It’s estimated that between 40 and 70% of internet traffic is automated. In short, around half of all the activity on the internet is performed by software such as web crawlers or spiders, and an army of bots.

And, of this automated traffic, a sizeable chunk is thought to be from bad bots.

For anyone running an online business or managing a website, these bad bots can be more than an annoyance. They can be used to perform a huge variety of malicious activities and damage more than just your website.

So what exactly is a bad bot, and what makes it so bad?

What are bad bots?

Bad bots are automated software programs designed to either defraud or damage internet-based networks. They can be used to perform relatively benign but annoying tasks such as posting spam comments on websites or social media. Or they can be used to commit serious cyber crimes such as data theft, credit card fraud or ad fraud.

Modern bad bots also often use machine learning algorithms to help them improve their performance and automate more of their tasks.

However, a bot does need a taskmaster to perform its duties. This is usually a human controller, but bots can also be operated as part of an automated process, such as spreading copies of themselves or collecting data via fraud.

These bad bots have often spread with the help of viruses or other forms of malware. Because bots need a host computer to operate from, they can either be operated from a central location, for example a click farm or bot farm, or they can be distributed in data centers or infected devices across the world, creating a network of connected bots, also known as a botnet.

In fact, most bad bots have been found to operate from Amazon Web Services (AWS) and Microsoft Azure data centers.

What are the different types of bad bots?

Bad bots come in a broad range of flavors and levels of sophistication. Many bots are built specifically for a certain type of activity, but they can also be repurposed and used for other forms of cyber fraud at a later date.

And because there is already a huge network of existing botnets, these bad bots can be mobilized easily by willing fraudsters. In fact, these botnets can be hired for relatively low costs on the darknet.

Most bad bot attacks online are done using older botnets as their attack vectors.


The most common types of malicious bots you’ll see online include:

Spam bots

We’ve all experienced spam, often in our inboxes. But spam can be much more insidious than just cluttering up your email. For starters, spam bots can be used by black hat SEO practitioners to post crappy comments with backlinks on websites and forums.

But there are also advanced spam bots which can perform spam injection. This is where a bot accesses your website’s file management system and adds in hidden content such as spam comments, redirects and even hidden pages.

The aim of this form of spam injection is to generate backlinks for clients, or to generate traffic for a low quality site such as gambling, adult themed or narcotics themed sites. Obviously this is a hugely disruptive way of adding backlinks and totally against best practice guidelines. And, for your site, the implications can be hugely damaging with multiple penalties and the added headache of disruption for you and your customers.


Content scraping bots

Some good bots can be used to collect information and data from across the internet, something that would take a human a lot of time. But content scraping bots can also be used to copy or spoof entire websites.

Website spoofing is a common practice used by fraudsters operating phishing scams or fake product scams. And by copying your website in its entirety (or even partly) a scammer can deceive your customers who might not be able to tell the difference.

A common target is popular ecommerce sites, where scammers might want to copy the entire layout and product lines to deceive customers. But content scraping can affect any business, not just those selling products online.


Fake engagement bots

One of the most common reasons to use bots is for fake engagement, usually on social media. In fact, stats show that many popular influencers have fake followers numbering between 10 and 40% of their total audience.

These fake engagement bots can also be used to view videos on YouTube, watch Twitch livestreams or even listen to music on sites like Spotify. Because the like or view count metrics affect the algorithms on most of these sites, inflating engagement can help boost an account’s popularity – albeit fraudulently.

Fake engagement can also include fake traffic on websites. This is often done to inflate the views or clicks on ads hosted on websites, known as ad fraud.

And the worrying thing is that this fake traffic isn’t even expensive or hard to find. People can generate huge volumes of fake traffic for slightly more than the price of a coffee.


Talking of which…

Ad fraud or click fraud bots

Fake engagement on paid ads is known as click fraud and is thought to affect around 90% of all Google Ads campaigns. There are several levels of click fraud.

Casual click fraud is often carried out by competitors or brand haters who simply click on an ad each time they see it to waste their rivals’ budget.

Website publishers may also perform click fraud by hiring traffic bots to visit their sites and improve their viewing metrics. This isn’t just for ad revenue but can also be done to dupe partners into thinking the site has a bigger audience than it does, usually to win higher-paying guest posts, which is one of the problems with guest posts based on domain authority.

Organized click fraud, or ad fraud, is where criminals manage a campaign to purposely perform high levels of click fraud for profit. Some of the best known ad fraud campaigns include Methbot, Hyphbot and Drainerbot.


Credential stuffing bots

Also known as brute force login bots or account takeover bots, these bad bots are designed to crack passwords, enter websites and steal data or take over accounts. A similar type of bot is also used to perform credit card fraud, or carding – a process where multiple payment cards are tried in a short period of time to work out which ones work.

These sophisticated bots can be used to crack the code in seconds. If you ever wondered why you need to have unique complex passwords for all of your accounts, that’s because credential stuffing bots use commonly used passwords to great success. If your password is ‘admin’ or ‘password’ for any of your logins anywhere, go change that ASAP.
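A velocity check is one way to spot the pattern described above, where one source tries many different accounts or cards in a short period. This is an added example, not from the original article; the event format, the 60-second window and the limit of 5 are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed look-back window
MAX_DISTINCT = 5      # assumed limit of distinct accounts/cards per source

def find_stuffing_sources(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT):
    """Return {source_ip: timestamp_when_flagged} for sources that fail
    against more than `limit` distinct identifiers inside `window` seconds.

    events: (timestamp, source_ip, identifier, success) tuples sorted by
    timestamp; `identifier` is a username or a card token.
    """
    recent = defaultdict(deque)   # source_ip -> deque of (timestamp, identifier)
    flagged = {}
    for ts, ip, ident, success in events:
        if success:
            continue              # only failed attempts count toward the limit
        q = recent[ip]
        q.append((ts, ident))
        while q and ts - q[0][0] > window:
            q.popleft()           # forget attempts older than the window
        distinct = {i for _, i in q}
        if len(distinct) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample events (documentation IP ranges, made-up usernames).
SAMPLE_EVENTS = sorted(
    # A bot walking a username list, one attempt every 2 seconds.
    [(1000 + 2 * n, "203.0.113.7", f"user{n}", False) for n in range(8)]
    # A person mistyping the password for their own account, then getting in.
    + [(1001, "198.51.100.20", "alice", False),
       (1015, "198.51.100.20", "alice", False),
       (1030, "198.51.100.20", "alice", True)],
    key=lambda e: e[0],
)

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_EVENTS))
```

A per-source counter misses attempts spread thinly across many addresses; the same counter keyed on the target account instead of the source covers that case.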

Crypto mining

A case in point of the multi-use botnet is the crypto mining bot. This form of malware is often either injected into websites or web browsers from infected software (often email attachments or bootleg software) and will then remotely mine bitcoin or other crypto currencies for the fraudster.

However, crypto mining botnets are often also repurposed for DDoS attacks or for other coordinated bot attacks. 

Attack bots

Some malicious bots are built specifically for damage and for fraud and extortion. The most infamous of these types of attack bots are those used for ransomware. By accessing a website, ransomware bots can shut down a website and cause huge disruption to business until a (usually huge) ransom is paid.

Estimates put the cost of ransomware attacks at around $20 billion a year as of 2022.

Another form of attack on websites is the DDoS or distributed denial of service. By overloading the server with trash bot traffic, a website can be taken offline or compromised. DDoS attacks can be coordinated by fraudsters looking to extract a ransom, or sometimes by malicious individuals simply looking to cause disruption. 

How bad bots get around security controls

Although many platforms use a number of security measures to block bad bot traffic, the truth is that some of the systems are not good enough. For example, although Google uses filters to spot and block fraudulent traffic (invalid traffic, as it is called), these bots can get through by changing their IP addresses, mimicking behavior to look like genuine human users and using device spoofing.

Device spoofing allows bots hidden in data centers to appear as if they are mobile devices or desktop computers anywhere in the world. 
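One defensive check for the device spoofing described above is to compare the device a request claims to be with the network it comes from. This is an added example, not from the original article; the network ranges are constructed placeholders (documentation blocks) standing in for a real data-center list, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 documentation blocks). A real
# deployment would load the ranges that hosting providers publish.
DATACENTER_NETS = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")
]

# User-Agent fragments that claim a consumer phone or desktop.
CONSUMER_UA = re.compile(r"iPhone|Android|Windows NT|Macintosh", re.I)

def in_datacenter(ip):
    """True when the address falls inside a known hosting range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_NETS)

def classify(ip, user_agent):
    """Return 'spoof-suspect', 'datacenter' or 'ok' for one request."""
    if not in_datacenter(ip):
        return "ok"
    if CONSUMER_UA.search(user_agent or ""):
        return "spoof-suspect"   # consumer device claimed from a hosting range
    return "datacenter"          # hosted client that does not hide what it is

# Constructed sample requests: (source IP, User-Agent header).
SAMPLE_REQUESTS = [
    ("192.0.2.15", "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"),
    ("198.51.100.9", "ExampleCrawler/1.0"),
    ("203.0.113.50", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]

if __name__ == "__main__":
    for ip, ua in SAMPLE_REQUESTS:
        print(ip, classify(ip, ua))
```

Treat a match as one signal to score rather than proof, since VPN and corporate proxy traffic also leaves from hosting ranges.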

Now, with these more sophisticated bots constantly changing and evolving, many of the big platforms are playing catch up. 

And with so much traffic coming from bad bots, there has been a boom in the bot blocking and fraud prevention industry.

The cost of bad bots to the online economy

Global cybercrime is thought to have cost the global economy between $1 trillion and $6 trillion in 2021.

This includes everything from ransomware to ad fraud.

In fact, ad fraud is the biggest slice of the cybercrime cake, accounting for over $41 billion in 2021. Compare that to credit card fraud which took a relatively modest $31 billion in the same year.

Can you use robots.txt to block bad bots?

As many website owners are aware, the robots.txt file can be used to stop certain bots from crawling or indexing specific pages on your website. So can you use robots.txt to block bad bots?

Unfortunately, no, not really.

Bad bots will often either totally ignore robots.txt, or will use it as a sign to check that page for useful information. So in the fight against bad bots, robots.txt can’t help you…
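Because bad bots ignore robots.txt or read it as a map, a request for a disallowed path is itself a detection signal, even though the file cannot block anything. This is an added example, not from the original article; the decoy path, the log lines and the function names are constructed, and rules are assumed to be plain path prefixes that apply to all user agents.

```python
import re

ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /private-backup/   # decoy: linked from nowhere else (assumption)
"""

# Constructed access-log lines in Common Log Format.
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 200 68
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /private-backup/ HTTP/1.1" 404 153
198.51.100.20 - - [10/Oct/2023:13:56:01 +0000] "GET /products/ HTTP/1.1" 200 5120
198.51.100.20 - - [10/Oct/2023:13:56:09 +0000] "GET /administrator-guide.html HTTP/1.1" 200 900
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "POST /admin/login.php HTTP/1.1" 403 77
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def disallowed_prefixes(robots_txt):
    """Collect Disallow path prefixes, ignoring comments and empty rules."""
    prefixes = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and value.strip():
            prefixes.append(value.strip())
    return prefixes

def robots_violators(robots_txt, access_log):
    """Map client IP -> sorted list of disallowed paths it requested."""
    prefixes = disallowed_prefixes(robots_txt)
    hits = {}
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, _method, path, _status = m.groups()
        if any(path.startswith(p) for p in prefixes):
            hits.setdefault(ip, set()).add(path)
    return {ip: sorted(paths) for ip, paths in hits.items()}

if __name__ == "__main__":
    print(robots_violators(ROBOTS_TXT, ACCESS_LOG))
```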

Block bad bots for better business

The options for blocking bad bots are many and varied. But one thing is clear: businesses need some form of bot protection to safeguard their clients and their own security, whether that is stopping scammers from injecting malware or spam content into your website or preventing fake traffic on your ads.

ClickCease has been blocking malicious bot traffic and fake clicks on PPC ads since 2015 and is now the industry leader in click fraud prevention. But it’s not just about blocking bots from your paid search engine results.

Bot Zapping from ClickCease is a new tool, currently available for WordPress sites, designed to block bad bots and fraudulent direct web traffic. This includes spam bots, credential stuffing bots, content scrapers and more.

Block bad bot activity on your website and try ClickCease and Bot Zapping today as part of your cyber security suite.

With a 7-day free trial, you can run an audit on your websites and check the validity of your traffic sources.
