During the pandemic, an online presence has become crucial for a retail business to survive. It has also introduced an additional challenge: hard-to-detect malicious bots are now leeching off already vulnerable businesses.
“Last year, a particularly tough one for legitimate businesses already operating with razor-thin margins thanks to an economic slump, was a bumper year for those who use bots to leech off of those businesses — especially from bad actors who looked to take advantage of a significant shift to online working and retail,” Andy Still, CTO at Netacea, said in a press release.
Netacea, the bot detection and mitigation company, surveyed 440 businesses across the travel, entertainment, eCommerce, financial services, and telecoms sectors in the United States and the UK. The enterprises surveyed had turnovers ranging from $350m to over $7bn.
It found that every sector had a substantial bot problem, with two-thirds of businesses detecting website attacks. 46% of respondents reported mobile apps had been attacked, and 23%—mainly in the financial services—said bots had attacked their APIs.
According to survey respondents, automated bots operated by malicious actors cost businesses an average of 3.6% of their annual revenue. For the worst-affected 25% of businesses, this equates to at least a quarter of a billion dollars ($250 million) every year.
“The biggest problem for most businesses is account checker bots that use breached passwords to take over accounts through credential stuffing, though sniper bots, scalper bots, and scraper bots are not too far behind,” Netacea revealed.
Another common and concerning problem across the cybersecurity industry is the delay between an attack and its discovery. On average, it takes 14 weeks to learn about an attack, which means attackers can operate freely for months before their activity is even noticed.
Netacea highlighted four main types of automated bots. Account checker bots take lists of leaked username and password pairs (combo lists) and test them against a website's login. This is also known as a credential stuffing attack, and it works because people reuse passwords across sites. Scalper bots automate the process of buying limited goods, such as event tickets, completing the checkout process in a fraction of the time it would take any legitimate user. Scraper bots collect large amounts of data from websites for use elsewhere. Sniper bots monitor time-based activity, such as auctions, and submit information at the very last moment, removing the opportunity for other people to respond to that action.
Other bot-driven threats include DDoS attacks, which use a large number of compromised devices (known as a botnet) to overwhelm a website and knock it offline; carding bots that check stolen card details; ad fraud bots; and inventory hoarding bots (similar to scalper bots, but these keep items in baskets to manipulate a site's stock).
“While there is a greater awareness of the threat than in previous years, only 5% of security budgets are being used to target the problem. Businesses need to realize that bots are not a mere nuisance, but a genuine security threat—especially when a business is already struggling because of other factors,” Still said.