Vulnerabilities / Threats
6/24/2014
05:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Battling The Bot Nation

Online fraudsters and cyber criminals -- and even corporate competitors -- rely heavily on bots, and an emerging startup aims to quickly spot bots in action.

There are massive distributed denial-of-service (DDoS) attacks that saturate a targeted website or network with unwanted traffic and knock it offline -- and then there are what renowned security expert Dan Kaminsky calls "resource-based DDoS" attacks that his startup White Ops increasingly is catching in action.

It's where stealthy bots are used to automate database lookups such that they ultimately sap performance for legitimate site visitors. Take a recent case where more than 20% of a major global retailer's website traffic during the Christmas holiday season came from stealthy bots recruited by its competitors to scrape in bulk pricing information from the retailer. "It's competitive intelligence" and it's happening en masse, says Michael Tiffany, CEO of White Ops, a bot-detection firm. "Everyone is spying on everyone to get everyone's prices."

Tiffany wouldn't name the retailer, a White Ops customer, but says it's so big that retailers tend to attempt to normalize around its pricing structure. "To succeed and hide in the noise, these are full... browsers in compromised machines scraping the websites from a major retailer," he says. "It was somebody who pretending to be a Google bot. They [the retailer] said, 'we don't mind scraping our prices, but they're doing it too fast and damaging the [online] experience for our real customers.'"

So White Ops' mission was more about "rate-limiting" the bots they found hitting the site, some of which were running 50 database lookups a second. "You take all of these bots doing database queries, relatively slowly but still high from a database lookup standpoint, and identify those bots so they can be put into a rate-limiting bucket," says Kaminsky, chief scientist at White Ops.

Such is the pervasive use of the bot -- basically a malware-infected machine remotely controlled by cybercriminals -- today. White Ops, which today announced that it has secured $7 million in funding from investors Paladin Capital Group and Grotech Ventures, offers technology it says can tell a bot from a real online user.

The new funding should help propel White Ops' move into the enterprise business, where it's already selling not only to e-commerce firms like the large retailer under resource-based DDoS attacks, but also to financial services firms adding another layer to detect man-in-the browser online banking fraud, e-commerce fraud, and resource-sapping DDoS attacks. Kaminsky and Tiffany say they can't give specifics or names of their customers.

White Ops' initial customers were in the online ad space, where botnet-driven click fraud abounds, but Kaminsky says the technology initially was built with financial services fraud in mind. "It just so happened the ad [industry] came running to us asking for help with this... threat, so we shifted our attention to ads because there was so much excitement there," Kaminsky says.

Botnets are the main weapon of most cybercriminals, as well as nation-state cyberspies. A recent study by Check Point Software found that a bot is born every 24 hours, and nearly three-fourths of enterprises have at least one bot-infected endpoint living in their corporate network. Some 77% of bots reside undetected for more than a month, and according to White Ops, experts estimate that 22% of online advertising is bot-driven worldwide, costing billions in lost revenue yearly.

White Ops basically relies on a single line of JavaScript inserted on the customer side. It collects telemetry about a session that is sent to White Ops cloud-based service, which determines whether the session is a bot or a human, and sends that intelligence to the customer's SIEM or other security system. "We find deterministic signs that this browser is not being driven by a human, but by a bot," Kaminsky says. "No matter how clever you [the attacker] are, you're not going to teleport to the machine in question. You're never looking at the physical machine or touching the keyboard," and there are some characteristics of physical versus remote control that White Ops studies, according to Kaminsky.

"We detect what that browser is doing," he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Whoopty
50%
50%
Whoopty,
User Rank: Moderator
6/25/2014 | 9:53:13 AM
Re: Time to Upgrade Your DB and Search Engine
I'd have to agree with Christian. As it stands there doesn't seem to be a particularly good way of mass shutting down botnets apart from cutting them off at the source. Individual machine infections are down to the owner to fix, so if retailers are getting hit, keeping your database in order and up to date is probably the safest bet. 
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/25/2014 | 1:15:59 AM
Time to Upgrade Your DB and Search Engine
One thing to consider from this article is that, if bots are so pervasive and right now they are a given in the ecosystem, perhaps one way to battle them is to improve upon your database hardware, software, schemas and query code. If your marketplace can't survive a 20% bot load where that activity is affecting your human customers, it may be a sign to upgrade your database and search engine. This is the age of fast databases that run at teraflops speed on economy hardware. With Hadoop and related search/database applications out there (open source, no less), sites can certainly do better. Granted, that's not a permanent solution to the growing problem cited in the article, but retailers need to also make changes where able to their technology to lighten the load and keep bot activity from being a problem as much as possible.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8896
Published: 2014-12-22
The Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 allows remote authenticated users to modify ...

CVE-2014-8897
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

CVE-2014-8898
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.