Are You Ready for Bots-as-a-Service?
It’s a tale as old as tech: as automation sophistication goes up, the barrier of entry goes down.
Everyday automation has replaced the manual drudgery of everything from sweeping the floors (robotic vacuum cleaners) to bank visits for check deposits (take a picture on your phone). Even as I write this blog post, my automated spell check means I don’t have to reference the Dictionary (or even hit the spell-check button).
The advanced tech of genAI has lowered the barrier of entry to the floor for all kinds of tasks—including criminal activity. Fraud bots, already advancing at a rapid-pace, are now extremely user-friendly. They’re more deployable at scale by advanced fraud rings and by anyone willing to pay for “Bots-as-a-Service” (BaaS).
According to Interpol’s Global Financial Fraud Assessment, BaaS “business models” have opened up a new vector of fraud entrepreneurs who aren’t just taking advantage of easy loopholes (which was the calling card of low-level cybercriminals that we previously called “citizen fraudsters”). These “new and less technologically proficient cybercriminals [are] facilitating more online fraud and enabling threat actors to conduct more sophisticated fraud campaigns” by using BaaS. In essence, now your neighbor can compete with sophisticated fraud rings in a race to attack your digital business.
BaaS and other automated attack styles have profound impacts for fraud stacks, especially in the financial services sector, where targets are most highly prized. Here are the major bot trends we’re keeping an eye on and what you need to know to be prepared for BaaS and other hyper-efficient, hyper-malicious bot deployments.
Understanding Bots-as-a-Service
First, a level-set: The relatively new (but fast evolving) fraudsters’ tool of Bots-as-a-Service (BaaS) refers to the offering of ready-made, customizable bots that can be deployed for various digital activities (not always malicious, but we’ll focus on the fraud use cases). In the fraud world, these “services” are designed to give even those with limited technical skills the ability to execute sophisticated attacks.
The rise of BaaS is closely linked to the broader trend of crime-as-a-service (CaaS), where cybercriminals offer their customizable skills and tools for hire en masse. There’s even money-laundering-as-a-service (made even easier with crypto) . . . think of any cybercrime, and there’s likely someone offering it as a packaged, out-of-the-box system for your neighbor to use. Crime of all kinds is in its digitization era, where sophisticated software, digital platforms, and fraudsters converge to fill in any gaps left in attack methodologies. BaaS platforms have democratized cybercrime.
These services primarily live on the dark web, along with other genAI fraud tools such as FraudGPT. The cybercriminal world there mirrors our own in many ways, with providers offering customer support, patch updates, customization options, and Black Friday sales.
This rise in accessibility has raised alarms within the NeuroID ecosystem, where we track new and emerging trends in fraud attacks. In analyzing bot-driven attacks, we’ve noted some new, alarming trends:
- Increased Volume and Sophistication: Bot attacks have more than doubled in volume from January to June 2024. 71% of customers experienced bot attacks within a 7-week study period, with bots accounting for twice as many attacks in June compared to January.
- Heavy Prevalence of Next-Gen Bots: Nearly 50% of customers encountering bots faced attacks where more than 95% were next-generation bots. These bots often target unsophisticated behavior solutions by nearly perfectly imitating traditional behavioral bot-tells such as typing speed and mouse movements. Unless they’ve done the heavy work to advance their solution, most behavioral analytics solutions are going to be fooled by these newly humanistic movements.
- Industry-Wide Impact: While fintech and sub-verticals are often thought of as the primary targets of fraud, our analysis found that every business of every size is at risk. In our 7-week study, top banks and large lenders had more than 3% of their traffic flagged as bots. Bots are everywhere, targeting everyone.
While we can’t know how these micro-trends are rippling out across the industry (fraudsters, unfortunately, don’t release yearly reports on their successful attacks!), there’s no question that BaaS and similar technology is having a huge impact. BaaS lowering the barrier to deploying sophisticated bots, and genAI as a whole making bots a lot faster to create, has undoubtedly contributed to a significant rise in fraud types like synthetic identity fraud (SIF), which now comprises 85% of all fraud in the United States. It’s also likely having a bottom-line business impact, as digital companies reported an average of 25% increase in costs related to mitigating bot-related incidents.
The Evolution of Bots: From Basic Scripts to Advanced AI
Traditionally, bots were scripts or programs designed to perform automated tasks. Think of your first-gen fraud bots, who executed simple, basic scripting that made cURL-like requests to websites using a limited number of IP addresses. They can’t store cookies, execute JavaScript, or imitate human behavior—making them very easily detected with behavioral analytics and other fraud systems.
Bots continued to evolve with advancements targeted at every new layer of detection. Second- and third-generation bots introduced more complex behaviors, such as using headless browsers and mimicking basic human interactions. While these bots were more challenging to find, they still fell short of replicating the intricate behavioral patterns of genuine, human users.
Today’s latest generation of bots, referred to as fourth-generation bots, can replicate human actions such as mouse movements, typing speeds, and even the subtle nuances of user behavior. These advancements make them incredibly difficult to detect using traditional fraud prevention methods. They can even perform “behavior hijacking,” where they record real user interactions to mimic human behavior closely. They rotate through thousands of IP addresses, change user-agent strings, and even use mobile emulators to extend their capabilities beyond traditional browsers. As a result, they can bypass most traditional fraud detection systems and even less-sophisticated behavioral analytics, making them a significant threat to businesses.
Combating the Threat of Bots-as-a-Service
Given the sophistication and scale of BaaS, there’s no question that a multi-layered approach to fraud prevention is key. Relying solely on traditional methods and lengthy step-ups is ineffective (and cumbersome to your true customers). Advanced scalable tech is needed to combat advanced, scalable fraud: that’s why best-in-class behavioral analytics is still your best front-line of fraud defense, even against advanced bots.
NeuroID behavioral analytics uses machine learning to analyze user behavior patterns and identify anomalies that may indicate bot activity. This approach is particularly effective against fourth-generation bots, which are designed to mimic human behavior. By focusing on intent-based deep behavioral analysis (IDBA), even the most sophisticated bots can be spotted, without adding friction.
The future of fraud is here, and it’s powered by bots, deployable at scale, and run as a hyper-efficient business model. Are you prepared to fight back?
