6 Ways Bots Attack Your eCommerce Site this Holiday Season - Download Whitepaper
Back to posts

Invisible Invaders: Why Detecting Bot Attacks Is Becoming More Difficult

June 19, 2017
  • Ido Safruti
  • CTO & Co-Founder

As originally published in DARKReading

Traditional methods can’t block the latest attackers, but a behavioral approach can tell the difference between bots and humans.

In a recent automated attack, a large bot army hacked into accounts using brute-force methodology and a highly accurate username and password list. PerimeterX researchers discovered that by overwhelming sites with requests from a network of tens of thousands of Internet of Things devices such as Canon printers and network devices, and with each bot sending just a single request every 10 minutes or so, the attacker completed more than 5 million attempts per day. Furthermore, the attack was successful on 8% of attempts, breaching a shocking 400,000 accounts per day.

How can such an attack be so successful? Attackers and the bots they create are in a technological arms race with companies always on the defense, trying to catch up. Next-generation bots are outsmarting companies every day. Detecting and deterring these often invisible attacks is difficult, and the standard tricks of the trade such as logfile analysis, are inadequate.

What These Next-Gen Bots Can Do

The new bots are today’s sophisticated automated attackers — but they’re standing on the shoulders of 20 years of bot evolution. They originate as malware, often infiltrating through a browser extension. However, these newer bots have one unique marker in common: they latch onto a host user. In effect, they’re parasites. Under the guise of their host, they go undetected as they perform account takeover, malware distribution, and fraud.

Past bots could be defeated by blacklisting their IP address or detecting the absence of cookies or their inability to perform simple tasks, like running a JavaScript code. Bots eventually evolved into “headless browsers,” which can run on a scripting engine that behaves like a real browser, which runs JavaScript and fully renders the pages. Headless browsers can be “outed” by challenge tests, such as asking them to render a sound or an image to prove the actual browser identity.

Because these next-gen bots are more sophisticated and look as if they’re operating in a real user environment, traditional detection methods can’t identify them, let alone block them.

How They Attack

Disguised as normal users, these next-generation bots perform numerous types of attacks on a company’s website, but remain invisible to a Web application firewall, for example.

The attacker will find various ways to extract money from the website. These techniques include account takeover, in which the stolen accounts are then sold on the Dark Web and used for fraud, fake account creation, testing stolen credit cards, and brute-forcing gift cards by guessing their number to cash out their balances. There’s also click-fraud, in which bots are instructed to invisibly browse different sites and click on ads to extract money from advertisers.

Another disruptive and damaging attack is checkout abuse. Nearly everyone has encountered this when purchasing concert tickets. Within a minute, the event is sold out, and it’s guaranteed that none of the tickets was bought by a human.

Steps for Detection and Protection

Since the Internet became commercialized in the mid-1990s, nearly all bot attacks have involved bots performing functions on a website in ways that a human also could. Newer and more versatile bots are much harder to detect, as they are malware running on real users’ browsers or devices, hiding behind real people’s activity by shadowing their legitimate sessions and injecting hidden activities of their own. How can these bots be detected? … Read full article

Back to posts comments powered by Disqus