E-commerce sites present a rich target for bad bots. Attacks fall into two types: generalized bots that are just looking for vulnerabilities they can exploit, and custom bots that specifically target your website with custom code.

This generalized bot activity is by far the most prevalent on E-commerce sites. Once a bot has successfully breached the initial defences, the site is much more likely to become a candidate for a custom bot. The website has proven to have a poor initial security layer, which means it can be compromised.

Custom bots are seldom written, but when they are, they often cause the most damage because they target your site’s particular business model for commercial gain.
Having a full verified access list in place is a simple and cost-effective way to protect your business online and secure your data.

THE BOT RECONNAISSANCE PARTY

Early warnings of bot activity

Let’s understand what the attacker is doing here: the tool of choice for cybercriminals is an automated bot army that crawls the internet looking for vulnerabilities on your website. E-commerce sites are rich in potential opportunity - payment gateways, personal data, inventory, pricing, content, and customer accounts that may have gift cards, points, credits or be tied to a store credit card or other forms of credit.

Often the bot attack is completely automated. The attackers are just loading in the domain names and hitting the button, just as a car thief may walk down the street looking for an open car window or a door that isn’t locked. If your website passes basic security tests, the bots will move on to the next target that offers easier pickings.

Cybercriminals often aren’t even targeting your site specifically. For example, they may have lists of millions of credit card details, and just want to hijack a payment gateway to check if the cards are valid. If you allow automated bots to access your payment gateway page, further damage is much more likely to happen.

How do the Cybercriminal bots work?

The initial bots will perform a scan across your website and infrastructure looking for vulnerabilities. These crawler bots don’t seem to be harmful as they work in a very similar way to Googlebot and simply crawl each page looking for content. However, for the cybercriminals, this early reconnaissance work is far from innocent.

E-commerce bot threats

The top five threat types

1. Email Phishing Attacks

The reconnaissance bots will first detect any email addresses which are contained in the website copy. These bots can then examine your email records and determine the email format your organization uses. For example, it could be first name, last name, followed by the domain. These bots can then gather the names of the employees from the about us pages, and automatically compile an email directory of company employees. Many third-party services can be used to bulk-check that the email addresses are valid before anything is sent. This allows the cybercriminals to launch a phishing attack which is much more likely to be successful, and this process can be almost completely automated.

2. Payment Gateway Abuse

E-commerce sites are designed to easily take payments. If adequate defenses against automated traffic aren’t in place, the gateway can be flooded with credit card authentication attempts, overloading the payment gateway and, in extreme circumstances, causing the upstream provider to switch your entire service off.

3. Shopping Cart Abuse

If the e-commerce site manages inventory through the shopping cart, bad bots can impersonate buyers and add items into shopping carts to take them out of stock. Why? This can be a competitor simply making it difficult for legitimate customers to buy. Or, if a particular item has a great deal or special offer, the bots are smart enough to lock in the price on your website and organize a flash sale on social media for the item via another site, making money from the price difference. Shopping cart abuse can also be used with ads and click-throughs to show your item is currently sold out, pointing the consumers to the competition.

4. Price and Content Scraping

Your website is your online store window, full of rich content and pricing data. Bad bots can steal your marketing content and product pricing, or check service pricing such as your shipping rates. As well as handing competitors your pricing, these bots suck up bandwidth and cause processing overhead, which you will want to prevent if you can.

5. Account Takeover Attempts

Allowing automated traffic can lead to account takeover attempts. Some of these attacks can be so large they look like a full-on DDoS attack. If they are successful, they can be very costly for a business to resolve when you consider the investigation, remuneration and reputation costs.
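
One way to spot the flood of card authentication attempts described under Payment Gateway Abuse is to watch gateway logs for a single client trying many different cards in a short window with mostly declines. This is an added example, not VerifiedVisitors code; the log format, the `/checkout/pay` path, the thresholds and the sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic). Assumed format:
# timestamp  client_ip  path  card_fingerprint(token, never the PAN)  result
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 /checkout/pay fp_a1 declined
2024-05-01T10:00:02 198.51.100.20 /checkout/pay fp_b1 declined
2024-05-01T10:00:03 203.0.113.7 /checkout/pay fp_a2 declined
2024-05-01T10:00:04 192.0.2.55 /product/42 - ok
2024-05-01T10:00:05 203.0.113.7 /checkout/pay fp_a3 declined
2024-05-01T10:00:07 203.0.113.7 /checkout/pay fp_a4 declined
2024-05-01T10:00:09 203.0.113.7 /checkout/pay fp_a5 approved
2024-05-01T10:00:40 198.51.100.20 /checkout/pay fp_b1 declined
2024-05-01T10:01:10 198.51.100.20 /checkout/pay fp_b2 approved
"""

WINDOW = timedelta(seconds=60)   # assumed look-back window
MAX_DISTINCT_CARDS = 3           # a shopper rarely tries more than this
MIN_DECLINE_RATIO = 0.8          # card testing is dominated by declines


def parse(line):
    ts, ip, path, card, result = line.split()
    return datetime.fromisoformat(ts), ip, path, card, result


def find_card_testing(log_text, pay_path="/checkout/pay"):
    """Return {client_ip: timestamp at which the thresholds were first exceeded}."""
    recent = defaultdict(deque)  # ip -> payment attempts inside the window
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, ip, path, card, result = parse(line)
        if path != pay_path:
            continue  # only payment authentication attempts matter here
        window = recent[ip]
        window.append((ts, card, result))
        while ts - window[0][0] > WINDOW:
            window.popleft()  # drop attempts that aged out of the window
        cards = {c for _, c, _ in window}
        declines = sum(1 for _, _, r in window if r == "declined")
        if (ip not in flagged and len(cards) > MAX_DISTINCT_CARDS
                and declines / len(window) >= MIN_DECLINE_RATIO):
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_card_testing(SAMPLE_LOG).items():
        print(f"possible card testing from {ip} at {when.isoformat()}")
```

A retrying shopper (one or two cards, a few declines) stays under the thresholds, while a client cycling through cards is flagged as soon as the fourth distinct card is declined.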

Why VerifiedVisitors?

Very simply, we provide you with a dedicated subscription service that only allows the bot visitors you want onto your website, so you can deal with the others. Once you have locked down your website to prevent these unauthorized bot visitors, they won’t be able to report any vulnerabilities back to the cybercriminals. While our service can’t protect you from every single attack, it is a cost-effective and vital first layer of protection. Just like the car thief, they will move on to an easier target.

Our Portal Dashboard

Once VerifiedVisitors is active, our dashboard allows you to easily see all the legitimate activity of the bot visitors. After activating your VerifiedWatchList we can go ahead and block any unwanted and fake bots with confidence. We then do all the heavy lifting to ensure your bot visitors are constantly verified and your firewall is up-to-date.