Decrypting Cyber Threats: Insights from Breaking (Bad) Bots

November 28, 2023 (6 min read)

I joined Arkose Labs six months ago because the company’s mission to make the digital world safe for everyone resonated with me. But at the time, I didn’t have a full appreciation for the threat landscape – its quick shifts, motivations behind attacks, and the disturbing downstream effects that jolt enterprises and traumatize consumers. 

All of that crystallized when I had the opportunity to work on our latest quarterly report, “Breaking (Bad) Bots: Bot Abuse Analysis and other Fraud Benchmarks.” 

This research is distinct from other published cyberattack reports in that it analyzes, over time, adversaries' execution of attacks using malicious bots and fraud farms. And the impact on enterprises is substantial. Our threat researchers observed a 121% increase in total attacks (from bots and fraud farms) in Q2 over Q1 2023 on our customer base, which is made up of the biggest B2C companies in the world. 

The harm is downright disturbing for consumers. The latest FBI IC3 report shows U.S. consumers reported losing nearly $3 billion to online account-related schemes. (That figure is likely much larger if you add in unreported losses.)

I’ve concluded that today bots are the most dangerous, invasive species for enterprise websites and apps because much of the traffic enterprises experience isn’t even a real person. Just how alarming is the proliferation of these bots? Read on for some key report findings.

Breaking (Bad) Bots: Bot Abuse Analysis and Other Fraud Benchmarks

The Escalation of Bot Attacks

The sheer volume of bot risks can overwhelm enterprises’ defenses. The sophistication and velocity of bot attacks require a highly performant and specialized defense strategy that many companies are still trying to figure out. And the disproportionate share of traffic from bots wastes resources and distorts sites’ revenue-generating activities and business metrics. To wit, malicious bot attacks escalated 167% in Q2 over Q1 2023.

But not all bots are the same. We categorize bots into two different types:

  1. Intelligent bots, which are capable of complex, context-aware interactions
  2. Basic bots, which are limited and perform simple, repetitive tasks

Intelligent bot attacks increased 291% in Q2 over Q1 while basic bot attacks increased 163% during the same time period. The increases are staggering, especially when you consider that enterprise security professionals have experienced major budget cuts this year and continue to face labor shortages combined with a growing skills gap.  

And here’s an interesting point that unfortunately tilts the advantage to adversaries: As the security skills gap widens, the attacker skills gap closes. 

Cybercrime-as-a-Service (CaaS), a trend that began to emerge about a year ago, is one major reason for the increase in bot-led attacks. Our threat intelligence researchers have observed more bad actors using bots to attack at machine speed and at volumes never before seen.

Adversaries with technical skills have always been able to earn more money attacking enterprises with bots they developed than adversaries using manual attack approaches. But today, highly technical adversaries are spreading the proverbial wealth by developing malicious bots and selling them to fraudsters who may be newbies. Technical adversaries often also provide training and even support to help their “customers” launch successful attacks. 

Our founder and CEO Kevin Gosschalk explained it this way: 

“The massive rise of CaaS has completely changed the economics for adversaries. It’s much cheaper to attack companies and the attacks are just better because it’s a dev shop that is doing the attacks instead of just individual cybercriminals.”

A Diverse Range of Threats 

Adversaries use bots to perpetrate a wide variety of attack types: fake account creation; website scraping; manipulation of account management and customer support, including password resets; and account takeovers, including credential stuffing. The Breaking (Bad) Bots analysis uncovered that most intelligent bots are used to conduct fake account creation attacks (68%), followed by scraping (16%).

It also exposed the most attacked industries by bot-led incursions (% increase from Q1 to Q2):

  • travel and hospitality (1,515%)
  • streaming media (334%)
  • social media (216%)
  • financial services (156%) 

As you can see, the current bot threat landscape reflects a rolling barrage where the attacks are incessant. Bots are go-to tools for volumetric attacks that are now easily obtained and deployed by the least experienced bad actors so that they can make massive amounts of money. 

And that’s the core of the matter. Money is the #1 motivating factor for adversaries – and at the same time their Achilles heel. Fortunately, there’s a point where attacks become nonviable: when the effort to attack eats so much into adversaries’ profits that they abandon their efforts against a particular website or app.

World-Class Bot Defense

A critical aspect of how enterprises can block bots, immediately and permanently, uses adversaries’ own weight against them. Here are a few ways that Arkose Labs blocks bots for some of the biggest companies in the world, leveraging the philosophy that by increasing adversaries’ effort-to-attack ratio, the bad actors will move to less-protected targets.  

  1. Proactive Defense: Enterprises detecting and mitigating attacks before they can wreak havoc have a competitive edge. By using passive authentication, like device intelligence and behavioral biometrics, enterprises detect and stop bots while creating a delightful experience for genuine consumers. 
  2. Adaptive Response: Distinguishing suspicious traffic from legitimate user behavior requires finesse, not just crude blocking tools that throw the good out with the bad. Our approach is differentiated because of its dynamic interdiction that traps bots without sacrificing legitimate consumer experience. Our CAPTCHA challenges become progressively harder for suspicious and/or malicious traffic while remaining easy for good consumers to solve, if consumers even see them in the first place. Every time an adversary fails to solve a CAPTCHA, their cost to attack increases.
  3. Actionable Data: We’re in the trenches daily with our customers. To help them tune their internal security models, we provide more than 125 risk signals to drive precise, transparent decisioning. This data is a valuable input to downstream risk and fraud prevention tools.
  4. Guaranteed Impact: Not only does Arkose Labs provide enterprises a 24/7/365 customer SOC and world-class care with industry-best service, as rated by G2, but we also back up the efficacy of our technology with industry-first warranties that add a layer of confidence for companies working with us.

In just a short period of time – six months – I’ve come to have a deep understanding of the underbelly of the threat landscape, the world of bad bots, and how adversaries leverage them to do harm at a massive scale. But I’ve also learned that technology with high efficacy really can be used effectively to give an edge to those fighting the good fight.    

Want to know more about how Arkose Labs can help your enterprise beat back the bots? Book a demo today.