The Good and Bad of Bots

If you’ve used a text-based customer service option recently, chances are you were not communicating with a human. Chatbots are often the first line of customer support for many companies these days. 

Indeed, businesses are increasingly reliant on bots, software applications programmed to carry out tasks for a variety of digital grunt work, whether providing answers to common customer queries or tracking visitors to an ecommerce site. Cybersecurity companies like Mimecast send bots out to suspicious web pages to interact with them as a human would while simultaneously scraping and analyzing their content to ascertain whether they are legitimate or malicious URLs.

But just like sci-fi robots, real world bots can have a dark side, too. Cybercriminals can program bots to do some of their nefarious bidding for them. On an even grander scale, bad actors can infect entire networks of computers with malware — so-called botnets — to help in their phishing or DDoS attacks, for example. A “bot herder” will send messages to the veritable army of infected machines to serve masses of spam, crash websites, or steal data from the affected networks. 

Malicious bots cost businesses 3.6% of their annual revenue on average, according to one recent survey.[1] For the one-quarter of the survey’s respondents with annual revenues of $7 billion or more, that amounts to $250 million or more in damages. These bad bots can strike on a number of fronts: two-thirds of respondents reported attacks on their web sites, nearly half saw bots go after mobile apps and one-quarter (mostly in financial services) said their application program interfaces (APIs) had been compromised. 

The Business Case for (Good) Bots 

Bots are efficient tools for automating a number of mundane, but labor-intensive tasks, like parsing data and fetching information. Thus, there are a number of business use cases for them, from simulating human conversation to searching and indexing reams of information.

Good bots come in several common varieties.

• Chatbots: In addition to customer support chatbots, organizations also deploy chatbots for internal tasks, such as helping onboard new hires, automating routine training and troubleshooting everyday operational issues. 
• Web Crawlers: Bots that search and index web content are commonly used for search engine optimization (SEO) and market research. Search engine spiders look at the content of a web page and rank it based on factors such as links on the page and page views. Some organizations use crawlers to scan their own websites to see how their content stacks up against peers and identify areas where their SEO may need help. 
• Scrapers: Bots excel at scanning code and retrieving information. Many organizations use them to review large volumes of websites and pages that would be impossible to do manually. Web scrapers can comb through the source code and extract relevant information, such as prices for comparison-shopping sites or social media feedback for market research. 
• Trackers: Just as crawlers can help organizations improve their search engine rankings, web trackers can record and analyze data such as where a page’s traffic came from, which device a visitor was using, and how long visitors stayed on the site. Such analytics are useful for developing new content and functionality and improving the user experience.

When Bots Attack 

Unfortunately, just as legitimate businesses continue to develop new use cases for bots, so do the bad guys. Cyril Noel-Tagoe, principal security researcher at bot management provider Netacea, said in a recent episode of Mimecast’s Phishy Business podcast that he expects cybercriminal gangs to increasingly package and sell bots-as-a-service tools. So, scammers won’t need a great level of technical sophistication to launch their bot-enabled attacks.

Some of the most common use cases for malicious bots include: 

