Bad Bots and the Commoditization of Online Fraud | Imperva

Bad Bots and the Commoditization of Online Fraud

Fraudsters will stop at nothing to exploit your websites and customers, and with the accelerated shift to digital payments, online fraud has never been more profitable. This shift, catalyzed by the pandemic, really gained traction in 2021 as the popularity of digital payments exploded. In fact, compared to 2020, online payments more than doubled in 2021, growing by 104%. Add to that the fact that the average person has over 100 online accounts, many of those accounts have stored payment methods within them, and this has created the perfect playground for bad actors.

The 2022 Imperva Bad Bot Report: Evasive Bots Drive Online Fraud is now available for download. Get the report today.

With an abundance of online accounts and transactions to attack, the techniques that bad actors devise to commit fraudulent acts online are constantly evolving to maximize profits. One of the most concerning new strategies is the automation of online fraud. Let’s take a look at a few of the forms of automated online fraud employing bad bots:

Account Takeover Fraud

The most common fraudulent attack that makes use of bots is account takeover (ATO). ATO is a form of digital identity theft in which bad actors attempt to gain illegal access to user accounts that belong to someone else. The attack is automated with brute-force techniques, mainly credential stuffing, which replays leaked username and password pairs against other websites. This technique leverages a key weak spot among many online account users – reusing the same password across many websites. At least 65 percent of people reuse their passwords across multiple sites, meaning that once their credentials are compromised, all of their accounts that use the same password are also at risk of account takeover fraud. It has become very easy for attackers to obtain dumps of leaked credentials online. Combine that with the easy accessibility of bot infrastructure and the financial incentives behind user accounts, and it is clear why this attack vector has become so common and profitable.

Any online business that uses a login page is at risk of account takeover fraud. If there is money to be made by taking over user accounts on the website, that risk is even higher. Businesses should expect bots to relentlessly hammer their login pages with thousands of requests around the clock.

Successful account takeover attacks can have a massive negative impact on customers: account lockouts, financial fraud, theft of personal information, and much more. This impact trickles down to the business as well in the form of increased customer support costs, revenue loss, customer churn, tarnished reputation, risk of non-compliance with data privacy regulations, and more.

Bad actors attempting to take over employee accounts is another business risk. Using compromised employee credentials, attackers can access the organization’s network and execute malware or exfiltrate sensitive data to orchestrate a much more elaborate attack on the business and on the broader supply-chain.
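Credential stuffing has a recognizable shape in login telemetry: one source tries many different usernames, mostly fails, and does so in a short burst. The following detector is an added example written for this article, not Imperva code; it assumes a constructed log format of "timestamp, client IP, username, OK/FAIL" and flags sources matching that shape, listing any accounts that were successfully logged into during the burst as candidates for a forced password reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample login events (not real traffic). Assumed line format:
# "<ISO-8601 timestamp> <client IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2022-03-01T10:00:01Z 203.0.113.7 alice FAIL
2022-03-01T10:00:01Z 203.0.113.7 bob FAIL
2022-03-01T10:00:02Z 203.0.113.7 carol FAIL
2022-03-01T10:00:02Z 203.0.113.7 dave OK
2022-03-01T10:00:03Z 203.0.113.7 erin FAIL
2022-03-01T10:00:04Z 203.0.113.7 frank FAIL
2022-03-01T10:00:10Z 198.51.100.2 alice FAIL
2022-03-01T10:00:25Z 198.51.100.2 alice OK
2022-03-01T10:01:00Z 192.0.2.9 bob OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_events(text):
    """Yield (timestamp, ip, user, success) tuples, skipping malformed lines."""
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3), m.group(4) == "OK"

def detect_credential_stuffing(text, min_users=5, min_fail_ratio=0.6, max_span_s=60):
    """Return {ip: summary} for sources whose logins look like credential stuffing
    (many distinct usernames, mostly failing, in a short span). One user mistyping
    or a single-account brute force stays below min_users and is not flagged."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in parse_events(text):
        per_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        users = {u for _, u, _ in events}
        fails = sum(1 for _, _, ok in events if not ok)
        ratio = fails / len(events)
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(users) >= min_users and ratio >= min_fail_ratio and span <= max_span_s:
            flagged[ip] = {
                "attempts": len(events),
                "distinct_users": len(users),
                "fail_ratio": round(ratio, 3),
                "span_seconds": span,
                # successes inside the burst: likely reused credentials, reset them
                "compromised_candidates": sorted(u for _, u, ok in events if ok),
            }
    return flagged
```

Per-IP grouping is the simplest key; proxies and residential bot networks spread attempts across many addresses, so production rules also key on device fingerprint, session or ASN and apply the same distinct-user test.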

New Account Fraud

In this type of online fraud, bad actors use bots to automate account creation so it can be done en masse, generating an army of fake user accounts to have at their disposal. Attackers can use these accounts to commit various forms of online fraud, from comment spam and amplifying propaganda to promotion abuse (new-user offers) and money laundering.

Credit Card Fraud

There are two techniques that leverage bots in credit card fraud: card cracking and carding. Card cracking is based on the assumption that credit card information with cardholder names and primary account numbers is readily available on the dark web. But card-not-present fraud requires a cardholder’s CVV number, expiration date, and postal code. In this technique, a bot will spread its guesses across multiple websites, and determine these missing pieces of information in mere seconds. Then, armed with legitimate card numbers, fraudsters can buy products online and have them shipped anywhere in the world.

Carding fraud occurs when criminals run thousands of small purchases using stolen credit card numbers in order to verify them, then resell verified card information to organized crime rings at a much higher price. This leads to poor merchant history, chargeback penalties, and worse. Like most transaction fraud, carding is easier than ever – there are even step-by-step tutorials online.

Credit card fraud damages the fraud score of the affected businesses and increases customer service costs to process fraudulent chargebacks. It may also negatively impact conversion rates due to trust issues with credit card companies that require additional verification.

Gift Card Fraud

With the online fraud type known as Gift Card Cracking or Gift Card Enumeration, bots are being used to browse gift card balance pages to find which gift card numbers have unused balances. These can then be sold on the dark web for an easy profit. GiftGhostBot is an example of such fraud.


Bad bots are being used to aggressively flood the internet with spam comments which can lead to various fraudulent schemes. One such example was uncovered by Imperva Threat Research in the early days of the pandemic, as bots were used to spread fake news and drive unsuspecting users to dubious online drug stores.

The Role of Client-Side Attacks in Online Fraud

A recurring theme in some automated fraud attacks is their reliance on compromised user credentials and payment information. This is where client-side attacks come into play. Also known as Magecart attacks, client-side attacks involve injecting malicious JavaScript into first-party code or into the code of third-party services (the supply-chain) used on legitimate websites. This enables fraudsters to collect sensitive personal information directly from the client every time a customer enters their information into an online form on a website.

As an example, let’s take a login page. A user might be typing in their credentials, clicking “log in” and successfully accessing their account. What the user is unaware of is that at the same time, their credentials have also been sent to a fraudulent third-party, essentially compromising them.

So not only have fraudsters been able to automate their attacks, but they have also been able to optimize them by feeding them with information that is often obtained by abusing the same website functionality – in this example, the login page. That same page can later be abused by bad bots performing credential stuffing to break into user accounts.

It is critical to understand that client-side attacks are data breaches for all intents and purposes. As such, the risk of non-compliance with PCI, GDPR, CCPA and other data privacy regulations is very real. In recent years, companies have been fined millions of dollars following Magecart attacks that compromised sensitive user information on their websites.

Prevent online fraud with Imperva

A proactive approach to preventing automated online fraud starts with good web application security hygiene. Imperva’s WAAP (Web Application and API Protection) stack combines best-of-breed solutions that protect your business from edge to database, including key components essential for fraud prevention:

  • Imperva’s Advanced Bot Protection safeguards web applications, mobile apps, and APIs from all automated threats without affecting the flow of business-critical traffic. It continuously monitors online traffic to protect every aspect of your web applications against any attempt at fraudulent activity. By inspecting each request in real-time, Imperva determines if it’s a malicious bot, and then blocks the request outright if it is. Next, machine learning algorithms learn your legitimate traffic patterns to pinpoint dangerous anomalies. If necessary, more aggressive settings can be activated across critical attack vectors, such as account registration forms and login screens. Imperva uses a sophisticated mix of browser and JavaScript checks, device-based rate-limiting, behavioral analytics, and biometric validation to stop automated online fraud. The deep interrogation validates that there is a human behind the browser, ensuring that even bots that mimic human behavior with sophisticated tools can’t evade detection.
  • Imperva’s Account Takeover Protection reduces account-based fraud by preventing automated access to credential authorization processes while providing clear visibility and context for fraud resolution. The intuitive dashboards include vital information for fraud prevention and investigation, such as which sites and user accounts are under attack, what techniques were used, whether the credentials are publicly available, and the number of times an account has been successfully logged into.
  • Imperva’s Client-Side Protection mitigates the risk of your customers’ most sensitive data landing in the hands of bad actors. It prevents supply-chain fraud from Client-Side attacks like formjacking, Magecart and other online skimming attacks. Client-Side Protection automatically scans for existing and newly added services on your site, eliminating the risk of them being a blind-spot for the security team. The solution empowers your security team to easily determine the nature of each service, and block any unapproved ones.
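The client-side inventory step described above (find every third-party service on a page and compare it against an approved list) can be illustrated with a small script-tag audit. This is an added example, not Imperva's product code; the page snippet, hostnames and the SRI placeholder hash are constructed, and the approved-host set stands in for whatever allowlist a security team maintains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page snippet (not a real site): one first-party script, two approved
# third parties (one with an SRI hash placeholder), and one unapproved host.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-payments.test/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.example.test/tag.js"></script>
<script src="https://unknown-host.test/widget.js"></script>
</head><body><form action="/login"></form></body></html>
"""
APPROVED_HOSTS = {"cdn.example-payments.test", "analytics.example.test"}

class ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> tag that has a src."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.scripts.append(a)

def audit_scripts(html, approved_hosts, site_host="shop.example.test"):
    """Bucket external scripts into first-party / approved / unapproved, and list
    third-party scripts that lack Subresource Integrity (no 'integrity' attribute)."""
    parser = ScriptCollector()
    parser.feed(html)
    report = {"first_party": [], "approved": [], "unapproved": [], "missing_sri": []}
    for s in parser.scripts:
        src = s["src"]
        host = urlparse(src).netloc          # "" for relative URLs such as /static/app.js
        if not host or host == site_host:
            report["first_party"].append(src)
            continue
        report["approved" if host in approved_hosts else "unapproved"].append(src)
        if not s.get("integrity"):
            report["missing_sri"].append(src)
    return report
```

Scripts that load further scripts at runtime are invisible to a static scan like this one, which is why the runtime monitoring described above matters; SRI also only helps for third-party files whose content is stable.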