You know those pop-up bubbles that appear in the bottom right-hand corner of a new webpage to say “Hello” and ask whether you have any questions? Those are called chatbots. They aren’t physical robots, but pieces of software designed to pop up when someone visits the page, ask an introductory question, and, if the user clicks on it, ask common questions to help direct the visitor. These chatbots answer the common questions that get repeated, freeing up real people to answer the more complex questions that users may have. There are lots of different kinds of bots, but they’re not all as innocent as a chatbot.

Understanding Malicious Bot Threats

Unfortunately, not all bots on the internet are designed to be helpful. Some people create bad bots that are designed to buy up inventory to sell at a higher price later (like concert tickets), promote certain harmful or self-serving ideas on social media through comments, or automatically download software to artificially boost its rankings. Malicious bots, however, take things several steps further. We’ll discuss the most common bot threats below.

  • Malicious Chatterbots: These spam bots hit chat rooms, message boards, and apps with spam and advertising.
  • Inventory Denial Bots: Inventory denial bots are created to visit websites selling goods and put items into a fake cart to hold them. Websites usually adjust inventory when it looks like an item will be bought, such as when an item is added to a cart. Holding items this way keeps real customers from purchasing them.
  • Spambots: These bots are made for web scraping, or for infiltrating a system to harvest contact information. Spam messages are then sent to the contacts they were able to obtain.
  • DoS Bots: If an attacking party can get enough computers and devices infected with a certain malware, this creates a botnet, or a bunch of devices that can all be controlled by the same person or group of people. These botnets can be used to perform identity theft, spread malware and spam, and perform DDoS attacks to overwhelm a website with bot traffic to keep it from functioning properly.
  • Click Bots: Click bots are designed to click on ads, buttons, or other hyperlinks. This can defraud advertisers, trick websites, influence online polls, or fake traffic numbers.
  • Account Takeover Bots: These bots are made to hack into profiles or accounts of real users to access private information like banking details, personal messages, and identification information. 

The Importance of Malicious Bot Protection

Bot and cybersecurity protection have become a necessary component of any organization hoping to survive in the online space. Bots make up 40% of online traffic, so they’re everywhere. If the bad ones cause your website or information to be compromised, you could face financial loss, reputation damage, and potential legal implications for your business. Below are several examples:

  • A data breach in 2022 cost the affected company over $350 million in customer payouts due to a lawsuit filed against it. Vulnerable information included 37 million customer names, birth dates, and even social security numbers.
  • An insurance company suffered a data breach in early 2023 that exposed the contact information, social security numbers, driver’s license numbers, and health insurance information of nearly 9 million people.
  • In 2022, a large-scale DDoS attack by the pro-Russian hacktivist group KillNet brought down several large US airport websites for several hours.

Common Signs of Malicious Bot Activity

Here are some common signs of malicious bots and their not-so-great activity on websites:

  • Abnormal website activity including suddenly high page views, higher than normal bounce rates, spikes in traffic from unknown locations, junk conversions (contact form submissions that make no sense), etc.
  • An increase in support tickets related to account lockouts and fraudulent transactions. This could be a sign of credential-stuffing bots that take over legitimate user accounts with information they’ve harvested from past leaks. This negatively impacts customer experience and these fraudulent transactions can overload your servers (creating longer page load times) or even render your website unavailable.
  • Low yield on advertising spending could signal that bots are clicking on your advertisements and driving up your pay-per-click spending but not buying anything.
  • If you find duplicates of your content on non-approved sites, you may be dealing with a web content-scraping bot. These bots steal content you worked to assemble and curate and they use it to increase their traffic to the detriment of yours.
  • An uptick in failed credit card transactions is a dangerous sign of bad bots. These credit card stuffing bots test thousands of stolen credit card numbers in an attempt to find one that works. They make low-value purchases on less secure websites before performing larger transactions on bigger sites or selling the validated card numbers on the dark web. Wherever your site fits into this system, if the failed transactions are egregious enough, your payment provider may fine you.
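
The lockout and credential-stuffing sign above can be checked directly in authentication logs. The following is an added example, not part of the original article: it separates one source failing across many accounts from one user repeatedly mistyping a password. The log format, thresholds and function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^\S+ ip=(\S+) user=(\S+) result=(ok|fail)$")

def build_sample_log():
    """Constructed lines in a hypothetical log format; IPs are documentation ranges."""
    lines = [f"2024-05-01T10:00:{i:02d}Z ip=203.0.113.7 user=user{i} result=fail"
             for i in range(12)]                      # one source, 12 different accounts
    lines.append("2024-05-01T10:00:12Z ip=203.0.113.7 user=user12 result=ok")
    lines += ["2024-05-01T10:01:00Z ip=198.51.100.20 user=dana result=fail"] * 4
    lines.append("2024-05-01T10:01:30Z ip=198.51.100.20 user=dana result=ok")
    lines.append("2024-05-01T10:02:00Z ip=198.51.100.30 user=eli result=ok")
    lines.append("truncated or malformed line")       # must be skipped, not crash
    return lines

def summarize(lines):
    """Per source IP: attempts, failures, usernames tried, usernames that succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ok": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # ignore unparseable input
        ip, user, result = m.groups()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "fail":
            s["fails"] += 1
        else:
            s["ok"].add(user)
    return stats

def classify(stats, min_users=10, min_fail_ratio=0.8):
    """Thresholds are illustrative assumptions; tune them against your own baseline."""
    verdicts = {}
    for ip, s in stats.items():
        if len(s["users"]) >= min_users and s["fails"] / s["attempts"] >= min_fail_ratio:
            verdicts[ip] = "credential-stuffing suspect"   # many accounts, mostly failing
        elif len(s["users"]) == 1 and s["fails"] >= 3:
            verdicts[ip] = "repeated failures on one account"
        else:
            verdicts[ip] = "normal"
    return verdicts

def accounts_to_review(stats, verdicts):
    """Accounts a suspect source logged into successfully: candidates for forced reset."""
    return sorted(u for ip, v in verdicts.items() if v.startswith("credential")
                  for u in stats[ip]["ok"])
```

The successful login from the suspect source is the entry that matters most for response, since it marks an account that may already be taken over.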

Effective Strategies for Malicious Bot Protection

No two bots are alike, so the best way to mitigate their harmful practices is to combine several tactics to stop them in their tracks. Consider the following strategies.

  • Block all bot traffic that you’ve identified as malicious. Be prepared for the bot operator to change their tactics and come back later with a different strategy.
  • If you notice telltale bot behavior such as a pattern of suspicious logins, low page depth or time-on-page, or failed credit card validations, it’s crucial to deploy a security test such as CAPTCHA to verify that suspicion. Try to serve CAPTCHAs only to suspected bots and not to legitimate users, since they create friction in the user experience.
  • Rate limiting is when you limit the number of times an IP address can submit requests to your site. While this may keep less sophisticated bots at bay, many of today’s more advanced bots can keep their number of requests just below your rate limit, remaining undetected while they continue to inflict damage.
  • Requiring additional authentication for users, such as using one-time passwords or two-factor authentication, is one way to stop credential-stuffing bots, but it also adds friction to the user experience.
  • Implementing bot detection tools will help you discover suspicious bot activity. Tools include IP address tracking, which can help you block sources of suspicious activity. Implementing a robots.txt file guides search engine bots to the pages they should index; it is advisory, so it shapes the behavior of well-behaved crawlers rather than stopping malicious ones. Using a web application firewall (WAF) will create a kind of shield between the internet and the web application so only legitimate users can access the relevant server.
  • Use malware detection software to detect, quarantine, and/or delete malicious code, to prevent malware from causing damage to your device or system.
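
The rate-limiting caveat above, as an added example that is not part of the original article: a per-IP sliding-window limiter in which a steadily paced client passes a single per-minute limit but is stopped once a longer hourly budget is layered on top. The class name, tier values and simulated traffic are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class LayeredRateLimiter:
    """Per-IP sliding-window limits; a request must pass every (window, limit) tier."""

    def __init__(self, tiers):
        self.tiers = tiers                        # e.g. [(60, 10), (3600, 120)]
        self.hits = defaultdict(deque)            # ip -> timestamps of accepted requests
        self.horizon = max(window for window, _ in tiers)

    def allow(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0] >= self.horizon:   # forget hits older than longest window
            q.popleft()
        for window, limit in self.tiers:
            recent = sum(1 for t in q if now - t < window)
            if recent >= limit:
                return False                      # over budget in this tier
        q.append(now)
        return True

def simulate(limiter, ip, interval, duration):
    """Constructed traffic: one request every `interval` seconds for `duration` seconds.
    Returns (allowed, blocked)."""
    allowed = blocked = 0
    t = 0
    while t < duration:
        if limiter.allow(ip, t):
            allowed += 1
        else:
            blocked += 1
        t += interval
    return allowed, blocked

def compare():
    """Same constructed clients against a single tier and against layered tiers."""
    ip = "203.0.113.7"                            # documentation-range address
    noisy = simulate(LayeredRateLimiter([(60, 10)]), ip, 1, 60)
    paced_single = simulate(LayeredRateLimiter([(60, 10)]), ip, 7, 3600)
    paced_layered = simulate(LayeredRateLimiter([(60, 10), (3600, 120)]), ip, 7, 3600)
    return noisy, paced_single, paced_layered
```

A longer window only raises the cost of pacing; traffic spread across many addresses still needs the behavioral signals and authentication measures in the other items of this list.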

Now What?

Now you know what bots are, why it’s important to have protections in place, some common signs of malicious bot activity, and what you can do to stop them. The best way to protect yourself against malicious bots is to use a multi-layered strategy that includes some or all of the suggestions we discussed above. Relying on a single strategy might work for less sophisticated bots, but most can get around a single layer of defense. Using several bot mitigation tools will make it increasingly difficult for sophisticated bot attacks to succeed. For more information, you can check out RiskRecon by Mastercard and its different tools to help protect you and your company from bot attacks. You can even request a demo to see how their solutions could work for you.