By Tiffany Olson Kleemann, CEO, Distil Networks
In 1998, “Titanic” became the first movie to gross $1 billion, the Michael Jordan-led Chicago Bulls won their sixth NBA championship, and President Bill Clinton was impeached but acquitted of wrongdoing in the Monica Lewinsky scandal.
It also was the year when bots – pieces of software that run automated tasks over the internet with minimal or no human intervention – first appeared online, providing services to users of the Internet Relay Chat messaging system.
Initially noticed by only a handful of computer geeks and, more recently, the esoteric preserve of cybersecurity experts, bots have now gone mainstream – and for all the wrong reasons. In their 20th anniversary year, bots are seen as responsible for influencing the results of the 2016 U.S. presidential election and causing crises at Facebook and Twitter.
However, while the world comes to grips with bad bots’ role in hijacking social media platforms and thwarting democracy, it’s easy to forget that these nefarious software scripts also are wreaking havoc on much broader swaths of the economy.
Whether for unauthorized data gathering, credit card fraud, click fraud or account takeovers, bots are a weapon of choice for hackers, fraudsters and nefarious competitors who routinely attack online retailers, financial institutions, airlines, ticket dealers, healthcare providers, gambling companies and others via their websites or mobile apps. In fact, social media bots represent just a sliver of the damage bots are doing around the world.
Consider that last year, 42 percent of all internet traffic wasn’t human – it was bots. Bad bots accounted for 22 percent of all traffic. The remaining 20 percent were good bots that deliver useful services such as search engine indexing, stock trade execution, news updates and weather alerts.
Bad bot volume increased nearly 10 percent last year and there’s evidence they are becoming more sophisticated – for example, producing mouse movements and clicks that fool even advanced detection methods or using malware installed within browsers to connect to sites.
Nearly 83 percent of bad bot traffic originated in data centers last year, compared to 60 percent in 2016, which means that cybercriminals are increasingly taking advantage of low-cost cloud computing to carry out more and more bombardments.
As bots become simultaneously more sophisticated and cheaper to use, bot traffic will only continue to proliferate across the internet, causing economic impact in the form of lost revenue, price inflation, fraud, theft and more. Here are just a few examples of how bot activity can manifest financially:
- Denial of service: Hackers use bots to blitz a site with clicks, slowing or shutting it down – also known as a denial of service (DoS) attack. For many online businesses, website downtime correlates directly with a decline in sales. If a retailer gets hit with a DoS attack during the holidays, the consequences can be detrimental.
- Spinning and hoarding: In a practice all too familiar to concertgoers and sports fans, shady ticket brokers use bots to constantly monitor ticketing sites, automatically search for and reserve tickets, and automate the purchase process. The U.S. Congress passed the Better Online Ticket Sales (BOTS) Act in 2016, making this practice a crime, though crafty bot operators have found ways to skirt the law.
The same kind of bots are also used to fraudulently reserve blocks of seats on flights, causing the price of the remaining unsold seats to increase dramatically and throwing off airline ticket sales.
- Account takeovers: Hackers use bots to test usernames and passwords stolen from one enterprise on another’s site, until the right combination clicks. Here, the perpetrators take advantage of the fact that many people reuse their credentials on different sites. The typical website with a login screen gets hit by bot-driven account takeover attacks two to three times per month.
- Credit card cracking: Criminals can also take stolen account numbers and use bots to hit on the correct expiration date and three-digit Card Verification Value (CVV).
The economic effects of account takeovers and card cracking are formidable. Businesses and customers see a rise in fraud, which results in everything from damaged credit ratings to increased chargebacks.
- Ad fraud: Nefarious competitors, vandals and dishonest owners of websites displaying ads can falsify traffic numbers by programming bots to swarm over a website and click on posted ads. Mobile tracking and marketing company AppsFlyer found that mobile app marketers worldwide lost as much as $800 million to ad fraud in Q1 2018.
- Content and price scraping: Bots scrape premium content from a website with the intent of using it for purposes outside the site owner’s control – prices, promotions, offers or content that’s meant to be available only to paid subscribers or authorized business partners. This equates to stealing a product and giving it away for free, resulting in lost revenue for the original owner of the content.
Competitors also use scraper bots to target the pricing section of a site and scrape pricing information, feed the aggregated data to an analytics engine and instantly match prices and products to attract more buyers. This practice is particularly common among online retailers. If a retailer loses enough competitive pricing wars fueled by price scraping bots, they risk going out of business.
- Gift card fraud: Bots target gift card payment processes on retail websites to defraud consumers of the money loaded on gift cards. The bots can cycle through millions of potential gift card numbers to determine which have balances. If successful in obtaining the balance, fraudsters can resell the account numbers on the dark web or use them to purchase goods. The result is not only the loss of customers’ money, but also the loss of future customer revenue from dissatisfaction or distrust of the retailer.
- Stock trading: Investors can use bots to gather “alternative sources” of information about the health of a business to make decisions on whether to buy or sell stocks. For example, scraping inventory can provide an early view into the demand for products and whether a public company may have strong or weak revenue numbers.
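Account takeovers, card cracking and gift card balance checks, as described in the list above, leave the same trace in a site's logs: one client cycling through many different identifiers with almost every attempt failing. The sketch below is an added example, not code from this article or from Distil Networks; the log format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MIN_DISTINCT = 5                # assumed: distinct accounts tried by one client
MIN_FAIL_RATIO = 0.8            # assumed: share of attempts that must fail

# Constructed sample log (not real traffic): "timestamp client username result"
SAMPLE_LOG = """\
2018-06-01T10:00:00 203.0.113.7 alice FAIL
2018-06-01T10:00:01 198.51.100.20 grace FAIL
2018-06-01T10:00:02 203.0.113.7 bob FAIL
2018-06-01T10:00:03 192.0.2.44 heidi OK
2018-06-01T10:00:04 203.0.113.7 carol FAIL
2018-06-01T10:00:05 192.0.2.44 ivan OK
2018-06-01T10:00:06 203.0.113.7 dave FAIL
2018-06-01T10:00:07 198.51.100.20 grace FAIL
2018-06-01T10:00:08 203.0.113.7 erin OK
2018-06-01T10:00:09 192.0.2.44 judy OK
2018-06-01T10:00:10 203.0.113.7 frank FAIL
2018-06-01T10:00:11 192.0.2.44 mallory OK
2018-06-01T10:00:12 198.51.100.20 grace OK
2018-06-01T10:00:13 192.0.2.44 niaj OK
"""

def parse(line):
    ts, client, user, result = line.split()
    return datetime.fromisoformat(ts), client, user, result == "OK"

def find_enumeration(lines):
    """Return {client: (distinct_users, fail_ratio)} for clients that trip the rule."""
    recent = defaultdict(deque)          # per-client attempts inside WINDOW
    flagged = {}
    for line in lines:
        ts, client, user, ok = parse(line)
        q = recent[client]
        q.append((ts, user, ok))
        while ts - q[0][0] > WINDOW:     # drop attempts older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fail_ratio = sum(1 for _, _, s in q if not s) / len(q)
        # Many accounts AND mostly failures: a mistyping user or an office NAT has only one
        if len(users) >= MIN_DISTINCT and fail_ratio >= MIN_FAIL_RATIO:
            flagged[client] = (len(users), round(fail_ratio, 2))
    return flagged

if __name__ == "__main__":
    for client, (n, ratio) in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {n} distinct accounts, {ratio:.0%} failed")
```

Counting per IP address misses bots that spread attempts across many data-center addresses, so in practice the same rule is also keyed on other client attributes such as a device or session fingerprint.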
Whether these various types of bot activities are deemed good or bad, either way, their global financial impact cannot be overstated. In order to remain competitive and protect themselves and their customers, businesses must be acutely aware of how bots are interacting with their websites and figure out where they stand in the bot arms race. There’s too much at stake to look away.
Tiffany Olson Kleemann is CEO of Distil Networks, a bot mitigation company.