By Erez Hasson, Strategist, Application Security at Imperva

Since the start of the digital era, financial institutions have been at the forefront of the battle over cyber security. The finance industry hold some of the most sensitive data in the world, and hackers have spent decades finding new ways to steal and monetise that data. From customer credit card information to credit and employment status, pricing structure, and more, today’s online banking services and applications are the doorway to virtual vaults filled with data, not dollars.

It should come as no surprise, therefore, that these virtual vaults are increasingly under attack. A key driver behind this is the rise of bad bots that enable cybercriminals to launch successful widespread attacks with greater efficiency and at lower costs. So, what are these bad bots, and why are they becoming such a big issue for financial institutions?

The threat of bad bots

Bots are applications that run automated tasks on the internet – some that are helpful; some that are nefarious. Take Googlebot, for example, which builds a searchable index of documents and web pages on the internet, or on social media crawlers. This is an example of a good bot. Conversely, bad bots are applications that run automated tasks with malicious intent and are harder to detect and stop. They allow cybercriminals, unprincipled competitors and fraudsters to perform malicious tasks – such as transaction fraud and financial data harvesting – around the clock.

The 2021 Bad Bad Report from Imperva found that 40.8% of all internet traffic in 2020 was not human while bad bot traffic – the automated activity that is harder to detect and stop — increased by 6.2%, a new record. Bad bots have been terrorising the internet for the past few years, growing in sophistication and persistence. In fact, some advanced bad bots can mimic human interactions with web applications in an extraordinarily persuasive way – making this a difficult problem for financial services to manage.

Cracking the virtual vault

Throughout 2020, 34% of all login attempts to private financial accounts originated from malicious bots, determined Imperva, contributing to a 51% increase in account takeover attacks in November-December. With the threat rising, it’s vital that banks get to grips with the threat of bad bots, what it means for their business and take time to understand the tactics used by bad bot operators. Here are the top five types of attack banks should look out for:

1. Account takeover fraud: These brute force style attacks use lists of compromised user credentials to breach a system. The attack uses bots for automation and scale and assumes that most users reuse their usernames and passwords across various services. The financial services sector is often a key target for attackers, with stolen online banking logins sold for as little as $40. A successful account takeover attack can result in significant ramifications for organisations: noncompliance with data privacy regulations, loss of personally identifiable information (PII), significant brand damage, customer dissatisfaction, increased fraud and customer support costs and customer churn.
2. Credit card fraud(Card Cracking or Carding): Bad actors apply bots in two different methods. First, bots can be used to authorise stolen credit card information. Second, they’re used to guess missing parts of partial credit card information – often gained through phishing, skimming or data taken from the dark web. Such attacks can result in damage to the fraud score of a business, while also triggering increased customer service costs to process fraudulent chargebacks – not to mention lost revenues from the fraud itself.
3. Custom content theft(including financial data scraping): Competitors and aggregators often implement bots to scrape proprietary content and rates to stay a step ahead of rivals and their offerings. It’s important to note that unlike screen scraping, which only copies pixels displayed onscreen, some web scraping tools can extract underlying HTML codes and accompanying data that’s stored in a database. The scraper can then replicate entire website content elsewhere to make themselves look more reputable. This leads to revenue and market share loss to competition, or IP infringement.
4. API attacks: APIs have become an essential part of the online ecosystem in recent years. Bad bots exploit API endpoints to access to important data through attacks like API scraping or web and mobile API hijacking. Many organizations are struggling to manage API security, relying on simple authentication tokens or basic IP rate limiting to protect these critical attack vectors.
5. Denial of service at the application layer: Automated application layer attacks are different from a volumetric denial-of-service (DoS) attack. While volumetric attacks are primarily aimed at the lower-level network protocols, bad bot activity targets the application layer. Often attackers don’t intend to focus on the application. Instead, these incidents occur as an indirect consequence of the sheer volume of requests to the web server coming from automated bot traffic, creating a successful DoS attack. These attacks slow down web applications, hampering performance and elevating the risk of downtime. This results in loss of revenue due to the website’s unavailability, as well as damage to brand reputation.