Are Bots Gaming Your Websites And Apps?
Gaming websites are one of the prime targets for bad bot attacks, so we took a closer look at the particular risks faced by these and other vulnerable businesses in an interactive webinar.
What makes a gaming site vulnerable?
Quite simply, because it’s easy money. It all starts with those tempting new account promotions – free spins for signing up. The bad guys simply point an army of bots at the site (or, increasingly, a mobile gaming app). The bots use account creation (defined in the OWASP Automated Threat Handbook) on signup forms to create hundreds of new accounts, play the free spins, and withdraw the winnings (or transfer them to another account, or sell the account on the dark web). Instant profit, and no humans required. Online gaming and gambling operate around the clock, around the world, and increasingly on mobile devices – and bots never sleep.
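The signup-to-cash-out pattern described above can be looked for in account event logs. The following is an added example, not code from the original article or from Distil: the event names, the 10-minute window, the three-account threshold and the grouping by signup /24 network are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample events (not real data): (time, account, client IPv4, action).
SAMPLE_EVENTS = [
    ("2024-01-01T00:00:05", "acct-101", "198.51.100.7", "signup"),
    ("2024-01-01T00:00:40", "acct-101", "198.51.100.7", "free_spin"),
    ("2024-01-01T00:01:10", "acct-101", "198.51.100.7", "withdraw"),
    ("2024-01-01T00:00:06", "acct-102", "198.51.100.8", "signup"),
    ("2024-01-01T00:00:45", "acct-102", "198.51.100.8", "free_spin"),
    ("2024-01-01T00:01:30", "acct-102", "198.51.100.8", "transfer"),
    ("2024-01-01T00:00:07", "acct-103", "198.51.100.9", "signup"),
    ("2024-01-01T00:00:50", "acct-103", "198.51.100.9", "free_spin"),
    ("2024-01-01T00:02:00", "acct-103", "198.51.100.9", "withdraw"),
    # Same network, but cashes out days later: not part of the burst.
    ("2024-01-01T00:03:00", "acct-200", "198.51.100.50", "signup"),
    ("2024-01-03T18:00:00", "acct-200", "198.51.100.50", "withdraw"),
    # Quick cash-out, but the only such account on its network.
    ("2024-01-01T09:00:00", "acct-300", "203.0.113.9", "signup"),
    ("2024-01-01T09:05:00", "acct-300", "203.0.113.9", "withdraw"),
]

CASH_OUT = {"withdraw", "transfer"}  # assumed event names


def flag_promo_abuse(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {signup /24: [accounts]} for networks where at least
    min_accounts new accounts cashed out within `window` of signing up."""
    signups = {}              # account -> (signup time, signup network)
    fast = defaultdict(set)   # network -> accounts with a fast cash-out
    for ts, account, ip, action in sorted(events):
        when = datetime.fromisoformat(ts)
        if action == "signup":
            net = str(ip_network(f"{ip}/24", strict=False))
            signups[account] = (when, net)
        elif action in CASH_OUT and account in signups:
            created, net = signups[account]
            if when - created <= window:
                fast[net].add(account)
    return {net: sorted(accts) for net, accts in fast.items()
            if len(accts) >= min_accounts}


if __name__ == "__main__":
    for net, accounts in flag_promo_abuse(SAMPLE_EVENTS).items():
        print(net, accounts)
```

Client IP is a weak grouping key when bot traffic is spread across cloud providers; a device or payment-instrument identifier can be substituted where the logs carry one.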
Typically, bad bots make up around 20% of website traffic. But when the pickings are as potentially easy as they appear on gaming sites, that number jumps to 50% or more, as we learned from our most recent Bad Bot Report. What’s more, bots are getting more sophisticated, better at imitating human behavior and targeting apps and APIs as well as websites. It doesn’t help that so many credentials are available on the dark web (Yahoo recently admitted that not one but three billion accounts were impacted by its 2013 breach), that the rapid growth of cloud computing lets bot operators hide in plain sight, and that automation tools are making bot creation and launching easier than ever.
Much of the damage is downstream
Because bots inflict much of their damage downstream of the actual attack point, their impact is felt across many aspects of the business.
- Finance is impacted by fraudulent accounts and chargebacks
- Marketing and business decision-making are impacted by skewed analytics, ad fraud, poor conversion rates, and suppressed SEO rankings
- IT is impacted by poor server response times and uptime metrics
- Customer Service is impacted by account takeover and fraudulent chargeback complaints
The greater the number of bot attacks, the more vulnerable the business becomes to a full-on denial-of-service attack against your ISP or, increasingly, your apps directly – and if you have white-label partners, they’re also going to feel the impact. For a cash-driven business like gaming, site slowdowns and unresponsive apps can be fatal. There’s little brand loyalty in gambling, and users are quick to go elsewhere to feed their habit.
Site attributes that signal danger
Extrapolating from our most recent Bad Bot Report, if your website contains pricing and proprietary information like betting odds and spreads, there’s a 97% chance you have bots scraping your site. 96% of sites with login pages have bots; more worryingly, bots have gotten past top-level login protection like captchas and multifactor authentication on 90% of sites to penetrate payment processing and registered customer databases. Even including a comment form on your website puts you at a 31% rate of bot infection.
Anything that’s behind a login needs protection today. For gaming sites, that means paying particular attention to customers’ personally identifiable information, particularly high-value VIP customers, and loyalty points (that’s easy currency again). It also means protecting the business against money laundering – high-speed automated transfer of funds between multiple accounts makes it almost impossible for anyone to follow the money.
There’s no honor amongst thieves, so anything proprietary that can be re-used elsewhere by competitors, aggregators, or black marketeers at a profit is fair game for bots.
What’s on your site today?
Distil’s new Bot Discovery tool is a free Google Analytics plugin that lets you remove all the bad data created by bots from your Google Analytics reports. For a bigger-picture view, you can sign up for a month of free bot protection service and traffic analysis, no strings attached.
About the Author
Edward Roberts leads Product Marketing and has over twenty years’ experience in technology marketing. Previously he worked for Juniper Networks, heading up Product Marketing for the Counter Security team. Before that he ran marketing for Mykonos Software, a web security company.