A bot is a small piece of software that automates web requests toward some goal. Bots perform tasks without human intervention, including everything from scanning website content to testing stolen credit card numbers to providing customer service support. A bot can be used in both helpful and harmful ways, while the term "bot attack" always refers to automation used by an attacker for a malicious or fraudulent goal.
Bot Attack Definition
A bot attack is the use of automated web requests to manipulate, defraud, or disrupt a website, application, API, or end-users. Bot attacks started out as simple spamming operations and have branched into complex, multinational criminal enterprises with their own economies and infrastructures.
Bot attacks are automated, and the attackers behind them range from individual cyber criminals to large, organized hacking groups. Sophisticated attackers write custom code that varies the frequency and duration of an automated attack, specifically to evade security monitoring.
Unsophisticated cyber criminals use open source developer tools for building bots, known as botkits. Botkits are widely available for free online and are also sold on the dark web. Botkit sellers offer paid services to execute bot attacks, including software that assembles a botnet to power DDoS attacks.
A botnet, shorthand for “robot network”, is a group of interconnected devices which work in tandem to complete repetitive tasks. A malicious botnet is a group of machines infected by bot malware; each device controlled by a botnet is called a “bot.” A threat actor, or “bot-herder,” dictates commands to the botnet from a central point to launch coordinated attacks.
Botnets can grow to encompass a massive number of bots, which makes them formidable weapons in the hands of attackers. A large botnet might command millions of compromised devices to launch high-volume DDoS attacks, while a small botnet might carry out a targeted intrusion into a valuable system, such as one holding classified government intelligence or financial data.
What Types of Data Do Attackers Target in a Bot Attack?
Bots are a tool used to execute attacks against web applications and APIs in order to steal or alter critical data. Common bot attack scenarios include:
Web Content Scraping
Search Bot Imposters Versus Genuine Search Engine Bots
Web scraping bots automatically gather and copy data from other websites. They often disguise themselves as innocuous search engine crawlers while they scan content, but these search bot imposters copy content without the knowledge or permission of the website owner.
In contrast, legitimate search engine crawlers identify themselves in the User-Agent header (e.g. Googlebot, bingbot) and honor the directives in a site's robots.txt file. Because a User-Agent string is trivially forged, the major search engines also publish ways to verify a crawler's identity, such as reverse DNS lookups on the requesting IP address or lists of the IP ranges their crawlers use. Google and Bing use these crawlers to index content, primarily to improve search results for end-users.
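The check described above, as an added example that is not part of the original page: a self-declared crawler is only trusted if the requesting IP's reverse DNS name falls under the engine's published crawler domains and that name resolves forward to the same IP. The crawler domain suffixes are the ones Google and Microsoft document; the DNS table, IP addresses and User-Agent strings below are constructed for the offline demo, and the resolver functions are injected so the block runs without network access (in production, build them on `socket.gethostbyaddr` and `socket.gethostbyname`).

```python
"""Distinguish a genuine search engine crawler from an imposter that only
spoofs the User-Agent header, via reverse DNS plus forward confirmation.

A spoofed User-Agent alone fails this check because the attacker does not
control the googlebot.com / google.com / search.msn.com DNS zones. Setting
a PTR record on their own IP block to a googlebot.com name also fails,
because that name does not resolve back to their IP.
"""
import ipaddress

# Documented crawler hostname suffixes and the User-Agent tokens they use.
CRAWLERS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}


def claimed_crawler(user_agent):
    """Return the crawler name a User-Agent claims to be, or None."""
    ua = user_agent.lower()
    for name in CRAWLERS:
        if name in ua:
            return name
    return None


def verify_crawler(ip, user_agent, reverse_lookup, forward_lookup):
    """Classify a request as 'human', 'verified_crawler' or 'imposter'.

    reverse_lookup(ip) -> PTR hostname or None
    forward_lookup(hostname) -> list of IP strings (possibly empty)
    """
    name = claimed_crawler(user_agent)
    if name is None:
        return "human"              # no crawler claim: ordinary traffic
    host = reverse_lookup(ip)
    if not host:
        return "imposter"           # claims to be a crawler, IP has no PTR
    host = host.rstrip(".").lower()
    if not any(host == s or host.endswith("." + s) for s in CRAWLERS[name]):
        return "imposter"           # PTR points outside the engine's domains
    # Forward-confirm: the PTR name must resolve back to the requesting IP.
    addr = ipaddress.ip_address(ip)
    if addr not in {ipaddress.ip_address(a) for a in forward_lookup(host)}:
        return "imposter"
    return "verified_crawler"


# Constructed DNS data for the offline demo; these are not real records.
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",      # genuine crawler
    "203.0.113.7": "crawl-192-0-2-10.googlebot.com.",     # attacker-set PTR
    "198.51.100.9": "vps9.example.net.",                  # plain VPS
}
A_RECORDS = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "vps9.example.net": ["198.51.100.9"],
}


def demo_reverse(ip):
    return PTR.get(ip)


def demo_forward(host):
    return A_RECORDS.get(host, [])


# Constructed User-Agent in the shape Googlebot uses.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def classify_demo(ip, user_agent=GOOGLEBOT_UA):
    return verify_crawler(ip, user_agent, demo_reverse, demo_forward)


if __name__ == "__main__":
    for ip in PTR:
        print(ip, "->", classify_demo(ip))
```

Requests that come back as `imposter` are the scraping traffic this section describes; `human` requests need the behavioral checks covered later in the page, since this test only says something about requests that claim to be a crawler.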
Types of Scraped Web Content
Scraped web content is a diverse category that includes written copy, images, HTML/CSS code, metadata, and e-commerce data. The attacker repurposes this content in exploitative ways:
Republishing copyrighted television shows or paywalled news articles
Syndicating blog posts to steal SEO value and organic traffic
Gathering product pricing or inventory data to gain a competitive advantage
Compiling contact information to sell to other businesses as sales targets
Stealing HTML code to build a fake branded website as part of a phishing scheme
Account Takeover (ATO)
Data breaches often result in large dumps of user credentials becoming available for sale on the dark web. Attackers then use automated bots for credential stuffing, rapidly testing those username and password pairs against the authentication flows of consumer sites; this is one of the most common routes to account takeover (ATO) fraud.
Once valid credentials are found, threat actors take over the accounts and lock out the legitimate users. Attackers harvest personally identifiable information (PII) and stored payment methods from those accounts to commit all types of fraud, from opening new credit card accounts to making purchases with the stored payment information.
Form Submission Abuse
Application programming interfaces (APIs) are the backbone of the modern web, enabling organizations to give authorized users programmatic access to sensitive data. Wherever these data pipelines are exposed, automated bots take advantage of them to probe for weaknesses and extract sensitive data.
Attackers may launch credit card enumeration (card testing) attacks to validate stolen card numbers, perform e-commerce gift card fraud, or even obtain patient healthcare records. You may also see bad actors using Tor to reach APIs from countries or regions where the service isn't legitimately offered, or attempting transactions from OFAC-sanctioned countries that are blocked for regulatory compliance reasons.
How to Protect Your Web Applications and APIs from Bot Attacks
Effective bot attack protection requires the ability to:
Identify which web requests indicate bot attacks
Take appropriate action on malicious requests
Display actionable data
1. Identify Bot Attack Indicators
Security teams must inspect all web requests to establish a baseline of normal activity. Once thresholds for normal behavior are set, requests that deviate from the baseline are the ones to examine for signs of an attack.
Attack indicators are not identical at every organization. For example, when observing a social media app's login pages, suspicious activity indicators include:
Irregular increases in login attempts
Account creation coming from the same IP address
2. Take Action on Bot Attacks
After establishing a baseline of normal web request behavior within your system, you can distinguish legitimate user activity from bad-actor activity. Possible actions include observing, blocking, allowing, or alerting. Choosing the appropriate action for each request matters: an overly aggressive response produces false positives and service disruptions for valid users.
Bot Blocking Capabilities
Advanced security tools let users define parameters and predefined signals that separate authentic users from bots. A combination of thresholding, advanced rules, and curated blocklists of known bad IPs and bot signatures allows organizations to customize their protections. Rulesets filter all incoming traffic and block malicious requests before they reach the application origin or API endpoint.
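An added example, not code from the original page, that ties together the credential stuffing and card testing scenarios above with steps 1 and 2 of this procedure: it aggregates per client IP and endpoint, derives the two indicators named above (many distinct usernames or cards from one IP, and an abnormal failure rate), and maps each profile to one of the actions allow, observe, alert or block. The log format, endpoint paths, IP addresses and threshold values are all constructed for the demo; real thresholds must come from the baseline of your own traffic, and a real detector would aggregate over a sliding time window rather than over the whole sample.

```python
"""Threshold-based detection of credential stuffing and card testing with
the per-request action each verdict maps to.

Constructed access-log lines (not from any real system) have the form
    <timestamp> <client_ip> <method> <path> <status> principal=<value>
where principal is the submitted username on /login and a hashed card
fingerprint on /api/cards/validate.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Profile:
    total: int = 0
    failures: int = 0
    principals: set = field(default_factory=set)


# Illustrative per-endpoint rules: which statuses count as a failed attempt
# and how many distinct principals / what failure ratio trigger each action.
RULES = {
    "/login": {"fail_status": {401}, "alert_distinct": 5,
               "alert_fail_ratio": 0.5, "block_distinct": 20, "block_fail_ratio": 0.9},
    "/api/cards/validate": {"fail_status": {402, 422}, "alert_distinct": 3,
                            "alert_fail_ratio": 0.5, "block_distinct": 10, "block_fail_ratio": 0.8},
}


def parse_line(line):
    _ts, ip, _method, path, status, principal = line.split()
    return ip, path, int(status), principal.split("=", 1)[1]


def build_profiles(lines):
    """Aggregate attempts per (client_ip, endpoint) for protected endpoints."""
    profiles = defaultdict(Profile)
    for line in lines:
        ip, path, status, principal = parse_line(line)
        if path not in RULES:
            continue
        p = profiles[(ip, path)]
        p.total += 1
        p.principals.add(principal)
        if status in RULES[path]["fail_status"]:
            p.failures += 1
    return profiles


def decide(path, profile):
    """Map one profile to allow / observe / alert / block."""
    rule = RULES[path]
    distinct = len(profile.principals)
    ratio = profile.failures / profile.total if profile.total else 0.0
    if distinct >= rule["block_distinct"] and ratio >= rule["block_fail_ratio"]:
        return "block"      # many different credentials/cards, almost all rejected
    if distinct >= rule["alert_distinct"] and ratio >= rule["alert_fail_ratio"]:
        return "alert"      # looks like an early-stage spray; page a human
    if distinct >= rule["alert_distinct"] or profile.failures > 0:
        return "observe"    # e.g. a shared NAT with many users, or a mistyped password
    return "allow"


def evaluate(lines):
    """Return {(client_ip, endpoint): action} for the whole sample."""
    return {key: decide(key[1], prof) for key, prof in build_profiles(lines).items()}


def _lines(ip, path, n, status_fn, principal_fn):
    return [f"2024-05-01T10:{i:02d}:00Z {ip} POST {path} {status_fn(i)} principal={principal_fn(i)}"
            for i in range(n)]


# Constructed sample: one window of traffic against the two endpoints.
SAMPLE_LOG = (
    # credential stuffing: 25 usernames from one IP, a single valid hit
    _lines("203.0.113.5", "/login", 25, lambda i: 200 if i == 17 else 401, lambda i: f"user{i}")
    # card testing: 12 stolen cards run through the validator, one accepted
    + _lines("198.51.100.77", "/api/cards/validate", 12,
             lambda i: 200 if i == 3 else 402, lambda i: f"cardfp{i:04x}")
    # ordinary user who mistyped a password twice
    + _lines("192.0.2.33", "/login", 3, lambda i: 200 if i == 2 else 401, lambda i: "alice")
    # single clean login
    + _lines("192.0.2.44", "/login", 1, lambda i: 200, lambda i: "bob")
    # early-stage spray: 6 usernames, all rejected
    + _lines("203.0.113.9", "/login", 6, lambda i: 401, lambda i: f"acct{i}")
    # shared office NAT: 6 employees all logging in successfully
    + _lines("192.0.2.50", "/login", 6, lambda i: 200, lambda i: f"emp{i}")
)

if __name__ == "__main__":
    for (ip, path), action in sorted(evaluate(SAMPLE_LOG).items()):
        print(f"{ip:16} {path:22} {action}")
```

The shared-NAT case is the false positive the text warns about: six different usernames from one IP trips the distinct-principal indicator, but with no failures it only earns `observe`, so blocking would be wrong even though a naive "many accounts from one IP" rule would fire.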
3. Display and Deploy Actionable Data as Part of Your Bot Management Strategy
Organizations need a way to gather and visualize all web request data in one place. Accurate metadata and behavioral data are key to automating your bot mitigation strategy. Inspecting specific attributes of web requests informs the rules, templates, and other automated systems you deploy.
Bot Visibility Within a Unified Console
A unified management console, such as a web application and API protection (WAAP) platform, shows all traffic directed at your web properties. This global visibility helps you understand the impact bots have on your resources and keeps operating costs down for the entire security team.