Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/19/2017
10:30 AM
Ido Safruti
Ido Safruti
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Invisible Invaders: Why Detecting Bot Attacks Is Becoming More Difficult

Traditional methods can't block the latest attackers, but a behavioral approach can tell the difference between bots and humans.

In a recent automated attack, a large bot army hacked into accounts using brute-force methodology and a highly accurate username and password list. PerimeterX researchers discovered that by overwhelming sites with requests from a network of tens of thousands of Internet of Things devices such as Canon printers and network devices, and with each bot sending just a single request every 10 minutes or so, the attacker completed more than 5 million attempts per day. Furthermore, the attack was successful on 8% of attempts, breaching a shocking 400,000 accounts per day.

How can such an attack be so successful? Attackers and the bots they create are in a technological arms race with companies always on the defense, trying to catch up. Next-generation bots are outsmarting companies every day. Detecting and deterring these often invisible attacks is difficult, and the standard tricks of the trade such as logfile analysis, are inadequate.

What These Next-Gen Bots Can Do
The new bots are today's sophisticated automated attackers — but they're standing on the shoulders of 20 years of bot evolution. They originate as malware, often infiltrating through a browser extension. However, these newer bots have one unique marker in common: they latch onto a host user. In effect, they're parasites. Under the guise of their host, they go undetected as they perform account takeover, malware distribution, and fraud.

Past bots could be defeated by blacklisting their IP address or detecting the absence of cookies or their inability to perform simple tasks, like running a JavaScript code. Bots eventually evolved into "headless browsers," which can run on a scripting engine that behaves like a real browser, which runs JavaScript and fully renders the pages. Headless browsers can be “outed” by challenge tests, such as asking them to render a sound or an image to prove the actual browser identity.

Because these next-gen bots are more sophisticated and look as if they're operating in a real user environment, traditional detection methods can't identify them, let alone block them.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

How They Attack
Disguised as normal users, these next-generation bots perform numerous types of attacks on a company's website, but remain invisible to a Web application firewall, for example.

The attacker will find various ways to extract money from the website. These techniques include account takeover, in which the stolen accounts are then sold on the Dark Web and used for fraud, fake account creation, testing stolen credit cards, and brute-forcing gift cards by guessing their number to cash out their balances. There's also click-fraud, in which bots are instructed to invisibly browse different sites and click on ads to extract money from advertisers.

Another disruptive and damaging attack is checkout abuse. Nearly everyone has encountered this when purchasing concert tickets. Within a minute, the event is sold out, and it's guaranteed that none of the tickets was bought by a human.

Steps for Detection and Protection
Since the Internet became commercialized in the mid-1990s, nearly all bot attacks have involved bots performing functions on a website in ways that a human also could. Newer and more versatile bots are much harder to detect, as they are malware running on real users' browsers or devices, hiding behind real people's activity by shadowing their legitimate sessions and injecting hidden activities of their own. How can these bots be detected?

Signature-based systems, once the best available method for detecting bots, look for specific patterns in a request, such as a sequence of words in the request packet. They can also pattern match on malformed requests designed to find problems in how a site is set up or coded. However, this is akin to playing catch-up, with the attacks constantly changing their "look." These older defenses fail to detect next-gen bots because their increased sophistication allows them to convincingly duplicate a real user's behavior and environment, and they make requests that are indistinguishable from those made by humans.

With signature-based detection systems not offering a viable solution, companies can consider a behavioral approach, which distinguishes bots from humans. (Disclosure: PerimeterX is one of many vendors that offer behavioral-based solutions.)  Behavioral approaches work by identifying behavior that is not human as opposed to recognizing known bot behavior. A simple example: humans move the mouse in a somewhat random fashion while interacting with a website page, and are certain to move the mouse toward the button before clicking it. If the mouse begins clicking the same pixel in a checkbox instantly and without any mouse movement before that, the user almost certainly isn't human.

This analysis can be applied at the user, browser, and network levels, and offers the possibility of staying ahead of the newest bad bots and their even-trickier descendants in the coming years. Companies on the offense against advanced automated attacks need to take new routes like these. Only then can they confidently answer this question: which users on our website are human?

Related Content:

Ido Safruti is the founder and CTO at PerimeterX, a provider of behavior-based threat protection technology for the Web, cloud, and mobile apps that protects commerce, media, and enterprise websites from automated or non-human attacks. Previously, Ido headed a product group ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Ways VPNs Can Turn from Ally to Threat
Curtis Franklin Jr., Senior Editor at Dark Reading,  9/21/2019
Security Pros Value Disclosure ... Sometimes
Dark Reading Staff 9/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I wish they'd put a sock in it.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10754
PUBLISHED: 2019-09-23
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
CVE-2019-10755
PUBLISHED: 2019-09-23
The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. This issue only affects the 3.X release of pac4j-saml.
CVE-2019-1255
PUBLISHED: 2019-09-23
A denial of service vulnerability exists when Microsoft Defender improperly handles files, aka 'Microsoft Defender Denial of Service Vulnerability'.
CVE-2019-1367
PUBLISHED: 2019-09-23
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.
CVE-2019-11277
PUBLISHED: 2019-09-23
Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2.x versions prior to 2.3.0, is vulnerable to LDAP injection. A remote authenticated malicious space developer can potentially inject LDAP filters via service instance creation, facilitating the malicious space developer to deny se...