How to Get Ahead of the Bots Coming for Your Business in 2023

We’re looking forward to hearing Forrester’s research into bot threats over the past year, and sharing expert opinions on what businesses need to watch out for going into 2023, in an upcoming webinar.

The webinar will feature Forrester Senior Analyst Janet Worthington, alongside our CPO and co-founder Andy Still and Head of Threat Research Matthew Gracey McMinn.

Register now: How will bots impact your business in 2023?

In the meantime, let’s look at some bot trends over the past 12 months.

Attack types and targets are broadening

In 2022 our research teams and bot experts have seen a continuation of the usual bot attacks seen in previous years, such as credential stuffing, content scraping and scalping. However, we have seen the motives for these attacks change, or become part of new attack chains.

For example, credential stuffing and account takeover (ATO) bots have become dangerous tools for the burgeoning refund fraud ecosystem. Criminals undertake the usual first stages – using leaked credential pairs from other websites to test for reused credentials elsewhere automatically and rapidly using bots – before illegally accessing accounts and claiming refunds on past orders.

Refund Fraud-as-a-Service has come into sharp focus in the past year, with eCommerce businesses losing over $25 billion to it annually. It’s just one example of how bot developers and users are commoditizing their skills and tools, opening such activities up to a greater number of unscrupulous attackers.

You no longer need to be a technical expert to take advantage of malicious bots and make a quick profit. As we’ve seen in recent years from the highly professional Genesis Market and similar sites, accessing stolen accounts or the means to exploit them is cheap and user-friendly – such sites even have 24/7 helpdesks in multiple languages, or information brokers to guide the way.

Scalping is no longer a niche area

A quick scan of news site comment sections and social media threads reveals a general derision of scalpers of all kinds, whether they are buying up every Taylor Swift ticket in rapid succession, stockpiling baby formula during a shortage, or making a quick profit by marking up limited edition sneakers or PS5 consoles.

However, more and more of the population are turning to scalping. This is down to a few factors:

• Many people now see scalping as the only way to obtain frequently scalped items (if you can’t beat them, join them).
• There is a lack of concrete legislation or legal action stopping scalpers from operating, particularly outside of ticket scalping.
• Many retailers still don’t have adequate defenses or strategies to stop scalper bots from operating on their sites.
• Using a scalper bot or buying the services of a scalper is easier than buying the scalped items at retail price from retailers, and cheaper than buying marked-up items from secondary marketplaces.

The last point is a consequence of the growing professionalization of the bot ecosystem year-on-year. With the release of the PlayStation 5 during the pandemic, and the following explosion of scalper bots snatching so much of the available stock, stories emerged of technically savvy gamers building their own scripts to either alert them when stock became available or to automatically add the consoles to shopping baskets – in essence, they created their own scalper bots.

Today you don’t need to know how to code to be a scalper. The years-old, hyper-targeted sneaker bot market has broadened in scope to scalp a full range of items from every eCommerce business imaginable – open to anyone for a price.

Businesses are gaining understanding of bot threats

According to Netacea’s recent survey of enterprise businesses, there is a growing understanding of bot threats – where they originate, what they are trying to achieve, and crucially how much financial damage they are causing.

But it isn’t all good news. Despite this increased awareness, businesses still aren’t reacting quickly enough to bot attacks. In fact, the average time to detect and respond to attacks increased over last year’s survey, from 12-14 weeks up to 16 weeks. This is simply not fast enough to remediate the damage caused by bot attacks – the potential damage done in those 16 weeks could be the difference between profit and loss.

Another key finding was that fewer businesses reported being affected by bots, but those that were affected saw much steeper financial impact than in previous years. This indicates bots are shifting their focus to target vulnerable businesses more heavily. Bot operators rarely give up entirely – they simply move on to attack an easier target.

Attacks on APIs will only increase

Speaking of easier targets, API security is becoming the new battleground for bots. APIs are a more straightforward entry point for bots than websites in many cases, as they don’t need to emulate human behavior – APIs are designed for interaction from other systems, so it’s even harder to distinguish malicious bot traffic accessing APIs than websites.

This trend is already playing out, as evidenced again by our report. Industries that are at the forefront of API usage, such as financial services, have already experienced such attacks, but APIs are becoming more ubiquitous and bot operators, evidently, have caught on. Now almost every industry is relying on APIs to keep their applications connected to internal and external systems, opening a new attack surface for bots and business logic attacks.

Get the full story in our live webinar

We’ve only scratched the surface in this blog post, so be sure to get the full story in our upcoming webinar.

You’ll hear directly from Forrester Senior Analyst Janet Worthington about the research firm’s findings over the past year, and their predictions for the year to come.

This information will be backed up with Netacea’s own research, as presented by webinar host and Netacea co-founder Andy Still. You’ll also have the chance to see a credential stuffing bot attack in action, in a demonstration staged by Netacea’s Head of Threat Research, Matthew Gracey-McMinn.

The webinar takes place on Wednesday 20th November from 4pm GMT – Click here to register.