• Phishing: Bots are a valuable tool at several stages of phishing attacks, noted Dr. Kiri Addison, senior product manager at Mimecast, during the Phishy Business podcast. Bad guys use them to plant malware in networks, scrape sites for valid credentials, and offload the repetitive work of validating those stolen credentials. Since users often recycle passwords, scammers can use bots to test credentials across multiple sites, looking for access. 
• Denial of Service: Botnets can be used to swamp websites with fake traffic for a number of reasons, but perpetrating a distributed denial of service (DDoS) attack is one of the more common aims. In a DDoS attack, bots repeatedly connect to a website address, overwhelming servers and crashing the site. 
• Malicious Scraping: Just as legitimate businesses use bots to scrape the Internet for data, cybercriminals can use bots to scrape websites for information. Rival companies or nation states might do this to find out competitive data. Other bad actors will use scrapers to gather sensitive information to sell. 
• Scalping: Remember when Taylor Swift fans were locked out of ticket sales for her 2023 tour? Scalper bots were purportedly to blame. These bots can act as buyers of high-demand products or services, such as concert tickets, diminishing supply and driving up prices. Their cousins, “sniper bots” can be programmed to step in at the last second to beat any human bidding to complete a transaction. When COVID vaccinations were limited, pharmacies had to boost protection against scalper bots scooping up appointments.[2] Such bots can cause reputational damage to a brand by artificially inflating prices and keeping legitimate customers away. 
• Click Fraud: Bots that never tire of clicking on a link are a danger to budgets and brands. They can game search engine rankings by creating traffic to fake links and reroute real traffic to fake web addresses or keywords. The conversational capabilities of a chatbot can be used to produce fake reviews of products and services. Some commit ad fraud, using bots that will repeatedly click on pay-per-click ads, exhausting the advertiser’s budget. Some bots flood sites with fake traffic, polluting the data streams companies use to guide sales and marketing decisions.

How to Let the Right Bots In 

The technology behind botnets, including artificial intelligence and machine learning capabilities, is advancing, resulting in more successful and profitable attacks, said Garrett O’Hara, Mimecast’s field CTO for APAC, during a recent podcast.[3] AI and machine learning can likewise help botnet detection, but some automated responses risk blocking access to good bots or legitimate machine users like Salesforce and productivity tools. 

There are, however, a few best practices to help businesses let the right bots in and keep the bad bots out: 

• Assess Your Risk: The right solution for an organization will depend on the specifics of the organization and the potential impact of bots. Think of scenarios where bots could be used to attack your organization and identify which types of bots could be involved. Some bot attacks focus on one type of industry (such as scalper bots targeting ecommerce), but those tactics could be adapted for other industries (such as scalper bots taking vaccination slots). So, it’s important not to overly narrow your focus.
• Know Your Bot Enemy: Netacea created an open source tool, The BLADE (Business Logic Attack Definition) framework, that can be helpful in understanding and protecting against bot attacks.[4] It spells out different tactics and how to overcome them. 
• Create a Holistic View of Network Activity. Leverage technologies that can look at a whole range of behaviors and different ways bots might interact with the organization. Any way a human or machine interacts with the organization is fair game for a bot: email, websites, mobile app, APIs. Invest in technologies that protect both the server and client sides. By both analyzing keystrokes on the client side and IP connections on the server side, for example, you can get a clearer picture of possible bot traffic and distinguish botnets from legitimate users. 
• Batten Down the Hatches: Email is a primary vehicle for planting malicious bots in organizations’ networks, and secure email gateways are the first line of defense against them.
• Leverage Bots for Cyber Good: Thanks to AI and machine learning, bots can mimic human behavior, which makes them an ideal tool for gathering threat intelligence and improving defenses. For example, bots help Mimecast’s email gateway defend against phishing emails with links to fake websites that steal credentials or deliver malware. Because cybercriminals can block some automated URL scanners, Mimecast deploys bots that interact with suspect URLs, all the while grabbing the content to analyze and defend against it (read more about Mimecast’s AI-powered tools here).

The Bottom Line

Bots are widely used for legitimate business purposes, but the same technologies are proving beneficial for cybercriminals as well. Defenders have the double responsibility of protecting against malicious botnets while enabling good bots to perform their work. For more on bots, botnets and bot detection, listen to the Mimecast Phishy Business podcast episode: Shining a Light on Bots: The Good and the Bad.

[1] “What Are Bots Costing Your Business?” Netacea

[2] “Walgreens, CVS beef up protections against threat of 'bot' attacks on vaccine program,” Reuters

[3] “PodChats for FutureCISO: Battling the darker side of bots,” Future CIO

[4] “Introducing BLADE: Netacea's MITRE ATT&CK Style Framework for Bots,” Netacea