Wising up to bot attacks.
Cybersecurity is often described in terms of an arms race. On one side are the hackers, forever looking for new vulnerabilities, trying to trick people with new phishing attempts, and so on. On the other side are the security experts, also looking for vulnerabilities, but instead racing to roll out new patches and ensuring businesses are safe from attack. But there’s a new arms race starting up— between businesses and their customers.
New Security Threats
Businesses are slowly waking up to the threat of bot attacks. Our research has found that their understanding of where attacks are coming from, who is behind them and how to mitigate them has improved, albeit slowly. Unfortunately, there are others who are also gaining a better understanding of bot attacks, and are taking advantage: everyday consumers.
Bots are no longer only used by the tech-savvy. Until relatively recently, if bots were being used to buy up limited edition goods such as consoles or sneakers, a retailer could assume that those operating the bots cared little for the goods they were buying, as long as they could flip them for a profit. Those who genuinely wanted the goods would have to pay a premium. Now, genuine fans who just want to be first in the queue, frustrated at constantly losing out to bots, are getting in on the act.
There are three trends that are driving this change:
1. Bots are no longer only available on the dark web. Downloading the right browser and navigating the dark web was a barrier to operating a bot, but there are now forums and marketplaces on the clear web that make it possible to purchase or rent bots to operate.
2. Bots are easier to operate.
Bot creators are increasingly operating like consumer-focused businesses and making their bots user friendly, with better and more intuitive user experiences and comprehensive guides that anyone can follow.
3. Bots-as-a-service. Don’t want the hassle of operating a bot yourself? That’s no problem, simply get an expert to do it for you. Some bot operators are offering their services for a fee, meaning anyone, no matter their level of tech savvy, can benefit from a bot.
More and more, the businesses that offer bot services look just like the businesses they target. They have professional websites, responsive customer support, and advertise their services just like any other organisation. Their products are under constant development, and are designed to appeal to those who may have never used a bot before.
A Battle of Awareness
Our research has shown that businesses, in general, are more aware of the threat of bots. But the growth in awareness is slow, and there are many pervasive myths around bots.
For example, around three- quarters of businesses think that Web Application Firewalls (WAFs) and DDoS protection are effective against bots. In fact, while a WAF will stop some forms of attack, and DDoS protection safeguards against attacks from botnets, neither is an effective tool against bots looking to buy up limited goods or crack accounts.
One particularly worrying statistic from our research is that businesses can take up to 16 weeks to identify a bot attack, meaning bots can run wild for almost four months before businesses introduce countermeasures.
Meanwhile, high profile bot use means consumers are more aware than ever of their use. Mainstream publications and broadcasters have reported on bots being partly responsible for shortages of consoles and graphics cards. Consumers now know what bots are and how they can be used. If they want something with limited availability, there’s a much higher chance that they will at least consider and research the use of bots. With bot operators focusing on the customer experience and improving their marketing, there’s a much higher chance they will find what they are looking for.
This is the new arms race between businesses and their consumers. Savvy consumers are skipping
the middlemen and using bots to buy limited edition goods rather than pay a markup to a third party. This means two groups are pushing to the front of the queue: the bot operators looking to make a profit, and a small subset of customers. The rest are even more likely to miss out. Is this a problem if goods are being sold regardless? If consumers find that they are not being treated fairly and missing out on limited goods, this will damage loyalty and lead them to look elsewhere for other purchases. Plus, this is a vicious cycle—today’s disgruntled customers are tomorrow’s bot users. The only way forward is for more businesses to better understand the threat that they are facing, and how, unlike other security threats, their customers will actually become part of the problem if it is not addressed.
