Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/19/2017
10:30 AM
Ido Safruti
Ido Safruti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Invisible Invaders: Why Detecting Bot Attacks Is Becoming More Difficult

Traditional methods can't block the latest attackers, but a behavioral approach can tell the difference between bots and humans.

In a recent automated attack, a large bot army hacked into accounts using brute-force methodology and a highly accurate username and password list. PerimeterX researchers discovered that by overwhelming sites with requests from a network of tens of thousands of Internet of Things devices such as Canon printers and network devices, and with each bot sending just a single request every 10 minutes or so, the attacker completed more than 5 million attempts per day. Furthermore, the attack was successful on 8% of attempts, breaching a shocking 400,000 accounts per day.

How can such an attack be so successful? Attackers and the bots they create are in a technological arms race with companies always on the defense, trying to catch up. Next-generation bots are outsmarting companies every day. Detecting and deterring these often invisible attacks is difficult, and the standard tricks of the trade such as logfile analysis, are inadequate.

What These Next-Gen Bots Can Do
The new bots are today's sophisticated automated attackers — but they're standing on the shoulders of 20 years of bot evolution. They originate as malware, often infiltrating through a browser extension. However, these newer bots have one unique marker in common: they latch onto a host user. In effect, they're parasites. Under the guise of their host, they go undetected as they perform account takeover, malware distribution, and fraud.

Past bots could be defeated by blacklisting their IP address or detecting the absence of cookies or their inability to perform simple tasks, like running a JavaScript code. Bots eventually evolved into "headless browsers," which can run on a scripting engine that behaves like a real browser, which runs JavaScript and fully renders the pages. Headless browsers can be “outed” by challenge tests, such as asking them to render a sound or an image to prove the actual browser identity.

Because these next-gen bots are more sophisticated and look as if they're operating in a real user environment, traditional detection methods can't identify them, let alone block them.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

How They Attack
Disguised as normal users, these next-generation bots perform numerous types of attacks on a company's website, but remain invisible to a Web application firewall, for example.

The attacker will find various ways to extract money from the website. These techniques include account takeover, in which the stolen accounts are then sold on the Dark Web and used for fraud, fake account creation, testing stolen credit cards, and brute-forcing gift cards by guessing their number to cash out their balances. There's also click-fraud, in which bots are instructed to invisibly browse different sites and click on ads to extract money from advertisers.

Another disruptive and damaging attack is checkout abuse. Nearly everyone has encountered this when purchasing concert tickets. Within a minute, the event is sold out, and it's guaranteed that none of the tickets was bought by a human.

Steps for Detection and Protection
Since the Internet became commercialized in the mid-1990s, nearly all bot attacks have involved bots performing functions on a website in ways that a human also could. Newer and more versatile bots are much harder to detect, as they are malware running on real users' browsers or devices, hiding behind real people's activity by shadowing their legitimate sessions and injecting hidden activities of their own. How can these bots be detected?

Signature-based systems, once the best available method for detecting bots, look for specific patterns in a request, such as a sequence of words in the request packet. They can also pattern match on malformed requests designed to find problems in how a site is set up or coded. However, this is akin to playing catch-up, with the attacks constantly changing their "look." These older defenses fail to detect next-gen bots because their increased sophistication allows them to convincingly duplicate a real user's behavior and environment, and they make requests that are indistinguishable from those made by humans.

With signature-based detection systems not offering a viable solution, companies can consider a behavioral approach, which distinguishes bots from humans. (Disclosure: PerimeterX is one of many vendors that offer behavioral-based solutions.)  Behavioral approaches work by identifying behavior that is not human as opposed to recognizing known bot behavior. A simple example: humans move the mouse in a somewhat random fashion while interacting with a website page, and are certain to move the mouse toward the button before clicking it. If the mouse begins clicking the same pixel in a checkbox instantly and without any mouse movement before that, the user almost certainly isn't human.

This analysis can be applied at the user, browser, and network levels, and offers the possibility of staying ahead of the newest bad bots and their even-trickier descendants in the coming years. Companies on the offense against advanced automated attacks need to take new routes like these. Only then can they confidently answer this question: which users on our website are human?

Related Content:

Ido Safruti is a co-founder and CTO at PerimeterX, provider of application security solutions that keep businesses safe in the digital world, detecting risks to web and mobile applications and proactively managing them. Previously, Ido headed a product group in Akamai focused ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.