The on-going war against malicious bots

bad Internet robots

Since the early 1990’s, internet robots were introduced with the intention to assist online users. Nowadays, they are becoming increasingly intrusive on websites and most notably, used to spread fake news articles on Social Media, create fake emails to share spam and malicious malware from computer to computer.

But, what are internet robots?

Commonly known as bots, they were originally designed to do simple, boring, repetitive tasks on the web that humans don’t particularly want to do or can’t complete as quickly. They’re software programmes that run automated tasks (scripts), and most famously, search engine bots (sometimes called spiders) are used to crawl through websites and index the website content.

Similar to the reason there are villains and superheroes, it’s the good and bad of the digital world. In fact, research by Incapsula studied online visitors and collected data in 2019 and found 37.2% of all internet users were robots. This was made up of 62.8% humans, 13.1% good bots and 24.1% bad bots.

To help differentiate the good from the bad, will be clarifying the differences and providing some guidance to help prevent bad bots from affecting your online business.

The ‘Good’ Bots

As we mentioned previously, these internet robots were developed to complete the boring day to day tasks that humans would prefer not to do. They keep the digital world moving by passing along data and enabling social media and online retail to function the way they do. Some of these helpful bots include;


  • Chatbots, Instant Messenger (IM) bots or social bots are used to improve or streamline customer service by using Artificial Intelligence (AI) to respond to simple keywords or prompts to provide in-depth responses based of previous questions. However, the benefits of the chatbots are not limited to answering simple questions as they can lead customers to complete transactions and schedule appointments.
  • A ShopBot (short for Shopping Robot) offers price and feature comparisons from a large number of online stores when a specific product is searched to help the customer save money and time from their search.



  • Monitoring bots works round the clock to ensure that your website is running without any issues. Any problems they encounter, such as slow loading pages or broken URLs will be flagged up.
  • Many feed fetcher bots use RSS feeds to collect and send information to a website, or send subscriber lists real-time data such as blogs, weather services and the latest news.
  • Copyright bots, also known as content recognition software, is used to combat plagiarism for stolen content across the web, such as music and audio clips. Websites such as YouTube will disable any videos that violate the copyright laws.
  • Aggregation bots are useful for businesses who need to gather information from different websites. IT and Financial sectors may need to collect credit card amounts or investment balances to help people better manage their money by reducing the time-consuming work of gathering and manually entering data.


The ‘Bad’ Bots

Unfortunately, with the power that bots have upon the internet, it is inevitable that people will want to create malicious, infective malwares or wreak havoc for a business by scraping the content off websites so they can upload it to their own.

Scammers will mostly never use just one bot but have a whole army of bots to attack users, which is known as ‘Botnets’. There can be thousands of botnets used from one hacker, each using a different IP address to prevent blocking.


Distributed Denial-of-Service

Distributed Denial-of-Service (DDoS) botnets are one of the most common styles of bot across the web, according to a bot report conducted by PPCProtect. A DDoS attack can result in disrupting the normal traffic of a targeted server, service or network by overpowering the target or its surrounding infrastructures with a flood of internet traffic which have been infected with malware and can be controlled remotely by the attacker.

Impersonator bots fall under this category by affecting the normal traffic flow, as they disguise themselves as ‘human users’ to get past site security.


Spam Bots

Like a bad smell that won’t go away, Spam bots are programmed to distribute large numbers of spam emails, which can be devastating for a business’s reputation. Not only will you be sending out harmful malware to trusted partners and clients, but they will also start to re-consider their partnership with you if your cyber security is not up to a professional standard.

Alongside sending out harmful attachments to unsuspecting users, spam bots are also programmed to phish, by sending out emails that appear to come from legitimate websites such as PayPal, Netflix and any other websites that require online banking in order to steal personal information.


Scraper Bots

Web Scraper bots works quite similarly to Aggregation bots where they extract content and data from other websites to add to their website. Unfortunately, whilst there are good scraper bots, there are also bad scraper bots. The bots steal other business’s high quality, keyword-rich content to appear authentic and trustworthy, and encourage traffic from innocent online users. If this happens to you, the fraudulent website will be taking advantage of customers that should be finding your website.


Account Takeover

If your website is attacked by an Account bot, it can be devastating for both yourself and your customers. These bots will takeover and lock customer accounts to prevent them from accessing their logins. Once the bots are in, they can conduct fraud through accessing loyalty points, unauthorised purchases and credit card details. For a business, this can damage your customer reputation and result is costly chargebacks to try and resolve the issue.

The Ugly Truth

As a business, these bots can tarnish your reputation and cost you a lot of money.

One of the bots that I didn’t mention above are Click bots, which are programmed to carry out a variety of different click fraud tasks. Scammers build click bots to pretend to be a legitimate human, copying details such as mouse movements or varying the pauses before scrolling and clicking to keep its disguise.

The problem with this is it can affect data collecting and marketing efforts as the bots can flood contact forms with useless data which can make it a lot harder to filter out the genuine enquiries or leads.

From a financial perspective, it can be a costly strike against your business as the bot will target a company and their Pay-Per-Click (PPC) adverts, forcing you to pay for each ad click. If you have a set budget for your ads, and its being used only by the bots, your ad will then be removed once it has reached the limit, meaning actual users will miss out on the chance of seeing your advert and you will miss out on a potential customer.


As an online user, it is very easy to be deceived by click fraud.

Scammers will create websites which may have malicious download content, as by using the click botnets they will build artificial click-through rates to increase their website relevancy on google organic listing, helping it reach the first page. Unsuspecting users will then enter the website which will appear legitimate and ultimately download these virus-ridden documents.

This is also an issue for businesses as once again, the scammers are gaining valuable customers to their fraudulent websites by creating their own content or using scraper bots on a high-ranking website.

How can this be prevented?

In imperva’s report, an attack in 2019 that Imperva intercepted lasted 60 hours and included 44 million login attempts which can cause significant strain on a website and result in DDoS as they organisation is unprepared for this high volume of submissions.

Hackers are attacking every industry all over the world with unique bots everyday. Websites are targeted for different reasons, so we understand it is difficult to determine what steps you can take to protect your website. Highly skilled developers are constantly updating security measures to proactively prevent the risk of these cyber-attacks.

So, what can be done?

Honeypot Fields

As bad internet robots are evolving very quickly, even the original CAPTCHA form submission is now not enough as bots have advanced and can disable JavaScript coding and still gain entry to your server to cause disruption.

As a method of resolving this issue, most website logins now use reCAPTCHA, which can ask website visitors to prove they’re human by checking words scanned from books or photographs of street signs. Alongside this, experienced developers use a “Honeypot field” to trick the bad bots. Your online users won’t be able to see this field as it is hidden (which is great for customer experience), but the spam bot is able to see this field and fill it in, and their activity is then known so the IP address for the bot can be blocked.


Are you having a bot problem?

It’s a difficult topic. You see these unknown click spikes in our analytics or a form submission from a spam bot, which makes you worry about your business!

We understand that website security is absolutely vital, and we do everything we can to ensure every clients’ website has the most up to date methods on preventing internet robots from affecting your business. If you would like to talk to us about your spam problems, then chat with us  at [email protected]