Considering that half of the Internet traffic is generated by bots of which 29% is represented by “bad bots” (according to Incapsula 2015 Bot Report), it’s fair to say they form a force to be reckoned when talking about online security.
While good bots are information gatherers used by organizations, bad bots are considered unlawful tools used by cyber-criminals. With the rise of “impersonator” bots capable of bypassing security solutions bot abuses have become more automated, increasingly sophisticated and as damaging to the business as the conventional vulnerability exploits such as SQL injection and XSS.
From false clicks and fraudulent display of web placed advertisements, solving of anti-automation CAPTCHA tests and launching DDoS attacks to scraping, spamming, sniping and skewing, or even token cracking, automated bots are the preferred tool. Bot operators continue to improve their software, creating more advanced persistent bots (APBs).
The increase of automated bot abuses has since alerted the Open Web Application Security Project (OWASP) online community which has been creating methodologies, documentation, tools and technologies in the field of web application security since 2001. Many business look to OWASP for direction on what threats are being posed to their web applications. Along with their well known yearly “Top 10 threats” list, the community has launched a complementary project called Automated Threats to Web Applications Project in order to better understand and respond to the bot trend. Beside all the threats that we mentioned before, the OWASP Automated Threat Handbook profiled three major subsets of automated threats. Based on common targets, bot pose threats respectively to account credentials, payment cardholder data and vulnerability identification.
1. Threat subset: Account Credentials
Automated bots can execute account aggregations, which mainly consists of gathering multiple accounts and then interacting on their behalf by using an intermediary application. They are often used for creating multiple ghost accounts for subsequent misuse (account creation), identifying valid login credentials by trying different values for username and/or passwords (credential cracking) or for mass log in order to verify the validity of stolen username/password pairs (credential stuffing).
A synchronized bot network can practically harvest enough credentials to create a serious security and privacy issue with consequences ranging from fake traffic and stolen data to scams and identity theft.
2. Threat subset: Payment Cardholder Data
If automated bots can easily gather account credentials then its obvious they can be used by cybercriminals to target payment cardholder data as well. Bots can often be deployed to spy sensitive data and launch multiple authorisation attempts to verify the validity of bulk stolen payment card data with the ultimate goal of trafficking credit card, bank account and other personal information online, a process also known as carding.
OWASP also reports an increased usage of automated bots used in common card cracking, also referred to as card popping. Card cracking is a debit card fraud scheme in which the perpetrators recruit bank account owners to share their debit card number and PIN in exchange for a compensation. Card-cracking fraudsters leverage the sharing culture of today’s social media community to recruit accomplices in order to execute those frauds. Bots have been used to identify missing start/expiry dates and security codes for payment card data by trying different values but also to automate and further leverage social media exposure which is considered the main recruiting channel.
Beside carding and card cracking bots are being used for cashing out too. Automated procedures can be instructed to acquire goods or obtain cash utilising validated stolen payment card or other user account data. Theoretically, if a well deployed bad bot setup targets you, it could easily gather your cardholder data, steal your allowance and resell your personal accounts before you get the chance to even notice it or react.
3. Threat subset: Vulnerability Identification
According to OWASP, there are hundreds of issues that could affect the security of a web application, and it only takes the discovery of one to allow a hacker an access path to valuable customer or business information. The process of finding potential targets is ideally suited to automation and automated attacks.
In order to trace application vulnerabilities bots have been used to collect and simulate digital footprints which is the data that exists as a result of actions and communications online that can in some way be traced back to an individual.
Digital footprints are broken down into active and passive data traces. Active data traces are the ones that the user leaves intentionally. Social media and blog posts, social network connections, image and video uploads, email, phone calls and chats are among the ways users generate active digital footprints.
On the other hand, passive data traces connected to an individual are left by others or gathered through activities that the user does without purposefully putting out data. Sophisticated bots are then used in automated footprinting actions to probe and explore an application in order to identify its constituents and properties. By doing so the attacker gathers valuable info about security processes which can later be used for launching a quick and damaging attack.
Hackers use bots to uncover website security vulnerabilities on a large scale. Vulnerability scanning involves crawling and fuzzing an application by bots acting like humans in order to identify weaknesses and possible vulnerabilities. Any vulnerabilities found are potential targets for further exploration.
Automated threats consist in elicit digital fingerprinting too. Just like every person has a unique fingerprint, every piece of media or software has identifying features that can be spotted by another smart software. It’s the same approach with good and bad bots, with the key difference that bad bots fingerprinting consists in harvesting information about the supporting software and framework types and versions for future misuse.
To sum up
Numerous reports over the last few years suggest that the level of bot sophistication has continuously risen. Thanks to the advent of cheap or free cloud computing resources, anyone with basic computer skills can download open source software and get into the bot game. The bad bot landscape continues to evolve rapidly, in relation to the sophistication of bot software but also with an increased number of bots coming from Chinese service providers. 2015 saw a dramatic increase in APBs which have “smart” capabilities.
According to the Distil Networks report, not only are the bad guys lying about who they are, they’re repeatedly changing their identities over and over again with around 36% of bad bots disguised using two or more user agents, with the worst APB cases that changed identities over 100 times.
Meanwhile, IT teams are under increasing pressure to accurately forecast and provision web infrastructure to meet the speed and availability demands of legitimate users. And marketing teams seek accurate data on website and conversion metrics.
Yet most companies still have little or no control or even visibility over malicious bot website traﬃc. Luckily, the OWASP and other good guys have kept pace and are now providing improved bot protection knowledge and solutions. If you suspect bad bot abuses you should always turn to experts like GlobalDots to quickly turn the tables. Contact us today to help you out with your performance and security needs.