New Arkose Labs Survey Reveals the True Impact of Bot Attacks

The survey findings show the impact bot attacks have on businesses, the difficulty in detecting modern, intelligent bots, and the impact these attacks have on their customers. How prepared are you to fight the intelligent bot revolution?

Owing to their evolving capabilities and growing digital presence, bots are becoming a headache for businesses. The proliferation in the number of devices consumers have come to use – from always-on smartphones, tablets, smart TVs, and gaming consoles to smart appliances, connected automobiles, and virtual reality – is further exacerbating the problem. This explosion in the number of devices provides fraudsters with a vast attack surface and several touch points to exploit.

2021 was a runaway year for bots, which constituted 86% of all attacks. They are becoming advanced with human-like capabilities, allowing for better interaction with fraud defenses that require nuanced interactions. Some of the most common bot-driven attacks include credential stuffing that powers account takeover attempts, new fake account creation, scraping, scalping, OTP interception, DDoS, inventory hoarding, disseminating spam, and many more.

The popularity of bots stems from the fact that they are readily and cheaply available and allow fraudsters to scale up the attacks at minimal personal cost. Large-scale attacks allow attackers to extract higher returns even if a small percentage of their efforts succeed. Attackers are also using bots to orchestrate more complex and sophisticated hybrid human-bot ‘cyborg attacks.’ Intelligent bots can fool fraud defenses as they can simulate mouse movements and key presses. The use of multiple scripts to perform different functions of an attack is further making bot signatures complex, causing elevated problems for businesses.

The cat-and-mouse game between attackers and businesses

Digital businesses today are more wary of bot attacks. However, they still end up playing the cat-and-mouse game with attackers. Traditional bot defenses are obsolete as even basic bots can now easily bypass them. To understand how bot attacks affect businesses and why they fail to prevent attacks, we teamed up with the market research firm Pulse and polled technology leaders for our survey entitled ‘Modernizing Bot Attack Prevention.’

The survey findings reveal the helplessness businesses face due to bot attacks. According to most respondents, bad bots that significantly impact business revenues are spam bots (76%), scraping bots (51%), and credential stuffing bots (48%). When it comes to the most targeted touch points, 60% of executives identified account takeover and credential stuffing targeting the user login point as the most frequent bot attacks on their organizations.

The survey reveals bad bots usually target externally facing forms (60%), in-application actions (56%) and APIs (40%) when attacking a business. The biggest damage, according to the survey report, is to the brand reputation, followed by operational costs and lost net-new customers. Hacking of accounts, spam, and incessant phishing attacks can cause consumers to take to social media platforms and voice their complaints. Large attacks attract adverse coverage in news media, which erodes the brand equity of the business and can even take months or years to reverse. When asked about the biggest impact bot attacks have on end users, nearly half (46%) of the respondents cited disrupted user experience.

Intelligent bots make real-time detection difficult

Another grim revelation of our survey is that intelligent bots are powering attacks that are extremely difficult to detect as they happen. Nearly 75% of respondents found detecting bot attacks in real time either extremely or somewhat difficult. This inability is due to the high velocity with which automated attacks can be launched. The greatest hurdle in fighting bots, according to 54% of the executives surveyed, is the difficulty in distinguishing between bots and human users, while 35% cited lack of real-time bot detection.

This difficulty in telling bots from humans is because advanced bots can mask their true intent and appear as human traffic. They can ‘blend in’ with good traffic, making it difficult for businesses to detect these attacks as they happen. Often, even days or weeks after an attack, businesses are still not able to detect it.

A growing gray area adds to the challenge

Smarter, human-like bots are adding to the ‘gray area’ of digital traffic, where risk signals are inconclusive. Regardless of the platform, this gray area is only getting bigger, causing false positives or false negatives. It is not only the evolution of bots; outdated bot defense solutions are also adding to the ‘gray’ signals. These solutions are ineffective when it comes to telling bad actors from genuine consumers.

Since businesses do not know how to respond to inconclusive signals, many of them choose to block such traffic, which leads to blocking good users. On the other end of the spectrum, being too lenient lets too many bad bots through.

That said, outrightly blocking any user is not ideal, as it may filter out a potentially revenue-generating legitimate consumer. Although many businesses are using some form of challenge-response mechanism to stop automated attacks, these solutions fail to stop bots and cause unnecessary friction and frustration for good consumers. This failure can be attributed to advances in machine vision technology that enable bots to solve them rather easily.

Current bot defense approaches are subpar

While bots are evolving at a rapid pace, bot defense solutions have not kept pace. Most of them lack clarity on how they assess risk. This lack of clarity leads to a blackbox situation where there is no reason available for risk decisioning and, therefore, no insights. These solutions neither have a feedback loop that can improve the models for future decisioning nor access to risk data that can inform downstream decisioning.

Unlike bots that come with 24/7 support services, bot detection solutions have no dedicated managed services team to provide support when needed. Our survey reveals that only 34% of the respondents are satisfied with the protection their bot prevention solutions are able to provide.

Does that mean there is no way to beat these intelligent bots? The answer is a resounding No. Some of the steps that businesses can take to beat bots are: early detection, ability to deal with inconclusive signals, and a sophisticated attack response.

A novel approach to stop the intelligent bot revolution

Arkose Labs takes a novel approach to stop the intelligent bot revolution, long-term. The Arkose Labs Fraud Deterrence Platform combines sophisticated attack detection risk analysis with an innovative challenge-response mechanism to defeat persistent bots and coordinated human click-farm attacks on targeted user action points. A continuous feedback loop between real-time bot detection, user challenges, and advanced analytics not only stops and deters future attacks but also provides transparency in risk-decisioning.

To defend against automated solvers, we create context-based enforcement challenges and train them extensively against the latest innovations in machine vision. This hardening makes it expensive and time-consuming for bad actors to clear the challenges at scale, forcing them to give up in the wake of dwindling returns.

To learn more about the survey results and ways to modernize prevention of bot attacks, request your copy here.

*** This is a Security Bloggers Network syndicated blog from Arkose Labs authored by Lizzie Clitheroe. Read the original post at: https://www.arkoselabs.com/blog/new-arkose-labs-survey-reveals-true-impact-of-bot-attacks/
