I joined Arkose Labs six months ago because the company’s mission to make the digital world safe for everyone resonated with me. But at the time, I didn’t have a full appreciation for the threat landscape – its quick shifts, motivations behind attacks, and the disturbing downstream effects that jolt enterprises and traumatize consumers.
All of that crystallized when I had the opportunity to work on our latest quarterly report, “Breaking (Bad) Bots: Bot Abuse Analysis and other Fraud Benchmarks.”
This research is distinct from other published cyberattack reports in that it analyzes, over time, adversaries’ execution of attacks using malicious bots and fraud farms. And the impact on enterprises is substantial. Our threat researchers observed a 121% increase in total attacks (from bots and fraud farms) in Q2 over Q1 2023 on our customer base, which is made up of the biggest B2C companies in the world.
The harm is downright disturbing for consumers. The latest FBI IC3 report shows U.S. consumers reported losing nearly $3 billion to online account-related schemes. (That figure is likely much larger if you add in unreported losses.)
I’ve concluded that today bots are the most dangerous, invasive species for enterprise websites and apps because much of the traffic enterprises experience isn’t even a real person. Just how alarming is the proliferation of these bots? Read on for some key report findings.
The sheer volume of bot risks can overwhelm enterprises’ defenses. The sophistication and velocity of bot attacks require a highly performant and specialized defense strategy that many companies are still trying to figure out. And the disproportionate share of traffic from bots wastes resources and distorts sites’ revenue-generating activities and business metrics. To wit, malicious bot attacks escalated 167% in Q2 over Q1 2023.
But not all bots are the same. We categorize bots into two different types: intelligent bots and basic bots.
Intelligent bot attacks increased 291% in Q2 over Q1 while basic bot attacks increased 163% during the same time period. The increases are staggering, especially when you consider that enterprise security professionals have experienced major budget cuts this year and continue to face labor shortages combined with a growing skills gap.
And here’s an interesting point that unfortunately tilts the advantage to adversaries: As the security skills gap widens, the attacker skills gap closes.
Cybercrime-as-a-Service (CaaS), a trend that began to emerge about a year ago, is one major reason for the increase in bot-led attacks. Our threat intelligence researchers have observed more bad actors using bots to attack at machine speed and at volumes never before seen.
Adversaries with technical skills have always been able to earn more money attacking enterprises with bots they developed than adversaries using manual attack approaches. But today, highly technical adversaries are spreading the proverbial wealth by developing malicious bots and selling them to fraudsters who may be newbies. Technical adversaries often also provide training and even support to help their “customers” launch successful attacks.
Our founder and CEO Kevin Gosschalk explained it this way:
“The massive rise of CaaS has completely changed the economics for adversaries. It’s much cheaper to attack companies and the attacks are just better because it’s a dev shop that is doing the attacks instead of just individual cybercriminals.”
Adversaries use bots to perpetrate a wide variety of attack types, like fake account creations, website scraping, manipulation of account management/customer support, including password resets, and account takeovers, including credential stuffing. The Breaking (Bad) Bots analysis uncovered that most intelligent bots are used to conduct fake account creation attacks (68%), followed by scraping (16%).
It also exposed the industries most targeted by bot-led incursions (% increase from Q1 to Q2):
As you can see, the current bot threat landscape reflects a rolling barrage where the attacks are incessant. Bots are go-to tools for volumetric attacks that are now easily obtained and deployed by the least experienced bad actors so that they can make massive amounts of money.
And that’s the core of the matter. Money is the #1 motivating factor for adversaries – and at the same time their Achilles heel. Fortunately, there’s a point where attacks become nonviable: when the effort to attack eats so much into adversaries’ profits that they abandon their efforts against a particular website or app.
One critical way enterprises can block bots, immediately and permanently, is to use adversaries’ own weight against them. Here are a few ways that Arkose Labs blocks bots for some of the biggest companies in the world, leveraging the philosophy that by increasing adversaries’ effort-to-attack ratio, the bad actors will move to less-protected targets.
In just a short period of time – six months – I’ve come to have a deep understanding of the underbelly of the threat landscape, the world of bad bots, and how adversaries leverage them to do harm at a massive scale. But I’ve also learned that technology with high efficacy really can be used effectively to give an edge to those fighting the good fight.
Want to know more about how Arkose Labs can help your enterprise beat back the bots? Book a demo today.
This is a Security Bloggers Network syndicated blog from Arkose Labs authored by Heidi Anderson. Read the original post at: https://www.arkoselabs.com/blog/decrypting-threats-insights-breaking-bad-bots