Part of a ZDNet Special Feature: A Winning Strategy for Cybersecurity

Google: Bad bots are on the attack, and your defence plan is probably wrong

Bot attacks are on the rise as businesses move online due to the pandemic, according to Google.

Google is warning that bots are causing more problems for business – but many companies are only focused on the most obvious attacks.

At the outset of the COVID-19 pandemic, Microsoft chief Satya Nadella said Microsoft had seen "two years' worth of digital transformation in two months." Google now sees that attackers have adapted to these changed conditions and are boosting attacks on newly online businesses, with bots high on the list of tools used.

Bot attacks can cover anything from web scraping, where bots are used to gather content or data, to bots that try to beat Captchas, to ad fraud, card fraud and inventory fraud. Of particular concern are distributed denial-of-service (DDoS) attacks, where junk traffic is directed at an online service with the purpose of flooding it to the point of knocking it offline.

According to the advertising giant, 71% of companies experienced an increase in the number of successful bot attacks, and 56% of companies reported seeing different types of attacks, but it said many companies are using the wrong mix of technology to protect themselves.

Google's research has found that while 78% of organizations are using DDoS protection, such as web application firewalls, and content distribution networks (CDNs), fewer than a fifth of them are using a "full bot management system".

"Bots attack an application's business logic, and only a bot management solution can protect against that sort of threat," says Google Cloud Platform's Kelly Anderson, a product marketing manager.

"To effectively safeguard web applications from bot attacks, organizations must use tools like DDoS protection, WAF, and/or CDNs, alongside a bot management solution."

According to Anderson, there's a missing link between application security and security operations teams on one side and e-commerce, fraud, and network security pros on the other, which allows bots to pose a threat to business operations.

"Effective bot management relies on collaboration between many teams within an organization, including security, customer experience, e-commerce, and marketing. But on average, only two teams are involved in bot management, usually the application security and security operations teams. Yet, it's the e-commerce, fraud, and network security professionals that most commonly consume the data from bot management tools. This disconnect can lead to the commerce or fraud teams being left out of critical bot management decisions," she explains. 

Because of this disconnection between security and anti-fraud teams, firms spend 53 working days – or nearly two months – across roles resolving attacks.

Anderson wants businesses to invest in a bot management system that can detect the most sophisticated bots. 

"Good automated traffic comes from approved partner applications and search engines, while bad traffic comes from malicious bot activity. Bots account for over half of all automated web traffic and nearly a quarter of all internet traffic in 2019, leaving professionals to thread the needle," Google says in a research paper. 

Google commissioned the research from analyst firm Forrester Consulting, which looked at bot management approaches. The survey drew 425 respondents with responsibilities over fraud management, attack detection and response, and the protection of user data.

The company found that most organizations are only protecting themselves against card fraud, ad fraud, and influence fraud attacks.

"Only 15% of businesses are currently protecting themselves against web scraping attacks, yet 73% face such an attack on a weekly basis," Forrester Consulting says. 

Almost two-thirds of respondents said they lost between 1% and 10% of revenue to web scraping attacks alone. 

"Many businesses focus on the types of attacks that are most commonly in the news, rather than the attacks that can cause the most damage to their bottom lines," the consulting firm says.