How are businesses dealing with bot attacks in 2022? In short: not well. A few years ago, companies were naïve to the threat of bots. Now, they understand them more, and many are adopting preventive measures. That's the good news. The bad news is that businesses are leaving bot attacks unchallenged for an average of 16 weeks, which means they are going undiscovered for almost four months.


A recent study of 440 businesses across the travel, entertainment, eCommerce, financial services, and telecoms sectors in the United States and the United Kingdom reveals that in almost every measure, businesses appear to be doing worse than last year in the battle against bots. However, this may not mean they are losing the fight. 


Attacks have increased by 7-9% from last year, and budgets to combat the problem have increased due to heightened awareness. Most businesses recognize the impact of bots but, in many ways, are not pushing back hard enough and, subsequently, are losing ground. 


The four main types of bots (scraper bots, scalper bots, sniper bots, and account checker bots) are all on the rise. Attacks from each of these have increased, and while most bots emanate from China (74%) and Russia (55%), attacks from the U.S. and Europe exist and pose an equivalent amount of danger.


Scalper bots, media darlings thanks to designer sneakers, consoles, and concert tickets, have typically led the pack in popularity, but their financial impact is dwindling. Businesses that understand the effects of these bot attacks are taking steps to mitigate the problem. However, the pain is being felt elsewhere, such as in customer satisfaction, which continues to drop. Ninety-seven percent of companies say that bot attacks have affected customer satisfaction. And web analytics, skewed by bots, are responsible for a 5% loss in revenue.


Two Areas Greatly Impacted: Web Analytics and Loyalty Points 


Businesses are right to pay close attention to their web analytics — the tools available that interrogate customer journeys can give incredible insights into how customers think and buy, and small changes can help to increase sales. Bots do their best to spoil that, skewing analytics and leading businesses into bad decisions. Some companies have even launched entire marketing campaigns based on the false data created by bots. The actual cost of skewed analytics has increased a percentage point over the previous year to 5%. 


For a long time, bots have found loyalty points to be an easy target too. The average loyalty points stolen have decreased slightly overall but not in the U.S., where the value has risen, meaning hackers have become more targeted in their attacks, seeking out more valuable accounts and selling them on for greater profits. 


There is some good news, however. Only a handful of businesses reported the impact of these bot attacks to be significant. This indicates that while the attacks continue, companies are fighting back to some extent. More bot attacks are being detected and factored into decision-making, and businesses are starting to understand the scale of the problem better. 


Where the Wild Things Are


Rising awareness and increased security may have made an impact, but how attackers operate has shifted along with it. Attacks on websites have remained static, but attacks elsewhere have increased. Attacks on APIs (60%) and mobile apps (39%) are both up from 46% and 23%, respectively, in 2021.


While businesses are investing in better defenses, attackers are getting equally savvy and finding ways to bypass security. There has been a marked rise in bots hiding behind residential proxies and rotating their user agents and IP addresses, amongst other techniques, to avoid detection. And as businesses improve their protections, they are catching bots that previously went unnoticed, which means the landscape becomes a game of cat and mouse.
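How that rotation shows up on the defender's side, as an added example (not from the study or from any vendor's product): the code flags sessions whose cookie is presented from several IP addresses or User-Agent strings inside a short window. The log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the study): time, IP, session cookie, User-Agent.
SAMPLE_LOG = """\
2022-06-01T10:00:00 203.0.113.10 sess-a Mozilla/5.0 (Windows NT 10.0) Chrome/102
2022-06-01T10:00:40 203.0.113.10 sess-a Mozilla/5.0 (Windows NT 10.0) Chrome/102
2022-06-01T10:03:10 198.51.100.7 sess-a Mozilla/5.0 (Windows NT 10.0) Chrome/102
2022-06-01T10:00:05 192.0.2.11 sess-b Mozilla/5.0 (Macintosh) Safari/15
2022-06-01T10:00:09 192.0.2.87 sess-b Mozilla/5.0 (X11; Linux) Firefox/100
2022-06-01T10:00:14 198.51.100.23 sess-b Mozilla/5.0 (Windows NT 10.0) Chrome/101
2022-06-01T10:00:20 203.0.113.99 sess-b Mozilla/5.0 (iPhone) Safari/15
2022-06-01T10:20:00 192.0.2.50 sess-c Mozilla/5.0 (Android 12) Chrome/102
2022-06-01T11:45:00 192.0.2.50 sess-c Mozilla/5.0 (Android 12) Chrome/102
"""

def parse(log_text):
    """Yield (timestamp, ip, session, user_agent) from each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, session, ua = line.split(" ", 3)
        yield datetime.fromisoformat(ts), ip, session, ua

def rotating_sessions(log_text, window=timedelta(minutes=5), max_ips=2, max_uas=1):
    """Return {session: (distinct_ips, distinct_uas)} for sessions that exceed
    either threshold inside any sliding window of the given length."""
    by_session = defaultdict(list)
    for ts, ip, session, ua in parse(log_text):
        by_session[session].append((ts, ip, ua))
    flagged = {}
    for session, events in by_session.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the window spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ips = {e[1] for e in events[start:end + 1]}
            uas = {e[2] for e in events[start:end + 1]}
            if len(ips) > max_ips or len(uas) > max_uas:
                best = flagged.get(session, (0, 0))
                flagged[session] = (max(best[0], len(ips)), max(best[1], len(uas)))
    return flagged

if __name__ == "__main__":
    for session, (ips, uas) in rotating_sessions(SAMPLE_LOG).items():
        print(f"{session}: {ips} IPs, {uas} User-Agents within 5 minutes")
```

The default `max_ips=2` tolerates one legitimate network change, such as a phone moving from mobile data to Wi-Fi, so `sess-a` is not flagged while `sess-b` is.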


Protection and Elimination


The good news is that businesses have increased budgets. This means they now have greater visibility of bot attacks. However, the gains so far are marginal, and they are spending less than 8% of the total security budget on bot management. It's not enough. 


Forty-nine percent of respondents believe that all bot users are criminals, but this is not true. We've seen changes in how attackers operate, but businesses remain one step behind. There are still huge misunderstandings around bot attacks' origin, intention, and complexity. While credential stuffing and account takeover attacks are illegal, buying up high-demand items for resale is not.


As bots get more innovative, businesses need to as well. It starts with good mitigation strategies. This shouldn't involve blanket bans on traffic according to the country of origin, either. Bots can come from a variety of places or attack via proxy. Bot mitigation tools like reCAPTCHA help but aren't complete; neither are WAF or distributed denial of service (DDoS) protection alone.


Companies need to look at total user activity, unmasking the intent behind what they do. No matter how sophisticated and human-like the user's behavior appears, it can still be a bot. The right solution can distinguish between the two and stop the problem quickly before it worsens. The reality is that four months exceeds the length of a business quarter, and an attack that goes unidentified for that long will hurt profits quickly.