How to defend against Account Takeovers
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
The World of Automated Web Traffic
A significant portion of all internet traffic isn't generated by humans, but by automated programs known as bots. These bots interact with websites for a wide variety of purposes, some of which are beneficial and essential for the web to function, while others are malicious and harmful. Understanding the difference between "good bots" and "bad bots" is crucial for website owners and security professionals.
What is a Good Bot?
Good bots are automated programs that perform useful or helpful tasks. They typically respect the rules set out in a website's robots.txt file and are transparent about their identity and purpose.
Examples of Good Bots:
-
Search Engine Crawlers: These are perhaps the most well-known good bots. Bots like Googlebot, Bingbot, and DuckDuckBot crawl the web to discover and index content, making it discoverable through search engines. Without them, search engines wouldn't work. They identify themselves clearly in their User-Agent string.
- Example User-Agent:
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
- Example User-Agent:
-
SEO and Site Monitoring Tools: Services like Ahrefs, SEMrush, and UptimeRobot use bots to crawl websites to analyze SEO performance, check for broken links, or monitor for downtime. These bots help website owners improve their sites.
-
Copyright Bots: These bots scan the internet for copyrighted content (e.g., images, music) that is being used without permission, helping creators protect their intellectual property.
-
Data Feed Bots: Bots used by aggregators, such as flight or hotel comparison websites, to pull publicly available pricing and availability data via approved APIs or feeds.
Characteristics of a Good Bot:
- Transparency: They have a clear identity and provide a way for website owners to get more information (e.g., a URL in the User-Agent string).
- Respectful: They follow the directives in the
robots.txtfile. - Controlled Crawl Rate: They are designed to crawl websites at a reasonable rate to avoid overwhelming the server.
- Provides Value: Their function is beneficial to either the website owner or the broader internet ecosystem.
What is a Bad Bot?
Bad bots are designed to perform malicious, disruptive, or illegal activities. They often disguise their identity, ignore robots.txt, and use sophisticated techniques to evade detection.
Examples of Bad Bots:
-
Web Scrapers / Content Scrapers: These bots are programmed to steal content, pricing information, product listings, or other proprietary data from websites. This data can be used to undercut competitors, republish content without permission, or for market analysis.
-
Credential Stuffing Bots: These bots take lists of stolen usernames and passwords from data breaches and systematically try them on other websites to perform account takeovers.
-
Spam Bots: These bots automatically post spam comments on blogs, forums, and social media, or create fake accounts to send phishing messages.
-
Ad Fraud Bots: These bots generate fake clicks or impressions on online advertisements to defraud advertisers and publishers.
-
Scalper / Hoarder Bots: Commonly seen in e-commerce and ticketing, these bots are used to automatically buy up limited-stock items (e.g., concert tickets, sneakers) faster than any human could, with the intent of reselling them at a higher price.
-
DDoS Bots: These bots are part of a botnet and are used to flood a target server with traffic, causing a Distributed Denial of Service (DDoS) attack that can take a website offline.
Characteristics of a Bad Bot:
- Deceptive: They often spoof their User-Agent string to mimic a legitimate browser or a search engine crawler.
- Disrespectful: They completely ignore
robots.txtdirectives. - Aggressive: They can make a huge number of requests in a short period, consuming server resources.
- Distributed: They often operate from large, distributed proxy networks (residential or datacenter) to hide their origin and bypass IP-based blocking.
- Harmful: Their actions are detrimental to the website, its users, or its business.
The Challenge of Bot Management
Distinguishing between good, bad, and human traffic is a complex challenge. Bad bots are constantly evolving their techniques to appear more human-like. Effective bot management requires a multi-layered approach that goes beyond simple IP blocking or User-Agent inspection, using advanced methods like device fingerprinting, behavioral analysis, and machine learning to accurately identify and mitigate the threat from bad bots while allowing good bots and legitimate users to access the site without friction.
Related Articles
What is an Account Takeover?
An overview of Account Takeover Attacks
Anatomy of a Credential Stuffing Attack
A step-by-step breakdown of how credential stuffing attacks are carried out, from obtaining stolen credentials to bypassing defenses and taking over accounts.
What is Anycast DNS?
An introduction to Anycast DNS
What is an Apex Domain?
A quick description about what an Apex Domain is.
Best Practices for API Key Management and Rotation
Learn the essential best practices for managing and rotating API keys to enhance security, prevent unauthorized access, and minimize the impact of key compromise.