Malicious Bot Attacks Continue To Cost Retailers Big Bucks | Cybercrime

By Jack M. Germain

9/1/2021 11:23 AM PT

Bot detection and defense company Netacea announced on Aug. 11 that its investigation found companies are paying a heavy price for the increased use of malicious bot traffic aimed at them.

Automated bots operated by malicious actors cost companies an average of 3.6 percent of their annual revenue. For the hardest-hit 25 percent of companies, that equates to at least $250 million annually.

A major red flag for retail companies that have been moving much of their customer-facing activities online since the pandemic is that mobile apps are being attacked more than websites. Retailers have been online for a long time and follow their customers on mobile channels.

These companies may have a long history of handling bot attacks on their websites. But the increased exposure of mobile apps makes them a more attractive attack vector.

Even more worrisome is the time it takes to detect these attacks. The average time between a successful attack and its discovery is more than 14 weeks. This makes it difficult to limit the damage to a company’s customer satisfaction, reputation, and bottom line.


Research methodology

The researchers surveyed 440 travel, entertainment, e-commerce, financial services, and telecommunications companies in the United States and the United Kingdom.

They found that every sector had a significant bot problem, with two-thirds of businesses detecting website attacks.

Almost half (46 percent) of those surveyed said that mobile apps were attacked. Almost a quarter (23 percent) – mostly in financial services – said bots attacked their application programming interface or APIs.

“Last year, an especially tough year for legitimate companies already operating at razor-thin margins thanks to an economic slump, was a record year for those who use bots to break free from these companies – especially bad actors who wanted to take advantage of a significant shift towards online work and retail,” said Andy Still, CTO of Netacea.

Omnipresent bots

All types of bots affect businesses. The report, titled “The Bot Management Review: What Are Bots Costing Your Business?”, revealed the importance of a major type of malicious bot. Scalper bots automate the purchase of inventory such as game consoles and other limited-availability goods. These bots work faster than any legitimate user can.

Other mainstream attack bots include the Account Checker bot, which uses stolen usernames and passwords to take over accounts. Account verifier bots use data breaches and leaked passwords to compromise customer accounts.

Also of note are the sniper bot and the scraper bot.

The most common example of sniper bots being used is last-second bidding for auction items on sites like eBay.

Scraper bots automate the collection of large amounts of data from websites and apps, e.g., product descriptions, prices, stock levels and other publicly available information. This data is then used by nefarious actors to undermine business, distract visitors or steal clicks.

Big impact on CX

Over 80 percent of companies said that bot activities had a negative impact on customer satisfaction. In particular, scalper and sniper bots were responsible for a large part of this customer dissatisfaction.

Typical businesses are unable to fight off these growing bot attacks, which are more than minor nuisances. Malicious bots weaken the bottom line of retailers.

Only a small part of companies’ security budgets is earmarked for defense against bots, although according to Netacea the figure is slightly higher, at up to 20 percent, for larger companies.

“Although awareness of the threat is greater than in previous years, only five percent of security budgets are used to address the problem. Businesses need to realize that bots are not just a nuisance but a real security threat, especially when business is already suffering from other factors,” said Still.

Netacea’s research to date on the Genesis Market, an underground marketplace for stolen access data, shows how demanding the industry is.

The operators of bots do this on a professional level with consultants, help desks and highly specialized infrastructure providers accessible through covert forums, which, according to Still, makes bots widespread.

Plight of retailers

For retailers, the bot attacks let the bad guys manipulate the buying and selling game. Looking at just one online marketplace like Amazon shows how bot attacks can harm sellers.

It looks like a retail arbitrage (RA) game on steroids. If RAs can buy items quickly from Amazon Deals or deep coupon discounts, they can resell them for a profit, according to Jason Boyce, CEO and founder of Avenue7Media.

“I don’t think it’s a long-term branding strategy, so I wouldn’t recommend it to anyone. Amazon’s system is pretty sophisticated at identifying scrapers on its website, but at the end of the day it’s a tough challenge for them to completely block this activity,” he told the E-Commerce Times.

After all, they need buyers who can easily browse their website and shop there. Restricting access to bots could affect their sales. You have to walk the tightrope here, he added.

Lose the fight

Bots have been part of internet life since the days of Internet Relay Chat (IRC) and have influenced everyone who uses the internet, observed Bruce Snell, vice president of security strategy and transformation at NTT. People love these challenges of clicking any picture with a boat to log into a website, he quipped.

“You can thank bots for that. Most of the time, bots are just trouble, grabbing all the good seats when concert tickets go on sale or buying all new sneaker releases,” he told the E-Commerce Times. “However, bots are also used for malicious activity such as attempting to log into banking sites with leaked user credentials found in a data breach.”

Snell’s personal email address was recently subject to a data breach. For the past few weeks, he’s been getting five or six emails a day from Instagram with a link to reset his password because a bot is trying to log in as him.

“Multifactor authentication can go a long way in preventing bots from successfully compromising someone’s account, but at the end of the day most bots look like normal traffic and can be difficult to identify with standard security tools,” he said.

Unfortunately, he doesn’t see an end in sight, because ultimately bots are a numbers game. A cybercriminal can use a bot to attempt to log into 500 different websites with stolen credentials. While many websites have fraud and spam detection measures in place, there are enough without protection that a low-cost tool like a bot is worthwhile for the bad guys, he explained.

Jack M. Germain has been a reporter for the ECT News Network since 2003. His focus is on corporate IT, Linux and open source technologies. He is an esteemed reviewer of Linux distributions and other open source software. Jack also deals extensively with business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
