Businesses are poorly informed and ill-prepared against bot attacks, with nearly two-thirds of companies believing wrongly that they originate only from Russia and China, a study has found.
Research by infosecurity company Netacea found that most of the 440 firms it surveyed held mistaken or “mythical” beliefs about the automated programs, which if not corrected could leave them wide open to cyberattacks.
Some of the most common misconceptions included thinking that a standard web application firewall (WAF) or distributed denial of service (DDoS) protection would secure them against bot attacks – a belief held by 73% and 71% of companies respectively.
“A DDoS attack will overwhelm a site with traffic, using a network of compromised machines, also known as a botnet,” said Netacea. “Bot traffic is different. Unlike botnets, bots look to take advantage of sites, not take them offline. Taking a site offline means a bot attack will have failed.”
Regarding firewalls, it added: “WAFs are designed to prevent attacks that target vulnerabilities in security, through techniques such as injecting code. But many bots exploit websites by attacking ‘business logic’ – no security holes are needed.”
As well as identifying mythical beliefs, the report also highlighted “near myths” or “factoids” – beliefs held by companies that are only partially true or accurate.
“ReCAPTCHA and similar [puzzle-based] techniques do help to distinguish between bots and humans,” said Netacea, citing one of these near myths. “But it is not 100% effective – more sophisticated bots will be able to circumvent this technology.”
Puzzle-setting techniques were in “an arms race” against ever-advancing bots, and while being an “incredibly useful tool” were “not a complete solution on their own.”
Netacea added: “As bots get better at solving these puzzles then the puzzles must become more difficult and more frustrating. Even if we were able to create uncrackable CAPTCHAs, it’s possible to outsource solving them to low-paid workers to solve for pennies.”
Keep a close eye out
Netacea urged businesses to look closer to home for attacks and not fixate on known bad actors such as Russia and China – though it acknowledged that the threat from these countries cannot be ignored either.
“Our research has found that just over a third of businesses have detected threats from Russia and China,” it said. However, around half of firms surveyed had also detected threats from the US and UK, with three-quarters identifying attacks from Europe.
“In recent years, there have been many media reports into how Russia in particular may be using social media bots to influence elections and other events,” said Netacea. “But the bots that businesses should be most worried about are not run by nation states – they are operated by people out to make a profit. These can be professionally run businesses or amateurs, but they are just as likely to be in the same country as located abroad.”
Not all bots are bad
Moreover, not all bots are used by criminals or bought and sold on the dark web, another mythical belief held by more than half the companies Netacea spoke to.
“Increasingly we see not just bots, but ‘combo lists’ of usernames and passwords available on the clear web, accessible to everyone,” it said.
Many of these buyers were not in fact cybercriminals but legitimate customers turning to legal tech solutions to buy high-demand items before they sold out.
“Not everyone using a bot is doing so to break the law,” said Netacea. “There are some who undoubtedly are, like those who are trying to use stolen passwords to take over accounts, or checking the validity of stolen credit cards. But there are those who are in more of a grey area.
“As people are unable to buy [popular] goods, such as games consoles, using traditional means, they are turning to bots to beat the rush. And the bot market is responding. Interested buyers no longer have to navigate the dark web to get what they want.”
It added: “Many bot operators are now professional businesses, and to thrive they are making their services available to a much wider audience.”
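The two points above, that a WAF looks for attacks on security holes while bots abuse business logic, and that combo lists of usernames and passwords are used to take over accounts, can be illustrated with a short added example (not code from Netacea or the article): a signature check of the kind a WAF performs flags only the malformed injection probe, while a behavioural rule over the same constructed login log catches the client cycling through a combo list. The log entries, IP addresses and thresholds are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample login attempts (not real traffic): (seconds, client_ip, username, password).
SAMPLE_LOGINS = [
    (0, "203.0.113.7", "alice", "Summer2023"),  # combo-list run: many users from one client
    (2, "203.0.113.7", "bob", "Password1"),
    (3, "203.0.113.7", "carol", "letmein"),
    (5, "203.0.113.7", "dave", "qwerty123"),
    (6, "203.0.113.7", "erin", "Welcome1"),
    (8, "203.0.113.7", "frank", "iloveyou"),
    (1, "198.51.100.4", "grace", "hunter2"),  # one person retyping a password
    (20, "198.51.100.4", "grace", "hunter22"),
    (45, "198.51.100.4", "grace", "Hunter22"),
    (7, "192.0.2.5", "' OR 1=1--", "x"),  # classic injection probe
]

# Signature patterns of the kind a WAF rule set matches against request fields.
INJECTION_PATTERNS = [re.compile(p, re.I) for p in
                      (r"'\s*or\s+\d+\s*=\s*\d+", r"union\s+select", r"<script", r"\.\./")]

def waf_signature_hits(logins):
    """(ip, username) pairs whose fields match an injection signature."""
    return [(ip, user) for _ts, ip, user, pwd in logins
            if any(p.search(user) or p.search(pwd) for p in INJECTION_PATTERNS)]

def credential_stuffing_sources(logins, window=60, min_distinct_users=5):
    """Clients that try at least min_distinct_users different usernames within `window` seconds.
    Every request here is well-formed, so no signature fires; the abuse shows only in the
    behaviour across requests, which is the business-logic attack the article describes."""
    by_ip = defaultdict(list)
    for ts, ip, user, _pwd in logins:
        by_ip[ip].append((ts, user))
    flagged = set()
    for ip, events in by_ip.items():
        events.sort()  # sliding window over this client's attempts, oldest first
        for i, (ts, _user) in enumerate(events):
            users_in_window = {u for t, u in events[: i + 1] if t >= ts - window}
            if len(users_in_window) >= min_distinct_users:
                flagged.add(ip)
                break
    return flagged

if __name__ == "__main__":
    print("WAF signature hits:", waf_signature_hits(SAMPLE_LOGINS))  # only the injection probe
    print("Stuffing sources:", credential_stuffing_sources(SAMPLE_LOGINS))  # {'203.0.113.7'}
```

The thresholds are deliberately simple; in practice the same rule would be keyed on more than the source IP, since bot operators spread attempts across many addresses.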
More from Cybernews: