media bots have also been used to spread fake news, ranging from the connection of 5G and refugee crises to politically-motivated conspiracy theories. Often, these messages included links that led to phishing attacks. The World Health Organization (WHO) has dubbed the spreading of misinformation an “infodemic”. As the world becomes less “ordered” we expect these bad bots to continue relentlessly.
These particular bad bots already have a track record of making millions through hoarding gaming hardware. Online scalpers will continue to plague the gaming hardware market, which they have been targeting using Grinchbots, especially during the holiday season. The Grinchbot phenomenon resulted in a massive 788 percent increase in bad bot traffic to retail websites globally between September and October 2020. The timing is no coincidence, and aligns perfectly with pre-order dates for the new generation gaming consoles, the scarcity in chipware brought about by the COVID pandemic, and the inevitable holiday season shopping frenzy. The result has been frustrated gamers unable to purchase a new generation gaming console, GPU or CPU because bots hoarded them all. A recent analysis of the online scalping market by data analyst Michael Driscoll estimates the profits made from these sales on just a single online marketplace at US$82 million. The situation is predicted to continue throughout 2022, as the electronics supply chain remains precarious and demand grows; most importantly, most enterprises have not been able to stop it.
1. Bots targeting elections.
Data from Imperva’s Threat Research Labs reveals a significant increase in advanced bad bot traffic targeting government websites with peak traffic in November. Bad bot traffic to those websites was consistently low in volume from February to September. It is unclear what their goal was, but the timing does raise questions about whether or not bot operators may have been trying to influence specific political races. As tensions and rhetoric intensify in the lead-up to the US midterm elections, we expect bad bot operators will look for opportunities to target government websites.
Three things you can do to stop bad bots
Every website is targeted for different reasons, and usually by different methods, so there is no one-size-fits-all bad bot solution. There are, however, some proactive steps you can take to start addressing the problem today.
- Plan ahead when updating your website.
When launching campaigns for new products, make sure that you are prepared to handle a high volume of traffic that will include a high ratio of sophisticated bots trying to scoop up the products and deny your customers access. Adding highly exploitable website functionality such as login opens the door to Credential Stuffing and Credential Cracking attacks by bad bots. A checkout form increases the chances of credit card fraud (Carding/Card Cracking). Gift card functionality invites bots to commit fraud. Make sure that these pages have extra security measures and a stricter ruleset.
- Block or CAPTCHA outdated user agents/browsers.
The default configurations for many tools and scripts contain user-agent string lists that are largely outdated. This won’t stop the more advanced attackers, but it might catch and discourage some. The risk in blocking outdated user agents/browsers is very low; most modern browsers force auto-updates on users, making it more difficult to surf the web using an outdated version.
- Block known hosting providers and proxy servers.
Even if the most advanced attackers move to other, harder-to-block networks, many less sophisticated perpetrators use easily accessible hosting and proxy services. Disallowing access from these sources might discourage attackers from coming after your site, APIs, and mobile apps.
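The three steps above can be combined into a single request-triage function. The following Python sketch is an added example, not Imperva's code; the version thresholds, CIDR ranges, page paths and sample requests are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed policy values, constructed for this example; tune to your own traffic.
MIN_MAJOR = {"Chrome": 100, "Firefox": 100}  # oldest major version accepted
# Constructed stand-ins (RFC 5737 documentation ranges) for a real feed of
# hosting-provider and proxy CIDR blocks.
HOSTING_NETS = [ipaddress.ip_network(n)
                for n in ("198.51.100.0/24", "203.0.113.0/24")]
# Hypothetical paths for the login, checkout and gift card pages.
SENSITIVE = ("/login", "/checkout", "/giftcard")
BROWSER_UA = re.compile(r"(Firefox|Chrome)/(\d+)")


def classify(ip, user_agent, path):
    """Return 'block', 'challenge' (CAPTCHA) or 'allow' for one request."""
    sensitive = path.startswith(SENSITIVE)
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in HOSTING_NETS):
        return "block"  # known hosting/proxy source
    match = BROWSER_UA.search(user_agent or "")
    if match is None:
        # Not a recognised browser (may be a legitimate crawler): only
        # challenge it where fraud risk is high.
        return "challenge" if sensitive else "allow"
    family, major = match.group(1), int(match.group(2))
    if major < MIN_MAJOR[family]:
        # Outdated browser string: CAPTCHA in general, block on sensitive pages.
        return "block" if sensitive else "challenge"
    return "allow"


CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/{}.0.0.0 Safari/537.36")
# Constructed sample requests: (source IP, User-Agent, path).
SAMPLES = [
    ("198.51.100.7", CHROME.format(120), "/"),
    ("192.0.2.10", CHROME.format(49), "/products"),
    ("192.0.2.10", CHROME.format(49), "/login"),
    ("192.0.2.10", CHROME.format(120), "/checkout"),
    ("192.0.2.10", "", "/giftcard/balance"),
]

if __name__ == "__main__":
    for ip, ua, path in SAMPLES:
        print(f"{classify(ip, ua, path):9} {ip:14} {path}")
```

A User-Agent header is client-supplied, so the version check only filters tools left on stale default strings; the IP and path rules apply regardless of what the client claims.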