US corporations lose an average of 4.3 percent of their online revenues to malicious ‘bots,’ malware designed to resemble human communications. Malware attacks of this nature account for an average annual loss of $86.5 million for corporations with average annual online revenues of $1.9 billion, according to a new report from cybersecurity firm Netacea, “Death by a Billion Bots: The Accumulating Business Cost of Malicious Automation”.
To put the figure of $86.5 million in context, the report calculates that, as the average ransomware demand for the corporations surveyed was $1.5 million, malicious bots are 57 times more financially damaging. That bot attacks are the costlier threat runs contrary to many companies’ belief that ransomware is the main threat in cyberspace. The reason is that bot attacks are far more numerous than ransomware attacks and siphon money from the target company slowly over a lengthy period. Ransomware attacks are, by their nature, more dramatic and, therefore, attract media attention.
It is also a legal requirement, in the US at least, to report any significant attack to the authorities immediately. As any single bot attack is not of any major significance on its own, the bot threat has slipped under the radar of many organizations. Bots are also particularly well-suited to modern communications as most staff members have smartphones, and many use them in preference to laptops or tablets. This rapid growth in devices has radically increased the number of endpoints the company has to secure.
Mobile applications are the main target
“Malicious automation is diversifying to take advantage of a swelling attack surface. As of 2023, mobile applications have become the predominant target over websites. A credential stuffing bot is used to test previously leaked credentials to determine if they are valid on a target web service,” says the report.
Exploiting the fact that much of the value in online businesses now lies in their ability to automate the scaling of accounts, fake-account-creation bots abuse the signup process of a web service to create fake users. Such bots can also bypass email, phone, and CAPTCHA verifications. Netacea reports that attackers currently make up three percent of all new accounts for malicious purposes. For high-value sectors, this figure is much larger. For example, 30 percent of financial services businesses say 6-10 percent of all accounts are fake, meaning that the financial losses total over six percent of online revenue, with 80 percent also reporting a fall in customer satisfaction.
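The credential-stuffing pattern the report describes has a simple defensive signature: one source address trying many different usernames in a short window, almost all of them failing. The following is an added illustration, not code from the article or from the Netacea report, of a minimal detector for that pattern run over constructed authentication log lines. The log format, field names, IP addresses and thresholds are all assumptions made for this example.

```python
"""Added example (not from the Netacea report): flag source IPs whose login
activity looks like credential stuffing.

Heuristic: within a sliding time window, a single IP attempts at least
`min_users` distinct usernames and its success ratio stays below
`max_success_ratio`. A human who mistypes a password retries one account;
a bot replaying a leaked credential list walks through many accounts.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: "<timestamp> <ip> <user> <OK|FAIL>").
# 203.0.113.7 sprays ten different accounts in five seconds; the other two
# addresses show ordinary single-user behaviour.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:02Z 203.0.113.7 bob FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol FAIL
2024-03-01T10:00:03Z 203.0.113.7 dave OK
2024-03-01T10:00:03Z 203.0.113.7 erin FAIL
2024-03-01T10:00:04Z 203.0.113.7 frank FAIL
2024-03-01T10:00:04Z 203.0.113.7 grace FAIL
2024-03-01T10:00:05Z 203.0.113.7 heidi FAIL
2024-03-01T10:00:05Z 203.0.113.7 ivan FAIL
2024-03-01T10:00:06Z 203.0.113.7 judy FAIL
2024-03-01T10:05:00Z 198.51.100.4 alice FAIL
2024-03-01T10:05:20Z 198.51.100.4 alice FAIL
2024-03-01T10:05:45Z 198.51.100.4 alice OK
2024-03-01T10:09:00Z 192.0.2.9 bob OK
"""


@dataclass
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed whitespace-separated log format into events."""
    events: list[AuthEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        # fromisoformat() accepts an explicit "+00:00" offset on all supported versions.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuthEvent(when, ip, user, result == "OK"))
    return events


def detect_credential_stuffing(
    events: list[AuthEvent],
    window: timedelta = timedelta(minutes=1),
    min_users: int = 8,
    max_success_ratio: float = 0.2,
) -> dict[str, tuple[int, int, int]]:
    """Return {ip: (distinct_users, failures, successes)} for suspicious IPs.

    For each IP the best (most distinct usernames) qualifying window is reported.
    """
    by_ip: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged: dict[str, tuple[int, int, int]] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best: tuple[int, int, int] | None = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            successes = sum(1 for e in win if e.ok)
            failures = len(win) - successes
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                if best is None or len(users) > best[0]:
                    best = (len(users), failures, successes)
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, (users, fails, oks) in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {users} distinct users, {fails} failures, {oks} successes")
```

The thresholds are the tuning knobs: a large shared NAT or corporate proxy will legitimately show many distinct usernames from one address, so in production the distinct-user count should be judged against that address's historical baseline rather than a fixed number, and the one success in the flagged window is exactly the event worth investigating, since it marks a leaked credential that still works.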
It’s no secret that a high proportion of cyber-attacks conducted against countries such as the US emanate from regions such as Russia, China, Iran, and North Korea, where the West has no jurisdiction. Netacea’s report now adds Vietnam to the list.
“Despite having less of a reputation for cyber statecraft and playing a quieter role in global politics, nearly 48% of all businesses surveyed had been attacked in the past year by bots originating in Vietnam. Interestingly, this puts it third on the list of countries driving attacks against enterprises,” says the report.