Latest Bot Trends and OWASP (Open Web Application Security Project)

Dr. Eduardo Rocha

Considering that half of the Internet traffic is generated by bots, of which 29% are “bad bots” (according to the Incapsula 2015 Bot Report), it’s fair to say they form a force to be reckoned with when talking about online security.


While good bots are information gatherers used by organizations, bad bots are unlawful tools used by cyber-criminals. With the rise of “impersonator” bots capable of bypassing security solutions, bot abuses have become more automated, increasingly sophisticated and as damaging to the business as conventional vulnerability exploits such as SQL injection and XSS.

From false clicks and fraudulent display of web-placed advertisements, solving of anti-automation CAPTCHA tests and launching DDoS attacks, to scraping, spamming, sniping and skewing, or even token cracking, automated bots are the preferred tool. Bot operators continue to improve their software, creating more advanced persistent bots (APBs).

The increase of automated bot abuses has alerted the Open Web Application Security Project (OWASP) online community, which has been creating methodologies, documentation, tools and technologies in the field of web application security since 2001. Many businesses look to OWASP for direction on what threats are being posed to their web applications. Along with its well-known yearly “Top 10 threats” list, the community has launched a complementary project called the Automated Threats to Web Applications Project in order to better understand and respond to the bot trend. Besides all the threats mentioned before, the OWASP Automated Threat Handbook profiles three major subsets of automated threats. Based on their common targets, bots pose threats respectively to account credentials, payment cardholder data and vulnerability identification.


1. Threat subset: Account Credentials

Automated bots can execute account aggregation, which mainly consists of gathering multiple accounts and then interacting on their behalf through an intermediary application. They are often used for creating multiple ghost accounts for subsequent misuse (account creation), identifying valid login credentials by trying different values for usernames and/or passwords (credential cracking), or for mass login in order to verify the validity of stolen username/password pairs (credential stuffing).


A synchronized bot network can practically harvest enough credentials to create a serious security and privacy issue with consequences ranging from fake traffic and stolen data to scams and identity theft.

2. Threat subset: Payment Cardholder Data

If automated bots can easily gather account credentials, then it’s obvious they can be used by cybercriminals to target payment cardholder data as well. Bots can be deployed to spy on sensitive data and launch multiple authorisation attempts to verify the validity of bulk stolen payment card data, with the ultimate goal of trafficking credit card, bank account and other personal information online, a process also known as carding.

OWASP also reports an increased usage of automated bots in card cracking, also referred to as card popping. Card cracking is a debit card fraud scheme in which the perpetrators recruit bank account owners to share their debit card number and PIN in exchange for compensation. Card-cracking fraudsters leverage the sharing culture of today’s social media community to recruit accomplices in order to execute those frauds. Bots have been used to identify missing start/expiry dates and security codes for payment card data by trying different values, but also to automate and further leverage social media exposure, which is considered the main recruiting channel.

Besides carding and card cracking, bots are being used for cashing out too. Automated procedures can be instructed to acquire goods or obtain cash using validated stolen payment card or other user account data. In theory, if a well-deployed bad bot setup targets you, it could gather your cardholder data, steal your allowance and resell your personal accounts before you get the chance to even notice or react.

3. Threat subset: Vulnerability Identification

According to OWASP, there are hundreds of issues that could affect the security of a web application, and it only takes the discovery of one to allow a hacker an access path to valuable customer or business information. The process of finding potential targets is ideally suited to automation and automated attacks.

In order to trace application vulnerabilities, bots have been used to collect and simulate digital footprints, which are the data that exist as a result of actions and communications online and can in some way be traced back to an individual.

Digital footprints are broken down into active and passive data traces. Active data traces are the ones that the user leaves intentionally. Social media and blog posts, social network connections, image and video uploads, email, phone calls and chats are among the ways users generate active digital footprints.

On the other hand, passive data traces connected to an individual are left by others or gathered through activities that the user carries out without purposefully putting out data. Sophisticated bots are then used in automated footprinting actions to probe and explore an application in order to identify its constituents and properties. By doing so, the attacker gathers valuable information about security processes which can later be used for launching a quick and damaging attack.

Hackers use bots to uncover website security vulnerabilities on a large scale. Vulnerability scanning involves crawling and fuzzing an application by bots acting like humans in order to identify weaknesses and possible vulnerabilities. Any vulnerabilities found are potential targets for further exploration.

Automated threats include illicit digital fingerprinting too. Just like every person has a unique fingerprint, every piece of media or software has identifying features that can be spotted by other smart software. It’s the same approach with good and bad bots, with the key difference that bad bot fingerprinting consists of harvesting information about the supporting software and framework types and versions for future misuse.

To sum up

Numerous reports over the last few years suggest that the level of bot sophistication has continuously risen. Thanks to the advent of cheap or free cloud computing resources, anyone with basic computer skills can download open source software and get into the bot game. The bad bot landscape continues to evolve rapidly, both in the sophistication of bot software and in the increased number of bots coming from Chinese service providers. 2015 saw a dramatic increase in APBs, which have “smart” capabilities.

Many analytics tools, such as Google Analytics, function via a JavaScript code snippet. If bots can load analytics resources, they end up skewing those tools and throwing off key business and operational metrics. According to the Distil Networks 2016 Bad Bot Landscape Report, 53% of bad bots will end up falsely attributed as humans in Google Analytics and similar tools.

According to the Distil Networks report, not only are the bad guys lying about who they are, they’re repeatedly changing their identities: around 36% of bad bots are disguised using two or more user agents, and the worst APB cases changed identities over 100 times.
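As an added illustration (not code from the original post, OWASP or Distil), the following Python routine scores login-log sources for the three behaviours described on this page: credential stuffing (failures spread across many usernames), credential cracking (many failures on one username) and user-agent rotation (one source presenting several identities). The log format and thresholds are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed login-audit lines (not from the original page): source ip, username, HTTP status, user agent.
SAMPLE_LOG = """\
203.0.113.5 alice 401 "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.5 bob 401 "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.5 carol 401 "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 dave 401 "curl/7.68.0"
192.0.2.7 admin 401 "python-requests/2.25"
192.0.2.7 admin 401 "python-requests/2.25"
192.0.2.7 admin 401 "python-requests/2.25"
192.0.2.7 admin 401 "python-requests/2.25"
198.51.100.9 alice 401 "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 alice 401 "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 alice 200 "Mozilla/5.0 (Windows NT 10.0)"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_login_log(text):
    """Yield (ip, user, status, user_agent) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, user, status, ua = m.groups()
            yield ip, user, int(status), ua

def profile_sources(text, stuffing_min_users=3, cracking_min_fails=4, ua_min=2):
    """Return {ip: [flags]} for sources whose login behaviour matches a bot pattern.
    Thresholds are assumed values for this example; tune them to your own traffic."""
    failed_users = defaultdict(lambda: defaultdict(int))  # ip -> user -> failure count
    agents = defaultdict(set)                              # ip -> distinct user agents seen
    for ip, user, status, ua in parse_login_log(text):
        agents[ip].add(ua)
        if status == 401:
            failed_users[ip][user] += 1
    findings = {}
    for ip in agents:
        flags = []
        if len(failed_users[ip]) >= stuffing_min_users:      # one try each, many accounts
            flags.append("credential_stuffing")
        if any(n >= cracking_min_fails for n in failed_users[ip].values()):  # many tries, one account
            flags.append("credential_cracking")
        if len(agents[ip]) >= ua_min:                          # identity switching between requests
            flags.append("ua_rotation")
        if flags:
            findings[ip] = flags
    return findings
```

The legitimate user at 198.51.100.9, who mistypes a password twice and then succeeds with a single browser, produces no finding.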

Meanwhile, IT teams are under increasing pressure to accurately forecast and provision web infrastructure to meet the speed and availability demands of legitimate users. And marketing teams seek accurate data on website and conversion metrics.

Yet most companies still have little or no control over, or even visibility into, malicious bot website traffic. Luckily, OWASP and other good guys have kept pace and are now providing improved bot protection knowledge and solutions. If you suspect bad bot abuses you should always turn to experts like GlobalDots to quickly turn the tables. Contact us today to help you out with your performance and security needs.
