Ever wanted to buy a new pair of sneakers online but found them always unavailable? Or got locked out of elusive concert tickets, limited-edition watches or computer graphics cards?
While some items may genuinely be popular, sometimes bots run by unscrupulous scalpers may be behind the problem. These programs continually spam a website to register or buy these exclusive items, depriving real users a chance to do so.
Bad bots, or automated software applications with malicious intent, also are involved in taking over accounts or scraping content or prices from other websites, according to cybersecurity firm Imperva.
In a report released in May, it revealed that more than a third of all Internet traffic in Singapore was down to bad bots. This was the second highest in the world, just behind Germany.
As more businesses make their processes digital, the number of targets grow for such bots, said Reinhart Hansen, the director of technology at Imperva.
And bots are becoming harder to detect because they now mimic human behaviour to overcome traditional defences set up to ward them off, he told Techgoondu, in this month’s Q&A.
NOTE: Responses have been edited for brevity and style.
Q: Why has Singapore faced many bad bots and what does that mean for consumers and businesses here?
A: Singapore has ranked high in the most attacked countries list for several years. During the pandemic, as digital transformation accelerated, more business in Singapore was conducted online.
When more digital services are available and more business is transacted online, there are more targets and more incentives for bot operators to target.
Every online business needs to care about bad bot traffic because it is likely to be the first indicator of online fraud activities. Failing to manage this growing problem is a business risk.
Successful bot attacks lead to account compromise, higher infrastructure and support costs, customer churn, and degraded online services. Organisations should invest in advanced bot protection to safeguard their customers’ interests, minimise the costs associated with fraud, and reduce compliance risk.
At the same time, consumers need to be aware that their data is at risk, especially in regards to account takeover (ATO) attacks where cybercriminals gain access to personal and financial information within online accounts using stolen passwords and usernames.
Consumers can mitigate the risk by practicing good security hygiene such as setting unique passwords in all their online accounts and being mindful of where they store any financial information.
Q: Briefly, how are these bots doing harm to victims? Are they taking over accounts or used to buy up scarce collectibles like sneakers?
A: Bots are a persistent, 24/7 threat to a business’ websites, mobile apps, and their frontend APIs (application programming interfaces). Bot operators use bots to automate tasks at scale in a number of ways – spreading misinformation, scraping data, hoarding inventory, and conducting fraud.
The three most common bot attacks in 2021 were ATO, content or price scraping, and scalping to obtain limited-availability items.
As mentioned above, ATO attacks are where cybercriminals compromise online accounts using stolen passwords and usernames.
If successful, the implications of an ATO are extensive. For customers, ATO attacks can lock them out of their account, while fraudsters gain access to their sensitive information such as credit card data, account funds, and health records.
For a business, they must handle the high costs associated with ATO including increased customer support costs, revenue loss, tarnished reputation, and potential penalties for regulatory non-compliance.
Content or price scraping attacks use bots to extract content and data from a website. A scraping attack can have impactful effects, especially when competitors scrape your prices to beat you in the marketplace and/or damage your search rankings.
Scalping bots such as Grinch bots essentially go out and buy all the available inventory of a very popular or newly launched item, with the intent to resell it at a substantially higher price.
For example, bots are frequently used to buy popular concert tickets as well as scarce collectibles or gaming systems that are then resold on another site for a much higher price.
And yes, while the retailer still generates a sale in the short-term, the long-term value of a bot does not equate to the same value as a satisfied customer who regularly returns to buy additional products.
Bots degrade the customer experience by slowing down a website and making products unavailable for purchase, forcing customers to go elsewhere. Once they’ve made the switch, they may never return.
Q: What has made these bad bots proliferate today?
A: Organisations have rushed to improve their online operations to stay in business since the beginning of the global pandemic in 2020.
It meant the creation of more digital services, new online functionality, and the development of expansive API ecosystems.
Unfortunately, this array of new endpoints is a ripe target for automated abuse. Whenever a new way of transacting online emerges, cybercriminals will look for ways to exploit this using bot-based automation.
Q: What are businesses in Asia-Pacific doing to counter the threat and what more can they do?
A: Traditionally, organizations could protect their site with a few tweaks and configurations to block bad bots. However, the 2022 Imperva Bad Bot Report found that this approach no longer works.
Bot operators are constantly evolving their tactics, and bots are increasingly hard to detect and stop – often because they closely mimic human behavior.
Without an advanced bot protection solution, it’s almost impossible to keep up with the evolving and continued threat of bad bots.
Organisations should invest in advanced bot protection to safeguard their customers’ interests, minimise the costs associated with fraud, and reduce compliance risk.
