Internet bots are software programs that perform specific tasks. Some bots – like search engine crawlers – have been programmed to do something positive. These bots crawl through the internet, uncovering web pages and using the information on these pages to rank them in the search engine. The idea is that the search engine then presents the “best” and most relevant websites for any given search.
Unfortunately, there are also bots that pose threats to applications. We call these bad bots. They are often operated by malicious actors, and they can have a significant impact on your online business. If we take a look at the digital world, we can see how bots have impacted specific industries. Some are more harshly affected than others, but the bottom line is that any company conducting business online should be wary of the significant impact and cost of bad bot traffic.
Below, we have outlined the key industries that are targeted by threat actors, and the operational, financial, and brand impact bots can have on organizations.
Online bots heavily target the advertising industry. This has had a profound effect on online ads, primarily because it changes the way businesses approach this sector. For advertising to work, it needs to be trusted. The problem with bots is that they can break down this trust, making it hard for the advertiser to trust sellers of advertising spaces.
What tends to happen is a seller can start generating fraudulent clicks via bots. Most online advertising platforms operate using a PPC system, meaning the advertiser only pays for each click an advert gets. When bots start clicking on the advertiser’s ads, they have to pay for every click. Therefore, the actual cost of advertising rises, but the advertiser sees a poor return as they aren’t getting genuine clicks. The trust between the advertiser and the seller is completely gone, making it harder for businesses to find advertising platforms they can rely on.
Furthermore, bots can have an impact on advertising agencies within the industry. These are the sellers of ad space, and they can unknowingly become the victim of bot attacks that flood clients with fraudulent clicks. As a result, their clients start generating awful returns and paying lots of money, ending up very unhappy. The agencies could even be accused of botting ads, sending their reputation down the drain.
It comes as no surprise that the financial services industry is a massive target for bad bots. Naturally, in an industry that revolves around money, hackers are always looking for ways to exploit systems and steal cash. Financial institutions, banks, and insurance companies are high-value targets, so cybercriminals know targeting them can lead to serious payouts.
Threat actors can call upon a variety of adversarial tactics to try to defraud financial services organizations. A common method is credential stuffing to conduct account takeover (ATO). Credential stuffing relies on stolen usernames and passwords to access personal accounts. Bots taking control over accounts can result in significant fraud losses for financial organizations. When bot attacks occur, it reflects poorly on your company, making it hard for consumers to trust your organization with their money.
This sector also experiences distributed denial of service (DDoS) attacks. Bot operators can administer an application DDoS attack that slowly drives massive traffic to a website. The traffic increases to a point where the server can’t handle it, and it shuts down. Application DDoS leverages bots to issue targeted application requests that appear legitimate, such as search queries and other computationally expensive tasks, making them exceptionally tricky to detect and stop. From here, the threat actors will demand payment from the finance company if they want their server to be back online – or attempt to commit other attacks while their security defenses are down.
Marketplaces & Internet Services
Marketplace websites have a very straightforward business model; they depend on listings from users to create a marketplace where people can buy or sell products. There are plenty of these around, and they are often subjected to bot attacks from criminals.
Scraper bots are used to scrape the website for data, which they can publish elsewhere. Sometimes, they sell it to other websites, meaning someone can set up a competing site that uses all of the same content as the original. From here, the new marketplace site can benefit from a good search ranking as it is piggybacking off the work done by the original site. As a result, it’s not uncommon to see these cloned sites getting more traffic than the originals, stealing customers and money away from the website.
On a less serious and more annoying level, bots can also respond to listings on the marketplace with fake leads. They can act as though they’re interested in a purchase, but never go through with it. This wastes people’s time and leaves everyone frustrated. Unfortunately, if you own a marketplace site, you will get the brunt of anger from unhappy users. They will be sick of bots constantly attacking their listings and might go elsewhere, leaving your site with a bad review. So, you have to do some reputation salvaging here for something that wasn’t your fault.
Travel & Hospitality
Online travel sites have business models that revolve around keeping their prices a secret. They don’t always display them for all to see – you usually need to make inquiries to see how much things cost to book.
What frequently happens is that bots will scrape pricing and other data, gaining access to the prices they provide. Competitor sites can then use this data to determine how much you charge for specific flights, hotels, or other services. As a result, they can undercut you and steal lots of customers away from your site by promising much cheaper bookings.
Another use case for bots is submitting fake inquiries. Bot owners will send bots to a travel website and make inquiries about bookings. This causes the site owners to spend time and resources following up the queries and providing the requested information. However, the form fills are fake, and subsequently, they lead nowhere and just waste time and money.
Travel websites are also subject to fraudulent activity during onboarding, account creation, and account login, as well as carding and cracking attempts to drain stores of value within an account such as loyalty points, gift cards, and credit cards.
Retail & eCommerce
Retailers and eCommerce companies are massive targets of various types of bot attacks, including denial of inventory, inventory hoarding, sniping, web scraping, fake site creation, fake account creation, and other types of bot-driven fraud.
Inventory hoarding refers to bots that add stock to their online basket, removing it from the system. Retail and eCommerce sites tend to have systems where items are removed from the stock counter when someone adds those items to an online shopping cart. As such, bots often add all the inventory of a given item to their basket, giving the illusion that no more exist. This means that legitimate customers are unable to purchase an in-demand product because it appears to be out of stock. As a result, they will likely go to a different store, costing you valuable sales – not to mention the annoyance of needing to fix the issue and reset the stock to ensure that the inventory is correct.
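One way to blunt the cart-based hoarding described above is to treat a cart add as an expiring hold with a per-session cap, rather than a permanent decrement of the stock counter. The following is an added example, not code from this article or from Kasada; the class name, the 600-second hold and the cap of 2 units are assumptions, and the sample stock is constructed.

```python
import time

class Inventory:
    """Stock counter where a cart add is a capped, expiring hold (illustrative)."""
    def __init__(self, stock, hold_ttl=600, max_per_session=2, clock=time.monotonic):
        self.stock = dict(stock)                 # sku -> units physically on hand
        self.hold_ttl = hold_ttl                 # seconds a cart may hold units
        self.max_per_session = max_per_session   # cap on units one session can hold
        self.clock = clock
        self.holds = {}                          # (session, sku) -> (qty, expires_at)

    def _expire(self):
        now = self.clock()
        for key in [k for k, (_, exp) in self.holds.items() if exp <= now]:
            del self.holds[key]                  # abandoned carts give stock back

    def available(self, sku):
        self._expire()
        held = sum(q for (_, s), (q, _) in self.holds.items() if s == sku)
        return self.stock.get(sku, 0) - held

    def add_to_cart(self, session, sku, qty):
        """Return the units this session holds after the request."""
        self._expire()
        current, expires = self.holds.get((session, sku), (0, None))
        allowed = min(qty, self.max_per_session - current, self.available(sku))
        if allowed <= 0:
            return current
        # Keep the first expiry: re-adding items must not refresh an old hold.
        expires = expires if current else self.clock() + self.hold_ttl
        self.holds[(session, sku)] = (current + allowed, expires)
        return current + allowed

    def checkout(self, session, sku):
        self._expire()
        qty, _ = self.holds.pop((session, sku), (0, None))
        self.stock[sku] = self.stock.get(sku, 0) - qty   # only a sale lowers stock
        return qty

def demo():
    now = [0.0]                                  # constructed, manually advanced clock
    inv = Inventory({"console": 5}, clock=lambda: now[0])
    hoarded = inv.add_to_cart("bot-session", "console", 5)   # asks for all 5 units
    left_during = inv.available("console")
    now[0] = 601                                 # hold lapses without a checkout
    left_after = inv.available("console")
    inv.add_to_cart("customer", "console", 1)
    return hoarded, left_during, left_after, inv.checkout("customer", "console")
```

A per-session cap only limits a single cart; an operator spreading holds across many sessions still has to be caught by bot detection in front of the cart endpoint.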
Adversaries or competitors of retail sites can leverage bots to steal content and replicate sites elsewhere. One of our retail customers had this happen to them, where the fraudster stole product listings from their site, set prices competitively lower, and sent counterfeit products to the end-customer, making a profit on every sale. This resulted in a loss of revenue for our customer as well as a tarnished brand reputation, which we helped them remediate once we were deployed to detect and stop these bad bots.
Media & Entertainment
Lastly, the media and entertainment industry is negatively impacted by bots all the time. Your social media accounts can be botted, meaning that loads of fake followers start following you. This may seem like a good thing, but it makes it harder to track your progress as you’re unsure what your real follower count is. Also, some social media platforms ban accounts with botted followers, which can be bad news for you.
Additionally, you get bots replying to posts with spam, or just generally being a nuisance. Again, it makes it really hard when tracking your performance metrics as it seems like you get loads of interactions, but they’re all from bots.
Even worse, bots can generate fake accounts at scale to sway the public with misinformation or disinformation.
Account fraud at scale, such as account takeover, carding, and cracking, is also a problem for the media and entertainment industry.
Dealing with the Impact of Bots in any Industry
Regardless of what industry you’re in, if you conduct business online, then it’s vital to understand your bot traffic and detect bad bots. Bot mitigation allows legitimate users and good bots in and prevents bad bots from launching attacks on your applications and APIs.
For more information on bot mitigation and to see what it takes to stop sophisticated automated threats, request a demo to see Kasada in action.