Bots are besieging e-commerce sites, and they cost businesses millions of dollars. Research shows that bots attacked almost three-quarters of e-commerce websites and 83 percent of e-commerce mobile apps last year. Bots infiltrate almost every site by scraping content, buying up goods before anyone else, or using stolen passwords to take over accounts. Businesses still do not fully understand the threats that bots pose, leaving their organizations vulnerable to growing threats.
A recent survey of 440 businesses across the e-commerce, travel, entertainment, financial services, and telecoms sectors in the U.S. and the U.K. found that two-thirds of companies are at higher risk of malicious attacks because of common misconceptions about bots. While most businesses were aware that bots were an issue, many were confused about where attacks originate and which technologies and techniques are effective against them.
Here are the five biggest myths believed by e-commerce businesses:
- Web Application Firewalls (WAFs) and Distributed Denial of Service (DDoS) protection will stop sophisticated bots. More than three-quarters (77 percent) of e-commerce businesses believe that WAFs will keep them secure against bot attacks. This is a false assumption. A WAF is valuable and recommended, but it does not defend against sophisticated bots. As a result, businesses think they're protected but remain vulnerable and exposed to severe loss of profits. Why? Because WAFs block attacks that target vulnerabilities in the code, using techniques such as injection. But many bots exploit websites by attacking "business logic." For example, a bot can find an item and hold it in a cart while reselling it on another site; the purchase goes through only once the other sale is made. It isn't exploiting any fault in the code. The attacker turns an understanding of how the site works against it, and a WAF won't help. Many products offer basic bot mitigation as an add-on, but in reality they cannot cope with the sophistication of bot operators' tactics and techniques.
- Distributed Denial of Service (DDoS) protection can defend your business from bot attacks. Seventy percent of e-commerce companies feel this way — but they're wrong. Here's where the confusion sets in: a DDoS attack will often use a network of compromised machines (aka a botnet) to launch an attack that overwhelms a site with traffic and ultimately takes it offline. Bots want to take advantage of a working site; they don't want it offline. While bots can overwhelm a site with traffic, they do it in a way that limits how frequently they repeat actions so they don't get shut down. Some bots can even learn the limits of specific sites to avoid termination.
- Bot attacks only come from Russia and China. More than half of businesses (63 percent) believe that the risk is only from Russia and China. That's false. While many attacks do stem from these regions, bot attacks come from all over the world. Over half of threats detected come from the U.S. (51 percent). The bots that businesses need to be worried about are the homegrown ones, specifically those aiming to make a profit, not necessarily those influencing elections or spreading propaganda. Companies falsely believe that limiting or banning traffic based on the country of origin will prevent attacks. That's not an effective strategy. Bot operators can impersonate legitimate users from another country, making those restrictions pointless.
- Buying bots only happens on the dark web. More than half of e-commerce operators (61 percent) think bots are only purchased underground, in places like the dark web. However, today we see bots and lists of usernames and passwords accessible to everyone on the public web. It's easy to find a bot for purchase, especially one aimed at hard-to-find or limited-edition goods like sneakers or gaming consoles; these are marketed out in the open directly to consumers. We're also seeing people hire professional businesses (hackers for hire) to carry out bot attacks. This means that more people can subvert websites, attempt account takeovers, run scalper bots, and disrupt businesses.
- Bot users are criminals. Right now, it's not a crime to use a bot when it comes to buying goods for resale. Proposed legislation is in play to ban it in the U.S. and U.K., but it's not approved yet. Fifty-six percent of e-commerce businesses believe using bots is an illegal offense. The truth is that not everyone using a bot is trying to break the law overtly. Those trying to use stolen passwords to take over accounts are deviant and committing a crime. Still, others may be regular people trying to access a popular product. It doesn't mean the damage to a business isn't devastating, but there are different implications.
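The first myth above rests on one distinction: a WAF inspects request payloads for code-level attacks, while the cart-holding scheme described there consists entirely of well-formed, legitimate-looking requests. The following Python is an added illustration of that gap, not code from the article or from Netacea. It runs a small set of injection-style signatures (a stand-in for what a WAF does) over constructed cart events and then runs a separate business-logic check that looks at how long scarce stock has been held and how many units one account is holding. The event data, account names, the "console-x" SKU, the 15-minute hold limit and the two-unit threshold are all constructed assumptions for the example.

```python
"""Added example: payload signatures (WAF-style) versus a business-logic check.

All events, names, SKUs and thresholds below are constructed for this
illustration; none come from the article.
"""
import re
from collections import defaultdict

# Signature-style checks of the kind a WAF applies to request parameters.
WAF_SIGNATURES = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"union\s+select", re.I),
    re.compile(r"['\"]\s*or\s+\d+\s*=\s*\d+", re.I),
    re.compile(r"\.\./"),
]

# Stock the business considers scarce (assumption for the example).
SCARCE_SKUS = {"console-x"}

# Constructed cart events: (timestamp_seconds, account, action, sku, quantity).
# "resell-17" adds a scarce item three times and never checks out; "probe"
# sends a malformed SKU that a WAF would catch; the rest shop normally.
EVENTS = [
    (0,   "alice",     "add_to_cart", "console-x", 1),
    (120, "alice",     "checkout",    "console-x", 1),
    (30,  "resell-17", "add_to_cart", "console-x", 1),
    (35,  "resell-17", "add_to_cart", "console-x", 1),
    (40,  "resell-17", "add_to_cart", "console-x", 1),
    (50,  "probe",     "add_to_cart", "x' or 1=1", 1),
    (300, "bob",       "add_to_cart", "console-x", 1),
    (900, "bob",       "checkout",    "console-x", 1),
]


def waf_flags(events):
    """Return (timestamp, account) for events whose parameters match a signature.

    Only the malformed SKU from "probe" matches; every request from the
    cart-holding account is syntactically clean and passes untouched.
    """
    flagged = []
    for ts, account, action, sku, qty in events:
        params = (account, action, sku, str(qty))
        if any(sig.search(p) for sig in WAF_SIGNATURES for p in params):
            flagged.append((ts, account))
    return flagged


def hoarding_flags(events, now, hold_limit_s=15 * 60, max_units=2):
    """Return (account, sku, reasons) for scarce stock held abnormally.

    A hold is abnormal when it is older than hold_limit_s without a checkout,
    or when one account holds more than max_units of a scarce SKU. Both
    thresholds are assumptions chosen for the example.
    """
    held = defaultdict(lambda: {"qty": 0, "first_add": None})
    for ts, account, action, sku, qty in sorted(events):
        if sku not in SCARCE_SKUS:
            continue
        key = (account, sku)
        if action == "add_to_cart":
            held[key]["qty"] += qty
            if held[key]["first_add"] is None:
                held[key]["first_add"] = ts
        elif action == "checkout":
            # A completed purchase releases the hold for that account and SKU.
            held.pop(key, None)

    flags = []
    for (account, sku), h in held.items():
        reasons = []
        age = now - h["first_add"]
        if age > hold_limit_s:
            reasons.append(f"held {age}s")
        if h["qty"] > max_units:
            reasons.append(f"{h['qty']} units")
        if reasons:
            flags.append((account, sku, reasons))
    return flags


if __name__ == "__main__":
    print("WAF-style hits:", waf_flags(EVENTS))
    print("Business-logic hits:", hoarding_flags(EVENTS, now=3600))
```

Run an hour into the constructed timeline, the signature pass reports only the malformed request from "probe", while the business-logic pass reports "resell-17" for both holding scarce stock past the limit and holding more units than a shopper would need. The point is the division of labour: the signature layer has no concept of a cart, a hold time or scarce inventory, so the checks that catch this pattern have to live where those concepts exist.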
Bots will continue to plague online retailers. Companies need ongoing education about the latest threats that bots pose. They can't manage the risk without a clear understanding of what bots are and what they're trying to achieve. Organizations that don't know how bots are being used against them won't be able to prevent attacks, and their bottom lines will suffer.
Matthew Gracey-McMinn is head of threat research at Netacea, a revolutionary bot management solution.
Matthew Gracey-McMinn is an experienced Cyber Threat Intelligence professional with an MPhil from the University of Oxford. In his current role at Netacea, he researches and investigates the impact of malicious bots on online businesses and their customers.