Weaponized Bots And The Risk To Merchants
As originally published in Retail Touchpoints
Blog updated November 17th, 2017
Online bot attacks are growing rapidly. Attempts to defraud apparel web sites were up nearly 70% in 2016, while attacks on food delivery sites jumped 49.8%, according to research by Forter and the Merchant Research Council. Many attacks are automated, and are driven by smarter bots. Several sources estimate that malicious bots make up 50% or more of all traffic to retail web sites.
You Are Probably Under Attack Now, But Have No Way to Detect It
There is no reason to ponder “Could we be the next target?” because it is highly likely that your site or mobile app is already a target. Many ecommerce sites have “traditional anti-bot defenses,” including web application firewalls and signature-detection tools. These typically catch most attacks by earlier-generation bots, but not the latest botnet-driven attacks, which go undetected in part because next-generation bots are much better at “acting human.”
Newer bots can pose as legitimate, human users and this gives hackers a major advantage in carrying out more complex attacks.
Attackers have shown very detailed knowledge of the business logic and procedures used by different retailers. The bots can be invisible. Botnets contain vast numbers of bots, but each bot might make just one or two attempts to penetrate a site, thereby often going undetected by traditional tools retailers have in place today.
Attacks of Dizzying Complexity
Some real-life bot attacks are camouflaged by their ingenious combinations of multiple attack forms. A single attack might combine malware infection of the browsers of thousands of users, takeover of their social media accounts, and social login abuse to create fake user accounts on a website-creation service, with each fake user immediately creating many malicious websites to which friends and associates of the hijacked social media account are lured. The first sign of such an attack would probably be a sharp spike in new users on the website-creation service, with all of the new accounts arriving via social login.
The most prevalent automated attack methods — the basic chords of bot schemes — are described below.
Bot Attacks On E-Commerce Sites
- Account takeover (ATO) is frequently the first step in online frauds. According to Javelin Strategy and Research, ATO losses reached $2.3 billion in 2016, up 61% from 2015. Despite increased security measures by retailers, the success rate of break-in attempts appears to be climbing. In one attack documented recently by security firm PerimeterX, a remarkably high 8% of “educated guesses” were successful. Hackers now equip their bots with curated lists of stolen credentials. Since the same credentials are often valid across numerous sites, attackers easily penetrate multiple retail sites.
- Fake user creation often exploits the trust inherent in social login, where Facebook or Google credentials are accepted and allow a user to immediately take actions without additional verifications. This allows bots to automatically create many more accounts, and persuade other social media users to download utilities that are, in fact, bot-carrying malware. Some ad-related frauds rely on hundreds of thousands of fake user accounts as well, according to Ad Age. Advanced bots use the accounts to simulate human ad viewers and defraud advertisers.
- Gift cards – and especially digital, or e-gift cards – are attractive targets. Advanced bots make it easier to find valid card numbers and the required verification data, and attackers then either spend the balances or sell them on the black market. Another reason hackers love gift cards: over $100 billion is spent on them annually, of which $14 billion goes to e-gift cards rather than physical cards, and 97% of top retailers sell their cards online. Gift cards represent an enormous monetary target, and cybercriminals are notably successful attacking e-gift cards – CEB / Tower Group estimated that e-gift card fraud losses were $950 million in 2016.
- Hoarding, or inventory exhaustion, is a DoS (Denial of Service) attack that directly sabotages a retailer’s revenue generation. Bots put high-demand items (hot new sneakers) or limited-supply items (like hotel rooms) into a shopping cart and hold them there, which locks them out of available inventory. This blocks legitimate buyers from purchasing; meanwhile, competitors are able to command higher prices as shoppers abandon the victimized retailer and go wherever the product is available. The target of the attack loses revenue and reputation; consumers who flocked to the website because it claimed availability leave frustrated and feel misled. Adding insult to injury, the retailer may be deceived by out-of-stock alerts during a hoarding attack and conclude that the hoarded item should be reordered. Often, the targeted retailer is only able to sell its inventory once peak demand has been fulfilled by competitors, and is forced to discount heavily.
- New-generation malicious bots are also behind more marketing affiliate fraud, where a business wrongly claims credit and receives payment for web site traffic it did not generate. According to the Association of National Advertisers, ad-related fraud alone reached $7.2 billion in 2016.
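The two attack patterns above that leave the clearest trace in ordinary server logs are credential stuffing (the automated front end of account takeover) and cart hoarding. The following is an added example, not code from the original article or from any vendor: two rule-based detectors run over a constructed event log. The log layout, the IP addresses, the SKU and the thresholds are all assumptions made for illustration.

```python
"""
Added example, not code from the original article: two rule-based detectors
run over a constructed e-commerce event log. The first looks for credential
stuffing (the bot-driven account takeover described above), the second for
cart hoarding / inventory exhaustion. Log layout, thresholds and IPs are all
assumptions made for illustration.
"""
from collections import defaultdict

# Constructed sample log, one tuple per event:
#   (timestamp_s, source_ip, session_id, event, detail, outcome)
# event is "login", "cart_add" or "checkout"; detail is the username for a
# login and "SKU:units" for cart events; outcome is "ok"/"fail" for logins.
SAMPLE_LOG = [
    # 1. Stuffing run from one IP: 12 distinct usernames from a stolen list,
    #    one of which happens to be valid here (password reused across sites).
    *[(100 + i, "203.0.113.7", f"s{i}", "login", f"user{i}@example.com",
       "ok" if i == 7 else "fail") for i in range(12)],
    # 2. A human who mistypes a password twice and then gets in.
    (200, "198.51.100.9", "h1", "login", "carol@example.com", "fail"),
    (205, "198.51.100.9", "h1", "login", "carol@example.com", "fail"),
    (212, "198.51.100.9", "h1", "login", "carol@example.com", "ok"),
    # 3. Hoarding session: piles the hot SKU into its cart and never pays.
    (300, "192.0.2.44", "b9", "cart_add", "SNEAKER-X:4", ""),
    (301, "192.0.2.44", "b9", "cart_add", "SNEAKER-X:4", ""),
    (302, "192.0.2.44", "b9", "cart_add", "SNEAKER-X:4", ""),
    # 4. The human shopper adds one pair and checks out a minute later.
    (400, "198.51.100.9", "h1", "cart_add", "SNEAKER-X:1", ""),
    (460, "198.51.100.9", "h1", "checkout", "SNEAKER-X:1", "ok"),
]


def credential_stuffing_sources(log, min_distinct_users=10, max_success_rate=0.25):
    """Flag source IPs that try many *different* usernames with a low hit
    rate: a human forgets one password, a stuffing bot walks a list.
    Returns {ip: (distinct_usernames, success_rate)} for flagged IPs."""
    attempts = defaultdict(list)
    for _ts, ip, _sess, event, detail, outcome in log:
        if event == "login":
            attempts[ip].append((detail, outcome))
    flagged = {}
    for ip, rows in attempts.items():
        users = {user for user, _ in rows}
        rate = sum(1 for _, out in rows if out == "ok") / len(rows)
        if len(users) >= min_distinct_users and rate <= max_success_rate:
            flagged[ip] = (len(users), round(rate, 3))
    return flagged


def hoarding_sessions(log, now, max_units_per_sku=3, max_hold_s=900):
    """Flag sessions that hold more of one SKU than any real shopper would,
    or that keep items in the cart past max_hold_s without checking out.
    Returns {session_id: reason}."""
    held = defaultdict(lambda: defaultdict(int))  # session -> sku -> units in cart
    first_add = {}                                # session -> time of first cart_add
    checked_out = set()
    for ts, _ip, sess, event, detail, _outcome in log:
        if event not in ("cart_add", "checkout"):
            continue
        sku, units = detail.split(":")
        if event == "cart_add":
            held[sess][sku] += int(units)
            first_add.setdefault(sess, ts)
        else:
            held[sess][sku] -= int(units)
            checked_out.add(sess)
    flagged = {}
    for sess, skus in held.items():
        over = {sku: n for sku, n in skus.items() if n > max_units_per_sku}
        if over:
            flagged[sess] = f"holds {over}, cap is {max_units_per_sku} per SKU"
        elif sess not in checked_out and now - first_add[sess] > max_hold_s:
            flagged[sess] = f"cart held {now - first_add[sess]}s without checkout"
    return flagged


if __name__ == "__main__":
    print("credential stuffing:", credential_stuffing_sources(SAMPLE_LOG))
    print("hoarding:", hoarding_sessions(SAMPLE_LOG, now=2000))
```

Run stand-alone, the script flags 203.0.113.7 (12 usernames, 8% success, close to the PerimeterX figure cited above) and session b9 (12 units of one SKU, never checked out), while Carol's two typos and her single-pair purchase pass. The caveat is the one the article itself raises: both rules key on a single IP or session doing a lot, and a botnet in which each bot makes only one or two attempts, or a cart-holding bot that stays under the per-session cap, slips through them. That limitation is the reason the later sections argue for behavior-based detection rather than volume thresholds.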
Status Today: Automated Bot Attacks Have the Upper Hand
Automated attacks give hackers several significant advantages. The latest generation of bots can hijack real users’ sessions, which start with a legitimate human login showing normal human behavior. This causes the volumetric and IP-reputation measures on which most retailers rely to fail. These bots are continually updated by their criminal masters and programmed with new capabilities.
Unlike earlier, more easily-blocked bots, the newest bots bring versatility and surprising abilities to the job. Waiting quietly in the browser extensions of a human user who logs into a web site using valid credentials, a bot can then go active and follow complex instructions to perpetrate frauds while “acting human” the entire time.
The Ecommerce Imperative: Detect All Attacks by All Bots
Attackers are extremely opportunistic and adaptable. If their earlier-generation bot attacks are being stopped, they will quickly switch to more advanced bots. If the website is able to repel all bot attacks, they may switch within a single day to targeting the retailer’s mobile app, using techniques such as emulation and impersonation.
The retailer must strive to recognize and block all attacks by all generations and types of bots, regardless of where they strike. In past years that has been impractical: web application firewalls and signature-based defenses can see and stop Gen 1 and most Gen 2 bots, but a new threat is effectively invisible to them until a signature for it is included in a software update.
No single tool can identify every attack pattern, but there is a giveaway characteristic that all types of bots share: they can execute the same steps as a human user would, but they always do so in a “somewhat non-human way.”
There are many subtle aspects to how a human interacts with a specific web page or mobile app, and even the most advanced bots cannot pull off the impersonation. The deviations from human behavior can be picked up by an emerging class of web security defense that analyst firm 451 Research has labeled Web Behavior Analytics (WBA), calling it “the cornerstone of advanced bot defense.”
Drilling Down: Turning the Tables So Bots Have to Play Catchup
A behavior-based bot-detection and blocking service checks many behavior parameters of your user, your application and the network in real time.
Unlike a signature-based tool, the behavior-based service works in two phases. The first is machine learning: it studies the behavior of real users on each page and app. The second is enforcement: it applies what it has learned to allow or block each visitor. The bot-master lacks tools that can discern, let alone reproduce, what the behavior-based system requires before it concludes that a user is human.
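To make the two phases concrete, here is an added toy example of a behavior-based detector; it is not the article's or any vendor's code, and the feature set, the "human" training sessions, the page name and the z-score threshold are all assumptions for illustration. Phase 1 learns, per page, how humans are distributed on three interaction-timing features; phase 2 scores a new session against that baseline and blocks it when any feature is far outside what humans produce.

```python
"""
Added example (not the article's or any vendor's code): a toy two-phase
behavior-based bot detector. Phase 1 learns, per page, the distribution of a
few interaction-timing features from sessions assumed to be human; phase 2
scores a new session against that baseline and blocks it if any feature lies
too far out. All sessions below are constructed; the feature names, the
z-score threshold and the "human" training set are assumptions.
"""
import statistics
from collections import defaultdict

# Constructed training data: per page, timestamps (seconds after page load)
# of each human visitor's interactions (clicks, keystrokes, scrolls).
HUMAN_SESSIONS = {
    "/checkout": [
        [2.1, 4.8, 9.3, 10.1, 14.7],
        [3.4, 5.0, 5.9, 11.2, 12.8, 18.0],
        [1.5, 6.2, 7.0, 12.9],
        [2.8, 3.9, 8.4, 9.7, 15.5, 16.2],
        [4.0, 7.7, 8.3, 13.6],
        [1.9, 3.1, 7.8, 11.0, 12.4],
    ],
}


def session_features(events):
    """Timing features of one session: delay before the first action, mean
    gap between actions, and the coefficient of variation of those gaps
    (near 0 means metronome-regular timing, which humans do not produce)."""
    if len(events) < 2:
        raise ValueError("need at least two events to compute gaps")
    gaps = [b - a for a, b in zip(events, events[1:])]
    mean_gap = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    return {"time_to_first_action": events[0], "mean_gap": mean_gap, "gap_cv": cv}


def learn_baselines(human_sessions):
    """Phase 1: per page and per feature, the mean and standard deviation
    observed across the human sessions."""
    baselines = {}
    for page, sessions in human_sessions.items():
        cols = defaultdict(list)
        for s in sessions:
            for name, value in session_features(s).items():
                cols[name].append(value)
        baselines[page] = {
            name: (statistics.fmean(v), max(statistics.stdev(v), 1e-6))
            for name, v in cols.items()
        }
    return baselines


def score_session(baselines, page, events):
    """Phase 2: largest |z-score| of the session's features against the page
    baseline. Higher means less like the humans seen in training."""
    feats = session_features(events)
    return max(abs((feats[n] - mu) / sd) for n, (mu, sd) in baselines[page].items())


def decide(baselines, page, events, threshold=3.0):
    """Allow or block: block when any feature is more than `threshold`
    standard deviations away from the human baseline for that page."""
    return "block" if score_session(baselines, page, events) > threshold else "allow"


if __name__ == "__main__":
    b = learn_baselines(HUMAN_SESSIONS)
    for label, s in [("new human", [2.5, 5.1, 6.0, 10.4, 11.9]),
                     ("script, fixed 200 ms", [0.2, 0.4, 0.6, 0.8, 1.0]),
                     ("script, jittered", [0.31, 0.62, 0.90, 1.22, 1.51])]:
        print(f"{label:22s} score={score_session(b, '/checkout', s):5.1f}"
              f" -> {decide(b, '/checkout', s)}")
```

The new human session scores well under the threshold and is allowed; the fixed-interval script and the jittered one are both blocked, because even with jitter their gaps are an order of magnitude shorter and far more regular than anything in the human baseline. Two caveats a practitioner should keep in mind: with only six training sessions the baseline is so tight that an unusually slow human would also be flagged, so a real deployment learns from large volumes of traffic per page and uses robust statistics; and the thresholds and features live on the server side, which is the point the article makes about the bot-master having no way to see what the system requires.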
In this way, behavior based systems have turned the tables; now the cybercriminals are in the position of catching up with defensive technology. This also suggests strongly that this new approach gives site operators an advantage against bots that will be long lasting, and as one of our customers put it, “Our security team could breathe a sigh of relief.”