Bot Attack Costs Double Since 2020: Netacea 

According to a new Netacea report, Death by a Billion Bots, the typical business in the US and UK loses over 4% of its online revenue each year to malicious, automated bot attacks, an average of $85.6m per business, up from $33.3m per business in 2020.

The attacks observed varied, with the majority (65%) targeting mobile devices, followed by websites (63%) and APIs (40%). The most common bot strategy, reported by 49% of respondents, was sniper bots, which monitor time-based activities such as online auctions and submit their input at the very last moment. These attacks are particularly damaging in dynamic pricing environments in financial services.

Unfortunately, these attacks often go unspotted and can persist for months. Netacea calculated the average “dwell time” to be four months, with 97% of respondents saying it took over a month to respond to malicious automated attacks.

“The cumulative effect of these attacks is wiping tens of millions of dollars in value from online businesses, not to mention the effect on their reputations and operations, yet this activity is low key enough to remain undetected for months,” warned Netacea co-founder, Andy Still.

George McGregor, VP, Approov has this comment:

   “There is an interesting trend in the report: Website attacks down slightly in the last 2 years while mobile up nearly 50% and API attacks up 74% in the same period.

   “This is not really a surprise given the massive uptick in mobile app deployment and the way apps rely on owned and third-party APIs to do their job.

   “The good news is that unlike the web/browser use-case where distinguishing bots from humans is tricky – and annoying, a good mobile app attestation solution can identify fake apps, scripts, and modified devices and block bot traffic at the source before it even gets to the API.”

Ted Miracco, CEO, Approov follows up with this:

   “The bot arms race demands continual improvement especially against persistent nation-state threats. Bots are ingenious, but proper defense in depth strategies can recognize and repel sophisticated bot attacks before they compromise valuable data or revenue.

   “Mobile attestation validates the integrity of client devices and apps using cryptographic measurements to detect if code has been altered, thus ensuring bots can’t modify functionality or bypass security. Consider authentication schemes specific to devices/platforms like app attestation on mobile instead of just username/password.

   “The goal is one of using proven, secure protocols and short-lived credentials rather than complex user authentication schemes. Monitoring for anomalies in traffic patterns also helps identify stealthy bots masquerading as human users.”

Emily Phelps, Director, Cyware adds this:

   “As a tool, AI is leveraged by defenders and threat actors alike. Adversaries are using AI-powered bots for brute force attacks and credential stuffing, rapidly testing username-password combinations faster than humans could ever do alone. They are training them to bypass traditional bot detection methods. In short, these bots can move and scale at a speed beyond human capabilities so security defenses must match pace. We must implement automation that can break down data, tech, and team silos and more rapidly deliver context-rich intelligence to the right people who can then swiftly respond.”

Attacks by bots are a present-day problem and need to be factored into how an IT environment is defended. If that doesn’t happen, the costs to the organization can be significant.
