The Threat From Bad Bots


Bots are software applications that automate repetitive tasks without any human interaction, and have fast become an integral part of what makes the internet work. However, there are good bots and there are bad bots, and the latter is what we need to be most concerned about especially in today's digital society.

Bad bots are constantly evolving, getting more and more sophisticated, and becoming more difficult to detect. They can cause significant financial damage to organizations by disrupting online operations in a variety of ways ranging from overwhelming websites with traffic to stealing information, including web content and ecommerce pricing data.

Bad Bot Types

Bad bots span a wide range of attack capabilities and scenarios, the following are the general categories that attacks fall into:

Spam Bots

Spam bots typically attack blog comment sections, community portals and lead generation forms with 'garbage' or fake content. They can also insert irrelevant and unwanted ads, malicious phishing links and banners into real-time conversations to cause disruption and attack users.

 Scraping Bots

Price, content and inventory scraping bots steal prices and product listings. This can damage an ecommerce site's revenue stream and harm SEO rankings due to duplicate content as stolen data may appear on competitor and bogus sites. Additionally, these bots scrape product reviews, news, product catalogs and user-generated content. Scraper bots also harvest email addresses, images, and text from victim websites that may be repurposed to pose as legitimate web pages.

 Credential Stuffing Bots

Credential Stuffing Bots can attempt to use login details from other sites or simply try brute force guessing attacks against your customer/admin accounts. If successful, they can then make purchases, harvest personal information and purchase histories, make unauthorized cryptocurrency, and transfer reward points and money to gift cards and air miles.

 Ad Click Fraud Bots

Ad Click Fraud Bots can be used to sabotage competitors by clicking on their ads to drive costs up and reach budget caps, or to scam advertisers themselves with fake websites and ad clicks that pay the fraudster directly. In both scenarios, bots automatically generate interactions or 'clicks' with ads, promotions and media.

 Credit Card Stuffing Bots

Carding bots make multiple attempts to authorize stolen credit card credentials. This can lead to merchant payment processors accumulating chargebacks and penalties that may ultimately result in the victim merchant being prevented from accepting credit cards altogether.

 Inventory Denial Bots

Cart Abandonment and Inventory Exhaustion bots automatically add hundreds of products to ecommerce shopping carts and then abandon them to block consumers from buying products, reduce sales, manipulate conversion rates and damage a brand’s reputation.

 DDoS Bots and Botnets

Distributed Denial of Service (DDoS) attack bots and botnets are made up of thousands of compromised computers or Internet of Things (IoT) devices called "zombies". They can slow down a website or take them offline completely by flooding sites with massive amounts of artificially generated traffic. Researchers have found cybercriminals advertising DDoS services on the dark web with basic fees to attack unprotected sites ranging from $50 to $100, while an attack on a protected site can reach $400 or more.

 Ticket Scalping Bots

Ticket scalping bots automatically buy tickets, enabling malicious users to resell them at a higher price. Examples include using a bot to purchase concerts tickets for major events or the minute that they go on sale.

 Fake Account Creation Bots

Fake Account Creation bots create fake accounts for criminal activities such as content spam, cryptocurrency laundering and malware distribution. Fake accounts compromise brands and attack users with malware such as ransomware.

 Hacker Bots

Hacker bots can distribute malware, attack websites, and entire networks by exploiting security vulnerabilities and injecting code into victim sites. Hacker bots can also perform DDoS attacks across web proxies with browser-like signatures to disrupt business operations.

 Impersonator Bots

Impersonator bots copy human computer interactions and behaviors to fool users and bot mitigation defenses and conduct malicious activities. Impersonators bots also include propaganda bots to influence political opinions on platforms such as Facebook and Twitter. According to researchers at the University of Southern California who studied bot use during the 2016 U.S. Presidential election, “the presence of social media bots can indeed negatively affect democratic political discussion rather than improving it, which in turn can potentially alter public opinion.”

The Growing Threat

A report from Imperva found that roughly one-quarter of all website traffic in 2019 originated from bad bots, an increase of 18% over 2018. 75% of that bad bot traffic is made up by Advanced persistent bots (APBs) that attempt to evade detection by cycling through random IP addresses, using anonymous or proxies, and changing their identities. The top industries in 2019 hardest hit by bad bots included financial services, education, ecommerce, and government as well as media and airlines.

Companies offering "Bad Bots as-a-Service"* are also gaining ground. These data scraping services sell bots as easy-to-use packed products offering pricing and competitive intelligence, alternative data for finance, or competitive insights managed by Web Data Extraction Specialists and Data Scraping Specialists.

Malicious bot-for-hire services also offer personal and financial data harvesting, brute-force login services, ad click fraud, spamming services, transaction fraud services, and even Distributed Denial of Service (DDoS) attacks.


The threat from bad bots is only getting worse, it's imperative for websites to have good security measures in place that will identify, and stop them. Our next article on bots will go over the common counter measures used to combat bad bots.

Bots Security Learning

© PEAKHOUR.IO PTY LTD 2023   ABN 76 619 930 826    All rights reserved.