Common Web Attacks
Account Takeover
Account takeover relies either on brute force, trying many username and password combinations against a login page, or on credential stuffing, replaying username and password pairs stolen from other sites. The bad news: the brute force method is astoundingly successful, in large part because many users choose obvious passwords, and password reuse means one breach elsewhere unlocks many accounts here.
PerimeterX studied a brute force attack with an unusually high success rate of 8%. The bot tried 5 million combinations a day, which implies roughly 400,000 compromised accounts per day. Once an account was taken over, the attacker had immediate access to any stored credit card data and personal information belonging to the real account owner.
Fake User Creation
Fake user creation may not sound nefarious, but it can be devastating. At the small end, it costs revenue when a person creates a fake account to collect a discount code or to get another thirty days of free movie streaming. Attackers work at an entirely different scale, amassing millions of fake profiles, which effectively gives them command of a large army of registered (though fake) users on your website.
One danger is denial of service through hoarding, where the target is inventory rather than the server. For example, an attacker with thousands of accounts that look legitimate reserves every car a rental company has in a given city but never rents the vehicles, causing massive disruption, confusion, and lost revenue.
Carding
Carding, or theft of gift card balances, is a significant problem. Attackers know the structure of gift card numbers, which shrinks the space they need to search, and may try millions of combinations against a balance-lookup page until they hit live cards, then drain the balances.
With 93% of Americans giving or receiving a gift card every year, there is plenty of low-hanging fruit for thieves. Successful theft erodes customer confidence in the brand and in its ability to secure personal information.
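The check a practitioner wants against both the login attack described under account takeover above and the gift card enumeration described here is the same: count failed guesses and distinct targets per client inside a short window, and flag clients that exceed a threshold. The Python below is an added example, not PerimeterX's code or product logic. The log format, endpoint paths, status codes, card numbers and thresholds are all assumptions constructed for illustration.

```python
"""Velocity detection for credential stuffing and gift-card enumeration.

Added example, not PerimeterX code. The log format, endpoint paths,
status codes and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "<epoch> <client_ip> <path> <status> <subject>"
# <subject> is the username tried on /login, or the card number probed on
# /giftcard/balance. IPs and card numbers are made up for this example.
SAMPLE_LOG = """\
1700000000 203.0.113.7 /login 401 alice
1700000001 203.0.113.7 /login 401 bob
1700000002 203.0.113.7 /login 401 carol
1700000003 203.0.113.7 /login 200 dave
1700000004 203.0.113.7 /login 401 erin
1700000020 198.51.100.9 /login 401 alice
1700000025 198.51.100.9 /login 200 alice
1700000030 192.0.2.44 /giftcard/balance 404 9000000000000001
1700000031 192.0.2.44 /giftcard/balance 404 9000000000000002
1700000032 192.0.2.44 /giftcard/balance 404 9000000000000003
1700000033 192.0.2.44 /giftcard/balance 404 9000000000000004
1700000034 192.0.2.44 /giftcard/balance 200 9000000000000005
1700000100 192.0.2.44 /giftcard/balance 404 9000000000000006
"""

WINDOW_SECONDS = 60

# Per-endpoint rules (assumed thresholds): which status means "guess failed",
# how many failures, and how many distinct subjects one client may touch
# inside a window before it is flagged.
RULES = {
    "/login": {"fail_status": 401, "max_fails": 5, "max_distinct": 3},
    "/giftcard/balance": {"fail_status": 404, "max_fails": 4, "max_distinct": 4},
}


@dataclass
class Event:
    ts: int
    ip: str
    path: str
    status: int
    subject: str


def parse_log(text):
    """Parse the space-separated sample format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, path, status, subject = line.split()
        events.append(Event(int(ts), ip, path, int(status), subject))
    return events


def detect_velocity(events, window=WINDOW_SECONDS):
    """Sliding-window counters per (client, endpoint).

    A client is flagged once when, inside the window, its failed guesses
    reach max_fails OR it touches more distinct subjects than max_distinct
    (the spray pattern: one or two attempts per account, many accounts).
    """
    recent = defaultdict(list)   # (ip, path) -> events still inside the window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        rule = RULES.get(ev.path)
        if rule is None:
            continue
        key = (ev.ip, ev.path)
        buf = recent[key]
        buf.append(ev)
        while buf and buf[0].ts < ev.ts - window:   # expire old events
            buf.pop(0)
        fails = sum(1 for e in buf if e.status == rule["fail_status"])
        distinct = len({e.subject for e in buf})
        if key not in flagged and (fails >= rule["max_fails"] or distinct > rule["max_distinct"]):
            flagged.add(key)
            alerts.append({"ip": ev.ip, "path": ev.path, "at": ev.ts,
                           "fails": fails, "distinct_subjects": distinct})
    return alerts


def failed_sources_per_account(events, path="/login"):
    """Distinct client IPs with a failed attempt, per target username.

    Per-client counters miss an attack spread across a proxy network; keying
    on the target account catches the same list replayed from many addresses.
    """
    sources = defaultdict(set)
    fail_status = RULES[path]["fail_status"]
    for ev in events:
        if ev.path == path and ev.status == fail_status:
            sources[ev.subject].add(ev.ip)
    return {user: len(ips) for user, ips in sources.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_velocity(evs):
        print("ALERT", alert)
    print("failed sources per account:", failed_sources_per_account(evs))
```

Two thresholds do the work: a plain failure count (which fires on the fourth bad balance lookup from 192.0.2.44) and a distinct-subject count that catches sprays of one attempt per account (203.0.113.7 is flagged on its fourth username even though only three guesses had failed). Per-IP keys are cheap to defeat with a proxy pool, which is why the second function counts sources per target account instead; in production the client key would be a device or session fingerprint rather than a bare IP, and the response to a flag would be a step-up challenge rather than a hard block.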
Marketing Fraud
Marketing fraud poses a serious threat to e-commerce and media businesses. Ever since companies began paying for clicks and traffic, criminals have had a motive to generate bogus traffic so they can bill for clicks and visits that never came from a real person. Marketing fraud has existed since the late 1990s but has evolved significantly.
Content Theft
Content theft often takes the form of scraping. If you run a commerce site, competitors want your pricing, your current inventory, and your SEO-optimized product descriptions. If you run a news or media site, scrapers copy your proprietary and confidential content and post it on third-party sites as their own.
This content theft puts you at a competitive disadvantage and dilutes the search ranking of the original content you paid to have created, wasting your marketing spend and blunting your competitive edge.
Checkout Abuse
Checkout abuse is what you run into when trying to buy a high-demand product online, such as the latest Air Jordan sneaker or Taylor Swift concert tickets: within minutes, all of the inventory is gone. Bots are behind almost all of these near-instant purchases. The perpetrators hoard the inventory and resell it on the secondary market for huge profits.
The perpetrators create scarcity by hoarding products and then exploit it by scalping, whether that means sneakers on eBay or heavily marked-up concert tickets on StubHub. This distortion of the marketplace causes a range of problems for both retailers and consumers. For the retailer, it damages consumer trust and long-term profitability.
Price Scraping
Price scraping is a specialized form of content theft, but it differs from most other bot attacks in that the activity is usually directed by a competitor or by a firm working on its behalf.
Price-scraping bots, which PerimeterX has traced back to major industry players, collect intelligence on competitor pricing and pricing strategy, category management, inventory levels, and marketing information such as keywords. Whatever one thinks of the ethics of price scraping, it helps the scraper out-price competitors and outrank them on search engines. Scraping veers toward illegality when bots copy copyrighted content and it is reposted elsewhere.