Fact or Fiction? The Biggest Bot Myths Debunked
Bad bots are damaging businesses and are costing them millions. As a result, many businesses are investing in bot management software to control the bot traffic accessing their site.
In 2020, Netacea found that 99% of the businesses we surveyed had either a full or partial bot management solution in place or were in the process of implementing one. While this seems to be a promising statistic, many of the same businesses are falling victim to common bot myths and relying on solutions that are inadequate for sophisticated bot detection, leaving them vulnerable to bot attacks, data breaches and more.
Netacea was interested in finding out just how many businesses could differentiate between common myths and bot facts. We interviewed 440 businesses based in the USA and UK, across eCommerce, telecommunications, entertainment (including online gaming and streaming), travel and financial services. Could they separate bot fact from bot fiction?
Myth, near-myth, or fact?
“A web application firewall (WAF) stops sophisticated bots.”
WAFs are designed to block attacks that exploit vulnerabilities in the application itself, for example injection attacks. Many WAF-based solutions also offer basic bot mitigation features – which is potentially why many businesses believe a WAF is an effective way of stopping sophisticated bots.
73% of businesses we surveyed believed this to be true, including 92% of telcos and 77% of eCommerce businesses.
This is a myth. The more sophisticated bot attacks abuse a website's intended business logic rather than a security vulnerability. Because these bots never need to exploit a security hole, WAF-based solutions are ineffective against them. Examples of business logic attacks that bypass WAFs include:
- Credential stuffing attacks in which bots automatically inject thousands of stolen or leaked credentials into a website login page until they find a match, subsequently gaining fraudulent access to customer accounts and in-account valuables, such as loyalty points or stored credit card details.
- Inventory hoarding, where bots hold an item (or multiple items) in a basket while listing it for resale at a profit on a third-party site, only completing the purchase once the resale goes through.
- Using scalper bots to purchase new, limited edition or discounted stock at a much quicker speed than genuine human customers.
“reCAPTCHA distinguishes between bots and humans.”
reCAPTCHA is a bot management service from Google which allows websites to distinguish between human and automated traffic.
72% of businesses we surveyed believed this to be true.
This is a near-myth. While reCAPTCHA does differentiate between some human and bot traffic, advancements in artificial intelligence have allowed the more sophisticated bots to circumvent this technology and easily gain access to a website. Additionally, the increased use of CAPTCHA farms means that bot mitigation software such as reCAPTCHA is unable to guarantee detection of some of the simpler forms of automated traffic.
What is a CAPTCHA farm?
A CAPTCHA farm is a service in which CAPTCHAs are forwarded to a group of humans to solve – often these people are outsourced workers in developing countries.
“All bot users are criminals.”
Many people who use bots do so with the intention of exploiting the business and making a profit from their efforts. Take those using a scalper bot, for example – their intent is to buy up limited edition or newly launched stock and re-sell it on third-party websites to make a profit. While this is frustrating for the business and potentially damaging to customer experience, is it illegal?
Just over half of the businesses we surveyed (55%) believed that all bot users could be considered criminals.
This is a near-myth. Although, at the time of writing, laws against scalper bots are being discussed in both the UK and the USA, the practice of obtaining or purchasing items using a bot is currently legal. Additionally, while many of the people using scalper bots do so to resell products at a profit, some are simply consumers tired of consistently being beaten by scalper bots, who acquire their own in order to purchase the item they want. Either way, neither group can be considered criminal for their use of bots, as there are no laws against the practice.
Bot usage, however, for credential stuffing and card cracking is a form of online fraud – for this reason, those using bots in this way can be considered criminals.
“The majority of credential stuffing attacks use bots or automated technology.”
Huge lists of stolen or breached usernames and passwords are available for sale on the dark web. Cyber-criminals will purchase these credentials and continually input them into the login forms of various websites until they get a match. Once an account is verified, the cyber-criminal will then have access to all the account assets and valuables – such as any premium subscriptions associated with the account, stored credit card details or accrued loyalty points. The cyber-criminal can either change the password and acquire account assets for personal use or, more often than not, re-sell these verified credentials and account assets on the web to make a profit.
64% of the businesses we surveyed believed this to be true.
This is a fact. With more than 15 billion credentials available for sale on the dark web, and more data breaches occurring daily, it is impossible to check their validity manually. For this reason, most attackers will use automated technology to sift through the millions of credentials and verify accounts for use or resale.
“Distributed denial of service (DDoS) protection will stop all bots.”
The aim of a DDoS attack is to overwhelm a website with traffic. Automated technology is often used for this, usually a network of machines known as a botnet.
77% of businesses we surveyed believed DDoS protection could stop all bots.
This is a myth. While bot traffic is also automated, it differs from the traffic used in a DDoS attack. Bots usually access a website with a different intention than DDoS traffic: although bots are capable of overwhelming a website, they typically need the site to be working optimally to carry out their attack, so overwhelming it would mean the attack had failed. Most forms of DDoS protection rely on some form of “rate limiting” – however, most bots are sophisticated enough to limit how frequently they repeat actions in order to stay below these thresholds. Many of the more sophisticated bots can even learn the rate limits of specific websites to better avoid them.
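The contrast above, as an added example that is not part of the original post or Netacea's own tooling: a per-IP rate limiter (more than 10 login attempts per minute) never fires on a credential-stuffing run paced at one attempt per minute, while a behavioural check on failed logins spread across distinct usernames flags it. The login events are constructed, and the thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (timestamp, client_ip, username, success).
# Made up for this example, not taken from any real system.
def _mk(ts, ip, user, ok):
    return (datetime.fromisoformat(ts), ip, user, ok)

SAMPLE_EVENTS = [
    # Legitimate user: one typo, then a successful login.
    _mk("2021-03-01T10:00:00", "203.0.113.5", "alice", False),
    _mk("2021-03-01T10:00:20", "203.0.113.5", "alice", True),
] + [
    # Paced credential stuffing: one attempt per minute, a different account each time.
    _mk(f"2021-03-01T10:{i:02d}:05", "198.51.100.9", f"user{i:03d}", False)
    for i in range(30)
]

def rate_limit_flags(events, window=timedelta(minutes=1), max_requests=10):
    """Plain per-IP rate limiting: flag an IP that sends more than
    max_requests login attempts inside a sliding window."""
    flagged, by_ip = set(), defaultdict(list)
    for ts, ip, _user, _ok in sorted(events):
        recent = by_ip[ip]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.pop(0)
        if len(recent) > max_requests:
            flagged.add(ip)
    return flagged

def stuffing_flags(events, window=timedelta(hours=1),
                   min_failures=10, min_distinct_ratio=0.8):
    """Behavioural check: an IP whose failed logins are spread across many
    different usernames looks like credential stuffing, however slowly
    the attempts arrive. A real user retrying one account is not flagged."""
    flagged, by_ip = set(), defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        if ok:
            continue
        recent = by_ip[ip]
        recent.append((ts, user))
        while ts - recent[0][0] > window:
            recent.pop(0)
        failures = len(recent)
        distinct = len({u for _, u in recent})
        if failures >= min_failures and distinct / failures >= min_distinct_ratio:
            flagged.add(ip)
    return flagged
```

Run against the sample, the rate limiter returns an empty set while the behavioural check returns the stuffing IP; in practice the same logic would be keyed on a device fingerprint or session rather than IP alone, since stuffing runs are usually distributed across many addresses.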
The problem with believing bot myths
Believing in bot myths, and consequently investing in the wrong bot protection, can cause a multitude of problems for your business. Having a WAF-, DDoS- or CAPTCHA-based solution in place and believing your business is protected from sophisticated bots gives you a false sense of security. This leaves your business vulnerable to bot attacks, forms of online fraud such as account takeover and card cracking, data breaches and more. A false sense of security can come at a significant cost to your business. In 2021 Netacea found that bots cost businesses up to 3.6% of their online revenue; for 25% of the businesses we surveyed, this figure was close to a quarter of a billion dollars.
It is impossible for businesses to manage the bot threat without first getting a better understanding of what the bot threats are, and which methods of protection can keep up with evolving and more sophisticated threats. If myths such as the above continue to be believed, businesses will remain vulnerable to bot exploitation – which will consequently damage brand reputation and customer experience, as well as resulting in significant financial losses.