6 Scary Bots that’ll be Knocking on your Website’s Door this Halloween

October 28, 2015 Orion Cassetto

Halloween is famous for youngsters in creative costumes begging for candy with outstretched arms. What most people don’t think about is the online equivalent of these ghoulish goodie grabbers. Unfortunately, these visitors are more trick than treat. Be afraid. Be very afraid.

The Masked Marauder (Search Engine ImpostarrrRR)

Masquerading as a benevolent search engine like Google, Bing, or Baidu, the Masked Marauder’s true intentions arrrrrrre closer to plundering your intellectual property than pumping up your SEO rankings. What makes these bots so dangerous is that, by pretending to be a Googlebot (or similar), they frequently gain access to protected areas of websites, often with little to no supervision or restriction once there.
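One way to unmask a search engine impostor is forward-confirmed reverse DNS: look up the hostname for the visiting IP, check that it belongs to the engine's domain, then resolve that hostname back to the same IP. The sketch below is an added example, not code from the original article; the suffix list, the sample IPs and the fake resolvers are assumptions constructed for illustration.

```python
import socket

# Hostname suffixes the engines publish for their crawlers (assumption:
# confirm against each search engine's current documentation).
CRAWLER_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
    "baiduspider": (".baidu.com", ".baidu.jp"),
}

def claimed_crawler(user_agent):
    """Return the crawler name a User-Agent claims to be, or None."""
    ua = user_agent.lower()
    return next((name for name in CRAWLER_SUFFIXES if name in ua), None)

def verify_crawler(ip, user_agent, reverse=socket.gethostbyaddr,
                   forward=socket.gethostbyname_ex):
    """Classify a request as 'verified', 'impostor' or 'not-a-crawler'."""
    name = claimed_crawler(user_agent)
    if name is None:
        return "not-a-crawler"
    try:
        host = reverse(ip)[0].lower().rstrip(".")
        # The PTR record is set by whoever owns the IP, so it must end in
        # an engine domain (leading dot) AND resolve forward to the same IP.
        if not host.endswith(CRAWLER_SUFFIXES[name]):
            return "impostor"
        return "verified" if ip in forward(host)[2] else "impostor"
    except OSError:  # no PTR record or failed lookup: the claim is unproven
        return "impostor"

# Constructed DNS data (documentation IP ranges) so the demo runs offline.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "203.0.113.7": "crawl-1.googlebot.com"}  # PTR set by the impostor
A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
     "crawl-1.googlebot.com": ["192.0.2.99"]}

def fake_reverse(ip):
    if ip not in PTR:
        raise socket.herror("no PTR record")
    return (PTR[ip], [], [ip])

def fake_forward(host):
    if host not in A:
        raise socket.gaierror("no A record")
    return (host, [], A[host])
```

With the default resolvers the function performs live IPv4 lookups, so results should be cached rather than computed on every request.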

Brute-force Bansheebot

The Brute-force Banshee has a wail of a time breaking into your website users’ accounts with stolen password lists. Security breaches like that of Ashley Madison are dumping huge troves of username and password combinations into the wild, providing this bot with nearly unlimited credentials to try in rapid succession on other websites. Once she finds valid login credentials, the account is hers and she’ll take it for all it’s worth. These stolen accounts are frequently used for theft (of any goods which can be accessed via the account) and to perform transaction fraud. You might not like your account being stolen, but this bot thinks stealing them is a scream!
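Trying stolen credentials "in rapid succession" leaves a recognizable trace in login logs: one source failing against many different usernames within a short window, unlike a real user who mistypes one password several times. The detector below is an added example, not code from the original article; the log format, the sample lines and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def stuffing_sources(lines, window=timedelta(minutes=1), max_users=3):
    """Return {ip: peak distinct usernames failed within one window} for
    sources that exceed max_users (thresholds are illustrative)."""
    recent = defaultdict(deque)  # ip -> (time, username) of recent failures
    flagged = {}
    for line in lines:
        ts, ip, user, result = line.split()
        if result != "FAIL":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, user))
        while now - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct > max_users:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def accounts_to_review(lines, flagged):
    """Usernames that logged in successfully from a flagged source."""
    hits = set()
    for line in lines:
        _, ip, user, result = line.split()
        if result == "OK" and ip in flagged:
            hits.add(user)
    return sorted(hits)

# Constructed log: timestamp, source IP, username, result
SAMPLE_LOG = """\
2015-10-28T09:00:01 203.0.113.50 alice FAIL
2015-10-28T09:00:02 203.0.113.50 bob FAIL
2015-10-28T09:00:03 203.0.113.50 carol FAIL
2015-10-28T09:00:04 203.0.113.50 dave FAIL
2015-10-28T09:00:05 203.0.113.50 erin OK
2015-10-28T09:00:06 203.0.113.50 frank FAIL
2015-10-28T09:00:10 198.51.100.9 grace FAIL
2015-10-28T09:00:20 198.51.100.9 grace FAIL
2015-10-28T09:00:30 198.51.100.9 grace FAIL
2015-10-28T09:00:45 198.51.100.9 grace OK
2015-10-28T09:05:00 192.0.2.77 heidi FAIL
2015-10-28T09:10:00 192.0.2.77 ivan FAIL
2015-10-28T09:15:00 192.0.2.77 judy FAIL
2015-10-28T09:20:00 192.0.2.77 mallory FAIL
""".splitlines()
```

A successful login from a flagged source (here `erin`) is the account to lock and reset first, since it is the one most likely already taken over.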

Click-fraud Frankenbot

The Click-fraud Frankenbot is a bot that has been sending shockwaves through the advertising industry by rapidly clicking on online ads, pretending to be a human. A recent study on digital fraud by Distil Networks estimates this bot to be responsible for 30% of all ad spend.

Whether you’re an advertiser or publisher, fake-clicks are bad news. Try as he might, the Click-fraud Frankenbot isn’t human and his non-human clicks on ads may result in publishers being banned from ad-networks for fraudulent activity, thus losing critical sources of revenue. For advertisers, click-fraud results in paying for ads which never reached a human audience, in other words wasted money.

Screen Scraping Skeletron

While not the most advanced bot on our list, the Screen Scraping Skeletron is no bonehead. He’ll scour your site, looking for and stealing any valuable content he can find. The Skeletron is a versatile bot which can be used for a host of business logic attacks such as negative SEO attacks, intellectual property theft, competitive intelligence gathering and other types of web scraping.

He’s especially dangerous during the holiday shopping season as he may gather product listings, user reviews, vendor lists, as well as pricing and inventory availability information from ecommerce websites in real-time. He then hands this info over to your competitors enabling them to undercut you in the market.

Phantom JS

While technically a scripted, “headless browser”, Phantom JS moves through the web like a ghost. He is an advanced bot, used primarily for automating web page interaction, and he haunts websites with his ability to “walk through firewalls”, posing as a human in order to steal content, perform competitive reconnaissance, and launch web application attacks. Owing largely to his JavaScript API, Phantom JS is able to emulate real user behavior, take screenshots, and auto-navigate through websites. His knack for evading bot detection, paired with a wide feature set, has made Phantom JS a favorite automation tool for hackers.

Swampthing Spambot

Swampthing Spambot is a treacherous, amphibious automaton that spends his waking hours crawling through the internet looking for unprotected forums, comment boards, and form fields in which to post unwanted and often annoying advertisements, re-directions, and other forms of cyber-garbage. While more of a nuisance than anything else, you should be on the lookout for this spambot, as he’s sure to have a negative impact on your user experience and loves infecting unsuspecting visitors with malware or redirecting them to your competitors’ sites.

Happy Halloween!

I hope you enjoyed this special holiday public service aimed to help you keep your site safe on All Hallows’ Eve. Remember to keep an eye out for these ghoulish baddies and have a happy Halloween!


About the Author

Orion Cassetto

Orion Cassetto joined Distil Networks as Director of Product Marketing in 2015, bringing with him nearly a decade of experience in the Cyber Security industry. His strengths include competitive strategy, positioning, and messaging for web application security and SaaS-based security solutions.
