The Changing Landscape of Automated Attacks on Web and Mobile Apps

In recent years, we have witnessed an unprecedented surge in automated attacks targeting online businesses. These attacks are aimed at validating stolen payment card details, scraping content, taking over accounts and sometimes even slowing down the target website.

In the last post, I had highlighted how competitors could be behind some of these attacks. Now, to dig deeper into the presence of bad bots across industries, recently we conducted quarterlong research, the findings of the study are covered in a report aptly titled “The Big, Bad Bot Problem Q3 2018.”

The research revealed that the latest breed of bad bots leverages cutting-edge technologies including machine learning and robotic process automation (RPA) to masquerade as genuine users and attack online businesses. The report that is based on the analysis of traffic on thousands of anonymized domains during Q2 and Q3 2018 unveils that cyberattackers target businesses across industries. However, a few industries are considerably more affected by bad bots than others. Travel (20.1 percent), e-commerce (18.3 percent) and real estate (13.7 percent) have the highest percentage of bad bot traffic.

Let’s take a closer look at the presence of bad bots in these industries:


Travel portals witnessed a dramatic increase in bad bot traffic during September 2018. Nearly 50 percent of the total traffic consisted of bad bots in the last month of Q3.


Automated attacks are inconsistent on e-commerce firms. On average, 25.74 percent of traffic was bad bots on e-commerce firms during Q2 and Q3. One of the reasons for this inconsistency is seasonal spikes in automated activity on e-commerce websites during festive seasons when there is a greater economic incentive for each successful account takeover.

Commonly Used OS and Browsers by Bad Bots

The next answer that we were looking for during the research is, how these attacks are executed across industries and what tools does an attacker use? We found that these cyberattackers are not limited to using one tool. They use a combination of tools (such as proxy IPs, multiple UAs, programmatic/sequential requests) to disguise the identity of bots, evade detection and perform sophisticated automated attacks. Bots masquerade as genuine users by using widely used browsers and devices.


Commonly Used Operating Systems

In Q2 and Q3, Windows continued to be the most popular operating system used by bad bots. 80.2 percent of bad bots used Windows OS as their user agent to commit attacks in Q2 and Q3.

Commonly Used Browsers

Chrome, Firefox and IE are the most commonly used user agents to execute attacks. Chrome is the first choice for bot herders. 79.5 percent of bad bots used Chrome as their user agent to attack online businesses in Q2 and Q3 combined.

Most Exploited Attack Surfaces

Attackers use these user agents along with various other components of their “exploit kit” to intrude into an online business’s internet infrastructure. Web applications are the first target for cyberattackers; however, there is a shift in this trend. We observed that attacks on mobile apps have increased in recent months.

Where Bad Bots Originate

Most of the bad bots detected during our study originated from Russia, followed by Germany and the Netherlands.

Prevention Measures to Combat Security Breaches by Bad Bots

The risk posed by bad bots requires dedicated measures to avert sophisticated automated attacks. There are various solutions that claim to eliminate bad bots. In recent years, however, bots have started to mimic human behavior, hence the risk of categorizing genuine users as invalid traffic is mounting. Bot management solutions need to take an optimized approach that blocks all types of bad bot traffic without impacting genuine user experience. This requires that various factors be considered, including domain-specific user behavior and implementation of measures such as challenge-authentication response to validate a visitor’s identity before categorizing the visitor as genuine or invalid traffic.

Featured eBook
Speed and Scale: How Machine Identity Protection is Crucial for Digital Transformation and DevOps

Speed and Scale: How Machine Identity Protection is Crucial for Digital Transformation and DevOps

Digital transformation requires new approaches to security, demanding the protection of machine identities that enable authentication and encryption required for secure machine-to-machine communication. Solving machine identity protection challenges within DevOps environments, requires a fundamentally new approach. Information Security teams must deliver a frictionless, automated solution that allows DevOps engineers to seamlessly provision and manage certificates ... Read More
Rakesh Thatha

Rakesh Thatha

A frequent speaker at various national and international forums, Rakesh Thatha is the CTO of ShieldSquare. He writes and speaks on cybersecurity, automated threats, and prevention measures to combat bad bots.

rakesh-thatha has 3 posts and counting.See all posts by rakesh-thatha