In this digital age, bots have effectively become one of the most disruptive tools within a cybercriminal’s arsenal, capable of performing a wide array of malicious activities – including web scraping, competitive data mining, personal and financial data harvesting, credential stuffing, scalping, carding, denial of inventory, and distributed denial of service (DDoS). According to reports, more than 40 percent of all internet traffic is made up of bots – and a single bot attack can cost an enterprise up to US$500,000.
Additionally, the presence of bots alone can significantly slow down a site for its users. This has a significant adverse impact on overall user experience and on conversion rates: just 100 milliseconds of added latency can decrease shopping conversion rates by 10 percent, according to a study by Google.
With this, organizations and businesses – especially e-commerce platforms – should proactively address the malicious activity caused by bad bots for the sake of their bottom line and their reputation.
Bad bots' impact on the e-commerce industry
Account takeovers
No doubt, bot traffic is a major threat to e-commerce. In addition to slowing down site speed, these bots can also hijack customer accounts with credential stuffing attacks leading to account takeover (ATO) fraud – which can reveal valuable and sensitive information such as credit card and personal details. It can also lead to expensive chargebacks and a loss of consumer confidence.
This digital equivalent of identity theft incurs losses averaging US$12,000 per account and is at an all-time high with almost a quarter (22.6%) of all logins on retail websites being malicious account takeover attempts – compared to just over a tenth (11.6%) in all other industries.
Price scraping and inventory hoarding
Due to the highly competitive e-commerce landscape, certain competitors or third-party resellers have resorted to utilizing bots for scraping pricing information from e-commerce platforms. This practice provides them with a distinct advantage as they can closely monitor pricing trends, enabling them to potentially undercut prices and engage in price manipulation strategies. This results in an unjust market environment that can have negative effects on the competitiveness and profitability of retail companies.
Furthermore, bad bots can be employed to amass limited inventory by automatically purchasing substantial quantities of products, deliberately creating scarcity, and driving up prices. By swiftly buying out limited-edition or high-demand products, scalpers utilizing these bots cause shortages, effectively preventing customers from accessing these items at fair prices. Consequently, this leads to frustrated customers, damaged brand reputation, and the potential loss of revenue for retail companies.
DDoS
Similarly, DDoS, another disruptive automated attack carried out by bots, has the capacity to take down or slow down targeted websites by flooding the network, server, or application with bogus traffic. Designed to exhaust processing resources with a high number of requests, this form of attack is projected to reach new records in rate, frequency, and complexity, and can potentially cost a company up to $20,000-$40,000 hourly according to a Cox BLUE report.
Website disruptions negatively impact the purchasing experience for potential customers and significantly decrease conversion rates as the website performance is compromised. Additionally, it can also cause a complete shutdown of the website or application. Needless to say, when the entire application is offline, it significantly hampers business operations and directly affects e-commerce bottom lines.
Gift card and coupon abuse
Gift card and coupon abuse by malicious bots refers to the fraudulent and unauthorized use of gift cards and coupons carried out by automated agents. Malicious bots exploit vulnerabilities in retail websites and applications to redeem gift cards and coupons without proper authorization or payment. This abuse has a significant impact on the e-commerce sector as bad actors deplete gift card balances and purchase inventory allocated for legitimate customers, only to resell the goods on secondary, and sometimes dark, markets.
This can have a direct negative impact on the revenue and profitability of e-commerce companies. Additionally, when customers encounter issues with redeeming valid gift cards or coupons due to bot abuse, they lose trust in the e-commerce platform or brand, potentially deterring other potential customers through word of mouth.
Mitigation
In order to effectively mitigate the impact of malicious bots, it is imperative for retail companies to invest in robust bot management solutions that:
- Continuously monitor and analyze website traffic and user behavior using machine learning to look at multiple dimensions, to promptly identify anomalies and thwart any suspicious activities perpetrated by bots.
- Detect, categorize, and allow benign or “good” bots – that are critical to the success of e-commerce sites – to do their jobs. These include SEO bots, internal marketing analytics tools, monitoring agents, and more.
- Offer response types including CAPTCHAs, browser challenges, and other custom responses for use on critical e-commerce services including account registration, login, or checkout pages to validate the authenticity of users and deter malicious bots.
- Deploy holistic web application and API protection (WAAP), backed by highly scalable edge networks, that can detect and effectively block Distributed Denial of Service (DDoS) attacks, ensuring stability and availability of apps and sites against a full range of automated threats.
- Implement multi-factor authentication and enforce strong password policies to fortify defenses against account takeover attacks.
- Have a patch management strategy and regularly update and patch software and systems to address security vulnerabilities.
- Build strong working relationships with leading cybersecurity vendors, leveraging their expertise and accessing up-to-date threat intelligence, enabling proactive defenses against emerging bot attack techniques.
By diligently implementing these comprehensive security measures and maintaining a proactive stance, e-commerce platforms can significantly reduce the risks associated with bot attacks. In doing so, they can provide their valued customers with a safer and more reliable shopping experience, solidifying their reputation as a trusted and secure destination.
Cybersecurity practices & strategies for CISOs
Moving forward, to safeguard the bottom line and protect business operations, it is necessary for CISOs to prioritize service providers that are able to classify good bots, mitigate malicious bots, and also offer end-to-end, holistic application security solutions. This means having multi-layer security to protect against a wide range of attacks, from the network/transport layers (layers 3/4 of the OSI model) all the way to the application layer. Additionally, any chosen solution should have centralized control and single-pane-of-glass views, as this reduces blind spots and ensures consistent policies are applied across all applications within the CISO’s purview.
In conclusion, the prevalence of bot attacks in the e-commerce industry poses a significant threat to enterprises, with potential costs reaching up to millions of dollars. By implementing these comprehensive cybersecurity practices and strategies, e-commerce platforms can enhance their security posture, protect their customers, and establish themselves as trusted and secure destinations for online shopping.
Richard Yew is Senior Director, Product Management – Security, at Edgio, Inc. (Nasdaq: EGIO), where he leads the security portfolio and is responsible for building industry-leading solutions. His remit includes Web Application and API Protection, Bot Management, DDoS protection, DNS, Web PKI, IAM, Managed Security and SOC services. At IaaS and Security companies, he’s helped implement hundreds of enterprise security and performance solutions.
TechNode Global INSIDER publishes contributions relevant to entrepreneurship and innovation.