While there is always the debate about what the biggest cybersecurity threat is today—DDoS attacks, ransomware, SQL injections, etc.—there is consensus that, based on total dollars lost, the use of automated bots to commit fraud has risen to the top of the list.
Bots are a type of malware that allows an attacker to take control of an affected computer. Infected machines are typically linked together as part of a whole network (a “botnet”).
Botnets have become a primary tool for fraudsters across the globe. And the use of botnets has surged in recent years as EMV chip cards have been successful in thwarting counterfeit payment card fraud. They are being used to target a range of industries, including financial-services companies (“bank bots”), online merchants, ticket purchasing services, digital advertising, the travel industry, and many more.
According to PYMNTS’ Q4 2016 Global Fraud Attack Index™:
Further, taking over users’ personal accounts through the use of bots is becoming a lucrative field for fraudsters. According to a report in 2016 from Trend Micro, a compromised account is worth around three dollars on the black market while a stolen credit card number is only valued at 22 cents.
Schemes as Numerous as the Bots
Fraudsters and even legitimate sources use bots for profit in a number of ways. Some are used to buy up concert tickets in bulk to resell at a higher price (the old practice of “scalping”). In 2013, Ticketmaster, the largest online distributor of tickets in the U.S., estimated bots were being used by scalpers to purchase about 60% of tickets to the hottest shows. In an effort to combat this widespread abuse, Congress passed, and former President Obama signed, the "Better Online Ticket Sales (BOTS) Act of 2016" in December, which made the practice illegal.
In the advertising industry, automated bots are used to create phony traffic, driving up costs for paying advertisers. This tactic was recently used by a Russian group to trick advertisers into paying as much as $5 million a day for fake video ads whose only viewers were half a million bots. And this is not an isolated case: some speculate that up to one-third of all website traffic is bogus.
In retail, bots are used to make fraudulent purchases using stolen credit card information, as well as to make legitimate purchases of limited-quantity items for resale at a premium on auction sites.
Given the range of schemes, it is hard to say which industry is the most popular target for bot fraud. But it is clear that if a company is doing business online, it will get hit at some point. It is only a matter of how big a hit it will suffer.
A Way to Stop the Bots
Is there a way to slow or stop the bots? Fortunately, technology exists that can help. One signature quality behind bot attacks is their high rate of speed. Because of this, technology that can detect potential velocity attacks can identify and screen out the bots. These solutions work by flagging devices that are used to perform multiple unusual behaviors (usually at a high rate of speed). If a device performs multiple login attempts on multiple accounts over a short period of time, this could signal the use of a bot.
However, many of these bot detection tools fall short of true identification because they rely on IP addresses or cookies in their model. This method of identification is easily thwarted by sophisticated bots that change their IP address continually or clear/disallow cookies. Sophisticated bots like these require more sophisticated screening technologies.
The next generation of bot-prevention tools involves device intelligence, device fingerprinting, malware detection, machine learning, and behavioral analysis. This model relies more on identifying the bot at the root, that is, at the device level. Doing so makes it easier to employ both static techniques, such as detecting the presence of malware on the device, and a more complete behavioral analysis (detecting a high number of attempts, a high number of failures, unusual traffic patterns, and unusual speed of access and access attempts) that is more accurate and not so easily fooled.
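The velocity check described above, as an added example that is not part of the original article: the same sliding-window rule is run twice over constructed login events, once keyed by IP address and once keyed by a device identifier, to show why the IP-keyed version misses a bot that rotates addresses. The thresholds, field names and the existence of a stable `device` identifier are assumptions of this sketch.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60  # assumed sliding-window length
MAX_ACCOUNTS = 3     # assumed: distinct accounts one source may try per window
MAX_FAILURES = 5     # assumed: failed logins one source may make per window

def flag_sources(events, field):
    """Return the values of `field` ("ip" or "device") that exceed either
    velocity threshold inside any sliding window."""
    recent = defaultdict(deque)  # source id -> recent (ts, account, ok)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev[field]]
        q.append((ev["ts"], ev["account"], ev["ok"]))
        while ev["ts"] - q[0][0] > WINDOW_SECONDS:  # drop expired events
            q.popleft()
        accounts = {acct for _, acct, _ in q}
        failures = sum(1 for _, _, ok in q if not ok)
        if len(accounts) > MAX_ACCOUNTS or failures > MAX_FAILURES:
            flagged.add(ev[field])
    return flagged

def login(ts, ip, device, account, ok):
    return {"ts": ts, "ip": ip, "device": device, "account": account, "ok": ok}

def build_sample_events():
    """Constructed sample data, not real logs."""
    # Bot: one device, a fresh IP and a fresh account every 2 seconds.
    events = [login(100 + 2 * i, f"203.0.113.{i + 1}", "dev-bot", f"user{i}", False)
              for i in range(12)]
    # Ordinary user: one mistyped password, then a successful login.
    events.append(login(105, "198.51.100.7", "dev-alice", "alice", False))
    events.append(login(120, "198.51.100.7", "dev-alice", "alice", True))
    # Two people behind one shared office IP, each on their own device.
    events.append(login(110, "198.51.100.9", "dev-bob", "bob", True))
    events.append(login(115, "198.51.100.9", "dev-carol", "carol", True))
    return events

if __name__ == "__main__":
    sample = build_sample_events()
    print("flagged when keyed by IP:    ", flag_sources(sample, "ip"))
    print("flagged when keyed by device:", flag_sources(sample, "device"))
```

Keyed by IP, every bot request looks like a first-time visitor and nothing is flagged; keyed by device, the bot crosses the distinct-account threshold on its fourth attempt while the ordinary users stay below both limits.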
Using a variety of techniques like these to identify and screen out the bots is a crucial factor in fraud prevention. While the threat from bots is pervasive and growing, companies that do business online would be wise to invest in sophisticated device intelligence, machine learning, and authentication technology to help turn the tables on fraudsters.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.