Antoine Vastel, DataDome: Defending Against the Next Evolution of Automated Bot Attacks

We sat down with Antoine Vastel, PhD, VP of Research at DataDome, 2023's Enterprise Security Tech Cyber Influencer of the Year, to discuss how automated bot attacks have recently evolved and how organizations can go about protecting themselves and their customers. You can also listen to Antoine's episode on The Cyber Jack Podcast.

Antoine Vastel, DataDome

How has the bot ecosystem changed over the past year?


Automated bot attacks—whether carried out through scraping, credential stuffing, scalping, or other tactics—are evolving and growing in sophistication every day. Attackers already leverage a wide variety of techniques to distribute their attacks, and with the development of bots-as-a-service, scaling these attacks is becoming easier than ever.


Adding to this, as we’ve seen over the past year, the evolution and development of artificial intelligence and the advent of LLM tools such as ChatGPT is shifting this bot ecosystem landscape at a breakneck pace. For example, progress in audio and image recognition techniques has made it easier for attackers to forge even complex 3D CAPTCHA challenges at scale, while advances in LLMs enable bots to generate personalized and realistic spam content at a scale never reached before – for almost no cost.

Which verticals have become the prime targets for bots and do you expect this trend to continue in 2024?


Bots have increased in sophistication with their ability to mimic human behavior and bypass basic security tools like traditional WAFs and CAPTCHAs, making retail a prime target over the past year. Specifically, we have seen an increase in attacks on clothing, footwear and electronic goods companies, among others. 


Proving how mainstream bots have become, another industry we saw take some major hits was the ticketing industry, most famously around the Taylor Swift Eras Tour ticket fiasco. This is a prime example of both the increasing sophistication of bots and the massive payday threat actors see in scalping tickets and other in-demand goods like sneakers and game consoles. When earning potential is high from a premium brand or event, it creates a greater incentive to build and use sophisticated bots. 


With that in mind, it will likely continue to be difficult for consumers to access limited edition products or experiences. In fact, we have recently seen this evolve to target the restaurant industry as well. We are now seeing situations where scalpers are buying up restaurant reservations, which is especially impactful for smaller businesses like most restaurants that can’t afford this kind of hit to their bottom line or reputation. I don't know what will come next, but I’m sure it won't stop there!


Wasted time and customer churn are just the tip of the iceberg when it comes to bad bots and online fraud costs. Can you highlight additional financial damages for businesses to consider?


Bot and online fraud attacks have significant impacts on bottom-line business costs, as well as customer satisfaction, brand reputation and other key factors for e-commerce and other enterprises. In recent years, we have seen bot attacks cripple online marketplaces, and rob consumers—and businesses—of their money.


From an internal cost perspective, employees can easily spend hours manually mitigating such attacks, resulting in a tremendous amount of frustration and burnout, while pulling focus from revenue-driving activities. In terms of the external impacts of bot attacks, loss of customer trust, declining customer satisfaction and reputational damages are top of mind.


But wasted time and customer churn are just the tip of the iceberg when it comes to bad bots and online fraud costs. There are additional financial damages to consider including: 


Revenue Loss - While it is possible for the financial impact of a bot attack to be sudden, sharp, and obvious, bad bot traffic often hurts your revenue in more subtle ways, including website downtime and poor site performance. For example, consider application layer DDoS attacks. While they are typically “low and slow,” they can still take down your company’s site, which can be quite costly.


Operational Expenses - In addition to revenue loss, bot attacks and fraud can drive up operational costs, in the form of customer loyalty rewards abuse, inflated content delivery network (CDN) bills, and increased authentication costs, among others.


Indeed, loyalty and reward program fraud is a very lucrative business for hackers, making these types of programs vulnerable to attacks. Industry experts estimate that loyalty and reward point fraud results in around $1 billion lost every year.


With regard to increased authentication costs, if any of your online services require extra authentication, it may be associated with extra fees. For example, with two-factor authentication (2FA), you may pay for an SMS text to be sent any time a user logs in.


If your login page is hit with a massive volume of malicious bot requests, it can generate an SMS bill of tens or hundreds of thousands of dollars fast.


Regulatory Penalties - As both attackers and the cybersecurity industry evolve, regulatory bodies are taking notice—and action. For example, the Biden administration announced a newly formed National Cybersecurity Strategy earlier this year, and the SEC released new rules and regulations on cyber risk management as well as incident reporting. In turn, C-suite and cybersecurity executives must bear these new regulations and standards in mind, or else risk pricey penalties.


The negative financial impacts of malicious bot traffic and online fraud attacks can range from immediate to delayed and be both severe and long-lasting. That’s why most enterprise leaders will tell you that finding the right bot protection will save you money in the long run, from averted costly attacks to employee hours saved from manual bot mitigation. 


Finally, how are DataDome’s bot protection solutions solving the challenges of these sophisticated threats? 


DataDome’s award-winning bot and online fraud solution detects and mitigates attacks on mobile apps, websites, and APIs in real time, protecting 300+ enterprises from account takeover, scraping, payment fraud, DDoS, credential stuffing, and more.


Traditional methods (such as WAFs and siloed CAPTCHAs) are no longer effective against today’s advanced threats. With that in mind, DataDome continues to innovate and has ramped up its bot protection offerings to a whole new level by enabling a new challenge response for customers, called Device Check. This invisible challenge works behind the scenes, validating device-specific signals with proofs of work – all without prompting any visible interaction with end users.


Device Check excels in identifying even the most advanced and evasive bots right from their initial requests. Unlike traditional security measures that may only catch bots after repeated suspicious behavior, Device Check's advanced algorithms are finely tuned to spot telltale signs of automation and malicious intent.


Additionally, it analyzes device-specific signals in real time such as requestor environment, automation framework usage, or any bot cloaking techniques, and enforces device-level proofs-of-work via JS challenges, thereby substantially increasing detection accuracy and further reducing the frequency of visual CAPTCHAs.


As we move into 2024, DataDome remains committed to stopping bad bots and online fraud with speed and accuracy—without damaging UX. We will continue to expand our capabilities to offer our customers the most holistic, advanced bot mitigation solution on the market.


For regular product updates, please check https://datadome.co/changelog/.
