Russian and Chinese bots leeching billions from largest companies

Most malicious bot attacks, costing billions to large companies, originate in Russia and China, new research by the bot detection and response specialist Netacea reveals.

Ransomware payments, averaging $1.5 million, seem like lunch money compared to the annualized costs inflicted by malicious bots on large companies. The average sum lost per company has now reached $85.6 million, and 99% of companies said they had seen an increase in automated attack volumes.

Compared with an average online revenue of $1.9 billion per company, bot damage corresponds to a total of 4.3% of their online income. Netacea included 440 large firms in its research from across the UK and US.

Researchers found that the losses are equivalent to 19 average data breach costs, or “over fifty average ransomware payouts, or the 8th highest ever GDPR fine – every single year.”

“Big ransomware attacks and GDPR fines grab headlines, but what we’ve uncovered is more insidious, and far more costly to businesses – what we’ve called death by a billion bots,” said Andy Still, Co-Founder of Netacea. “The cumulative effect of these attacks is wiping tens of millions of dollars in value from online businesses, not to mention the effect on their reputations and operations, yet this activity is low-key enough to remain undetected for months.”

Across the travel, entertainment, ecommerce, financial services, and telecoms sectors, 72% of businesses had suffered attacks originating in China and 66% from Russia.

Overall, over half (53%) of all bot attacks came from these two countries, with Russian threats increasing by 82% in just the last two years, according to the research.

Rob Black, Lecturer in Information Activities at Cranfield University, compares the situation to a “slow bleeding of wealth from organizations not aligned with the hostile actors’ objectives.”

Malicious automation lets attackers run many attacks that each impose a steady drain on revenue, and it takes the average business four months to detect them.

“One explanation for the success of threat actors is that they are evolving their attacks, with API-based incidents now reported by 40% of businesses,” said Cyril Noel-Tagoe, Principal Security Researcher at Netacea.

The targeting of mobile apps, seen by attackers as a less fortified avenue, surpassed web-based attacks for the first time.

Methods used by bot operators

There are many methods to siphon value from companies using automated bots, the top three attack types being Sniping, Credential Stuffing, and Scraping.

Sniping: sniper bots monitor time-based activity and submit information at the very last moment, removing the opportunity for other people to respond to that action; a typical example is last-second bidding on online auction sites. Nine percent of the highest-turnover companies said sniping cost them at least $260m of their annual online revenues.

Scalping: scalper bots purchase limited or high-demand goods, such as event tickets, in a fraction of the time it would take any legitimate user. 45% of companies with online revenues of $2.6bn reported that it cost them more than 5% of online revenues.

Scraping: bots gather content or data from websites. While some are beneficial, other scraper bots, such as content and price scrapers, act with malicious intent and can cause serious harm; attackers also use bots to clone a website for use in phishing campaigns. Almost a third of companies said scraping costs them over 5% of online revenues.

Credential stuffing: bots replay previously leaked username and password pairs against target services or APIs at mass scale to find which combinations are still valid. For a handful (2%) of leaders, that cost more than 10% of online revenues.

Fake account creation: bots abuse the signup process to create user accounts in bulk, using stolen or fake identities. They are sophisticated enough to bypass many verification checks. Over a quarter of smaller organizations were affected.

Gift Card Fraud: adversaries use bots to validate stolen gift cards or enumerate gift card codes for subsequent use or sale. More than a third (38%) of organizations with total revenues over $5bn said the cost of such attacks was greater than 5% of total online revenues, or at least $130m.

Further indirect losses come from the reputational damage these attacks cause among customers.
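The credential stuffing pattern described above has a recognisable footprint in authentication logs: one source cycling through many distinct usernames in a short window with a high failure rate. The following is an added example, not code from Netacea or the research it published; the log format, the sample lines and the thresholds are assumptions chosen for illustration. It parses constructed login events, applies a sliding-window check per source address, and reports the accounts whose leaked credentials the bot confirmed as valid, since those are the ones a defender needs to force a password reset on.

```python
"""Heuristic credential-stuffing detector over authentication logs.

Added example (not part of the original research). The log format,
sample data and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, username, outcome.
# 203.0.113.7 tries six different usernames in a few seconds with mostly
# failures, the signature of a bot replaying a leaked credential list.
# The other two sources behave like ordinary users (one typo, one retry).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2024-03-01T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2024-03-01T10:00:04Z 203.0.113.7 erin@example.com FAIL
2024-03-01T10:00:05Z 203.0.113.7 frank@example.com FAIL
2024-03-01T10:00:30Z 198.51.100.4 grace@example.com FAIL
2024-03-01T10:00:45Z 198.51.100.4 grace@example.com SUCCESS
2024-03-01T10:01:10Z 192.0.2.9 heidi@example.com SUCCESS
"""


def parse_log(text):
    """Parse 'ts ip user outcome' lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, outcome = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "ok": outcome == "SUCCESS",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.6):
    """Flag sources that attempted at least `min_users` distinct usernames
    within `window` with a failure ratio of at least `min_fail_ratio`.

    Returns {ip: {"distinct_users", "attempts", "fail_ratio", "successes"}}.
    `successes` lists accounts the bot confirmed as valid (reset candidates).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "fail_ratio": round(ratio, 2),
                    "successes": sorted(e["user"] for e in win if e["ok"]),
                }
                break  # one hit per source is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats}")
```

The thresholds are deliberately conservative so that a single user mistyping a password or retrying is never flagged; in production the same check would run per source, per ASN and per user-agent family, since stuffing bots commonly rotate IPs through proxies to stay under per-address limits.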

“With the fastest growth seen in countries where there is little chance of law enforcement, businesses can only expect these attacks to increase in number,” Still concluded.