You Are Not Scammed by Real People. You Are Scammed by Bots
It seems like everyone is going through some type of fatigue that is directly or indirectly caused by the COVID-19 pandemic. That is, everyone but cybercriminals. It would be great if they were too stressed out to come up with new ways to scam innocent users. Unfortunately, even though Coronavirus phishing scams seem to have declined after the March peak, they haven’t disappeared. In fact, COVID-19-themed infections and scams are bound to remain a big cybersecurity issue for quite a while. Keeping that in mind, we would like to draw your attention to a specific type of cybercrime activity where phishing scams are performed by bots.
The truth is that there is a very big portion of cybercrime activity that is performed by bots and not real people. Let’s take a closer look at how that happens and what those bots really are.
How do Internet bots work?
Inherently, Internet bots are not evil. Asim Rahal explains that essentially bots are software applications that perform automated tasks. Bot activity makes up around 25% of the Internet traffic, and they are mostly tasked with crawling through the web, looking for specific content. For instance, bots help Google find and index terms that users search for. Travel websites may employ bots to look up the latest flight and hotel information, and they can also be used by intelligence services to crawl through product reviews and social media comments.
To put it simply, these applications automate and speed up a process that would be extremely long, tedious, and full of errors if it were done manually. However, there are always two sides to the same coin, and bots can easily be exploited by cybercriminals, too. Given how prevalent bots are on the Internet, it’s no surprise that they are often used for phishing scams as well.
What are the types of bad bot activity?
The most common negative aspect of bot activity is the hogging of resources. Just like any Internet activity, aggressive bot use can put a strain on server load and bandwidth. Also, the worst type of traffic comes from the so-called “bad bots.” Phishing scams are part of that activity, as well. However, the malicious bad bot activity isn’t limited solely to that.
For instance, bad bots can be used to steal website content, thus allowing cybercriminals to create identical pages to trick users into giving away their login information. That kind of activity is called web scraping. Aside from that, there’s also data harvesting. This activity focuses on using bots to steal sensitive personal information that can be found online. Data harvesting can easily be part of a phishing scam performed by bots. The same can be said about brute-forcing logins and credential stuffing. Malicious bots are used to try out all sorts of login credentials to steal usernames and passwords.
Bad bots can also be used for spam and distributed denial-of-service (DDoS) attacks. You probably already know what spam is, but here we’re not talking about the spam you receive in your inbox. When it comes to bad bots and spam, they can automatically interact with buttons on all sorts of websites to leave fake reviews and comments. We’ll give you an example of such a phishing scam later in this entry.
Also, you’ve probably encountered a DDoS attack before, but you weren’t aware of it. Was there ever an instance when you couldn’t enter your favorite website because it was down? Well, maybe that was because bad bots overwhelmed the site’s servers, and it was forced to go offline for the time being. For DDoS, hackers often employ extensive botnets. Botnets consist of devices that are turned into bots, and not only desktop computers and phones can be compromised. Even IP cameras and routers can be turned into bots because IoT devices are vulnerable to such exploitation, too.
Phishing scams can reach your social media
These bad bots can easily reach you directly through social media. For example, recently, Facebook users in New Zealand had to grapple with ticket scam bots. These scam bots can manifest as comments under Facebook event pages, offering ticket resales. If the event is already sold out, the user could be inclined to interact with these comments, but the longer you interact with these bots, the more discrepancies you will notice.
Although they are trying to mimic human behavior, there’s still something off about them. Maybe there’s something weird with their location (why would someone from Texas have a ticket to an event in Auckland?) or about the way they’re avoiding answering specific questions? Maybe they are very pushy about the payment details, and they insist on using only PayPal (Seriously? For a local transaction?).
Essentially, double-checking the information should be enough to help you avoid a low-scale phishing scam. It’s always a good idea to remain vigilant and pay attention to details. However, on a bigger scale, phishing scams by bad bots are a big legal and economic headache for businesses and corporations because the bots can steal personally identifiable information and credit card details. They can also sometimes bypass security defenses because they can mimic human behavior. In reality, it’s not really up to regular users to block bad bot activity on Facebook or any other major website.
On an individual level, users can employ tools like Cyclonis Password Manager to ensure that they have unique passwords for every single account that they own. Also, using a password manager to encrypt and store their passwords in their own vault would make it harder for bots to steal their credentials. Don’t forget that reusing passwords eventually only helps bots to snatch important data through credential stuffing.
On the corporate level, we have to hope that websites and companies constantly monitor their traffic, so that they can prevent online fraud by restricting login attempts from unknown traffic sources. It is also only logical to invest in advanced protection solutions that can stop bot traffic from accessing a site. And if the service hasn’t done that yet, it most definitely has to start with enabling multi-factor authentication.
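The following added example, not part of the original article, shows one way a site could act on the traffic-monitoring advice above: it separates credential stuffing from brute-forcing in login records and lists the accounts that need a password reset. The event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
# Addresses come from the reserved documentation ranges.
SAMPLE_EVENTS = (
    [("203.0.113.7", u, False) for u in ("alice", "bob", "carol", "dave", "erin")]
    + [("203.0.113.7", "frank", True)]            # one leaked pair worked
    + [("198.51.100.23", "admin", False)] * 6     # hammering a single account
    + [("192.0.2.10", "grace", False), ("192.0.2.10", "grace", True)]  # typo
)


def classify_sources(events, min_failures=5, stuffing_users=4):
    """Label sources whose failed logins look automated.

    Assumed thresholds: a source needs at least `min_failures` failed logins
    to be flagged. If those failures span `stuffing_users` or more distinct
    usernames, it looks like credential stuffing (many leaked pairs, each
    tried once); otherwise it looks like brute-forcing a few accounts.
    """
    failed_users = defaultdict(list)
    for source, user, success in events:
        if not success:
            failed_users[source].append(user)

    verdicts = {}
    for source, users in failed_users.items():
        if len(users) < min_failures:
            continue  # ordinary mistyped passwords stay unflagged
        if len(set(users)) >= stuffing_users:
            verdicts[source] = "credential_stuffing"
        else:
            verdicts[source] = "brute_force"
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts a flagged source logged in to successfully: treat as taken over."""
    return sorted({user for source, user, success in events
                   if success and source in verdicts})


if __name__ == "__main__":
    flagged = classify_sources(SAMPLE_EVENTS)
    for source, label in sorted(flagged.items()):
        print(f"{source}: {label}")
    print("force reset + MFA enrollment:", accounts_to_reset(SAMPLE_EVENTS, flagged))
```

A successful login from a flagged source is the signal that a reused password was accepted, which is why those accounts are singled out for a reset.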