Vulnerabilities / Threats
6/24/2014
05:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Battling The Bot Nation

Online fraudsters and cyber criminals -- and even corporate competitors -- rely heavily on bots, and an emerging startup aims to quickly spot bots in action.

There are massive distributed denial-of-service (DDoS) attacks that saturate a targeted website or network with unwanted traffic and knock it offline -- and then there are what renowned security expert Dan Kaminsky calls "resource-based DDoS" attacks that his startup White Ops increasingly is catching in action.

It's where stealthy bots are used to automate database lookups such that they ultimately sap performance for legitimate site visitors. Take a recent case where more than 20% of a major global retailer's website traffic during the Christmas holiday season came from stealthy bots recruited by its competitors to scrape in bulk pricing information from the retailer. "It's competitive intelligence" and it's happening en masse, says Michael Tiffany, CEO of White Ops, a bot-detection firm. "Everyone is spying on everyone to get everyone's prices."

Tiffany wouldn't name the retailer, a White Ops customer, but says it's so big that retailers tend to attempt to normalize around its pricing structure. "To succeed and hide in the noise, these are full... browsers in compromised machines scraping the websites from a major retailer," he says. "It was somebody who pretending to be a Google bot. They [the retailer] said, 'we don't mind scraping our prices, but they're doing it too fast and damaging the [online] experience for our real customers.'"

So White Ops' mission was more about "rate-limiting" the bots they found hitting the site, some of which were running 50 database lookups a second. "You take all of these bots doing database queries, relatively slowly but still high from a database lookup standpoint, and identify those bots so they can be put into a rate-limiting bucket," says Kaminsky, chief scientist at White Ops.

Such is the pervasive use of the bot -- basically a malware-infected machine remotely controlled by cybercriminals -- today. White Ops, which today announced that it has secured $7 million in funding from investors Paladin Capital Group and Grotech Ventures, offers technology it says can tell a bot from a real online user.

The new funding should help propel White Ops' move into the enterprise business, where it's already selling not only to e-commerce firms like the large retailer under resource-based DDoS attacks, but also to financial services firms adding another layer to detect man-in-the browser online banking fraud, e-commerce fraud, and resource-sapping DDoS attacks. Kaminsky and Tiffany say they can't give specifics or names of their customers.

White Ops' initial customers were in the online ad space, where botnet-driven click fraud abounds, but Kaminsky says the technology initially was built with financial services fraud in mind. "It just so happened the ad [industry] came running to us asking for help with this... threat, so we shifted our attention to ads because there was so much excitement there," Kaminsky says.

Botnets are the main weapon of most cybercriminals, as well as nation-state cyberspies. A recent study by Check Point Software found that a bot is born every 24 hours, and nearly three-fourths of enterprises have at least one bot-infected endpoint living in their corporate network. Some 77% of bots reside undetected for more than a month, and according to White Ops, experts estimate that 22% of online advertising is bot-driven worldwide, costing billions in lost revenue yearly.

White Ops basically relies on a single line of JavaScript inserted on the customer side. It collects telemetry about a session that is sent to White Ops cloud-based service, which determines whether the session is a bot or a human, and sends that intelligence to the customer's SIEM or other security system. "We find deterministic signs that this browser is not being driven by a human, but by a bot," Kaminsky says. "No matter how clever you [the attacker] are, you're not going to teleport to the machine in question. You're never looking at the physical machine or touching the keyboard," and there are some characteristics of physical versus remote control that White Ops studies, according to Kaminsky.

"We detect what that browser is doing," he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
6/25/2014 | 9:53:13 AM
Re: Time to Upgrade Your DB and Search Engine
I'd have to agree with Christian. As it stands there doesn't seem to be a particularly good way of mass shutting down botnets apart from cutting them off at the source. Individual machine infections are down to the owner to fix, so if retailers are getting hit, keeping your database in order and up to date is probably the safest bet. 
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/25/2014 | 1:15:59 AM
Time to Upgrade Your DB and Search Engine
One thing to consider from this article is that, if bots are so pervasive and right now they are a given in the ecosystem, perhaps one way to battle them is to improve upon your database hardware, software, schemas and query code. If your marketplace can't survive a 20% bot load where that activity is affecting your human customers, it may be a sign to upgrade your database and search engine. This is the age of fast databases that run at teraflops speed on economy hardware. With Hadoop and related search/database applications out there (open source, no less), sites can certainly do better. Granted, that's not a permanent solution to the growing problem cited in the article, but retailers need to also make changes where able to their technology to lighten the load and keep bot activity from being a problem as much as possible.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-5084
Published: 2015-08-02
The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly store passwords, which allows physically approximate attackers to obtain sensitive information via unspecified vectors.

CVE-2015-5352
Published: 2015-08-02
The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time ...

CVE-2015-5537
Published: 2015-08-02
The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566.

CVE-2015-5600
Published: 2015-08-02
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumptio...

CVE-2015-1009
Published: 2015-07-31
Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!