Vulnerabilities / Threats
6/24/2014
05:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Battling The Bot Nation

Online fraudsters and cyber criminals -- and even corporate competitors -- rely heavily on bots, and an emerging startup aims to quickly spot bots in action.

There are massive distributed denial-of-service (DDoS) attacks that saturate a targeted website or network with unwanted traffic and knock it offline -- and then there are what renowned security expert Dan Kaminsky calls "resource-based DDoS" attacks that his startup White Ops increasingly is catching in action.

It's where stealthy bots are used to automate database lookups such that they ultimately sap performance for legitimate site visitors. Take a recent case where more than 20% of a major global retailer's website traffic during the Christmas holiday season came from stealthy bots recruited by its competitors to scrape in bulk pricing information from the retailer. "It's competitive intelligence" and it's happening en masse, says Michael Tiffany, CEO of White Ops, a bot-detection firm. "Everyone is spying on everyone to get everyone's prices."

Tiffany wouldn't name the retailer, a White Ops customer, but says it's so big that retailers tend to attempt to normalize around its pricing structure. "To succeed and hide in the noise, these are full... browsers in compromised machines scraping the websites from a major retailer," he says. "It was somebody who pretending to be a Google bot. They [the retailer] said, 'we don't mind scraping our prices, but they're doing it too fast and damaging the [online] experience for our real customers.'"

So White Ops' mission was more about "rate-limiting" the bots they found hitting the site, some of which were running 50 database lookups a second. "You take all of these bots doing database queries, relatively slowly but still high from a database lookup standpoint, and identify those bots so they can be put into a rate-limiting bucket," says Kaminsky, chief scientist at White Ops.

Such is the pervasive use of the bot -- basically a malware-infected machine remotely controlled by cybercriminals -- today. White Ops, which today announced that it has secured $7 million in funding from investors Paladin Capital Group and Grotech Ventures, offers technology it says can tell a bot from a real online user.

The new funding should help propel White Ops' move into the enterprise business, where it's already selling not only to e-commerce firms like the large retailer under resource-based DDoS attacks, but also to financial services firms adding another layer to detect man-in-the browser online banking fraud, e-commerce fraud, and resource-sapping DDoS attacks. Kaminsky and Tiffany say they can't give specifics or names of their customers.

White Ops' initial customers were in the online ad space, where botnet-driven click fraud abounds, but Kaminsky says the technology initially was built with financial services fraud in mind. "It just so happened the ad [industry] came running to us asking for help with this... threat, so we shifted our attention to ads because there was so much excitement there," Kaminsky says.

Botnets are the main weapon of most cybercriminals, as well as nation-state cyberspies. A recent study by Check Point Software found that a bot is born every 24 hours, and nearly three-fourths of enterprises have at least one bot-infected endpoint living in their corporate network. Some 77% of bots reside undetected for more than a month, and according to White Ops, experts estimate that 22% of online advertising is bot-driven worldwide, costing billions in lost revenue yearly.

White Ops basically relies on a single line of JavaScript inserted on the customer side. It collects telemetry about a session that is sent to White Ops cloud-based service, which determines whether the session is a bot or a human, and sends that intelligence to the customer's SIEM or other security system. "We find deterministic signs that this browser is not being driven by a human, but by a bot," Kaminsky says. "No matter how clever you [the attacker] are, you're not going to teleport to the machine in question. You're never looking at the physical machine or touching the keyboard," and there are some characteristics of physical versus remote control that White Ops studies, according to Kaminsky.

"We detect what that browser is doing," he says.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Whoopty
50%
50%
Whoopty,
User Rank: Strategist
6/25/2014 | 9:53:13 AM
Re: Time to Upgrade Your DB and Search Engine
I'd have to agree with Christian. As it stands there doesn't seem to be a particularly good way of mass shutting down botnets apart from cutting them off at the source. Individual machine infections are down to the owner to fix, so if retailers are getting hit, keeping your database in order and up to date is probably the safest bet. 
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/25/2014 | 1:15:59 AM
Time to Upgrade Your DB and Search Engine
One thing to consider from this article is that, if bots are so pervasive and right now they are a given in the ecosystem, perhaps one way to battle them is to improve upon your database hardware, software, schemas and query code. If your marketplace can't survive a 20% bot load where that activity is affecting your human customers, it may be a sign to upgrade your database and search engine. This is the age of fast databases that run at teraflops speed on economy hardware. With Hadoop and related search/database applications out there (open source, no less), sites can certainly do better. Granted, that's not a permanent solution to the growing problem cited in the article, but retailers need to also make changes where able to their technology to lighten the load and keep bot activity from being a problem as much as possible.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5104
Published: 2014-07-28
Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) a_country parameter in a process action to affiliate_signup.php, (2) affiliate_banner_id parameter to affiliate_show_banner.php, (3) country parameter in a process action ...

CVE-2014-5105
Published: 2014-07-28
Multiple cross-site scripting (XSS) vulnerabilities in ol-commerce 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) a_country parameter in a process action to affiliate_signup.php or (2) entry_country_id parameter in an edit action to admin/create_account.php.

CVE-2014-5106
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.4.x through 3.4.6 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to admin/install/index.php.

CVE-2014-5107
Published: 2014-07-28
concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.ph...

CVE-2014-5108
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to index.php/download_file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.