Bad bots have a type. They prefer websites with logins, pricing and proprietary data, payment processors, and web forms. Across those four attributes, a myriad of scams, exploits, and attacks occur.
Bad Bots Scrape Pricing and Proprietary Data
Data from our Bad Bot Report 2017 shows that 97% of sites have bad bots scraping data. Pricing is definitely a target, but there is other data that matters to bad bots. Scraping is rampant in the travel industry. Travel sites are able to offer compelling, all-inclusive vacation packages because they connect to global distribution systems (GDSs) such as Amadeus and Sabre.
GDSs connect travel sites to dozens of airlines, hotels, rental car companies, and other travel-related products for a fee, which is incurred per request made to the GDS's API. Competitors avoid GDS fees by scraping other travel sites instead.
Learn more about scraping in this 2-minute video we put together on scraping, denial of service, and skewing.
Bad Bots Perform Login Attacks for Account Takeover
According to our data, 96 out of 100 logins will be attacked. There are generally two reasons bad bots are used against logins. The first is to break into the account in order to carry out more in-depth attacks (e.g. shopping cart attacks, payment fraud). This attack is known as 'brute forcing' and is generally accomplished by using bots to guess login credentials from a database of dictionary words until a match is made.
Valid logins are themselves items of value. Instead of using bots to break into accounts, some bad bots are simply used to verify login credentials in bulk. The technique is known as ‘credential stuffing’.
Credential stuffing exploits our propensity to reuse passwords across multiple sites. If a site owner's infrastructure is compromised and a list of usernames and passwords is stolen, that list can be leveraged to attack other websites. Of course, a responsible site owner should encrypt such data, but many do not. Compromised admin accounts could also lead to the encryption keys being compromised as well.
How Credential Stuffing Works
That an account has been compromised may not be clear to its owner; in most cases the aim is for an account takeover to appear—at least in the short term—as if a valid user is going about legitimate activity. Furthermore, because of the way credentials are traded on the dark web, the criminal use of an account may occur some time after the initial takeover.
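The two login abuses described above leave different footprints in an authentication log: brute forcing piles many guesses onto one account, while credential stuffing tries roughly one guess per account across many accounts, with a low but non-zero success rate. The following is an added example written for this article, not code from the original post or from any vendor product; it assumes a simplified log format (`<ISO timestamp> ip=... user=... result=ok|fail`) and illustrative thresholds, and runs on a constructed sample log.

```python
"""Separate brute forcing from credential stuffing in authentication logs.

Added illustration, not code from the original post or any vendor product.
Assumptions: a simplified log format and illustrative thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.5 hammers one account,
# 198.51.100.7 tries a different username/password pair on every request
# (one of which happens to be valid), and 192.0.2.9 is a user who mistyped once.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2023-05-01T10:00:02Z ip=203.0.113.5 user=alice result=fail
2023-05-01T10:00:03Z ip=203.0.113.5 user=alice result=fail
2023-05-01T10:00:04Z ip=203.0.113.5 user=alice result=fail
2023-05-01T10:00:05Z ip=203.0.113.5 user=alice result=fail
2023-05-01T10:00:06Z ip=203.0.113.5 user=alice result=fail
2023-05-01T10:00:07Z ip=203.0.113.5 user=alice result=fail
2023-05-01T10:00:08Z ip=203.0.113.5 user=alice result=fail
2023-05-01T10:00:10Z ip=198.51.100.7 user=bob result=fail
2023-05-01T10:00:11Z ip=198.51.100.7 user=carol result=fail
2023-05-01T10:00:12Z ip=198.51.100.7 user=dave result=fail
2023-05-01T10:00:13Z ip=198.51.100.7 user=erin result=ok
2023-05-01T10:00:14Z ip=198.51.100.7 user=frank result=fail
2023-05-01T10:00:15Z ip=198.51.100.7 user=grace result=fail
2023-05-01T10:00:16Z ip=198.51.100.7 user=heidi result=fail
2023-05-01T10:00:17Z ip=198.51.100.7 user=ivan result=fail
2023-05-01T10:01:00Z ip=192.0.2.9 user=judy result=fail
2023-05-01T10:01:09Z ip=192.0.2.9 user=judy result=ok
"""


def parse_line(line):
    """Turn one log line into (timestamp, ip, user, result)."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["user"], fields["result"]


def busiest_window(events, window):
    """Return the slice of time-sorted events with the most entries inside `window`."""
    best = []
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        if end - start + 1 > len(best):
            best = events[start:end + 1]
    return best


def classify_sources(log_text, window=timedelta(minutes=5),
                     min_attempts=6, max_success_rate=0.25):
    """Map each source IP to 'normal', 'brute_force', 'credential_stuffing'
    or 'suspicious' based on its densest burst of login attempts."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            per_ip[ip].append((ts, user, result))

    verdicts = {}
    for ip, events in per_ip.items():
        burst = busiest_window(sorted(events), window)
        attempts = len(burst)
        successes = sum(r == "ok" for _, _, r in burst)
        if attempts < min_attempts or successes / attempts > max_success_rate:
            verdicts[ip] = "normal"          # too few attempts, or mostly succeeding
            continue
        distinct_users = len({u for _, u, _ in burst})
        if distinct_users == 1:
            verdicts[ip] = "brute_force"     # many guesses against one account
        elif distinct_users / attempts >= 0.8:
            verdicts[ip] = "credential_stuffing"  # one guess each across many accounts
        else:
            verdicts[ip] = "suspicious"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

Grouping by source IP is the simplest key and is enough to show the two shapes; in practice the same logic is worth running per session, device fingerprint or IP range as well, since a single-IP view misses attempts spread across many addresses.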
Learn more about credential stuffing and credential cracking in this 2-minute video on how modern account takeover is done with bad bots.
Bad Bots Perform Payment Processor Fraud
Data and pricing found inside applications are a bad bot target as well; our data found bad bots active inside 9 out of 10 applications that required login credentials. Bad bots are used to perform tasks like cycling through shopping carts to get variations on pricing plans and packages, and to scrape additional content not available on the site's homepage.
Why take over accounts? There are two main reasons to install a bad bot behind a login page. The first is to scrape content that is only made available to registered members.
The second is transaction fraud. For example, bad bots are used to validate payment card details and drive card-not-present (CNP) fraud. The quality of stolen payment card data is often unknown, and criminals do not want to waste their time using card details that will never work in the first place. A file of stolen card details may have millions of entries. Carding is the process in which bots work through lists of stolen credit card numbers to find which ones are still valid. They do this by running small transactions against a target merchant's online payment processor.
How Carding Works
Even when a payment card is valid, the expiry date may not have been stored or may be out of date. CVC numbers are never stored. However, the range of possible values for both of these elements is small: the current expiry date, in month and year format, represents only 30 to 40 values to test.
The CVC is a three-digit number, so only 1,000 values are possible (000 to 999). Bad bots can be used to test the range of possible values against a merchant's online payment process to identify the missing values, in a process known as card cracking.
How Card Cracking Works
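Carding and card cracking also look different at the payment processor: carding runs one small charge against each of many different cards, while card cracking runs many charges against one card with the CVC or expiry changing each time. The example below is added for this article and is not code from the original post or from any payment provider. It assumes authorization attempts are available as records with a source IP, an opaque vault token standing in for the card number, an amount in cents, the CVC and expiry supplied, and the processor's result; the thresholds are illustrative and the data is constructed. The last function uses the article's own 1,000-value CVC space to size a per-card failure limit.

```python
"""Flag carding and card-cracking patterns in payment authorization attempts.

Added illustration, not code from the original post or any payment provider.
Assumptions: attempt records shaped like SAMPLE_AUTHS and illustrative thresholds.
"""
from collections import defaultdict

# Constructed sample authorization attempts (not real transactions).
SAMPLE_AUTHS = [
    # Carding: one source runs tiny charges on six different stolen cards.
    {"ip": "203.0.113.8", "card_token": "tok_a1", "amount": 100, "cvc": "123", "exp": "01/25", "result": "declined"},
    {"ip": "203.0.113.8", "card_token": "tok_a2", "amount": 100, "cvc": "456", "exp": "02/25", "result": "declined"},
    {"ip": "203.0.113.8", "card_token": "tok_a3", "amount": 100, "cvc": "789", "exp": "03/25", "result": "approved"},
    {"ip": "203.0.113.8", "card_token": "tok_a4", "amount": 100, "cvc": "321", "exp": "04/25", "result": "declined"},
    {"ip": "203.0.113.8", "card_token": "tok_a5", "amount": 100, "cvc": "654", "exp": "05/25", "result": "declined"},
    {"ip": "203.0.113.8", "card_token": "tok_a6", "amount": 100, "cvc": "987", "exp": "06/25", "result": "declined"},
    # Card cracking: one source hammers a single card, changing the CVC each time.
    {"ip": "198.51.100.3", "card_token": "tok_z9", "amount": 100, "cvc": "000", "exp": "11/25", "result": "declined"},
    {"ip": "198.51.100.3", "card_token": "tok_z9", "amount": 100, "cvc": "001", "exp": "11/25", "result": "declined"},
    {"ip": "198.51.100.3", "card_token": "tok_z9", "amount": 100, "cvc": "002", "exp": "11/25", "result": "declined"},
    {"ip": "198.51.100.3", "card_token": "tok_z9", "amount": 100, "cvc": "003", "exp": "11/25", "result": "declined"},
    {"ip": "198.51.100.3", "card_token": "tok_z9", "amount": 100, "cvc": "004", "exp": "11/25", "result": "declined"},
    {"ip": "198.51.100.3", "card_token": "tok_z9", "amount": 100, "cvc": "005", "exp": "11/25", "result": "declined"},
    # A normal shopper: one card, one approved purchase.
    {"ip": "192.0.2.4", "card_token": "tok_n1", "amount": 4999, "cvc": "555", "exp": "09/26", "result": "approved"},
]


def classify_payment_sources(auths, min_attempts=5, max_approval_rate=0.3,
                             small_amount=500):
    """Map each source IP to 'normal', 'carding', 'card_cracking' or 'suspicious'."""
    per_ip = defaultdict(list)
    for a in auths:
        per_ip[a["ip"]].append(a)

    verdicts = {}
    for ip, attempts in per_ip.items():
        n = len(attempts)
        approvals = sum(a["result"] == "approved" for a in attempts)
        if n < min_attempts or approvals / n > max_approval_rate:
            verdicts[ip] = "normal"   # few attempts, or mostly approved
            continue
        cards = {a["card_token"] for a in attempts}
        combos = {(a["card_token"], a["cvc"], a["exp"]) for a in attempts}
        if len(cards) == 1 and len(combos) >= min_attempts:
            # One card, many CVC/expiry guesses: filling in the missing fields.
            verdicts[ip] = "card_cracking"
        elif len(cards) / n >= 0.8 and all(a["amount"] <= small_amount for a in attempts):
            # Many cards, each tried once with a tiny charge: checking which are live.
            verdicts[ip] = "carding"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def days_to_exhaust_cvc(failed_attempts_per_card_per_day, cvc_values=1000):
    """Days needed to try every three-digit CVC for one card when the merchant
    caps failed attempts per card per day (ceiling division)."""
    return -(-cvc_values // failed_attempts_per_card_per_day)


if __name__ == "__main__":
    for ip, verdict in classify_payment_sources(SAMPLE_AUTHS).items():
        print(f"{ip:15} {verdict}")
    print("days to exhaust CVC space at 5 failures/card/day:", days_to_exhaust_cvc(5))
```

The per-card failure cap is the cheap mitigation the arithmetic points at: with the 1,000-value CVC space and five failed attempts allowed per card per day, an exhaustive guess needs 200 days, which is long enough for the card to be reissued or the issuer to block it. The same cap on a per-source basis is what stops the carding pattern, since it depends on running many cards through quickly.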
Learn more about the credit card fraud carried out by bad bots in this 2-minute video.
Bad Bots Spam Forms
For 31% of websites with web forms such as contact forms, discussion forums, and reviews, spam was a frustrating reality last year. Form spam damages the customer experience, affects brand perception, and can divert traffic away from your site. For any organization attempting to police form spam, it is a time-consuming and costly task.
Malware distributors also use form spamming to embed links to sites hosting drive-by-download malware: malware that is served to site visitors and either downloaded automatically by exploiting a software vulnerability or presented as a fake software update that coaxes the visitor into installing it themselves.
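Three server-side checks catch most of the automated form spam described above without a CAPTCHA: a honeypot field that is hidden from humans but filled in by bots, a signed timestamp that tells the server how quickly the form was submitted, and a cap on the number of links in the message, since spam exists to push links. The following is an added example written for this article, not code from the original post or from any vendor product. It assumes a framework-independent submission represented as a plain dict, a server-side secret (the constant here is a placeholder), and a form that renders a hidden `website_url` honeypot field and a `form_token` hidden input.

```python
"""Server-side form spam checks: honeypot, minimum fill time, link count.

Added illustration, not code from the original post or any vendor product.
Assumptions: the form is rendered with a hidden honeypot field named
`website_url` and a hidden `form_token` produced by issue_form_token().
"""
import hashlib
import hmac
import re
import time

SECRET = b"replace-me-per-deployment"  # placeholder; load from config in practice


def _sign(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now=None):
    """Embed the render time in an HMAC-signed token so the server can later
    tell how long the visitor took to submit without storing any state."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}.{_sign(ts)}"


def check_submission(form, now=None, min_seconds=3, max_links=2):
    """Return (accepted, reason) for a submitted form dict."""
    now = time.time() if now is None else now

    # 1. Honeypot: the field is hidden by CSS, so a human leaves it empty
    #    while a bot filling every input will populate it.
    if form.get("website_url", ""):
        return False, "honeypot_filled"

    # 2. Timing: the token must verify and be at least min_seconds old.
    ts, _, sig = form.get("form_token", "").partition(".")
    if not ts.isdigit() or not hmac.compare_digest(sig, _sign(ts)):
        return False, "bad_token"
    if now - int(ts) < min_seconds:
        return False, "submitted_too_fast"

    # 3. Content: spam posts carry links to the pages they want to promote.
    links = re.findall(r"https?://", form.get("message", ""), re.IGNORECASE)
    if len(links) > max_links:
        return False, "too_many_links"

    return True, "ok"


# Constructed submissions (not real traffic) for a quick demonstration.
T0 = 1_700_000_000
HUMAN = {"form_token": issue_form_token(T0), "website_url": "",
         "message": "Do you ship to Canada? Product: https://example.org/p/1"}
BOT = {"form_token": issue_form_token(T0), "website_url": "http://spam.example",
       "message": "cheap deals http://a.example http://b.example http://c.example"}

if __name__ == "__main__":
    print("human, 20s later:", check_submission(HUMAN, now=T0 + 20))
    print("human, 1s later: ", check_submission(HUMAN, now=T0 + 1))
    print("bot:             ", check_submission(BOT, now=T0 + 20))
```

The checks are ordered from cheapest to most expensive and the first failing one is reported, which is also useful for measuring which signal is doing the work on a given site. The signed timestamp avoids server-side session storage, but tokens should also carry an upper age bound in production so one token cannot be reused indefinitely.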
The four website attributes are common across many sites, which helps explain why bad bots account for roughly 20% of all internet traffic. If your site has these attributes and you'd like to learn more about what can be done to prevent these attacks, take a look at our product page.
Bad bots are capable of dozens of distinct automated threats. Depending on your business, they may be impacting key metrics such as conversion rates, invalid traffic scores, and customer satisfaction rates. Learn more about how bad bots skew conversion rates here.
About the Author
Peter Zavlaris weighs in on various topics around bot mitigation and bot defense, sharing white papers, videos and other resources on the topic.