
How Easily Can a Form Bot Beat Basic Bot Filters?

March 23, 2022

Bot-based fraud is a constant risk for anyone running an online ad campaign. Form bots are an especially dangerous threat—one that can quickly drain your marketing budget and leave you with no results for all the money you’ve spent.

A lot of advertising platforms promise that they can perfectly block bot traffic—protecting your ad spend from waste. However, how effective are their basic form bot filters against the ever-increasing sophistication of bot programs?

Let’s start by taking a look at how form bots work and some common uses for them:

How a Form Bot Works

A form bot works on the same principles as any other automated program—the botmaster/programmer behind the bot writes up some code to carry out a specific task. In the case of form bots, that task is to fill out forms online. More advanced form bots even mimic human web browsing behaviors to trick bot filters into ignoring them.

The problem is that while the task of creating a program to seek out and fill forms online sounds like it should be difficult, it really isn’t that hard. Even someone without in-depth knowledge of computers or any coding skills can simply go out and buy a ready-made botnet on the internet for prices averaging roughly $0.50 a bot.

Someone with actual coding skills could create a fairly complex form bot with basic coding tools in an afternoon and set it loose before going to bed.

Common Uses for Form Bots

So, what does being able to automate the process of filling out forms do for people? There are a few things that a person could use a form bot for. Surprisingly, not all of these use cases are strictly malicious, either (though many are).

Automating Basic Form Fills for Convenience’s Sake

Form-filling bots are a native part of some modern web browsing add-ons. For example, a password manager can remember the login information (and in some cases, even create a randomized password) and enter it for the browser’s user the next time they use that password-protected online service.

This particular use case is benign and even beneficial. When using a password manager, users can set much more complicated, difficult-to-remember passwords than they might otherwise use. Doing so makes their passwords harder to guess without making them more tedious to enter.

Also, some browsers can remember basic info about their users and recognize common form fields they might deal with on a regular basis. For example, if you’ve ever been entering your address on some online shopping site, and had a prompt show up offering to automatically fill the form out for you after typing in a couple of digits of your address, that’s the web browser acting as a form bot to help save you a bit of time.

This is one of the more benign uses for a “form bot” that you will find—even though these shouldn't really be considered form bots since they’re part of a different program.

Committing Lead Generation Fraud to Make Money

An extremely common use for form bots is as a tool for lead generation and affiliate fraud. Basically, the fraudster uses a bunch of form bots collected under a larger botnet to fill out forms related to an ad campaign.

In many cases, the fraudster is registered under the ad campaign as an advertising affiliate and claims credit for the fraudulent form fills. The company running the campaign sees that they’ve gotten a ton of form fills from their “really effective and hard-working” affiliate and pays them for each “lead” they’ve generated. The only problem is that all of these leads are fake and won’t generate any real results.

By the time the victim realizes that they’ve been had, the fraudster has already moved the money to a different bank account and has erased all traces of the affiliate identity they had used to commit fraud. Then, they may come back under a different name and do it all over again—or target a different company with the same scheme.

Interfering with Other Companies’ Online Ad Campaigns

Instead of looking to make money from claiming credit for providing leads, some fraudsters might use form bots simply to drain a competitor’s ad campaign budget as quickly as possible. The actual activity is largely the same—the fraudster uses a large botnet to supply fake leads to a target victim.

For you as the victim, the immediate effect is largely the same. You get a bunch of bad leads that you need to sort through—possibly risking fines from TCPA violations if you try to use any of the bad leads you’ve received.

However, what makes competitively-motivated bot form fraud different is the aftereffect of the fraud. Here, there’s usually a competitor who has bid on the same keywords in Google Ads and other auction-based advertising channels. When your budget runs out, their ads will start appearing before customers. This gives the fraudster an unfair competitive advantage and the ability to steal a large portion of the market before you can get your ads in front of potential customers.

Here, the strength of the anti-bot filters used by the advertising network can prove crucial for avoiding getting your marketing crippled by an unscrupulous competitor.

Skewing Poll Data

Here’s an interesting example of how a form-filling bot could be used: having the bot fill out responses to random polls conducted online. A fraudster might do this just for the satisfaction of knowing that they’ve messed with someone’s day or to test their latest bot filter penetration measures against a “hard” target.

Some might even use form bots on polls to make an impact on the political process—making it look like public opinion sways one way when it really doesn’t. Companies that use surveys to collect and prepare data for industry and political reports need to be especially wary of the risk posed by form bots.

Breaking a Political Poll with a Quickly-Made Form Bot

Here’s a hypothetical situation that highlights how dangerous form bots could be to companies that don’t have sufficient fraud filters in place to stop them:

One day, a fraudster decides that they want to test a new form bot program to see just how much damage it could do before they try to sell it to the highest bidder. To test out their bot’s fraud filter penetration capabilities, they target a survey company that boasts about how secure their survey processes are.

After taking a political survey about an upcoming election to learn what questions are on it, the fraudster programs their form bot to take the survey and provide answers that skew towards a specific candidate. They leave their program to work for a few days—filling out the political poll over and over from different infected devices thousands of times.

The survey maker’s much-vaunted bot filters? Completely useless. The programmer behind the filter simply assumed that the bots would fill out the form as quickly as possible. So, they relied on some “time on page” metric to flag bot activity. The problem is that the bot’s programmer built their bot to mimic human web browsing patterns.

The bot held back on filling out the form just long enough to avoid triggering that “time on page” filter each time. So, after the poll closed, the survey maker had results that showed overwhelming support for one political candidate over the other. They reported these findings to the public.

The company’s CAPTCHA tool also proved useless, since modern bots can easily bypass CAPTCHA these days.

However, when the actual election took place, the voting results didn’t coincide with the poll at all. Instead of a landslide, it was a neck-and-neck race. Worse yet, voters for the candidate who was shown to be more popular in the poll didn’t show up to vote since they were so confident that their candidate had an enormous lead.

How long did the fraudster spend making this bot that caused such a major miscalculation of the political climate? Probably no more than a few hours to a couple of days at the most. With some previous experience and the right tools, creating a form-filling bot is extraordinarily easy.

And, once they have their proof of concept from their political poll manipulation, the fraudster will be able to sell their new bot to others for a profit. This way, even those with absolutely no programming know-how could use form bots to sabotage surveys or carry out other schemes.

How to Stop Form Bots

So, if a basic bot filter like CAPTCHA isn’t enough to stop a form bot, what can you do to protect your company from these automated form fillers? Here are some alternatives to CAPTCHA that you could use to protect your online ad campaigns from bots:

1. Honeypot Form Fields

A honeypot form field is a form field that is invisible to human users since it only exists in the page’s code. Because form bots “see” web pages by looking at their code instead of the visual display elements that normal people see, the bot will find this fake form field and try to fill it out.

If you get a form submission and see that the honeypot field was filled out, then you know the lead is from bot fraud and can ignore it. Of course, savvy fraudsters might personally check out your forms themselves if they’re targeting your campaigns and program their bots to ignore the honeypot fields.
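A server-side honeypot check, shown here as an added example (not code from this article or from any vendor it names). The decoy field name `company_website`, the 3-second threshold and the in-memory store are assumptions. The timing signal is reported separately because, as the poll scenario above shows, a bot that waits will pass it.

```python
import html
import secrets
import time

HONEYPOT = "company_website"   # assumed decoy field name; the real form has no such field
MIN_FILL_SECONDS = 3           # assumed threshold; a weak signal on its own
_issued = {}                   # form_id -> render time (stand-in for a session store)

def render_form(now=None):
    """Return (form_id, html). The decoy input is hidden from people, not from parsers."""
    form_id = secrets.token_urlsafe(16)
    _issued[form_id] = time.time() if now is None else now
    page = f"""<form method="post" action="/lead">
  <input type="hidden" name="form_id" value="{html.escape(form_id)}">
  <label>Email <input type="email" name="email" required></label>
  <!-- decoy: off-screen, skipped by keyboard and screen readers, autofill
       discouraged so browser form-fill does not flag real visitors -->
  <div style="position:absolute;left:-9999px" aria-hidden="true">
    <input type="text" name="{HONEYPOT}" tabindex="-1" autocomplete="off">
  </div>
  <button>Send</button>
</form>"""
    return form_id, page

def screen_submission(fields, now=None):
    """Return the list of bot signals raised by one submission (empty list = none)."""
    now = time.time() if now is None else now
    signals = []
    if fields.get(HONEYPOT, "").strip():
        signals.append("honeypot_filled")
    rendered_at = _issued.pop(fields.get("form_id", ""), None)  # each id is one-time use
    if rendered_at is None:
        signals.append("unknown_or_replayed_form_id")
    elif now - rendered_at < MIN_FILL_SECONDS:
        signals.append("filled_too_fast")
    return signals

if __name__ == "__main__":
    # Constructed submissions: one plausible visitor, one script that fills every input.
    fid, _ = render_form(now=1000.0)
    print(screen_submission({"form_id": fid, "email": "a@example.com"}, now=1020.0))
    fid, _ = render_form(now=2000.0)
    print(screen_submission({"form_id": fid, "email": "b@example.com",
                             HONEYPOT: "http://spam.example"}, now=2000.5))
```

Store the signals with the lead and accept the request normally, so the response gives no hint that the submission was flagged.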

2. Email Verification

Another way to thwart bot fraud in general is to use email verification. When a form is filled out, you would send an automated email to the email address given in the form to verify the sender’s identity and ownership of that email account.

This can be a great way to prevent fraudsters from simply overloading your ad campaigns with fake leads since it is less common for them to have a means of responding to these emails. If a lead doesn’t verify their email address, then you can safely ignore them.

B2B companies can even take this further by ignoring or rejecting all emails that don’t have a business domain attached. This works for B2B companies since they’re mostly interested in getting leads who are decision-makers in other businesses. However, B2C companies that want the attention of everyday consumers may not want to do this since most consumers would be using a free email address.
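The email verification flow above, as an added example (not code from this article): a signed, expiring token goes into the confirmation link, and the lead counts only once the link is opened. The key, the 24-hour window and the short free-mail domain list are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"replace-with-a-random-server-side-key"      # placeholder key for the example
TOKEN_TTL = 24 * 3600                                   # assumed validity window (seconds)
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com"}   # assumed, deliberately short list

def _sign(payload: bytes) -> str:
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def issue_token(email, now=None):
    """Token to embed in the confirmation link mailed to `email`."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{expires}.{_sign(f'{email.lower()}|{expires}'.encode())}"

def confirm(email, token, now=None):
    """True only if the token was issued for this address and has not expired."""
    now = time.time() if now is None else now
    expires_s, _, sig = token.partition(".")
    if not expires_s.isdigit():
        return False
    expected = _sign(f"{email.lower()}|{expires_s}".encode())
    # Constant-time comparison; the expiry is covered by the signature.
    return hmac.compare_digest(sig.encode(), expected.encode()) and now <= int(expires_s)

def is_business_address(email):
    """B2B option from the text: treat free-mail domains as non-business."""
    domain = email.rpartition("@")[2].lower()
    return bool(domain) and domain not in FREE_MAIL

def lead_status(email, token, now=None):
    """Classify a lead once its confirmation link has (or has not) been used."""
    if not confirm(email, token, now):
        return "unverified"
    return "verified" if is_business_address(email) else "verified_free_mail"

if __name__ == "__main__":
    # Constructed address on a reserved example domain.
    tok = issue_token("buyer@acme-corp.example")
    print(lead_status("buyer@acme-corp.example", tok))
```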

3. Ad Fraud Solutions

An ad fraud solution is a tool that helps companies identify false interactions with their web assets. What makes an ad fraud solution like Anura different from a bot filter? Where a bot filter might use a simplistic “vanity metric” that sounds good on paper to try to spot fraudulent interactions, a true ad fraud solution checks hundreds of data points in real time as visitors browse your website and compares them to a massive database of real conversions.

This provides a much more nuanced look at every form fill that helps you accurately identify fraud as it happens. Anura takes this a step further by sharing all of the data used in the decision to flag a form fill as fraud—showing you exactly why the activity was flagged and giving you the evidence you need to confront the fraudster if you need to.

Why wait to protect your online ad campaigns? Test your traffic with Anura now!
