The new generation of advanced bots is now on everyone’s radar. The rise of high-quality IPs and generative AI has led to the emergence of today’s ‘super bots’. These bots can forge fingerprints, enact distributed attacks at scale, mimic human behavior using machine learning, and fool traditional CAPTCHAs up to 100% of the time.
There’s a lot of discussion about how organizations' cybersecurity strategies must now rapidly evolve to keep up with these increasingly advanced bots. But beneath this narrative lies another truth: most organizations still haven’t even nailed down simple bot protection yet.
Recent research, which tested over 14,000 of the largest websites worldwide, discovered a staggering 2 in 3 (65.2%) have no protection against even simple bots. The research also revealed the rate of bot protection is struggling to keep pace with the rapid growth of digital businesses: only 8.44% of websites are fully protected against all bots, a drop from last year’s 10.2%. Not only are bots becoming more advanced, but organizations' defenses against them are becoming weaker.
How even simple bots can have a catastrophic impact
What’s in a name? Simple bots might sound like they don’t have the potential to cause a great deal of damage - but in fact the opposite is true. Simple bots, like curls or fake Googlebots, can carry out a number of malicious tasks and cause significant financial and reputational damage for businesses. Simple bots are also often used to test out a website or app’s defenses to help cybercriminals fine tune their attacks - in much the same way as a burglar might ‘scope out’ a house before breaking in.
Simple bots can perform credential stuffing, taking a list of usernames and passwords (usually purchased from other malicious actors) and plugging them into a website to gain access and take over accounts.
Similarly, fraudsters can use simple bots for carding and card cracking. A cybercriminal might only have a credit card number and expiration date they need to carry out a transaction, but not have access to the security code. They can use a simple bot to try out all possible combinations until the correct value is found.
‘Worst offender’ industries
While media and gambling are leading the pack as the most protected industries (with 46.30% and 40.48% full bot protection respectively), others are falling behind. Our research uncovered that e-commerce and health are the two worst-protected industries worldwide - despite arguably being the two most in need of robust protection.
For the e-commerce sector, this is particularly damning. 69.29% of e-commerce pure players - businesses without any brick & mortar retail locations - have no bot protection whatsoever. A shocking statistic for organizations who make all of their revenue via online sales.
E-commerce businesses simply can’t afford the reputational risk that comes with bot activity on their websites, particularly as we approach the holiday season, when e-commerce sites will host more frequent and higher value transactions. Last year, e-commerce spending over the holiday season amounted to $1.17 trillion. The stakes are high - both for cybercriminals and the retailers they are targeting.
The health industry was another top offender, with 70.44% health domains completely unprotected against simple or advanced bot attacks. The health industry holds a huge amount of confidential and sensitive information, which, without adequate bot protection, is wide open to data breaches. Cyber attacks put organizations' reputations at risk, reduce patient trust, and make organizations vulnerable to regulatory penalties.
Shrinking barriers to bot entry
The rise of Bots-as-a-Service means bots are now more accessible than ever, even for fraudsters with little technical expertise. It’s never been easier or cheaper to craft sophisticated attacks. In the past, hackers needed coding skills to develop and execute cyberattacks. Now, cyber criminals can buy or lease bots-as-a-service on the black market. A simple bot can be purchased online for less than $50.
Generative AI’s emergence into the mainstream has also lowered the barriers to bot entry. Cybercriminals with some technical understanding can leverage AI to create bots that are easier to scale and harder to detect. For instance, AI can generate bots that mimic human behavior more convincingly. This is particularly useful in the case of phishing attacks, where AI bots can mimic human tone and use NLP to generate personalized phishing messages.
Nailing the basics first
While many organizations are asking how they can best protect themselves from the bots of tomorrow, they can start by assessing if they even have the basics in place. Most organizations will need to start from the ground up, making sure they’ve protected themselves and their customers against simple bots.
There are some essential techniques every organisation needs in their bot protection toolkit. One is honey trapping - which allows bots to operate as usual, but feeds them with fake content/ data to waste its resources. There’s also throttling and rate-limiting, which allows bots to access your site, but slows down their bandwidth allocation to make them operate less efficiently - leading fraudsters to give up. There are some attack vectors where blocking bot activity altogether is the best approach, for instance if bots are obviously spreading malware or performing a DDoS attack.
Once organizations have got the basics down with solid bot protection, they can start to bolster their defenses for tomorrow’s increasingly advanced bots.
We've featured the best malware removal.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro