ThreatList: Human-Mimicking Bots Spike, Targeting e-Commerce and Travel


Overall bot activity on the web has soared, with a 26 percent growth rate — attacks on applications, APIs and mobile sites are all on the rise.

Bad bots, bad bots, whatcha gonna do? Target e-commerce, the travel industry, media and online marketplaces, that’s what.

Those are the top four verticals attacked by bots in the last year, according to data released on Wednesday from Radware, with e-commerce accounting for the most activity.

In 2019, overall bad-bot traffic grew by 26 percent, rising to account for a quarter (24.5 percent) of total internet traffic. Automated attacks on mobile phones and APIs are rising too, with bad bots accounting for 15.4 percent of the total traffic on mobile devices.

Web applications are the most exploited attack surface across industries. In 2019, bad bots made up 35 percent of the total traffic on web applications, an increase of 10 percent year-over-year. On a related note, attacks on APIs have ramped up in the last few years. In 2019, bad bots accounted for 16.6 percent of the traffic on APIs, rising from 14.3 percent in 2018.

“Despite their rapid and widespread implementation, APIs remain poorly protected and are a vulnerable surface for automated threats,” according to Radware. “Personally identifiable information (PII), payment-card details and business-critical services are at risk due to bot attacks on APIs.”

Radware noted that cybercriminals use bots in many ways: sophisticated bots built to circumvent security measures and take over user accounts by mimicking human behavior; denial-of-service bots that prevent online checkouts or take down specific pages; bots built for mobile environments; bots that exploit vulnerabilities in applications and APIs; and custom, targeted bots that are built to attack specific companies or competitors.

What that bot activity looks like tends to vary from vertical to vertical, according to the analysis.

Different Verticals, Different Attacks

In e-commerce for instance, Radware has seen bad bots attacking web applications, mobile apps and APIs. Specific attacks include “payment fraud on checkout pages to content scraping (prices or product info) on product pages, coupon scraping, inventory holdups and cart abandonment, as well as various forms of account takeover, including brute force and credential stuffing on the homepage or user login page,” the firm noted in its writeup.

In the media and publishing realm, most of the observed bot activity in Radware’s telemetry involves ad fraud and organizations looking to disrupt competitors’ advertising efforts.

[Figure: The motivation for bot attacks varies by industry.]

“Media and publishing outlets use many good bots for advertising and affiliate programs; their main challenges are to filter out dirty bot traffic as well as to correct marketing analytic tools,” according to the report. “In this vertical, it is common for competitors and ad platforms to scrape data and content or attempt to skew the analytics of the media campaigns, causing further harm by leading the targeted publisher to make thwarted decisions that are based on false data.”

Advertising is also at the heart of attacks on online marketplaces and classifieds (think eBay, Craigslist, Etsy and others).

“[These businesses] rely on the credibility and trust of consumers to grow their businesses,” Radware noted. “As they attract more traffic, these companies benefit from performing as hubs for advertisements. Their objective is to keep ads secure from scraping — especially from competitors — which may also run scripts to collect users’ sign-up information. This effort is why we see more bad bot traffic against the homepage.”

And finally, the most common bot attack type for the travel industry (consisting of airlines, transportation and hotel chains) is “denial of inventory.” This is a tactic meant to restrict the availability of bookable properties or airline seats for actual humans. In its analysis, Radware found that a full 29 percent of the traffic to booking sections is generated by bad bots.

“These bots can hold inventory for as long as the bot herder chooses making it unavailable to real users, thus causing an immediate financial impact on the victim,” the firm explained. “Empty hotel rooms are locked up, and airline seats go unsold. The bots run in a loop and hold the rooms or tickets after timeouts are generated and the inventory is supposed to go back to the pool.”
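As an added illustration (not from Radware's report or the original article), the hold-and-re-hold loop described above can be surfaced from booking logs by looking for clients that renew a hold on the same item right after each timeout and never purchase. The event format, the hold TTL and the thresholds below are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

HOLD_TTL = 600       # assumed: seconds a room/seat hold lasts before release
REHOLD_WINDOW = 30   # assumed: a new hold this soon after expiry counts as a loop
MIN_CYCLES = 3       # assumed: consecutive re-holds required before flagging

# Constructed sample events: (epoch_seconds, client_id, item_id, action)
SAMPLE_EVENTS = [
    (0,    "c-17", "room-204", "hold"),
    (602,  "c-17", "room-204", "hold"),    # re-held 2s after the timeout
    (1204, "c-17", "room-204", "hold"),
    (1807, "c-17", "room-204", "hold"),
    (50,   "c-42", "seat-12A", "hold"),
    (400,  "c-42", "seat-12A", "purchase"),  # ordinary buyer
    (100,  "c-88", "room-310", "hold"),
    (5000, "c-88", "room-310", "hold"),    # returned much later: not a loop
]

def find_inventory_hoarders(events, ttl=HOLD_TTL, window=REHOLD_WINDOW,
                            min_cycles=MIN_CYCLES):
    """Return {(client, item): longest re-hold streak} for pairs that renew a
    hold right after each expiry and never complete a purchase."""
    last_hold = {}               # (client, item) -> time of most recent hold
    streak = defaultdict(int)    # current run of expiry-timed re-holds
    best = defaultdict(int)      # longest run seen for the pair
    purchased = set()
    for ts, client, item, action in sorted(events):
        key = (client, item)
        if action == "purchase":
            purchased.add(key)
            continue
        if action != "hold":
            continue
        prev = last_hold.get(key)
        if prev is not None:
            gap = ts - (prev + ttl)   # delay between expiry and the new hold
            streak[key] = streak[key] + 1 if 0 <= gap <= window else 0
            best[key] = max(best[key], streak[key])
        last_hold[key] = ts
    return {k: n for k, n in best.items()
            if n >= min_cycles and k not in purchased}

if __name__ == "__main__":
    for (client, item), n in find_inventory_hoarders(SAMPLE_EVENTS).items():
        print(f"{client} re-held {item} {n} times right after expiry, no purchase")
```

Sophisticated bots that rotate client identifiers will not share a single `client_id`, so in practice the grouping key would need to be whatever stable signal the site has (session, device fingerprint, payment instrument).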

Another common issue is bot activity that takes advantage of loyalty programs and rewards, the firm added.

Varying Sophistication Levels

Notably, sophisticated bot activity increased 18 percent in the past year and now accounts for 45 percent of the bad bot traffic overall, according to Radware.

[Figure: Radware’s classification of bot sophistication.]

“Bots have evolved significantly since their origins as simple scripting tools that used command-line interfaces,” according to the report. “Bot developers now use JavaScript and HTML5 web technologies to enable bots to leverage full-fledged browsers. The bots are programmed to mimic human behavior when interacting with a website or app to move the mouse, tap and swipe on mobile devices and generally try to simulate real visitors in order to evade security systems.”

From an industry-specific perspective, the sophistication level of e-commerce bots tends to be higher than in other verticals, the analysis showed, with 58 percent of the activity consisting of distributed, mutating bots that are programmed to not have repeating behaviors. These are custom-tailored to fool bot-management technologies that use data and behavioral profiling to identify false, non-human actions. Radware also noted that bots carrying out denial-of-inventory (in this vertical, that means denial-of-service attacks on checkout pages) and account-takeover (ATO) attacks require advanced capabilities to impersonate a real human user.

That said, some attacks, such as payment-card scraping, can be carried out by simple scripts, Radware noted – as is seen in Magecart attacks.

The use of bots built to masquerade as humans is also common in the travel industry, according to Radware. Nearly two-thirds (38.4 percent) of bad bots accessing these types of travel web properties fall into this category.

“Bad bots are evolving to be more sophisticated in their capabilities to mimic human behavior and circumvent conventional security protections,” Radware said in its report. “These developments not only threaten application security and user data but also directly impact revenue-generating transactions. As a result, organizations’ brand reputations, customer trust and sensitive data are at greater risk than ever before.”
