Latest Bot Trends and OWASP (Open Web Application Security Project)

Dr. Eduardo Rocha Senior Solutions Engineer & Security Analyst @ GlobalDots
6 Min read

Considering that half of the Internet traffic is generated by bots of which 29% is represented by “bad bots” (according to Incapsula 2015 Bot Report), it’s fair to say they form a force to be reckoned when talking about online security.

Tweet this: Half of the internet traffic is generated by bots

Reduce your AWS costs by over 50%

Discover your Cloud Saving Potential – Answer just 5 simple questions. AppsFlyer, Playtika, Lufthansa, IBM, top leading companies are already using our FinOps services.

Reduce your AWS costs by over 50%

While good bots are information gatherers used by organizations, bad bots are considered unlawful tools used by cyber-criminals. With the rise of “impersonator” bots capable of bypassing security solutions bot abuses have become more automated, increasingly sophisticated and as damaging to the business as the conventional vulnerability exploits such as SQL injection and XSS.

From false clicks and fraudulent display of web placed advertisements, solving of anti-automation CAPTCHA tests and launching DDoS attacks to scraping, spamming, sniping and skewing, or even token cracking, automated bots are the preferred tool. Bot operators continue to improve their software, creating more advanced persistent bots (APBs).

Bad Bot

Image Source

The increase of automated bot abuses has since alerted the Open Web Application Security Project (OWASP) online community which has been creating methodologies, documentation, tools and technologies in the field of web application security since 2001. Many business look to OWASP for direction on what threats are being posed to their web applications. Along with their well known yearly “Top 10 threats” list, the community has launched a complementary project called Automated Threats to Web Applications Project in order to better understand and respond to the bot trend. Beside all the threats that we mentioned before, the OWASP Automated Threat Handbook profiled three major subsets of automated threats. Based on common targets, bot pose threats respectively to account credentials, payment cardholder data and vulnerability identification.

Tweet this: OWASP – Open Web Application Security Project

1. Threat subset: Account Credentials

Automated bots can execute account aggregations, which mainly consists of gathering multiple accounts and then interacting on their behalf by using an intermediary application. They are often used for creating multiple ghost accounts for subsequent misuse (account creation), identifying valid login credentials by trying different values for username and/or passwords (credential cracking) or for mass log in order to verify the validity of stolen username/password pairs (credential stuffing).

Image Source

A synchronized bot network can practically harvest enough credentials to create a serious security and privacy issue with consequences ranging from fake traffic and stolen data to scams and identity theft.

Tweet this: What is Credential Cracking?

Tweet this: What is Credential Stuffing?

2. Threat subset: Payment Cardholder Data

If automated bots can easily gather account credentials then its obvious they can be used by cybercriminals to target payment cardholder data as well. Bots can often be deployed to spy sensitive data and launch multiple authorisation attempts to verify the validity of bulk stolen payment card data with the ultimate goal of trafficking credit card, bank account and other personal information online, a process also known as carding.

OWASP also reports an increased usage of automated bots used in common card cracking, also referred to as card popping. Card cracking is a debit card fraud scheme in which the perpetrators recruit bank account owners to share their debit card number and PIN in exchange for a compensation. Card-cracking fraudsters leverage the sharing culture of today’s social media community to recruit accomplices in order to execute those frauds. Bots have been used to identify missing start/expiry dates and security codes for payment card data by trying different values but also to automate and further leverage social media exposure which is considered the main recruiting channel.


Image Source

Beside carding and card cracking bots are being used for cashing out too. Automated procedures can be instructed to acquire goods or obtain cash utilising validated stolen payment card or other user account data. Theoretically, if a well deployed bad bot setup targets you, it could easily gather your cardholder data, steal your allowance and resell your personal accounts before you get the chance to even notice it or react.

Tweet this: What is Carding?

3. Threat subset: Vulnerability Identification

According to OWASP, there are hundreds of issues that could affect the security of a web application, and it only takes the discovery of one to allow a hacker an access path to valuable customer or business information. The process of finding potential targets is ideally suited to automation and automated attacks.

