What Are Bot Attacks (and How To Mitigate Them)
Cybercriminals are constantly looking for ways to bypass security deployments and gain access to sensitive accounts and information. In recent years, one of the most troubling developments on this front has been the rise in bot attacks.
Even the most well-defended systems and components are not immune to a bot attack. Relatively secure accounts with multi-factor authentication (MFA) in place of traditional password logins may also fall victim to a persistent threat perpetrated by malicious bots.
In this article, we’ll explain what a bot attack is, what kinds to look out for, and what steps you can take to detect and prevent them.
What is a bot attack?
Bot attacks are cyberattacks that use algorithms and automation to perform illicit actions. Attackers may write scripts to penetrate organizations’ systems, disguise and deploy malware, steal or solicit user information, or perform other cybercrimes.
Because bot attacks can be automated, they significantly expand the reach and capability of cybercriminal pursuits. They power more cybercrime in more ways with every passing year.
Data accumulated and analyzed between 2021 and 2022 suggested that 86% of all cybercrime attacks were bot-driven. What’s worse, the complexity observed in the sample was significantly higher than attacks studied in previous years. So, as bot attacks grow in prevalence, they become harder to differentiate from sophisticated human-led attacks.
This is partly due to the greater presence of bots in general—and bad bots specifically—across the web. Recent studies estimate that about 47% of all internet traffic comprises bots. In addition, 30.2% of traffic is "bad" bots: programs that exist purely to fulfill nefarious purposes.
Motivations behind bot attacks
Bot attacks are not radically different from other forms of cybercrime. Bots are a means to an end, and those ends are shared by the vast majority of attackers, irrespective of their means.
In particular, almost all cybercrime is financially motivated. Namely, per Verizon’s 2023 DBIR, 94.6% of breaches in 2022 were driven by financial motives. Other motives included espionage, political aims, or interpersonal grudges.
Like all cyberattacks, bot attacks aim to line the pockets of cybercriminals by stealing funds or data, by extortion, or through fraudulent schemes that gain illegitimate access to resources. These attacks may come from strangers seeking a payday, from organized groups, or even from nation states with wider-ranging motivations.
What differentiates bot motives is that most bot tactics lend themselves best to higher-volume, lower-complexity schemes. Cybercriminals using bot attacks may prioritize immediate or shorter-term impacts (like attacks designed to cause website downtime) over more elaborate plans to steal trade secrets. Those attacks may be more effective if they are human-led.
Impacts of bot attacks
Although attackers are almost always after financial gains, their actions can impact victims differently. Bot attacks, like other cyber threats, can lead to consequences such as:
User friction: Bot attacks aimed at websites affect the site’s performance for legitimate users, often resulting in complete downtime.
Financial losses: Bot attacks cost their target companies money by direct theft, resource damage, ransoms, and general mitigation costs. Per one recent study, over 75% of companies impacted by bot attacks lost at least 6% of their revenue. Even more concerning is that 83% of companies surveyed suffered an attack.
Legal trouble: Organizations that have data breached may also be subject to compliance and other legal penalties enforced by governmental and regulatory bodies. HIPAA, PCI, GDPR, and other widely applicable frameworks stipulate severe fines for sensitive data breaches.
Customer attrition: Successful attacks can also lead to losses of current or potential customers. Any customers impacted by a data breach may lose trust in the organization or any software platforms they believe were impacted.
The stakes of a bot attack depend heavily on the kind of attack waged, the data targeted, and other factors about the parties impacted. But in many cases, they can be extremely severe. That’s why robust fraud prevention controls are essential.
Types of bot attacks
As noted, bot attacks are not fundamentally different from other forms of cybercrime. Most varieties of cyberattacks can incorporate scripts. However, some attack vectors are particularly well suited to automation and algorithmically driven activity. Attacks that consist of large volumes of similar actions, such as repeated requests or messages, are effective when they are bot-led.
Four particular vectors are often partially or wholly bot-led: credential stuffing, scraping attacks, account takeover, and DoS and DDoS attacks.
Credential stuffing
In credential stuffing attacks, attackers obtain usernames and passwords (from the dark web or from another breach) and then try those same credentials on other websites. Over the past few months, credential stuffing attacks have hit PayPal, DraftKings, and Norton LifeLock.
Passwords are easy for computers to guess but hard for users to remember. If users are asked to create strong passwords for every account (a good practice), chances are they will cycle between 2-3 passwords across all their accounts. This means that once a password is leaked, all their accounts that use the same password are at risk.
With the aid of bots and automation, attackers can perform high-volume credential stuffing attacks and put sites at risk besides the site where the data breach initially took place.
Scraping attacks
Scraping is extracting information from a website or other digital location and compiling it, often for analysis. When it targets publicly available information, scraping is within the bounds of legality and standard business practice.
Scraping attacks, however, cross the line into extracting private information for nefarious ends.
Scraping attacks often involve bots seeking ways to extract data from websites on false pretenses. For example, cybercriminals may use bots to scrape data from private profiles on social media by implanting the bots within users’ following lists, bypassing restrictions.
A recent high-profile scraping incident impacted Facebook. A massive attack leaked information from 553 million accounts, roughly 20% of the platform’s users. The attack was reported on and analyzed thoroughly in 2021, but the data in question had been scraped in 2019. The extent of this breach is unparalleled, encompassing personal information that has the potential to fuel subsequent attacks and enable unauthorized access to accounts, making it a commodity on the dark web.
Account takeover
Account takeover comprises two distinct phases. First, the account is accessed illegitimately. Cybercriminals or their bots can use the attacks described above to seize credentials and take over an account. Other methods include:
Brute force attacks: These attacks employ high-volume, automation-enabled methods for guessing passwords. Attackers set up bots to compute guesses at high volumes (e.g., 100,000 per second) to crack a user credential. If the number of characters is known, simple brute force calculators can accurately estimate how long it will take for a bot-driven attack to crack a password.
Malware and viruses: Attackers may install malicious software onto devices used by targets to steal their information at the input level. Keyloggers and other scanning programs can record and report on credentials without the users detecting any threat.
Once cybercriminals have gained the ability to access an account illegitimately, they may use bots to further infiltrate and exploit it. There, they can steal or otherwise corrupt sensitive data, engage in fraud, or access other closely linked accounts.
These hallmarks of broken authentication can be even harder to prevent when bot-driven.
DoS and DDoS attacks
Denial of service (DoS) attacks aim to jam up organizations’ systems with an influx of traffic. An individual or bot will send requests to a given server repeatedly until it causes traffic to slow to a halt. The goal is to interfere with business operations or take security features offline to render the organization vulnerable to additional attacks.
In a distributed denial of service (DDoS) attack, the same tactic is amplified with requests from numerous initiators. These attacks are not always bot-driven, but they are easy to automate. A lone attacker or group of attackers can write a single script, create duplicates and variations, and send near-infinite requests at relatively modest compute requirements.
These attacks are among the fastest-growing across every industry in 2023. By some estimates, DDoS attacks were up 200% in the first half of 2023, specifically because of automation, i.e., bots.
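The per-source rate limiting that a WAF or edge proxy applies against the repeated-request pattern described above, written here as an added Python example rather than code from the article. The limit, window and simulated traffic are assumptions, and a limiter keyed by source address only addresses single-source floods; a distributed attack spreads requests across many sources and needs upstream controls as well.

```python
from collections import deque

class FakeClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds

class SlidingWindowLimiter:
    """Allow at most `limit` requests per source in any trailing `window_s`
    seconds; everything beyond that is rejected instead of reaching the app."""
    def __init__(self, limit, window_s, clock):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits = {}  # source -> deque of accepted request timestamps

    def allow(self, source):
        now = self.clock()
        q = self._hits.setdefault(source, deque())
        while q and now - q[0] >= self.window_s:  # forget hits that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def simulate(limiter, clock, source, count, interval_s):
    """Send `count` requests from `source` spaced `interval_s` apart and
    return (accepted, rejected)."""
    accepted = 0
    for _ in range(count):
        accepted += limiter.allow(source)
        clock.advance(interval_s)
    return accepted, count - accepted

if __name__ == "__main__":
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=20, window_s=10.0, clock=clock)
    # constructed flood: 200 requests in about two seconds from one source
    print("flood  ", simulate(limiter, clock, "203.0.113.7", 200, 0.01))
    # constructed ordinary client: one request a second, never over the limit
    print("normal ", simulate(limiter, clock, "198.51.100.9", 5, 1.0))
```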
How to detect bot attacks
Mitigating bot attacks begins with detecting them. This, in turn, requires understanding and identifying the common characteristics of bot traffic. Basic warning signs to look out for include:
Any suspicious or anomalous activity across your servers and platforms
Users behaving in ways that they do not normally or that most other users do not
Higher than average bounce rates, especially on websites or web applications
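As an added illustration (not from the original article), the following Python detector applies the credential stuffing pattern described earlier and the anomaly signs listed above to a constructed authentication log: a source that tries many different usernames in a short window, almost all of them failing, is flagged, while a user who mistypes a password once is not. The log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system):
# timestamp, source IP, username, outcome. 203.0.113.7 tries many accounts
# once each (credential stuffing); 198.51.100.9 is one user retrying.
SAMPLE_LOG = """\
2023-09-01T10:00:01Z 203.0.113.7 alice FAIL
2023-09-01T10:00:02Z 203.0.113.7 bob FAIL
2023-09-01T10:00:02Z 203.0.113.7 carol FAIL
2023-09-01T10:00:03Z 203.0.113.7 dave OK
2023-09-01T10:00:04Z 203.0.113.7 erin FAIL
2023-09-01T10:00:04Z 203.0.113.7 frank FAIL
2023-09-01T10:00:05Z 203.0.113.7 grace FAIL
2023-09-01T10:00:06Z 203.0.113.7 heidi FAIL
2023-09-01T10:05:00Z 198.51.100.9 alice FAIL
2023-09-01T10:05:30Z 198.51.100.9 alice OK
"""

def parse_log(text):
    """Parse lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, outcome == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=1),
                          min_users=5, max_success_ratio=0.2):
    """Flag sources that, within any trailing `window`, tried >= `min_users`
    distinct usernames with success ratio <= `max_success_ratio`."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}  # ip -> (distinct_users, attempts, success_ratio)
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # shrink from the left until evs[start:end+1] fits in one window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            ratio = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and ratio <= max_success_ratio:
                flagged[ip] = (len(users), len(span), ratio)
    return flagged
```

Running `find_stuffing_sources(parse_log(SAMPLE_LOG))` flags only 203.0.113.7; raising `min_users` or lowering `max_success_ratio` tunes the trade-off between missed sources and false alarms on shared NAT addresses.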
Another option for detecting bot attacks is investing in cybersecurity infrastructure that scans for threats related to bot activity. For example, you could install content filters and activity loggers that flag all potential bot traffic for scrutiny. Or, if your clients are not using bots in any capacity, you could disallow bot traffic entirely apart from website crawlers and other “good bots”.
How to prevent bot attacks
Mitigating bot attacks requires more than early detection. Even a threat identified early can eventually turn into a full-blown attack. Instead, organizations need prevention and protection mechanisms.
Some methods for preventing bot attacks include:
CAPTCHA systems: These Turing tests block bot traffic by filtering it out with tasks that human users can pass easily but bots cannot. With real-time machine learning, Google’s reCAPTCHA builds on this functionality to identify user behaviors, assess risk, and adjust protocols accordingly.
Passwordless auth: Passkeys, one-time passwords (OTP), time-based OTP, and other login protocols that forgo traditional passwords can prevent bot traffic originating from stolen or cracked credentials, all while improving UX and customer satisfaction.
Web app firewalls: Firewalls are perimeter defenses that screen all traffic entering or exiting a given digital space. Any content that meets specific criteria can be blocked via deny-all-except or permit-all-except rules. Web application firewalls (WAF) provide the same functionality for web apps, with the ability to block all or most bot traffic outright.
Adaptive MFA: While some traditional MFA deployments remain susceptible to bot attacks, risk-based adaptive authentication through MFA is one of the best ways to prevent these attacks via a dynamic login process that identifies and stops bot attempts.
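An added Python sketch (not the article's code or any vendor's) of the risk-based branching that adaptive MFA performs: several login signals, such as a reCAPTCHA-style bot score, a breached-password check, device familiarity, recent failures and IP reputation, are combined into a score that selects allow, step-up MFA or block. The signal names, weights and thresholds are illustrative assumptions.

```python
from dataclasses import dataclass

@dataclass
class LoginContext:
    """Signals available when a login attempt arrives (all fields assumed)."""
    bot_score: float         # 0.0 = almost certainly a bot, 1.0 = almost certainly human
    password_breached: bool  # submitted password appears in a known breach corpus
    known_device: bool       # device/cookie has been seen for this account before
    recent_failures: int     # failed logins for this account in the last few minutes
    ip_flagged: bool         # source address is on a threat-intelligence list

def risk_score(ctx):
    """Additive risk score in [0, 100]; weights are illustrative."""
    score = 0
    if ctx.bot_score < 0.3:
        score += 50            # strong bot signal on its own forces step-up
    elif ctx.bot_score < 0.7:
        score += 20            # uncertain: ask for a second factor
    if ctx.password_breached:
        score += 25            # a leaked password is what stuffing bots replay
    if not ctx.known_device:
        score += 20            # unfamiliar device: step up before trusting it
    if ctx.recent_failures >= 5:
        score += 20            # guessing activity against this account
    if ctx.ip_flagged:
        score += 30
    return min(score, 100)

def decide(ctx):
    """Branch the login flow: password only, step-up MFA, or block."""
    score = risk_score(ctx)
    if score >= 70:
        return "block"
    if score >= 20:
        return "step_up_mfa"
    return "allow"

if __name__ == "__main__":
    # constructed cases: a returning human, a human whose password has leaked,
    # and a bot-like attempt hammering an account from a new device
    print(decide(LoginContext(0.9, False, True, 0, False)))   # allow
    print(decide(LoginContext(0.9, True, True, 0, False)))    # step_up_mfa
    print(decide(LoginContext(0.1, False, False, 6, False)))  # block
```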
The login screens and flows for your software are among the primary targets for bots and other cyberattacks. But they also have the potential to be the first and best defense against cybercrime.
Stop identity-driven bot attacks with Descope
The prevalence and sophistication of bot attacks make them a clear and present danger to businesses and individuals alike. Descope can help.
Descope helps developers and IT teams easily add authentication, authorization, and identity management to their apps using no-code workflows. In these workflows, you can add conditional steps to check if the login attempt is originating from a bot and block it if so.
Moreover, Descope offers third-party connectors with services such as Google reCAPTCHA Enterprise, Traceable, and Have I Been Pwned to ingest granular risk scores into your user journey and create branching paths for bots and real users.