Securing Applications from Sophisticated Bot Attacks with HUMAN

Sophisticated Bots Represent an Increasingly Disruptive, But Often Overlooked Threat Vector

Most businesses today rely on e-commerce capabilities, customer-facing web applications, and open APIs that are susceptible to abuse by sophisticated bots. Yet while many organizations know they have experienced these types of attacks, the sophistication modern bots exhibit by mimicking human behavior and executing legitimate transactions that become malicious only by their scale or outcome can make detection difficult (see Figure 1).1 Some of the most common fraudulent and abusive bot-based attacks include:

• Account takeover (ATO) – Nearly one-third (31%) of ESG research respondents have experienced ATO attacks from sophisticated bots. In an ATO attack, existing user accounts are compromised and exploited by cyber-criminals, typically through credential stuffing or credential cracking, activities which can run at a high scale through sophisticated bots.

• New account fraud – Almost half (45%) of respondents cite automated account creation by sophisticated bots as an attack they have seen. In this case, fraudulent accounts created by sophisticated bots can be used for social media disinformation, phony product reviews, and other reputation-based attacks, or more direct financial attacks such as inventory holding and spoofing, payment and wire fraud, and money laundering.