Let’s play a game of chance: What are the odds that your gaming website is being targeted by bad bots? Imperva research suggests they’re higher than you may think. Imperva’s 2022 Bad Bot Report reveals that 53.9 percent of traffic to gaming and gambling websites comes from bad bots. With the remarkable volume of transactions on these websites, it’s little wonder, then, that fraudsters and other cyber criminals leverage sophisticated automation to target them. But how exactly are they targeting this industry, and what are they attempting to achieve by doing so?
- Account Takeover (ATO) Fraud: ATO attacks are an increasingly common and costly problem on gaming and gambling websites. Fraudsters use bots to automate brute force login techniques such as Credential Stuffing (OAT-008) and Credential Cracking (OAT-007), in an attempt to take over user accounts belonging to someone else. If successful, an attacker can fraudulently change account details, withdraw funds or loyalty benefits, make online purchases, and because many people reuse their passwords, even access other accounts on different websites. There are extensive damages for the business as well – revenue loss from dissatisfied customers, loss of VIP customers, brand damage, stolen loyalty points, accounts being used for money laundering, increased customer support costs with 2-6 week fraud investigations, increased chargebacks, customer churn, and more.
- Odds Scraping (OAT-011 Scraping): Web scraping is the process of using bots to extract content and data from a website. There can be good use cases for web scraping, like search engine crawlers that help create and maintain a searchable index of web pages. But in the gaming and gambling industry, fraudsters use scrapers with malicious intent. Competitors and aggregators scrape betting odds from multiple websites, then use the scraped data to manipulate odds to their own advantage or deliberately promote bets that will be detrimental to a certain business. Another use case of odds scraping is arbitrage betting. There are bots specifically designed for this, called arbitrage betting bots. They leverage web scraping to identify and exploit imbalances in the odds between different bookmakers. They then place bets which cover all possible outcomes, which guarantees a profit. This activity increases the chances of the bookmaker being on the losing side and is detrimental to overall gross win percentage.
- New User Benefits Abuse (OAT-019 Account Creation): Incentives for new users such as sign-up bonuses or credits are common in the gaming industry. These bonuses are effectively free money that can be leveraged to maximize the player’s profits. Fraudsters target these offers – they use automation to create mass amounts of free accounts, which enables them to reap the rewards multiple times. Without a proper bot management solution, organizations face a challenge in preventing this large-scale account creation fraud, which ultimately hurts their bottom line.
- Gaming Automation (OAT-006 Expediting): Expediting is the use of bots to speed through an application’s processes in a manner that is not achievable by legitimate users. This is also known as betting automation, game automation, or gaming bots. Gaming bots are programmed to run until the desired outcome is achieved. Depending on the game, this could be anything from obtaining large amounts of in-game currency, to acquiring rare items, to increasing winning chances in luck-based games. And because bots can play continuously without any breaks, they create an unfair playing field for legitimate players, which in turn leads to player complaints that negatively impact online game service providers’ reputations. Additionally, gaming bots can influence the in-game economy by creating inflation, which shortens the game’s lifecycle and causes a loss in subscription revenue. It is even worse if the bot operators use fraudulent payments. Overall, expediting bot attacks cause significant brand damage, leading to a decline in user appeal, ultimately driving legitimate players to competitor gaming and gambling providers.
- Denial-of-Service (DoS/DDoS) (OAT-015): DDoS attacks are already high up the list of concerns for gaming and gambling websites. But automated application-layer attacks differ from volumetric DDoS attacks, which manipulate lower-level network protocols. Bot attacks target the application layer (layer 7 of the OSI model). Often, these attacks are a knock-on effect of bots that aggressively target websites, bombarding them with thousands, sometimes even millions, of requests. This can lead to slow page-load times or even brownouts and downtime, damaged brand reputation, customer churn and retention issues, loss of future revenue, and more.
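The two login attacks named in the Account Takeover item leave different shapes in authentication logs: credential stuffing spreads one or two tries across many accounts, while credential cracking piles guesses onto one account. The following is an added detection sketch, not Imperva's code; the event tuple layout, thresholds, IP addresses and usernames are assumptions constructed for illustration.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; tune them to your baseline.
MIN_FAILURES = 8           # ignore sources with fewer failed logins
STUFFING_MIN_USERS = 6     # stuffing: many accounts, one or two tries each
CRACKING_MIN_PER_USER = 6  # cracking: many guesses against one account

def classify(events):
    """events: iterable of (source_ip, username, success) tuples.
    Returns {source_ip: (label, accounts_that_logged_in)}."""
    fails = defaultdict(lambda: defaultdict(int))
    wins = defaultdict(set)
    for src, user, ok in events:
        if ok:
            wins[src].add(user)
        else:
            fails[src][user] += 1

    verdicts = {}
    for src, per_user in fails.items():
        total, users = sum(per_user.values()), len(per_user)
        label = "none"
        if total >= MIN_FAILURES:
            if users >= STUFFING_MIN_USERS and total / users <= 2:
                label = "OAT-008 credential stuffing"
            elif max(per_user.values()) >= CRACKING_MIN_PER_USER:
                label = "OAT-007 credential cracking"
        # A success from a flagged source is a likely takeover to review.
        hits = sorted(wins[src]) if label != "none" else []
        verdicts[src] = (label, hits)
    return verdicts

def sample_events():
    """Constructed login events (documentation IP ranges, made-up users)."""
    ev = [("203.0.113.7", f"player{i:02d}", False) for i in range(10)]
    ev.append(("203.0.113.7", "player10", True))       # one reused password works
    ev += [("198.51.100.23", "vip_anna", False)] * 9   # repeated guesses
    ev.append(("198.51.100.23", "vip_anna", True))
    ev += [("192.0.2.50", "bob", False)] * 2 + [("192.0.2.50", "bob", True)]
    return ev

if __name__ == "__main__":
    for src, (label, hits) in classify(sample_events()).items():
        print(src, label, hits)
```

Accounts returned alongside a flagged source are the ones to lock and route to fraud review first, since a successful login after a burst of failures is the takeover itself.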
Protect your online gaming service from malicious automation with Imperva
Now more than ever, online gaming and gambling services must remain vigilant in protecting user accounts and their balances from account takeover and fraud. Unscrupulous competitors and other nefarious actors are also using bad bots. They scrape betting data, which they then use to capitalize on unique content, perform electronic arbitrage, and create an unfair playing field. If that’s not bad enough already, such aggressive web scraping can also lead to application denial of service, and a poor user experience as a result.
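Aggressive odds scraping of the kind described above shows up in access logs as a high request rate combined with broad coverage of markets. The following is an added example, not Imperva's code: a per-client sliding-window check over a constructed log. The log line format, the `/odds/` and `/bets` paths and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

WINDOW_S = 60               # sliding window length in seconds
MAX_ODDS_PER_WINDOW = 30    # assumed ceiling for a human browsing odds
MIN_DISTINCT_MARKETS = 20   # breadth: scrapers walk the whole catalogue

def parse(line):
    """Split an assumed 'timestamp ip method path' access-log line."""
    ts, ip, method, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, path

def find_scrapers(lines):
    """Return {ip: {"peak", "markets", "bets"}} for flagged clients.
    Each client's lines must appear in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of odds reads in window
    peak = defaultdict(int)       # ip -> largest window count observed
    markets = defaultdict(set)    # ip -> distinct odds paths fetched
    bets = defaultdict(int)       # ip -> bets placed (context for triage)
    for line in lines:
        ts, ip, method, path = parse(line)
        if method == "POST" and path.startswith("/bets"):
            bets[ip] += 1
        elif method == "GET" and path.startswith("/odds/"):
            win = recent[ip]
            win.append(ts)
            while (ts - win[0]).total_seconds() > WINDOW_S:
                win.popleft()     # drop reads older than the window
            peak[ip] = max(peak[ip], len(win))
            markets[ip].add(path)
    return {ip: {"peak": peak[ip], "markets": len(markets[ip]), "bets": bets[ip]}
            for ip in peak
            if peak[ip] > MAX_ODDS_PER_WINDOW
            and len(markets[ip]) >= MIN_DISTINCT_MARKETS}

def sample_log():
    """Constructed log: one fast, broad reader and one ordinary bettor."""
    log = [f"2022-07-01T12:00:{s:02d}Z 203.0.113.9 GET /odds/football/{1000 + s}"
           for s in range(40)]
    log += [f"2022-07-01T12:0{m}:00Z 192.0.2.14 GET /odds/football/{1000 + m}"
            for m in range(5)]
    log.append("2022-07-01T12:05:10Z 192.0.2.14 POST /bets")
    return log

if __name__ == "__main__":
    print(find_scrapers(sample_log()))
```

The same peak-rate figure doubles as an early signal for the application-layer denial of service that heavy scraping can cause, so it is worth alerting on before page-load times degrade.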
A Leader in The Forrester Wave™: Bot Management, Q2 2022 – Imperva offers bot management that is as adaptable and vigilant as the threat itself. Our Advanced Bot Protection solution is capable of mitigating the most sophisticated automated attacks, including every OWASP automated threat. It leverages superior technology to protect all potential access points, including websites, mobile applications, and APIs, providing you with various response options for bots. And most importantly, it does so without imposing unnecessary friction on legitimate users, maintaining the flow of business-critical traffic to your applications.
Imperva Advanced Bot Protection is part of the market-leading Imperva Web Application & API Protection (WAAP) solution. Start your Application Security Free Trial today to protect your assets from automated threats.
See how BETFRED, a leading UK bookmaker, used Imperva Advanced Bot Protection to reduce traffic from 40 million page requests per day to 15 to 20 million across their digital platform, without impacting site performance for legitimate users. Get the BETFRED case study here.
Join us this summer to learn more about how Imperva helps protect gaming and gambling:
July 25-27, 2022 – Philippines, ASEAN Gaming Summit
August 24-26, 2022 – Singapore, G2E event