Bots are an important tool to make the internet easier to use, automating many web-borne tasks. One of the most familiar bots is the web crawler or ‘spider’ used by search engines to crawl and index websites. However, with the Yang of the good bot comes the Yin of the bad bot. Security vendor Imperva has published a report into these bad bots, “Bad Bot Report 2021: The Pandemic of the Internet”, exploring how these bad bots are taking over the internet.
What is a bad bot?
Bad bots are automated malicious programs that perform nefarious activities across a spectrum including:
- Screen scraping data to gain a competitive edge
- Stealing personal and financial data
- Credential stuffing attacks to break into online accounts
- Carrying out Distributed Denial of Service (DDoS) attacks to damage websites
Bad bots are often part of a network of bots known as a ‘botnet’ that is controlled centrally by a cybercriminal using a Command-and-Control center (C&C). A botnet uses individual bots to infect a device and that device is then controlled through the C&C. Some of these botnets control millions of devices.
The Imperva report classifies bad bots under 4 categories:
- Simple: Connects from a single IP address.
- Sophisticated: Mimics human behavior such as keyboard clicks and is highly evasive.
- Advanced Persistent Bot (APB): Uses a mix of technologies to evade detection — APBs make up over 57% of all bad bot activity and are used to carry out “significant attacks”.
The vastness of the bot-controlled internet
The Imperva report identifies an interesting aspect of modern web traffic – it is widely automated. The researchers found that over 40% of web traffic was made up of good or bad bot traffic as opposed to human traffic. Bad bots make up almost 26% of all web traffic, showing an uptick over previous years. Trying to identify bad bot activity against this level of traffic requires smart techniques.
Types of bad bot activity
The Imperva report presents a landscape of bad bot activity that should concern any enterprise:
Online accounts contain a lot of valuable data, both personal and financial, and some accounts also contain loyalty points. A 2020 report from Akamai into credential stuffing found that of the 100 billion attempted attacks during 2018-2020, 63 billion targeted the retail, travel, and hospitality sectors. These attacks targeted accounts for their rich data sources and loyalty points. Imperva’s report concurs with Akamai’s findings. The researchers at Imperva identified that one-third of all login attempts, analyzed in the last few months of 2020, were from malicious bots. The main targets of these attacks included travel, entertainment, and financial services.
Exploiting the Covid-19 pandemic
The phenomenon of ‘scalpers’ took off during the pandemic according to the Imperva researchers. Scalping is a strategy used to buy up a product that is in high demand to then resell at a higher price to make a quick profit. During the pandemic, commodities were stockpiled, and gaming hardware was hoarded to scalp later. Bad bots were used to automate scalping. These bots, previously used by ticket touts, were used during the pandemic to check product inventory and hoard as certain tipping points were reached. Pandemic-related slowdowns in supply chains were one of the reasons why bad bot developers switched their model from tickets and events to commodities. Imperva noticed that in the initial stage of the pandemic, bad bots were used to hoard items such as Personal Protective Equipment (PPE) making these items very difficult to find in store.
The ‘Grinchbot’ is a prime example of a scalper. This bad bot was used to pre-order new generation gaming consoles as they became available. Imperva found a 788% increase in bad bot traffic to retail websites between September and October 2020; this timing aligns with the opening of pre-ordering of new game consoles.
Bad bots have also been found to be spreading misinformation about the pandemic. Social media bots are being used to spread fake news about 5G and coronavirus, for example.
The mobile bad bot vs. the browser bad bot
In Q1 2021, almost 55% of internet traffic was via a mobile device. The bad bot is adjusting to this consumer behavior: Imperva researchers have seen bad bot traffic changing, finding a “growing popularity of attacks being launched from mobile ISPs.”
68% of bad bots self-reported as browsers (Chrome, Firefox, Safari, and Internet Explorer) — this is 11% lower than 2019. This reflects the move by consumers to internet access via mobile devices, with mobile bad bots seeing a major rise from 12.9% in 2019 to 28.1% in 2020.
In terms of ISP origination, bad bot traffic from mobile ISPs increased by a massive 565.5% in 2020, accounting for 15.1% of all bad bot traffic.
In terms of ISP popularity for the bad bot cybercriminal, Amazon.com was the most popular bad bot source with 10.8% of all bad bot traffic, and on the mobile ISP side, 4.4% of bad bot traffic originated at Smart Communications.
Countries at war with the bad bot
The USA is the country most targeted by bad bot activity according to the Imperva report. The USA must withstand 37.2% of all bad bot traffic, globally. The next most targeted country is China with 8.3% of bad bot traffic, significantly less than the USA. The United Kingdom is in third place with 6.9% of bad bots targeting individuals and companies in the country.
Bad bots look set to continue to dominate bot traffic on the internet. The Rise of the Bad Bot: Part Two will look at how bots affect different industry sectors and what a company can do to protect itself and its customers from the scourge of the bad bot.