Digital Transactions Authoritative, insightful and timely information for payments professionals
Being Number 1 when it comes to malicious online bot traffic is not the highest praise for the financial-services industry. But, that’s where the industry stands in the “2019 Bad Bot Report: The Bot Arms Race Continues,” released Wednesday by Distil Networks.
Of the traffic tracked in the report, 42.2% of bad bots targeted financial services and favored credential stuffing or account takeovers. Ticketing, 39.3%, and education, 37.9%, rounded out the top three spots. Eighteen percent of the traffic to e-commerce sites was bad bots.
San Francisco-based Distilnotes good bots may include search-engine crawlers to index Web sites. Distil’s report is based on 2018 data collected from its network that included billions of bad-bot requests anonymized over thousands of domains.
Within financial services, most of the online traffic—56.2%—is humans and 1.6% is good bots. Among e-commerce domains, 69.4% of traffic is human and 12.8% is good bots.
So-called bad bots may test credit card numbers to identify missing data, such as expiration dates and card verification codes. They also may be used to check gift card balances in efforts to steal money from the accounts.
The dilemma, however, is that bad-bot sophistication is improving, Distil says. “Bad bots are evolving and are more sophisticated than ever,” the report notes. “Increasingly they’re mimicking real human workflows across web applications to ‘behave’ like real users. Bots are obfuscating their activity by reverse engineering detection systems. Advanced attackers now show definitive behavior that they know about the technology they’re trying to defeat, and they’re continuously learning how to adapt their tactics.”
The more sophisticated bad bots, known as advanced persistent bots, accounted for 76.3% of 2018’s bad-bot traffic, almost matching the 2017 figure. The majority—84.5%—of the bad bots that attacked financial-services domains were moderate to higher in sophistication, Distil says.
By country, the United States, at 53.4%, experienced by most ill-intended bots, followed by the Netherlands, 5.7%, China and Germany, each at 3.9%, and Canada, 3.2%.