In order to trace application vulnerabilities bots have been used to collect and simulate digital footprints which is the data that exists as a result of actions and communications online that can in some way be traced back to an individual.

Digital footprints are broken down into active and passive data traces. Active data traces are the ones that the user leaves intentionally. Social media and blog posts, social network connections, image and video uploads, email, phone calls and chats are among the ways users generate active digital footprints.

On the other hand, passive data traces connected to an individual are left by others or gathered through activities that the user does without purposefully putting out data. Sophisticated bots are then used in automated footprinting actions to probe and explore an application in order to identify its constituents and properties. By doing so the attacker gathers valuable info about security processes which can later be used for launching a quick and damaging attack.

Hackers use bots to uncover website security vulnerabilities on a large scale. Vulnerability scanning involves crawling and fuzzing an application by bots acting like humans in order to identify weaknesses and possible vulnerabilities. Any vulnerabilities found are potential targets for further exploration.

Vulnerability Scanning

Image Source

Tweet this: What is Vulnerability Scanning?

Automated threats consist in elicit digital fingerprinting too. Just like every person has a unique fingerprint, every piece of media or software has identifying features that can be spotted by another smart software. It’s the same approach with good and bad bots, with the key difference that bad bots fingerprinting consists in harvesting information about the supporting software and framework types and versions for future misuse.

To sum up

OWASP Handbook of automated Threats

Numerous reports over the last few years suggest that the level of bot sophistication has continuously risen. Thanks to the advent of cheap or free cloud computing resources, anyone with basic computer skills can download open source software and get into the bot game. The bad bot landscape continues to evolve rapidly, in relation to the sophistication of bot software but also with an increased number of bots coming from Chinese service providers. 2015 saw a dramatic increase in APBs which have “smart” capabilities.

Many analytic tools, such as Google Analytics, function via a JavaScript code snippet. If bots can load analytic tools resources, they easily end up skewing analytic tools and throwing o key business and operational metrics. According to Distil Networks 2016 Bad Bot Landscape Report, 53% of bad bots will end up falsely attributed as humans in Google Analytics and similar tools.     

According to the Distil Networks report, not only are the bad guys lying about who they are, they’re repeatedly changing their identities over and over again with around 36% of bad bots disguised using two or more user agents, with the worst APB cases that changed identities over 100 times.

Tweet this: 36% of Bots are “Bad Bots”

Meanwhile, IT teams are under increasing pressure to accurately forecast and provision web infrastructure to meet the speed and availability demands of legitimate users. And marketing teams seek accurate data on website and conversion metrics.

Yet most companies still have little or no control or even visibility over malicious bot website trac. Luckily, the OWASP and other good guys have kept pace and are now providing improved bot protection knowledge and solutions. If you suspect bad bot abuses you should always turn to experts like GlobalDots to quickly turn the tables. Contact us today to help you out with your performance and security needs.

Latest Articles

Justt – IaC

Justt is a chargeback mitigation startup based in Tel Aviv. Chargebacks, as defined, are demands by a credit card provider for a retailer to reimburse losses on fraudulent or disputed transactions. Justt’s objective is to assist merchants worldwide in combating false chargebacks using its proprietary artificial intelligence technology.

22nd February, 2024
8 FinOps Best Practices for Cutting Cloud Costs

The cloud used to be viewed as a place of significant cost savings: rather than purchasing and maintaining dozens of server stacks, organizations could outsource this and purchase compute power on an as-needed basis. In the ensuing rush to cloud architecture, however, many companies simply lifted-and-shifted their old financial bad habits. The sheer speed of […]

22nd February, 2024
How FinOps Capabilities Can Unlock Your Cloud Cost Goals

Cloud computing has transformed more than individual app architectures: it’s granted both start-ups and market leaders an equal platform for innovation. New products are no longer dependent upon complex revenue-draining in-house server stacks. Instead, cloud-native disruptors such as Uber and Airbnb have been able to harness the once-unthinkable degrees of agility, scalability, and cost-efficiency that […]

24th January, 2024

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

Unlock Your Cloud Potential