4 Ways Bad Bots Can Wreak Havoc Online


“Technology is neither good nor bad; nor is it neutral,” observed the late American historian Melvin Kranzberg. This most certainly applies to bots, software agents that perform automated tasks online. Bots vary greatly in complexity, from incredibly basic tools composed of just a few lines of code to far more complicated software whose behavior is almost indistinguishable from a human's. That isn't the only way bots vary, however: they are neither all good nor all bad, and there is no shortage of examples at either end.

One example of a “good” bot is the so-called web crawler that indexes websites online so that they can appear in search engine rankings. This allows the information contained on the websites to be discovered by users when they search for a particular query.

But there is also, unfortunately, no shortage of malicious uses of bots, in which cyber attackers use automated software agents to inflict damage on victims or targets.

The disparity between these good and bad — a.k.a. beneficial or harmful — uses of bots is a major reason why any organization should make proper use of a bot manager. Here are four examples of how bots can be used maliciously, and some of the bot management tools which can help.

#1. Credential stuffing attack

Imagine finding a set of dropped house keys and then going from house to house, trying them in every door to see whether they work. You might eventually succeed, but the strategy is so inefficient that no would-be burglar would bother with it. Credential stuffing is the digital equivalent, except that automated bots turn an impractical process into a manageable one, and therefore a dangerous one.

In a credential stuffing attack, cyber criminals use bots to work through a list of stolen or leaked username and password pairs, trying each one against other services in the hope that it works there too, because many users reuse the same password or user name across sites. Once in, attackers can take over the account and use it for nefarious purposes, such as financial theft. Because bots work so quickly, a job that would previously have taken humans days or months can be completed far faster and with minimal human intervention.

#2. Credit card and gift card fraud

Gift cards appeal to scammers and criminals because they are virtually impossible to trace while still carrying a monetary value that can be exchanged for merchandise or, on occasion, cash. In gift card fraud, attackers use bots to break into the accounts used to create or hold gift cards, which they then swap for cash. In a related attack on credit cards, often called card testing, attackers use bots to check whether stolen card details still work by making tiny purchases that are unlikely to be noticed. If the card turns out to be live, the attacker graduates to using it for bigger purchases.
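Both of the attacks described above (the credential stuffing in #1 and the card testing in #2) have the same shape in the server's logs: one automation source tries many different secrets in a short time, and most of the attempts fail. The following is an added example, not code from the original article or from any bot-management product, showing one detector that covers both cases by keying events per source, keeping a sliding time window, and flagging a source whose count of distinct usernames or card tokens and whose failure rate both cross a threshold. The log format, the thresholds, the TEST-NET addresses and the card tokens are all constructed for the demo.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, Optional


@dataclass(frozen=True)
class Event:
    ts: float     # Unix timestamp in seconds
    source: str   # client IP or checkout session that made the attempt
    key: str      # what was tried: a username for logins, a card token for payments
    ok: bool      # True when the login succeeded or the authorization was approved


@dataclass(frozen=True)
class Verdict:
    source: str
    attempts: int
    distinct_keys: int
    failures: int


class VelocityDetector:
    """Flag a source that tries many distinct keys with a high failure rate inside
    a sliding window. Default thresholds are constructed for this demo; tune them
    against real traffic before relying on them."""

    def __init__(self, window_s: float = 60.0, min_attempts: int = 5,
                 min_distinct: int = 4, max_success_ratio: float = 0.25) -> None:
        self.window_s = window_s
        self.min_attempts = min_attempts
        self.min_distinct = min_distinct
        self.max_success_ratio = max_success_ratio
        self._events: Dict[str, Deque[Event]] = defaultdict(deque)

    def observe(self, ev: Event) -> Optional[Verdict]:
        q = self._events[ev.source]
        q.append(ev)
        # Events arrive in time order, so evict from the left until the window fits.
        while q and ev.ts - q[0].ts > self.window_s:
            q.popleft()
        attempts = len(q)
        if attempts < self.min_attempts:
            return None
        distinct = len({e.key for e in q})
        failures = sum(1 for e in q if not e.ok)
        success_ratio = (attempts - failures) / attempts
        if distinct >= self.min_distinct and success_ratio <= self.max_success_ratio:
            return Verdict(ev.source, attempts, distinct, failures)
        return None


def parse_line(line: str) -> Event:
    """Parse a constructed log line '<ts> <source> <key> <result>'; 'OK' means success."""
    ts, source, key, result = line.split()
    return Event(float(ts), source, key, result == "OK")


def scan(lines: Iterable[str], detector: VelocityDetector) -> Dict[str, Verdict]:
    """Return the most recent verdict for every source that tripped the detector."""
    flagged: Dict[str, Verdict] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        verdict = detector.observe(parse_line(line))
        if verdict is not None:
            flagged[verdict.source] = verdict
    return flagged


# Constructed login log. 203.0.113.10 walks a leaked credential list, one try
# per username; 198.51.100.7 is a person who mistypes their password twice.
LOGIN_LOG = """
1700000000 203.0.113.10 alice FAIL
1700000001 203.0.113.10 bob FAIL
1700000002 203.0.113.10 carol FAIL
1700000003 203.0.113.10 dave OK
1700000004 203.0.113.10 erin FAIL
1700000005 203.0.113.10 frank FAIL
1700000010 198.51.100.7 grace FAIL
1700000015 198.51.100.7 grace FAIL
1700000020 198.51.100.7 grace OK
"""

# Constructed authorization log keyed by checkout session. Card values are
# processor-issued tokens (never raw card numbers). sess-42 cycles through
# stolen cards with small purchases; sess-77 is an ordinary checkout.
AUTH_LOG = """
1700000100 sess-42 tok_1a DECLINE
1700000101 sess-42 tok_2b DECLINE
1700000102 sess-42 tok_3c DECLINE
1700000103 sess-42 tok_4d OK
1700000104 sess-42 tok_5e DECLINE
1700000130 sess-77 tok_9z OK
"""


def detect_credential_stuffing() -> Dict[str, Verdict]:
    return scan(LOGIN_LOG.splitlines(), VelocityDetector())


def detect_card_testing() -> Dict[str, Verdict]:
    return scan(AUTH_LOG.splitlines(), VelocityDetector())


if __name__ == "__main__":
    for name, result in (("logins", detect_credential_stuffing()),
                         ("authorizations", detect_card_testing())):
        for src, v in result.items():
            print(f"{name}: {src} tried {v.distinct_keys} distinct keys, "
                  f"{v.failures}/{v.attempts} failed")
```

The detector deliberately ignores the single user who fails twice on their own account: the distinct-key requirement is what separates a forgetful person from a bot, and the failure ratio is what separates a bot from a busy shared NAT address. In production the per-source queues need an upper bound and an eviction policy so that the detector itself cannot be flooded.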

#3. Harvesting of intelligence

As noted, one of the beneficial uses of bots is crawling the web and indexing website content so that search engines work better. That is not the only activity web-crawling bots can perform, however. Malicious actors can use bots to scan websites, web forums, and social media platforms in order to collect identifying information about their users. That information can then be used to mount attacks such as phishing: details discovered about a user's workplace or interests become the hook for tricking them into handing over confidential data.

Web-crawling bots can also harvest assets such as pricing data or branding materials, which can be put to unethical use.
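A scraper that wants the access a search engine's crawler enjoys will often copy that crawler's User-Agent string, so a defender who wants to let legitimate crawlers through while stopping the harvesting described above cannot rely on the header alone. The following added example (not code from the original article) implements the forward-confirmed reverse DNS check that search-engine operators publish for this purpose: reverse-resolve the client address, require the hostname to sit under one of the operator's documented domains, then forward-resolve that hostname and require the original address to be among the answers. The DNS lookups are injected as functions so the block runs offline; the hostname table, the IP addresses and the DNS records below are constructed for the demo, and the Googlebot domain suffixes are the only real values. In production the two callables would wrap `socket.gethostbyaddr` and `socket.getaddrinfo` with a cache, since the check is slow and must not run on every request.

```python
from typing import Callable, Dict, List, Optional, Tuple

ReverseLookup = Callable[[str], Optional[str]]   # ip -> PTR hostname, or None
ForwardLookup = Callable[[str], List[str]]       # hostname -> A/AAAA answers

# Hostname suffixes an operator documents for its crawler. Only Googlebot is
# listed here; maintain this table from each operator's published guidance.
CRAWLER_DOMAINS: Dict[str, Tuple[str, ...]] = {
    "Googlebot": (".googlebot.com", ".google.com"),
}


def claims_crawler(user_agent: str) -> Optional[str]:
    """Return the crawler name the User-Agent claims to be, if any."""
    ua = user_agent.lower()
    for name in CRAWLER_DOMAINS:
        if name.lower() in ua:
            return name
    return None


def verify_crawler(ip: str, user_agent: str,
                   reverse: ReverseLookup, forward: ForwardLookup) -> Tuple[str, str]:
    """Classify a client as 'verified', 'impostor' or 'no-claim', with a reason."""
    name = claims_crawler(user_agent)
    if name is None:
        return "no-claim", "user agent does not claim a known crawler"
    host = reverse(ip)
    if host is None:
        return "impostor", "address has no reverse DNS record"
    host = host.rstrip(".").lower()
    if not host.endswith(CRAWLER_DOMAINS[name]):
        return "impostor", f"{host} is not under a documented {name} domain"
    # The PTR zone belongs to whoever owns the address block, so it can be faked;
    # the forward zone belongs to the crawler operator, so it cannot.
    if ip not in forward(host):
        return "impostor", f"{host} does not resolve back to {ip}"
    return "verified", f"{host} resolves back to {ip}"


# Constructed DNS data (TEST-NET addresses, invented hostnames).
_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",   # genuine crawler
    "192.0.2.20": "scraper.example.net.",             # honest PTR, wrong domain
    "192.0.2.30": "crawl-192-0-2-30.googlebot.com.",   # PTR faked by the block owner
}
_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "scraper.example.net": ["192.0.2.20"],
    # the operator's zone has no record for the faked name
}


def fake_reverse(ip: str) -> Optional[str]:
    return _PTR.get(ip)


def fake_forward(host: str) -> List[str]:
    return _A.get(host, [])


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, *verify_crawler(ip, GOOGLEBOT_UA, fake_reverse, fake_forward))
```

A client that fails the check is not proven malicious, only proven not to be the crawler it claims to be; the sensible response is to treat it as any other anonymous client (rate limits, no crawler allow-listing) rather than to block it outright.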

#4. DDoS attacks

A DDoS (distributed denial-of-service) attack aims to bring down a website or online service by overwhelming it with enormous quantities of fraudulent traffic. Where does that traffic come from? Bots, of course. By using malware to infect vulnerable internet-connected devices such as computers and Internet of Things (IoT) gadgets, attackers assemble vast botnets of thousands of devices. These can then be awakened, sleeper-agent style, and pointed at a particular target. In many cases the rightful owners of those devices won't even realize that they own an infected machine. The one party who certainly will know? The target of the DDoS attack.
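The application-layer building block behind most anti-DDoS and WAF request limiting is a per-client token bucket, which the paragraph above does not spell out. The following added example (not code from the original article or from any product) implements one: every client key gets a bucket that holds at most `burst` tokens and refills at `rate` tokens per second, and a request is served only if it can spend a token. A human browsing at a normal pace never empties the bucket, while a bot firing continuously is throttled down to `rate` once its burst is gone. The clock is injectable so the replay below is deterministic; the traffic mix, rates and key names are constructed for the demo. The caveat a practitioner should keep in mind is that this only helps against floods the host can still receive: a volumetric attack that saturates the network link has to be absorbed upstream, and no on-host code can fix that.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Bucket:
    tokens: float   # tokens currently available
    updated: float  # clock reading at the last refill


class TokenBucketLimiter:
    """One bucket per client key (IP, session, API key). A bucket holds at most
    `burst` tokens and refills at `rate` tokens/second; a request spends one."""

    def __init__(self, rate: float, burst: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rate = rate
        self.burst = burst
        self.clock = clock   # injectable so the replay below runs on a fake clock
        self._buckets: Dict[str, Bucket] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = Bucket(tokens=float(self.burst), updated=now)
            self._buckets[key] = bucket
        # Refill in proportion to elapsed time, never above the burst size.
        bucket.tokens = min(float(self.burst),
                            bucket.tokens + (now - bucket.updated) * self.rate)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


class FakeClock:
    """Deterministic clock for the replay; real deployments use time.monotonic."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(rate: float = 2.0, burst: int = 10, ticks: int = 40,
             tick_s: float = 0.25) -> Dict[str, Dict[str, int]]:
    """Replay a constructed 10-second traffic mix through one limiter: a human
    sending one request per second and a bot sending one every tick (4/s)."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate=rate, burst=burst, clock=clock)
    counts = {k: {"allowed": 0, "dropped": 0} for k in ("human", "bot")}

    def record(key: str) -> None:
        counts[key]["allowed" if limiter.allow(key) else "dropped"] += 1

    for tick in range(ticks):
        record("bot")
        if tick % 4 == 0:
            record("human")
        clock.advance(tick_s)
    return counts


if __name__ == "__main__":
    for key, result in simulate().items():
        print(f"{key}: {result['allowed']} allowed, {result['dropped']} dropped")
```

With the demo parameters the bot gets its 10-token burst plus roughly two requests per second afterwards (29 of its 40 requests served), while the human is never throttled. The bucket state is kept in process memory here; behind a load balancer it would live in a shared store so that every node sees the same counts.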

Protection against bad bots

The bad news is that the usage of bots continues to ramp up. The good news is that there are more and more tools available to help fight back — while still allowing legitimate users and bots to access websites as required.

Some of these tools include anti-DDoS measures that spot and stop DDoS attacks, cloud WAFs (web application firewalls) and gateway WAFs that filter bad traffic from good, and RASP (runtime application self-protection), which defends applications from within at runtime. By employing a range of these tools, users can protect themselves against bad bot attacks.

This is one scenario in which bringing in the experts to help is a great, transformative idea.