
CISOs, Know Your Enemy: An Industry-Wise Look At Major Bot Threats

March 21, 2019 — by Abhinaw Kumar


According to a study by the Ponemon Institute in December 2018, bots comprised over 52% of all Internet traffic. While ‘good’ bots discreetly index websites, fetch information and content, and perform useful tasks for consumers and businesses, ‘bad’ bots have become a primary and growing concern to CISOs, webmasters, and security professionals today. They carry out a range of malicious activities, such as account takeover, content scraping, carding, form spam, and much more. The negative impacts resulting from these activities include loss of revenue and harm to brand reputation, theft of content and personal information, lowered search engine rankings, and distorted web analytics, to mention a few.

For these reasons, researchers at Forrester recommend that, “The first step in protecting your company from bad bots is to understand what kinds of bots are attacking your firm.” So let us briefly look at the main bad bot threats CISOs have to face, and then delve into their industry-wise prevalence.

Bad Bot Attacks That Worry CISOs The Most

The impact of bad bots results from the specific activities they’re programmed to execute. Many of them aim to defraud businesses and/or their customers for monetary gain, while others involve business competitors and nefarious parties who scrape content (including articles, reviews, and prices) to gain business intelligence.


  • Account Takeover attacks use credential stuffing and brute force techniques to gain unauthorized access to customer accounts.
  • Application DDoS attacks slow down web applications by exhausting system resources, third-party APIs, inventory databases, and other critical resources.
  • API Abuse results from nefarious entities exploiting API vulnerabilities to steal sensitive data (such as personal information and business-critical data), take over user accounts, and execute denial-of-service attacks.
  • Ad Fraud is the generation of false impressions and illegitimate clicks on ads shown on publishing sites and their mobile apps. A related form of attack is affiliate marketing fraud (also known as affiliate ad fraud) which is the use of automated traffic by fraudsters to generate commissions from an affiliate marketing program.
  • Carding attacks use bad bots to make multiple payment authorization attempts that verify stolen payment card data, trying different expiry dates and security codes until a combination is accepted. These attacks also target gift cards, coupons and voucher codes.
  • Scraping is a strategy often used by competitors who deploy bad bots on your website to steal business-critical content, product details, and pricing information.
  • Skewed Analytics is a result of bot traffic on your web property, which skews site and app metrics and misleads decision making.
  • Form Spam refers to the posting of spam leads and comments, as well as fake registrations on marketplaces and community forums.
  • Denial of Inventory is used by competitors/fraudsters to deplete goods or services in inventory without ever purchasing the goods or completing the transaction.

Industry-wise Impact of Bot Traffic

To illustrate the impact of bad bots, we aggregated all the bad bot traffic that was blocked by our Bot Manager during Q2 and Q3 of 2018 across four industries selected from our diverse customer base: E-commerce, Real Estate, Classifieds & Online Marketplaces, and Media & Publishing. While the prevalence of bad bots can vary considerably over time and even within the same industry, our data shows that specific types of bot attacks tend to target certain industries more than others.



E-commerce

Intent-wise distribution of bad bot traffic on E-commerce sites (in %)

Bad bots target e-commerce sites to carry out a range of attacks — such as scraping, account takeovers, carding, scalping, and denial of inventory. However, the most prevalent bad bot threat encountered by our e-commerce customers during our study was attempted affiliate fraud. Bad bot traffic made up roughly 55% of the overall traffic on pages that contain links to affiliates. Content scraping and carding were the most prevalent bad bot threats to e-commerce portals two to five years ago, but the latest data indicates that attempts at affiliate fraud and account takeover are growing rapidly compared to earlier years.

Real Estate

Intent-wise distribution of bad bot traffic on Real Estate sites (in %)

Bad bots often target real estate portals to scrape listings and the contact details of realtors and property owners. However, we are seeing growing volumes of form spam and fake registrations, which have historically been the biggest problems caused by bots on these portals. Bad bots comprised 42% of total traffic on pages with forms in the real estate sector. These malicious activities anger advertisers, reduce marketing ROI and conversions, and produce skewed analytics that hinder decision making. Bad bot traffic also strains web infrastructure, affects the user experience, and increases operational expenses.

Classifieds & Online Marketplaces

Intent-wise distribution of bad bot traffic on Classifieds sites (in %)

Along with real estate businesses, classifieds sites and online marketplaces are among the biggest targets for content and price scrapers. Their competitors use bad bots not only to scrape their exclusive ads and product prices to illegally gain a competitive advantage, but also to post fake ads and spam web forms to access advertisers’ contact details. In addition, bad bot traffic strains servers, third-party APIs, inventory databases and other critical resources, creates application DDoS-like situations, and distorts web analytics. Bad bot traffic accounted for over 27% of all traffic on product pages from where prices could be scraped, and nearly 23% on pages with valuable content such as product reviews, descriptions, and images.

Media & Publishing

Intent-wise distribution of bad bot traffic on Media & Publishing sites (in %)

More than ever, digital media and publishing houses are scrambling to deal with automated attacks such as scraping of proprietary content and ad fraud. The industry is beset with high levels of ad fraud, which hurts advertisers and publishers alike. Comment spam often derails discussions and results in negative user experiences. Bot traffic also inflates traffic metrics and prevents marketers from gaining accurate insights. Over the six-month period that we analyzed, bad bots accounted for 18% of overall traffic on pages with high-value content, 10% on ads, and nearly 13% on pages with forms.

As we can see, security chiefs across a range of industries are facing increasing volumes and types of bad bot attacks. What can they do to mitigate malicious bots that are rapidly evolving in ways that make them significantly harder to detect? Conventional security systems that rely on rate-limiting and signature-matching approaches were never designed to detect human-like bad bots that rapidly mutate and operate in widely-distributed botnets using ‘low and slow’ attack strategies and a multitude of (often hijacked) IP addresses.
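To make the attack list above and the "low and slow" point concrete, here is a small triage script added as an illustration; it is not Radware's Bot Manager or any code from the post. The access-log line format, the endpoint paths (/login, /checkout/authorize, /product), the thresholds and the sample traffic are all constructed for the example. It runs a conventional per-IP rate limit next to two intent-based checks that aggregate across source IPs, so you can see which detections each approach yields on the same traffic.

```python
import re
from collections import defaultdict, namedtuple

# Constructed access-log format for this example (not any real server's):
#   <ip> <unix_ts> <METHOD> <path> <status> [user=<name>] [bin=<6 digits>]
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\d+) (?P<method>GET|POST) (?P<path>\S+) (?P<status>\d{3})"
    r"(?: user=(?P<user>\S+))?(?: bin=(?P<card_bin>\d{6}))?$")
Request = namedtuple("Request", "ip ts method path status user card_bin")

def parse(lines):
    """Parse log lines; a malformed line is skipped rather than aborting triage."""
    reqs = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            reqs.append(Request(d["ip"], int(d["ts"]), d["method"], d["path"],
                                int(d["status"]), d["user"], d["card_bin"]))
    return reqs

def rate_limited_ips(reqs, max_per_window=20, window=60):
    """Conventional control: flag an IP that sends more than max_per_window
    requests inside any window-second span (sliding window over sorted times)."""
    by_ip = defaultdict(list)
    for r in reqs:
        by_ip[r.ip].append(r.ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > max_per_window:
                flagged.add(ip)
                break
    return flagged

def credential_stuffing(reqs, min_users=10, min_ips=2, max_per_user=3):
    """Intent check aggregated across ALL source IPs: failed logins spread over
    many distinct usernames, each tried only once or twice, is the shape of a
    credential-stuffing run even when every IP stays under the rate limit.
    A failure followed by a success for the same (ip, user) is a real user's typo."""
    succeeded = {(r.ip, r.user) for r in reqs
                 if r.path == "/login" and r.status == 200 and r.user}
    failed = [r for r in reqs if r.path == "/login" and r.method == "POST"
              and r.status == 401 and r.user and (r.ip, r.user) not in succeeded]
    users = {r.user for r in failed}
    ips = {r.ip for r in failed}
    per_user = len(failed) / len(users) if users else 0.0
    return {"failed_logins": len(failed), "distinct_users": len(users),
            "distinct_ips": len(ips), "attempts_per_user": per_user, "ips": ips,
            "flagged": len(users) >= min_users and len(ips) >= min_ips
                       and per_user <= max_per_user}

def carding(reqs, min_bins=5):
    """Declined authorizations cycling through many distinct card BINs from one
    IP look like card-validity testing, not a shopper retrying one card."""
    bins_by_ip = defaultdict(set)
    for r in reqs:
        if (r.path == "/checkout/authorize" and r.method == "POST"
                and r.status == 402 and r.card_bin):
            bins_by_ip[r.ip].add(r.card_bin)
    return {ip: len(b) for ip, b in bins_by_ip.items() if len(b) >= min_bins}

def bad_share(reqs, flagged_ips, path_prefix):
    """Percentage of requests under path_prefix from flagged IPs (the per-page-class figure the post quotes)."""
    hits = [r for r in reqs if r.path.startswith(path_prefix)]
    return 100.0 * sum(r.ip in flagged_ips for r in hits) / len(hits) if hits else 0.0

def sample_log():
    """Constructed traffic: one noisy scraper, one distributed low-and-slow
    credential-stuffing run (8 IPs, one try per minute), one carding session,
    two real users, and one unparseable line."""
    lines = [f"203.0.113.5 {1000 + i} GET /product/{i} 200" for i in range(25)]
    lines += [f"10.0.0.{i % 8 + 1} {2000 + 60 * i} POST /login 401 user=victim{i}"
              for i in range(16)]
    lines += [f"10.0.1.9 {3000 + 30 * i} POST /checkout/authorize 402 bin={411111 + i}"
              for i in range(6)]
    lines += ["198.51.100.7 4000 POST /login 401 user=alice",  # typo, then success
              "198.51.100.7 4010 POST /login 200 user=alice",
              "198.51.100.7 4020 GET /product/3 200",
              "198.51.100.8 4030 GET /product/4 200",
              "this line is not in the expected format"]
    return lines

def triage(lines):
    """Run the conventional and the intent-based checks and report both."""
    reqs = parse(lines)
    rl, cs, cd = rate_limited_ips(reqs), credential_stuffing(reqs), carding(reqs)
    flagged = rl | set(cd) | (cs["ips"] if cs["flagged"] else set())
    return {"rate_limited": rl, "credential_stuffing": cs, "carding": cd,
            "flagged_ips": flagged,
            "bad_share_login_pct": bad_share(reqs, flagged, "/login"),
            "bad_share_product_pct": bad_share(reqs, flagged, "/product")}

if __name__ == "__main__":
    for key, value in triage(sample_log()).items():
        print(f"{key}: {value}")
```

On the constructed sample the per-IP rate limit flags only the single noisy scraper, while the eight-IP credential-stuffing run (two attempts per IP, a minute apart) and the six-BIN carding session pass under it untouched; the aggregated intent checks catch both, and the "bad share" figures are the per-page-class percentages the post reports, computed the same way. The thresholds are starting points to tune against your own traffic, and the (ip, user) success exclusion keeps an ordinary mistyped password out of the count.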

The core challenge for any bot management solution, then, is to detect every visitor’s intent to help differentiate between human and malicious non-human traffic. As more bad bot developers incorporate artificial intelligence (AI) to make human-like bots that can sneak past security systems, any effective countermeasures must also leverage AI and machine learning (ML) techniques to accurately detect the most advanced bad bots.

Read “Radware’s 2018 Web Application Security Report” to learn more.



Federal CISO: Superhero Needed

May 16, 2018 — by Carl Herberger


A famous leadership coach said, “Only Superman can leap tall buildings in a single bound, the rest of us must chip away at our goals one day at a time.” What a befitting quote for the position of Federal CISO! This role of organizing, equipping, training and leading the nation’s cybersecurity programs is not only ominous, it has thus far been an utter failure when historically approached.


Risk Management from the CISO Perspective

June 8, 2017 — by Ron Winward


One of my favorite aspects of my role as a Security Evangelist for Radware is that I get the chance to really talk with business leaders about the challenges they face every day when protecting their business. I do a lot of listening, honestly, and I get the chance to learn a lot from these conversations.

Over the past few weeks, Risk and Risk Management have been common topics of discussion. They can be challenging because every business is different and we all face different risks or threats. Some of us have regulatory or compliance controls that we must operate within, which define how we handle certain risks. Others have customers who require that we maintain certain protocols and certifications as a method of protecting their data. Still, others have no programs in place at all.

One of the tasks of the CISO is to assess cyber threats and risks to the organization and to make recommendations on how to protect against them. So what are CISOs and security leaders concerned with right now? Here’s a recap of some of the messages I’ve heard over the past two weeks.

Size and Scope Might Be Indicative of Your Risk Program

“A risk program, you say?” Not all businesses have implemented a risk program. Others live by it. One CISO described how your risk program is likely influenced by the following:

– The purpose of your business
– How many employees you have
– Whether or not you’re a public company
– How long you’ve been in business

For example, a startup may not have a strong risk practice. Perhaps they’re more likely focused on growing a business with limited means. Do they hire a CISO? Probably not immediately (if at all), but maybe their idea, technology, or other intellectual property is the crown jewel of their business. Protecting those assets may be critical to the future of the business.


On the other hand, a multinational financial company could have dozens of regional regulations with which they must comply. These companies have a much more mature risk program. In fact, many global organizations have CISOs dedicated to specific regions to assist with this complexity.

“Everything is unprecedented until it happens for the first time.”

One security leader recently referenced this quote from the movie “Sully” when discussing his risk program. While often used as inspiration, this quote is incredibly relevant in cyber security. Security practitioners share the task of keeping our companies alive, online, and safe.

I think this quote stands on its own.


The CEO Usually Doesn’t Want to Know the Details About Your Risk Program

The CEO wants to know how you’re dealing with risk, but they usually don’t want to know the exact details (unless maybe they need to understand or they are part of risk committees). That’s why they have you, the CISO.

Instead, they need to understand how you are handling risk. Develop a clear and concise summary of your risk profile and what you are doing about it. The CEO needs to be able to tell Board members, shareholders, and customers if, how, and why you're safe, so help him or her develop a clear way to explain your risk program.

Use Internal Auditing as a Tool

Let’s face it, nobody enjoys auditing. However, one CISO I talked with recommends that you embrace it. It can be difficult, but if you trust the process and commit to it, an internal audit can help you reach your security goals.


For example, an internal audit can help find gaps in protections that would ultimately need to be defined as risks. From there, you can define the likelihood of the risk, the impact to the business, and finally make a recommendation to mitigate the risk. Some of this might include budget allocation, which may help you achieve other goals as well.

Telecommuting Employees Are Bad at Backups

Do you have remote employees or contractors? Do they have laptops? Are they backing up data? Several discussions focused on this topic recently, specifically because of the WannaCry outbreak. If you do have remote workers in your network, how are they backing up their laptops? Laptops are usually opened while working and closed while not, meaning the backups have to be completed while open.

If they are backing up, are they using home resources or a central corporate server/resource? If it’s the latter, are they on VPN? Residential internet links don’t always have fast uplink speeds, making remote backups a chore for the user. Even if they run during the day, with slow upload speeds, a user might notice the burden of a saturated uplink on their residential link during the backup and even perhaps abort it, or avoid it altogether.

This recipe creates two common scenarios: telecommuters who either don't back up their data regularly or back up to non-corporate resources. We would all agree that using non-corporate resources to store corporate data presents risk, but so does foregoing backups.

Teach Your Employees About Risk

The CISO is accountable for cyber risk, but everyone should be invested in protecting the company. The good news is that threat awareness inside of organizations seems to be increasing. However, employees must also understand why cyber threats can threaten the business directly. From safe internet browsing to developers coding with security in mind, everyone needs to understand how their activities impact the company's risk profile.


In the same vein, teach your employees that they need to trust you and the IT teams if something has happened. Be approachable and make sure employees understand that they can safely reach out to your team in the event of a suspected issue. We would all rather know about something immediately than find out later, the hard way.

40% of Businesses Don’t Have an Incident Response Plan

Radware’s 2016-2017 Global Application & Network Security Report found that 40% of businesses do not have an incident response plan in place. That number only marginally improved in 2018-2019.

Handling a security crisis can often come down to preparation. Even if you don’t have a security budget, you can still plan for what you will do if you encounter a security problem. Understand who needs to be notified, both internally and externally, as well as who will be involved in your response. Then practice it. Those first few minutes and hours will be critical to how you fare under duress.

Cyber Insurance Can Transfer Risk

The same 2016-2017 report referenced above also found that 70% of businesses do not have cyber insurance. A cyber insurance policy might be a way for you to transfer certain risks away from your organization. However, the feedback in the community is that policies vary drastically and you should have your legal team heavily involved if or when you decide on a policy.


The greatest observation from these discussions is that we all have different levels of risk tolerance. We also have different levels of program maturity. But as security leaders, we understand that how we approach risk is critical to our business. Use risk assessments to help drive your security goals. Gain the attention of the senior leadership in your organization by defining the risks that you face, their likelihood of occurrence, their impact to the business, and your recommendation to mitigate them.

This post was updated on September 11, 2019.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.
