How are bots able to blend in with a human audience? How do they appear at the correct geo-location?

Bots are small programs that are basically modified browsers (or headless browsers) managed by software that is programmed to let them pretend to be humans by setting their location and assigning them a unique cookie profile. Since they are altered browsers, they use browser code – usually based on the code of Chrome or Firefox.

They can do pretty much everything a real browser can do – execute JavaScript, render pages and interact with the pages as a human user would do in a browser. If you want to get an idea of how widespread these are, here is a list of (almost) all of the different headless browsers that are known.

Just like the browser you use on your device, these browsers have many add-ons available to them that allow them to perform different tasks easily, such as letting them look like whatever they need to look like for the job at hand. They use tactics like anti-fingerprinting, anti-fraud-detection, multi-host emulation and multi-client emulation. When they are set up by a fraudster, they can adjust the browsing session's geo-location, browsing history, device fingerprint and cookies to make one single bot appear to be any number of actual humans. What's more, once a settings profile is saved, it can be shared between different bots and stored in the cloud for easy access when using multiple machines in multiple locations.

For example, dedicated bots are active on Facebook, Instagram, Pinterest, LinkedIn, etc. to create profiles, join groups, like posts, pin an image, follow people or companies, etc. A second group of bots is dedicated to browsing the web, executing search queries, etc., looking for specific advertisements to click on. A third group of bots will click on those specific advertisements and arrive at the landing page to fill in and submit forms.

All these independent bots use and can update the same cookies, geo-location, and device information in order to have a consistent appearance over the browsing session’s lifetime.
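A saved profile that several bots share across machines leaves a trace a site owner can look for in their own request logs: the same cookie and device fingerprint alternating between source IPs within seconds. The sketch below is an added example, not code from this post; the event layout, the two-minute window, the two-flip threshold and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real traffic:
# (ISO timestamp, visitor cookie ID, source IP, device fingerprint hash)
EVENTS = [
    ("2024-01-01T10:00:00", "ck-A", "198.51.100.10", "fp-1"),
    ("2024-01-01T10:00:20", "ck-A", "203.0.113.7", "fp-1"),    # same profile, second machine
    ("2024-01-01T10:00:40", "ck-A", "198.51.100.10", "fp-1"),  # and back to the first
    ("2024-01-01T10:05:00", "ck-B", "192.0.2.44", "fp-2"),
    ("2024-01-01T18:30:00", "ck-B", "192.0.2.90", "fp-2"),     # hours apart: ordinary network change
    ("2024-01-01T11:00:00", "ck-C", "192.0.2.200", "fp-3"),
    ("2024-01-01T11:00:30", "ck-C", "192.0.2.201", "fp-3"),    # one quick switch (e.g. Wi-Fi to mobile)
    ("2024-01-01T11:01:00", "ck-C", "192.0.2.201", "fp-3"),
]


def find_shared_profiles(events, window=timedelta(minutes=2), min_flips=2):
    """Return {cookie_id: sorted source IPs} for cookie profiles whose requests
    switch source IP at least `min_flips` times, each switch within `window`.

    A person changing networks produces a single switch; a profile replayed
    from several machines keeps flipping between them.
    """
    by_cookie = defaultdict(list)
    for ts, cookie, ip, fp in events:
        by_cookie[cookie].append((datetime.fromisoformat(ts), ip, fp))

    flagged = {}
    for cookie, hits in by_cookie.items():
        hits.sort()  # chronological order per cookie
        flips, ips = 0, set()
        for (t0, ip0, fp0), (t1, ip1, fp1) in zip(hits, hits[1:]):
            # Count only quick switches where the fingerprint is unchanged,
            # i.e. the "same device" appears in two places at nearly the same time.
            if ip0 != ip1 and fp0 == fp1 and t1 - t0 <= window:
                flips += 1
                ips.update((ip0, ip1))
        if flips >= min_flips:
            flagged[cookie] = sorted(ips)
    return flagged


if __name__ == "__main__":
    for cookie, ips in find_shared_profiles(EVENTS).items():
        print(f"{cookie}: profile used concurrently from {', '.join(ips)}")
```

Legitimate proxies and load-balanced egress can also rotate IPs quickly, so treat a hit as a reason to look closer, not as proof on its own.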

In other words, simple programming by a fraudster can make you believe you’ve been visited by thousands of humans (with repeat visitors thrown in for good measure) when all that really happened was one bot visited your site and was up to no good.

In our next post, we’re going to take a look at these tricks specifically so you can see how bots are made to trick you and your detection solutions.
