Bad bots are getting worse – the complicated world of bot attacks and account takeover fraud

By Mélisande Mual – The Paypers

The global push for digitisation has created the perfect environment for fraudsters to operate at scale, in three ways. Firstly, with data breaches happening on a daily basis, there is no shortage of stolen credentials available for purchase. Secondly, the number of digital transactions is ever-increasing, so financial institutions process more transactions every day. Finally, technologies such as automation tools and bots have become cheaper and more widely available than ever before. Together, these developments make bot attacks increasingly cheap, scalable and dangerous.


Bot attacks (also known as botnet attacks or malicious bot attacks) happen when a cybercriminal uses a collection of internet-connected devices to cause harm in various ways. These devices are often infected with malware (commonly called a virus) that gives the hacker complete access to and control over the device, which the hacker then integrates into a botnet. These botnets can include thousands of devices, all controlled by a single hacker.


Botnets can be used for various purposes. Firstly, they can carry out Distributed Denial of Service (DDoS) attacks, in which a large number of devices send requests to a server or web page at the same time, flooding its bandwidth and disrupting legitimate traffic. This makes websites and APIs slower than usual, or even completely unavailable to customers, which disrupts the business. According to Gartner, downtime caused by bot attacks costs USD 5,600 on average. Secondly, they can be used for data scraping: competitors of a business use botnets to gather pricing data or published content from its websites in order to undercut those prices or republish the content elsewhere, which damages SEO rankings and skews analytics. Lastly, they can be used for credential stuffing, the practice of trying to log in with credentials stolen from other websites. If a user has reused a password across two accounts, the bot can take over the second account, which leads to account takeover fraud.


“These botnets can include thousands of devices, all controlled by a single hacker.” 


Account takeover fraud is a type of identity theft in which a cybercriminal gains access to a digital account, e.g. an email, bank or social media account, that does not belong to them. According to LexisNexis, 69% of fraud in mid/large ecommerce businesses and 55% of fraud in mid/large retailers was made up of account takeover fraud and fraudulent account creation in 2019. This is unsurprising, as Akamai found more than 85 trillion credential stuffing attacks on their customer base: in the US alone, account takeover fraud cost USD 4 billion. Account takeover fraud has become heavily automated and offers a huge return on investment for a cybercriminal at relatively little risk. This return stems from the versatility of a compromised account: a fraudster can make purchases with it, open new credit cards or other accounts in the victim's name, or simply transfer money to an account they control.


However, there are several ways in which botnets and account takeover fraud can be prevented or fought. On the consumer side it is paramount that strong passwords are used, and never re-used, for example by using a password manager: this prevents a credential stolen from one site from being replayed to gain entry to your other accounts.


Businesses are constantly fighting to prevent bot attacks. However, where static security solutions such as a Web Security Appliance (WSA) or Web Application Firewall (WAF) were previously enough to stop bot attacks, rapidly evolving bot technology now calls for more sophisticated and dynamic solutions, harnessing the power of AI and advanced cryptographic challenges.


Account takeovers are hard to prevent, and the space is further complicated by the recent emergence of human malicious actors in the form of sweatshops, which can execute account takeovers with a high level of sophistication and circumvent defences aimed only at bots. However, businesses are developing solutions that use data such as device ID fingerprinting, geolocation and behavioural biometrics to detect fraudulent account takeovers and protect against them. Many companies stress that there is no ‘silver-bullet solution’ for account takeover fraud: it is a continuous threat that always takes on new shapes, requiring solutions that keep developing in turn.
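The two detection ideas in this article, spotting credential stuffing (many usernames tried from one source, mostly failing) and spotting a takeover of an individual account through device and geolocation signals, can be combined into a single scoring pass over login events. The script below is an added example written for this page; it is not code from The Paypers or from any vendor named in the article. The log format, field names (`ts`, `user`, `ip`, `device`, `country`, `ok`), thresholds and score weights are all assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict

# Constructed sample login events in JSON-lines form. Field names and values
# are assumptions for this example; a real service would use its own schema.
SAMPLE_LOG = """\
{"ts": 1,  "user": "alice", "ip": "198.51.100.7", "device": "dev-A", "country": "NL", "ok": true}
{"ts": 2,  "user": "bob",   "ip": "198.51.100.8", "device": "dev-B", "country": "NL", "ok": true}
{"ts": 3,  "user": "alice", "ip": "198.51.100.7", "device": "dev-A", "country": "NL", "ok": false}
{"ts": 4,  "user": "alice", "ip": "198.51.100.7", "device": "dev-A", "country": "NL", "ok": true}
{"ts": 10, "user": "carol", "ip": "203.0.113.5",  "device": "dev-X", "country": "RO", "ok": false}
{"ts": 11, "user": "dave",  "ip": "203.0.113.5",  "device": "dev-X", "country": "RO", "ok": false}
{"ts": 12, "user": "erin",  "ip": "203.0.113.5",  "device": "dev-X", "country": "RO", "ok": false}
{"ts": 13, "user": "frank", "ip": "203.0.113.5",  "device": "dev-X", "country": "RO", "ok": false}
{"ts": 14, "user": "bob",   "ip": "203.0.113.5",  "device": "dev-X", "country": "RO", "ok": true}
{"ts": 20, "user": "alice", "ip": "198.51.100.9", "device": "dev-A", "country": "NL", "ok": true}
"""

# Assumed weights for the account-takeover signals discussed in the article.
WEIGHTS = {"new_device": 2, "new_country": 2, "stuffing_source": 4}


def parse_events(text):
    """Parse JSON-lines login events and return them ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def flag_stuffing_sources(events, min_attempts=5, min_distinct_users=4, min_fail_rate=0.8):
    """Return the set of source IPs whose traffic looks like credential stuffing:
    many attempts spread over many different usernames, mostly failing.
    The whole batch is treated as one window; a production detector would
    use a sliding time window and tune these (assumed) thresholds per service."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["attempts"] += 1
        stats["failures"] += 0 if e["ok"] else 1
        stats["users"].add(e["user"])
    flagged = set()
    for ip, stats in per_ip.items():
        fail_rate = stats["failures"] / stats["attempts"]
        if (stats["attempts"] >= min_attempts
                and len(stats["users"]) >= min_distinct_users
                and fail_rate >= min_fail_rate):
            flagged.add(ip)
    return flagged


def score_successful_logins(events, stuffing_ips, alert_threshold=4):
    """Score each successful login against the user's own history (devices and
    countries seen on earlier successful logins) and against the stuffing
    verdict for its source IP. Returns the logins that reach the threshold."""
    history = defaultdict(lambda: {"devices": set(), "countries": set()})
    alerts = []
    for e in events:
        if not e["ok"]:
            continue  # only successful logins can be takeovers
        hist = history[e["user"]]
        reasons = []
        # A user's very first success is treated as enrolment, so it produces
        # no novelty signal; later successes are compared with that baseline.
        if hist["devices"]:
            if e["device"] not in hist["devices"]:
                reasons.append("new_device")
            if e["country"] not in hist["countries"]:
                reasons.append("new_country")
        if e["ip"] in stuffing_ips:
            reasons.append("stuffing_source")
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= alert_threshold:
            alerts.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                           "score": score, "reasons": reasons})
        hist["devices"].add(e["device"])
        hist["countries"].add(e["country"])
    return alerts


def analyse(text):
    """Run both detectors over a log and return (stuffing IPs, takeover alerts)."""
    events = parse_events(text)
    stuffing_ips = flag_stuffing_sources(events)
    return stuffing_ips, score_successful_logins(events, stuffing_ips)


if __name__ == "__main__":
    ips, alerts = analyse(SAMPLE_LOG)
    print("credential-stuffing sources:", sorted(ips))
    for alert in alerts:
        print("takeover alert:", alert)
```

On the constructed sample, the run of failed logins against five different usernames from one address marks that address as a stuffing source, and the one success it eventually achieves (`bob`, from a device and country never seen on that account) is the only login that raises an alert. Alice's later login from a different IP but her usual device and country scores zero, which is the point of combining signals rather than alerting on any single change.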


Even though some businesses use sophisticated fraud prevention methods, many companies are unable even to detect bot attacks, much less prevent them. Because of this, rates of bot attacks and account takeover are not likely to fall in the near future. In fact, The Open Web Application Security Project (OWASP) predicts that by 2021, 50% of all internet traffic will be generated by malicious bots. Therefore, it is paramount for consumers and businesses alike to prepare themselves for this rapidly growing threat.


About the author

Mélisande Mual is the publisher and managing director of The Paypers. The Paypers is one of the pioneering media outlets of the payments industry, serving as the go-to source of information for the global digital transaction community since 2008.