6/1/2010
05:47 PM

Botnets Target Websites With 'Posers'

Tens of thousands of bots are cracking CAPTCHAs and joining websites in order to steal information, extort money

Botnets increasingly are creating phony online accounts on legitimate websites and online communities in order to steal information from enterprises.

This alternative form of targeted attack by botnets has become popular as botnet tools have made bots easier to purchase and exploit. Merrick Furst, botnet expert and distinguished professor of computer science at Georgia Tech, says bots are showing up "en masse" to customer-facing websites -- posing as people.

"We are seeing tens of thousands of false registrations getting through existing defense-in-depth to get accounts on websites," says Furst, who is also a member of the board of directors at Pramana and a co-founder of Damballa, both security firms that specialize in botnet mitigation. And these bots can walk off with data from those sites, either for competitive purposes or for selling the stolen information on the black market, according to new data from Pramana, a startup that spun off from Georgia Tech.

"Instead of humans, bots are showing up en masse" on auction, social networking, and various other websites that require registration for participation or comments or webmail, he says. "If job listings are your valuable content, what if your competitors set bots to screen-scrape and take your content out the door? This screen-scraping is costing a lot of money and becoming way more prevalent."

Botnet operators are poking holes in CAPTCHA defenses. Pramana, which uses what it calls "HumanPresent" technology that looks at online activity in real time in order to catch fraud before it occurs, saw 60 percent of bots crashing through CAPTCHAs and other defenses at one Fortune 100 client's website.

David Crowder, CEO of Pramana, says his firm sees anywhere from a couple of thousand to tens of thousands of new bots per hour registering on legit websites -- and about 200,000 in a 15-hour period. "When we saw botnets creating a couple hundred thousand accounts ... that was not how we anticipated seeing botnets in the wild," Crowder says.

This newer form of bot abuse is a result of how simple botnet technology is to acquire these days, he says, with do-it-yourself kits and underground botnet marketplaces springing up. "It's becoming so easy to get hold of. If you want to be a botmaster, for $238 you can buy it," Crowder says.

Gunter Ollmann, vice president of research at Damballa, says this type of botnet activity -- where bots are used to create phony user accounts for nefarious purposes -- has been on the rise during the past four to six months. "There are new tools or methodologies for abusing reputation systems and where abuse of these reputation systems relies on having access and control of many thousands of identities, which don't have to belong to real people, but just look like it," Ollmann says.

One type of attack is for a botnet to use extortion on sites such as eBay or Craigslist, he says. If a bad guy gets control of thousands of identities on one of these sites, he can influence the reputations of other buyers and sellers and extort money, for instance, Ollmann says. "If you're a small business, [such as] a handyman, criminals can reach out via email and explain that for a few thousand dollars they can guarantee you have dozens or hundreds of positive reviews on your service. If you refuse, they [will post] negative comments and your reputation will go down."

This approach lets the bad guys commit fraud from outside the victim organization, Georgia Tech's Furst says. So if a competitor wants to build a jobs website, he could join an existing one via bots and siphon the information for his own site, he says. "Imagine that I could turn loose an army of bots and subvert that site for my own purposes," he says.

One of Pramana's clients recently discovered that bots were stealing its requests for quotation (RFQ) from its website. "They found their RFQ on a competitor's website," Crowder says.

And the bots often take on human qualities to blend in -- at least when it comes to some online behaviors. Pramana's Crowder says the bots do things like mimic keyboard entry by slowing down how they enter data, rather than just injecting data into online forms, for instance. "They use mouse clicks so their movements between controls will be like that of humans," he says.

Other tactics they use: operating in the light of day during business hours and, in some cases, registering a smaller number of bots in an hour. "They try to intersperse their traffic so they won't get caught. And they are almost always operating during corporate business hours, from 8 a.m. until 6 or 7 p.m.," Crowder says. "We see lots of bot activity during the busiest parts of the day."
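The evasion tactics described above (paced keystrokes, mouse-driven field changes, registrations spread out to avoid rate limits) are also what a defender can look for in registration telemetry. The following is an added detection sketch, not code from the article or from Pramana's product; the session records are constructed, and the thresholds (a coefficient of variation below 0.15 for keystroke gaps, more than two signups per minute) are illustrative assumptions rather than published figures.

```python
"""Flag registration sessions that look scripted: keystrokes that are slowed down
but evenly spaced, and signups arriving in bursts. Sample data is constructed."""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample: one session per dict; key_gaps = seconds between keystrokes
# in the registration form, ts = Unix time of the signup.
SESSIONS = [
    {"user": "alice", "ts": 1275400000, "key_gaps": [0.21, 0.09, 0.34, 0.15, 0.42, 0.11]},
    {"user": "bob",   "ts": 1275400060, "key_gaps": [0.18, 0.27, 0.12, 0.39, 0.22, 0.31]},
    # Scripted entries: paced to look human but metronomic, and arriving within seconds.
    {"user": "acct_1001", "ts": 1275403600, "key_gaps": [0.25] * 6},
    {"user": "acct_1002", "ts": 1275403601, "key_gaps": [0.25, 0.25, 0.26, 0.25, 0.25, 0.25]},
    {"user": "acct_1003", "ts": 1275403602, "key_gaps": [0.30] * 6},
]

def timing_cv(gaps):
    """Coefficient of variation of keystroke gaps; near zero means fixed-delay input."""
    m = mean(gaps)
    return pstdev(gaps) / m if m else 0.0

def uniform_typing(session, min_cv=0.15):
    """Human typing jitters; a CV below the (assumed) threshold suggests a script."""
    return timing_cv(session["key_gaps"]) < min_cv

def burst_minutes(sessions, max_per_minute=2):
    """Return the minute buckets whose signup count exceeds the assumed baseline."""
    per_minute = Counter(s["ts"] // 60 for s in sessions)
    return {m for m, n in per_minute.items() if n > max_per_minute}

def suspicious_sessions(sessions):
    """List (user, reasons) for every session tripping at least one heuristic."""
    bursts = burst_minutes(sessions)
    flagged = []
    for s in sessions:
        reasons = []
        if uniform_typing(s):
            reasons.append("metronomic keystrokes")
        if s["ts"] // 60 in bursts:
            reasons.append("signup burst")
        if reasons:
            flagged.append((s["user"], reasons))
    return flagged

if __name__ == "__main__":
    for user, why in suspicious_sessions(SESSIONS):
        print(user, ", ".join(why))
```

Either signal alone produces false positives (a fast human, a marketing-driven signup spike), so in practice these scores feed a review queue or a step-up challenge rather than an automatic block.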

Using identities set up on these legit websites or even on webmail accounts is a stepping stone to other cybercrime. "This opens doors to launch more interesting attacks," Damballa's Ollmann says. "Webmail tends to have a higher reputation score in anti-spam technology, so if you're sending an email via Gmail, you have a higher probability of not getting stopped by mail filtering because there's a higher trust with Gmail -- you see the same with social networking sites," he says.

Ollmann says the bad guys basically use bots to build reputable online identities that they then can use against other -- human -- users on those sites. "These details are collated and sold to other [underground] suppliers," he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
