The data sought by cybercriminals vary from one vertical to another, whether banking credentials, medical records, pricing information or confidential research, to name just a few.
In some cases, cybercriminals write and deploy very sophisticated bots to overcome security measures and take over user accounts, disrupt service availability and exploit vulnerabilities in applications and APIs. In other cases, businesses directly target their competitors, commonly deploying bad bots to scrape the content and aggregate data such as product names and pricing.
The e-commerce industry grew 15% in 2019. The vertical industry reports an increase in bad bot attacks on its web applications, mobile apps and APIs.
Bad bot attacks are common across all applications, from payment fraud on checkout pages to content scraping (prices or product info) on product pages, coupon scraping, inventory holdups and cart abandonment, as well as various forms of account takeover, including Brute Force and credential stuffing on the homepage or user login page.
Since every disruption affects revenue, most e-commerce companies invest heavily in protecting their applications. Therefore, we see an extremely high amount (58%) of distributed, mutating bots within the total bad bot activity for this vertical. Hackers use sophisticated bots to evade bot management technologies that rely on data and behavioral profiling that are not big enough to produce correlations between different violations.
Types of bad bots targeting the e-commerce industry
Data about bad bot attacks on e-commerce sites reveal a mix of sophistication levels. Some attacks such as scraping can be performed by simple scripts or headless browser bots. Denial of inventory and account takeover attacks require advanced capabilities to impersonate a real human user.
Levels of bad bot sophistication when committing attacks on e-commerce sites.
Media & Publishing
Media and publishing outlets use many good bots for advertising and affiliate programs. Their main challenges are to filter out dirty bot traffic as well as to correct marketing analytic tools. In this vertical, it is common for competitors and ad platforms to scrape data and content or attempt to skew the analytics of the media campaigns causing further harm by leading the targeted publisher to make thwarted decisions that are based on false data.
Online Marketplaces & Classifieds
Marketplaces and classifieds rely on the credibility and trust of consumers to grow their businesses. As they attract more traffic, these companies benefit from performing as hubs for advertisements. Their objective is to keep ads secure from scraping — especially from competitors — which may also run scripts to collect users' sign-up information. This effort is why we see more bad bot traffic against the homepage.
Travel & Hospitality
Travel and hospitality organizations such as airlines, transportation and hotel chains rely heavily on online purchases. Cybercriminals target their sites with attacks that mainly use human-like and distributed mutating bots to bypass security tools. Nearly two-thirds of ad bots accessing their web properties are considered sophisticated bots.
Types of bad bots targeting the travel industry
The most common bot attack type identified is denial of inventory. Twenty-nine percent of the traffic to booking sections is generated by bad bots. These bots can hold inventory for as long as the bot herder chooses making it unavailable to real users, thus causing an immediate financial impact on the victim.
Empty hotel rooms are locked up, and airline seats go unsold. The bots run in a loop and hold the rooms or tickets after timeouts are generated and the inventory is supposed to go back to the pool. The loss is even greater as the airline must pay a small amount to a Global Distribution System (GDS) per every request. Another common issue is bot activity that takes advantage of loyalty programs rewards.
The author is Managing Director-India, SAARC & Middle East at Radware. Views are personal.