Detecting & Stopping Bot Attacks With Better AI

Bottom Line: AI shows the potential for thwarting the growing number of bad bot attacks on e-commerce sites and digital channels. Radware finds 58% of bad bot attacks are comprised of distributed, mutating bots that defy easy detection.

Bad bot producers are having a busy year, from selling bot subscriptions to Instacart shoppers willing to pay hundreds of dollars a month in fees, to dominating mobile phone providers’ contests and capturing one of every three prizes. Cloudflare estimates 40% of all Internet traffic is bot-related. Two recent incidents show how sophisticated bad bots have become in a short time and how AI-driven approaches can help shut them down.

Bad Bots Redirect A T-Mobile Promotion

To reward loyal customers and attract new ones, T-Mobile ran a promotion called T-Mobile Tuesdays that began earlier this summer. T-Mobile offered a series of prizes, including thousands of dollars in gift cards, electronic devices and cash. Cybercriminals created a bad bot that submitted thousands of entries automatically to the promotion, filling in fields on a web form in less than a second. That’s a relatively easy task to program a bot to do. Players of the T-Mobile Tuesdays promotion went online to Reddit to discuss why nearly a third of winners were from a small Pennsylvania town of 4,000 people. Initially, everyone thought it was an accidental coding error, or that there was a slight time advantage to submitting entries from the town’s location.

CNBC contacted T-Mobile to find out why so many customers from Chadds Ford, Pennsylvania were winning the contest. CNBC published their story last Sunday, “Bots kept winning T-Mobile’s promotional contests and sparked a Reddit whodunit — here’s how it may have happened.” T-Mobile told CNBC the high number of Chadds Ford winners was related to bots submitting multiple entries. T-Mobile could easily make a case that it’s illegal to use bots to participate and win its contests. T-Mobile Tuesdays’ rules state that they prohibit “mechanically reproduced, illegible, incomplete, forged, software-generated, third party or other automated or robotic participation.” The PR and brand reputation implications of deciding to revoke prizes or not make for a complex decision for any business, which is why bad bots need to be thwarted with AI.
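The two signals this incident surfaced, sub-second form completion and a town of 4,000 supplying nearly a third of winners, can be screened for with simple rules before any machine learning is involved. The Python below is an added example, not code from T-Mobile, Kount or the original article; the thresholds, field names, population figures (other than the town of 4,000) and sample entries are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

MIN_FILL_SECONDS = 1.0  # assumption, taken from the article's "less than a second"
MAX_LIFT = 10.0         # assumption: entry share / population share that triggers review

@dataclass(frozen=True)
class Entry:
    entry_id: str
    locality: str
    served_at: float     # server clock when the form was rendered (never trust client time)
    submitted_at: float  # server clock when the entry arrived

def locality_lift(entries, population):
    """Ratio of each locality's share of entries to its share of the population."""
    counts = Counter(e.locality for e in entries)
    total_pop = sum(population.values())
    lift = {}
    for loc, n in counts.items():
        pop_share = population.get(loc, 0) / total_pop
        # An unknown locality cannot be baselined, so it is sent to review.
        lift[loc] = float("inf") if pop_share == 0 else (n / len(entries)) / pop_share
    return lift

def triage(entries, population):
    """Return {entry_id: 'reject' | 'review' | 'accept'}."""
    lift = locality_lift(entries, population)
    verdicts = {}
    for e in entries:
        if e.submitted_at - e.served_at < MIN_FILL_SECONDS:
            verdicts[e.entry_id] = "reject"  # faster than a person can fill the form
        elif lift[e.locality] > MAX_LIFT:
            verdicts[e.entry_id] = "review"  # human-paced, but from a suspicious cluster
        else:
            verdicts[e.entry_id] = "accept"
    return verdicts

# Constructed sample data: one small town produces 32 of 100 entries.
POPULATION = {"small_town": 4_000, "mid_city": 300_000, "big_city": 1_500_000}

def sample_entries():
    entries = [Entry(f"bot-{i}", "small_town", 100.0 + i, 100.4 + i) for i in range(30)]
    entries += [Entry(f"res-{i}", "small_town", 500.0, 525.0) for i in range(2)]
    entries += [Entry(f"big-{i}", "big_city", 900.0, 930.0) for i in range(50)]
    entries += [Entry(f"mid-{i}", "mid_city", 900.0, 921.0) for i in range(18)]
    return entries

if __name__ == "__main__":
    print(Counter(triage(sample_entries(), POPULATION).values()))
```

The two human-paced entries from the over-represented town are held for review rather than rejected, which is the distinction between blocking bots and adding friction for real customers.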

Bad Bots Snap Up The Most Lucrative Instacart Orders

Instacart shoppers and the grocery workers keeping shelves stocked and stores open are among the true heroes of this pandemic. Without them, many of us wouldn’t have been able to get groceries and keep our families safe. Instacart shoppers will often wait in grocery store parking lots for a lucrative order to appear on their app, then accept it and go inside to fulfill the order. For many shoppers, working for Instacart fulfilling orders is the majority of their income. Shoppers can make up to $1,800 a week during busy periods, according to a recent Seattle Times story, “Instacart shoppers besieged by bots that snatch lucrative orders.”

Bad bot developers see the exponential growth and popularity of Instacart during the pandemic as the perfect market opportunity. They create and sell subscriptions to bad bots that automatically capture the largest, most lucrative orders in less than a second, taking orders away from all the other shoppers. The average cost of Instacart apps ranges from $250 to $600, with many bot developers requiring a monthly fee of at least $130 or more to keep the bot active. Bot developers only take payment in cryptocurrency to preserve their anonymity, according to the dark web research firm DarkOwl.

Instacart says this is a small percentage of their total order sales and is taking action to combat the bots by banning any violator found using one to re-route orders. One hundred fifty shoppers have been deactivated and Instacart claims several bot selling sites are now down. Instacart is also instituting new procedures such as prompting shoppers to verify their identity with a selfie and not permitting shoppers to switch devices in the middle of an order. Shoppers using the updated app can also choose to review a single order for 30 seconds before claiming it or passing it to another shopper. Instacart also last month enlisted the help of security platform HackerOne to battle bots by offering a bounty program, according to the Seattle Times.

Using AI To Detect and Stop Bad Bot Attacks

Interested in how AI can differentiate between good and bad bots and help T-Mobile and Instacart solve their bot-based challenges, I recently spoke with Kount, the leader in digital fraud protection and identity trust. “If you are a big online commerce presence, a big part of your success is based on your promotions. They work to expand your brand presence and enrich your audience and generate leads and sales, but for abusers, the goal is to take those things and the easiest way to do that is through bots. You need advanced bot protection,” Gary Sevounts, Chief Marketing Officer from Kount, told me.

Kount’s Fraud Prevention Platform relies on AI techniques, including supervised and unsupervised machine learning algorithms, to distinguish between good and malicious bots in real-time, making it uniquely capable of identifying known and emerging attacks. It can be a challenge to block bad bots without impacting the good ones and it’s even more difficult to deal with questionable bots, which could be good for some companies but bad for other ones. Identity trust platforms can help distinguish and address different kinds of bots in real-time and without a negative impact on business. The following graphic illustrates how Kount’s Identity Trust Global Network works:

Kount’s approach is noteworthy in that it has an Identity Trust Global Network that includes 32 billion annual transactions in its network of trust and fraud signals. The Identity Trust Global Network has proven effective and reliable for continually training machine learning algorithms to identify good or bad bots. Kount’s customers also rely on the Network to block fraud in real-time and enable personalized customer experiences. With this data, Kount’s AI can accurately gauge identity trust – the relative risk associated with the numerous signals behind each interaction – to enable quick and accurate decisions that stop fraud without adding unwanted friction or reducing profits. By combining automated adaptive protection, transparent data and advanced policy options, Kount’s 6,500 customers can detect and stop fraud immediately, as well as define outcomes based on their needs, even as those needs change over time. After speaking with several of Kount’s customers, it was apparent how their approach to AI is helping businesses identify and stop malicious bots without disrupting the customer experience, enabling them to deliver safe digital services that scale without risk.


AI techniques including supervised and unsupervised machine learning show the potential to stop bad bots from defrauding unsuspecting buyers and shoppers on the digital channels everyone relies on today. Digital businesses spend massive amounts of money on promotional activities. They shouldn’t let bots capture the funds and not deliver the results that were expected. It’s one thing to stop bots, but it’s more complicated to distinguish between good and malicious bots in real-time.

