People always want immediate service no matter what product they buy, from buying a house to getting some apples in a grocery store.

The need to respond to customers as early as possible is leading more businesses to migrate their customer service to the internet. There they enjoy the convenience of the internet, but they also face a high security risk if they are not ready to deal with the growing bot threat and bot-driven fraud on the web.

The Growing Concern of Bot Threats

The majority of enterprises admit that they are unprepared for bot-based attacks such as ad fraud, web scraping, spamming, carding, and credential stuffing. Only 19% of businesses use bot management systems to mitigate malicious automated attacks, while 73% still see such attacks every week, according to a Forrest paper.

One report's findings show that:

  • 80% of organizations have lost revenue to bad bots
  • One in four say a single bot attack has cost them $500,000 or more in 2020
  • Two in three say a single attack has cost them $100,000 or more

Having learned this costly lesson (some even lost up to 10% of revenue to bot attacks), business owners have reached a consensus about the significance of effective bot prevention solutions. 75% of decision-makers plan to increase their organization’s investment in bot management, as they believe the number of bot attacks will continue to increase over the next year.

5 Frequent Bot Attacks on Online Businesses

In light of the status quo of online bot attacks, the author interviewed several online business owners/managers, trying to find out what kind of bot attacks are bothering them and what specific countermeasures they are taking to mitigate bot threats to their business.

Here are the findings:

1. Ad Fraud

To run a successful online business, owners and marketers need to make sure that their ad spend is worth it, which means the ads need to reach real people, that is, their potential clients. However, some fraudsters deliberately interfere with how ads reach their audience, and what they do is called ad fraud.

Ad fraud refers to any attempt to defraud digital advertising networks for financial gain. An ad fraud bot mimics the user's actual behavior (such as downloading, logging in, registering, etc.) to trick advertisers and ad networks into paying an extra amount of money.

From what the author learned, bot-driven ad fraud (typically click fraud) is the most irritating bot attack on online businesses: the owners pay for nothing but fake clicks and also miss the precious timing for their advertising.

Let's hear some real experiences shared by our interviewees.

Decades ago, we had ad fraud bots attacking (including CPC/PPC bots, pixel bots) our marketing campaign, costing us a ton of money and generating no revenue, and over time they advanced to be able to fill out forms, watch videos, bypass viewability standards and pass other types of KPIs.

Rich Kahn, co-founder, and CEO of

CocoFinder has repeatedly been the victim of bot attacks, particularly ad fraud bots that have seen us repeatedly fail to optimize our ad budget. Previously, we’ve attempted to close some of those ad mediums prone to most attacks by these bots, but that has only worked to hurt our marketing campaigns.

Josh Mitchell, CEO, and founder of AirConditionerLab

In my experience with some search engine ads, we have experienced bot traffic, which was clicks with high bounce rates that occurred suddenly in large volumes.

Shawn Plummer, CEO of The Annuity Expert

2. Account Fraud (including account takeover, credential stuffing, and credential cracking)

Account fraud is a series of automated attacks based on illegally getting access to a large number of accounts (both newly created and already existing), and then the fraudsters commit various cyber crimes by abusing the functionality of those accounts. Common account frauds include credential stuffing, credential cracking, account takeover fraud, etc.

Those sophisticated fraud schemes are seen in almost every sector, from bank account compromise to merchant account fraud in e-commerce business.

Here are some examples of typical account frauds.

...we have been continuously attacked by botnets, especially by Ad frauds & credentials stuffing attacks. In credential stuffing attacks, a chain of bots attacked our customers and us to collect our access credentials. They send us & our customers a link to tap on, followed by the landing page, which asks for further login with access credentials. The landing page looks like our own website Home page.

Daniela Sawyer, Founder and Business Development Strategist of

We recently suffered from an account takeover attack. This type of attack begins when user credentials are sold to threat actors who then use automated bots and rapidly test usernames and passwords in the authentication flaws of consumer sites. Also called credential stuffing attacks, once valid credentials are found, attackers can lock out legitimate users and steal PII (Personal Identifiable Information) and stored payment methods to commit all types of fraud.

Katherine Brown, the Founder & Marketing Director of Spyic

We've had credential stuffing with repeated failed logins into the administrative accounts for our blog.

Shawn Plummer, CEO of The Annuity Expert

One unusual one we saw more recently stemmed from a Google account hack. The organization has a single sign-on for Google so the hacked email account leads to problems on the website.

Tyler Golberg, Web developer, and strategist at CYBERsprout

I experienced a couple of different kinds, like 18+ spambots creating new accounts to comment incessantly in my blog. Most recently, a huge amassing of bots were posting unrelated spam comments all over my blog posts pushing their product or whatever they wanted me to promote for them, all of course to no avail.

Jordan Bishop is the founder and CEO of Yore Oyster

3. Web Scraping

Scrapers use a scraping bot or web crawler to read all accessible paths and parameter values for web pages and APIs, collect the responses, and extract data from them. It may occur in real-time, or be more periodic.

Malicious scraping will cause severe damage to online businesses:

  • the website would receive unusual requests;
  • its content might be duplicated;
  • its search engine ranking might decrease.

According to business owners and managers, web scraping often appears in the form of content scraping and price scraping, which sabotage their businesses financially as well as ruin the business reputation.

Let's take a look at the real cases.

The bad bots were successful in extracting the email addresses of our customers and sending them unwanted emails containing malicious links. This frustrated our customers and drove them away. It affected our brand reputation on a large scale.

Josefin Björklund, the Co-founder of Topp Casino Bonus

Bot Scrapers are high-volume endeavors to withdraw listings from online retailer websites. Without proposing end-user consent, deceitful competitors can then add the plagiarized content to their listings, or the data can be sold on the Deep Web. In the end, the victim’s e-commerce portal receives fewer actual visitors, which cuts into income and strokes brand value.

Shiv Gupta, Marketing Director, Incrementors Web Solutions

Due to the nature of our business model, we used to receive a lot of bot traffic primarily for data scraping.

Manish Patel, Founder of

We've had bots continuously scan our website's pages, scrape all of the data and then repost it on their own website without our permission. This has negative effects on our SEO performance due to duplicate content and also swap out our affiliate links to their own so thus making money off our hard work.

Colt Agar, Managing Editor

4. DDoS Attack

Distributed denial of service (DDoS) attacks are rapidly increasing in volume, size, and sophistication. One of the common approaches to a DDoS attack is that attackers initiate a large volume of requests to the targeted website to overwhelm the bandwidth of the website and disable its response to any legitimate users.

From the answers the author collected from online business owners, DDoS attacks are getting more frequent than ever.

We have experienced several different attacks, the most memorable being a DDOS attack on the evening of my wife and I’s 10th wedding anniversary (needless to say, that wasn’t the best anniversary present). We’re constantly battling bots who like to scrape and steal our content and pricing information.

Bret Bonnet, Co-Founder, and President of Quality Logo Products

My company was once attacked by bots, leading to the unavailability of our website for several days. This is called a distributed denial-of-service (DDoS) attack, which uses networks of bots to spam servers with requests and overwhelms bandwidth and processing resources. Since our company is entirely an online B2C platform, it led to a significant decline in our revenue as many of our customers were unable to reach our website and lost their trust in us.

Marilyn Gaskell, founder of TruePeopleSearch

Our business was under a botnet attack just when the pandemic started. DDoS is the most common of them all.

Josh Mitchell, CEO, and founder of AirConditionerLab

We've seen multiple DDOS (i.e. denial) and brute force attacks.

Tyler Golberg, Web developer, and strategist at CYBERsprout

5. Spam

As one of the most disturbing headaches for every netizen, spam is everywhere. Spambots post unwelcome and inappropriate messages across the internet, such as on social media platforms, forums, and blog comment areas. Spam usually involves advertisements, irrelevant backlinks, or scams like phishing and malware downloads.

The following is what online business owners have been through.

I've had a variety of bot attacks over the years. I experienced a couple of different kinds, like 18+ spambots creating new accounts to comment incessantly in my blog. Most recently, a huge amassing of bots were posting unrelated spam comments all over my blog posts pushing their product or whatever they wanted me to promote for them, all of course to no avail.

Jordan Bishop, founder, and CEO of Yore Oyster

But for us, it was mostly phishing attacks where some of our employees were targeted and the attackers would email us as Microsoft customer service personnel. Some days they even called us saying that our Office 365 would be expiring and that we should renew soon. Then they would proceed to ask about our bank details and other personal information.

Josh Mitchell, CEO of Air Conditioner Lab

Ways to Mitigate Bot Threats to Online Business

Organizations that suffer from bot attacks are looking for bot mitigation solutions to deal with these sophisticated bots.

The following are countermeasures they have already taken or are ready to adopt.

we purchased a bot management solution to prevent any further performance and security issues in the future and keep our customer base happy.

Marilyn Gaskell, founder of TruePeopleSearch

In the future, we are looking forward to bot-proof our ad campaigns by using bot detection and elimination resources. We project that this will help us reach our target audience more effectively and thus boost our conversion rate.

Harriet Chan, co-founder of CocoFinder

For protection from Ad fraud, we added a captcha box just after clicking to get rid of botnet activity.

Daniela Sawyer, Founder and Business Development Strategist of

The basic measures include placing robots.txt effective in managing crawl patterns, adding CAPTCHA to block download bots, and setting a Javascript alert to notify us of bot traffic.

Katherine Brown, the Founder & Marketing Director Spyic

CAPTCHA, 2-factor authentication, and limiting login attempts help a ton with brute force attacks.

Tyler Golberg, Web developer, and strategist at CYBERsprout

We had mitigated CAPTCHA, but the best way to ensure that bots are not accessing your website is to have the right web security.

Josefin Björklund, the Co-founder of Topp Casino Bonus

...since there were no ad fraud solutions that existed at the time, we built our own. We built a real-time solution to deflect bots from hitting our campaign, so we could generate revenue from our ads.

Rich Kahn, co-founder, and CEO of

WordPress has some plugins to prevent these things from happening, and it works pretty well, but sometimes the bots manage to leak through the barrier. Although, when I compare the number of bots that harassed my site before I implemented that filter, I would say bots have been reduced by 60-70%.

Jordan Bishop is the founder and CEO of Yore Oyster

We install security plugins on our blog to block repeated failed password attempts and large volumes of failed logins.

Shawn Plummer, CEO of The Annuity Expert

Here are 3 recommendations to help online businesses prevent bot threats summed up from the above experiences.

1. In-House Solutions

Most of the interviewees admitted that deploying an in-house bot mitigation solution is their first reaction to dealing with bot attacks. There are four common types of in-house bot management solutions based on research:

  • Manual log analysis: Manually prepare a list of suspected IP addresses. Those IPs will be blocked through an access control list of WAFs or SIEM tools to prevent them from accessing web applications.
  • Rate limiting: Limit the number of visits from a specific IP address. Rate-limiting solutions work from predefined rules.
  • Basic fingerprinting: Collect IP- and header-centric information to identify and block malicious bots.
  • Advanced in-house bot management: Use in-house data while leveraging basic machine-learning models.
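
The log analysis, rate limiting, and basic fingerprinting items above can be combined in one pass over a web access log. The following is an added example, not code from the original article or from any vendor's product; the thresholds, the user-agent tokens, and the sample log lines (documentation IP ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: client IP, timestamp and User-Agent are captured.
LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ \S+ [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"'
)
# Assumed thresholds and tokens; tune them against your own traffic.
MAX_REQUESTS, WINDOW_SECONDS = 5, 10
AUTOMATION_TOKENS = ("python-requests", "curl", "scrapy")

def make_sample_log():
    """Constructed log lines (documentation IPs), not real traffic."""
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0 Safari/537.36"
    lines = []
    # One client hitting /login once per second with a browser-like UA.
    for s in range(8):
        lines.append(f'203.0.113.7 - - [10/Mar/2021:10:00:{s:02d} +0000] '
                     f'"POST /login HTTP/1.1" 401 512 "-" "{browser}"')
    # A slow scraper that stays under the rate limit but sends a tool UA.
    for s in (0, 20, 40):
        lines.append(f'198.51.100.23 - - [10/Mar/2021:10:01:{s:02d} +0000] '
                     f'"GET /products?page={s} HTTP/1.1" 200 9000 "-" '
                     f'"python-requests/2.25.1"')
    lines.append(f'192.0.2.44 - - [10/Mar/2021:10:02:00 +0000] '
                 f'"GET / HTTP/1.1" 200 4096 "-" "{browser}"')
    return lines

def find_suspects(lines, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
    """Return {ip: set of reasons} for IPs that break a predefined rule."""
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    suspects = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, ts, agent = m.groups()
        now = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[ip]
        q.append(now)
        while now - q[0] >= window:   # drop hits older than the window
            q.popleft()
        if len(q) > max_requests:
            suspects[ip].add("rate_limit")
        if agent in ("", "-") or any(t in agent.lower() for t in AUTOMATION_TOKENS):
            suspects[ip].add("automation_user_agent")
    return dict(suspects)

if __name__ == "__main__":
    print(find_suspects(make_sample_log()))
```

The two rules catch different clients: the login hammering trips only the rate limit, and the slow scraper trips only the header check, which is why a single predefined rule misses traffic that the other would flag.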

2. Deploy CAPTCHA on Crucial Gateways & Sessions

Sophisticated bots sneak into the targeted websites to commit various malicious attacks by deceiving the website owners into believing they are legitimate visitors. CAPTCHA can filter out those unwanted "visitors" by challenging them with puzzles that only humans can solve.

GeeTest CAPTCHA recently launched a new version of AI-powered behavior analysis CAPTCHA, called Adaptive Verification. It makes CAPTCHA challenges less time-consuming and even a bit fun while providing consumers the best user experience and maintaining high-security capability. In this new version, GeeTest offers 3 new forms of CAPTCHA challenges including

  • Match-Three Puzzle CAPTCHA
  • Five in a Row
  • Drawing CAPTCHA

3. Get a Dedicated Bot Management & Mitigation System

The more sophisticated the bots are, the more difficult they are to detect. A single type of prevention, such as an in-house solution, is not capable of dealing with the whole situation. A bot management and mitigation system can offer comprehensive services, including:

  • Monitor your websites, networks, or applications for bot-related activities
  • Identify traffic or activities of malicious bots.
  • Prevent network access to sources found to be unsafe.

GeeTest will soon set up a new product matrix, including behavior verification (CAPTCHA), device verification, and identity verification. It offers three general methods to defeat cybercrime and online fraud, based on a deep understanding of how malicious attacks work.

Final Words

Online bot-based attacks have been more rampant than ever in the past year, as Covid-19 accelerated the trend of shifting to online operations. However, much to their dismay, enterprises are not ready for this trend. The silver lining is that more and more businesses have realized the importance of stopping bot attacks. Some of them use in-house solutions, such as manual log analysis, rate limiting, and basic fingerprinting, but a study shows that in-house bot management failed to detect most of the bad bots: of the 11.54% that it detected, nearly 50% were false positives.

Bot management and mitigation is a niche space and requires deep insight and comprehensive research to keep up with notorious cybercriminals. Therefore, adopting a dedicated bot management system to smartly handle bad bot traffic without compromising user experience becomes the priority of most businesses today.
