Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/24/2014
05:40 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Battling The Bot Nation

Online fraudsters and cyber criminals -- and even corporate competitors -- rely heavily on bots, and an emerging startup aims to quickly spot bots in action.

There are massive distributed denial-of-service (DDoS) attacks that saturate a targeted website or network with unwanted traffic and knock it offline -- and then there are what renowned security expert Dan Kaminsky calls "resource-based DDoS" attacks that his startup White Ops increasingly is catching in action.

It's where stealthy bots are used to automate database lookups such that they ultimately sap performance for legitimate site visitors. Take a recent case where more than 20% of a major global retailer's website traffic during the Christmas holiday season came from stealthy bots recruited by its competitors to scrape in bulk pricing information from the retailer. "It's competitive intelligence" and it's happening en masse, says Michael Tiffany, CEO of White Ops, a bot-detection firm. "Everyone is spying on everyone to get everyone's prices."

Tiffany wouldn't name the retailer, a White Ops customer, but says it's so big that retailers tend to attempt to normalize around its pricing structure. "To succeed and hide in the noise, these are full... browsers in compromised machines scraping the websites from a major retailer," he says. "It was somebody who pretending to be a Google bot. They [the retailer] said, 'we don't mind scraping our prices, but they're doing it too fast and damaging the [online] experience for our real customers.'"

So White Ops' mission was more about "rate-limiting" the bots they found hitting the site, some of which were running 50 database lookups a second. "You take all of these bots doing database queries, relatively slowly but still high from a database lookup standpoint, and identify those bots so they can be put into a rate-limiting bucket," says Kaminsky, chief scientist at White Ops.

Such is the pervasive use of the bot -- basically a malware-infected machine remotely controlled by cybercriminals -- today. White Ops, which today announced that it has secured $7 million in funding from investors Paladin Capital Group and Grotech Ventures, offers technology it says can tell a bot from a real online user.

The new funding should help propel White Ops' move into the enterprise business, where it's already selling not only to e-commerce firms like the large retailer under resource-based DDoS attacks, but also to financial services firms adding another layer to detect man-in-the browser online banking fraud, e-commerce fraud, and resource-sapping DDoS attacks. Kaminsky and Tiffany say they can't give specifics or names of their customers.

White Ops' initial customers were in the online ad space, where botnet-driven click fraud abounds, but Kaminsky says the technology initially was built with financial services fraud in mind. "It just so happened the ad [industry] came running to us asking for help with this... threat, so we shifted our attention to ads because there was so much excitement there," Kaminsky says.

Botnets are the main weapon of most cybercriminals, as well as nation-state cyberspies. A recent study by Check Point Software found that a bot is born every 24 hours, and nearly three-fourths of enterprises have at least one bot-infected endpoint living in their corporate network. Some 77% of bots reside undetected for more than a month, and according to White Ops, experts estimate that 22% of online advertising is bot-driven worldwide, costing billions in lost revenue yearly.

White Ops basically relies on a single line of JavaScript inserted on the customer side. It collects telemetry about a session that is sent to White Ops cloud-based service, which determines whether the session is a bot or a human, and sends that intelligence to the customer's SIEM or other security system. "We find deterministic signs that this browser is not being driven by a human, but by a bot," Kaminsky says. "No matter how clever you [the attacker] are, you're not going to teleport to the machine in question. You're never looking at the physical machine or touching the keyboard," and there are some characteristics of physical versus remote control that White Ops studies, according to Kaminsky.

"We detect what that browser is doing," he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
6/25/2014 | 1:15:59 AM
Time to Upgrade Your DB and Search Engine
One thing to consider from this article is that, if bots are so pervasive and right now they are a given in the ecosystem, perhaps one way to battle them is to improve upon your database hardware, software, schemas and query code. If your marketplace can't survive a 20% bot load where that activity is affecting your human customers, it may be a sign to upgrade your database and search engine. This is the age of fast databases that run at teraflops speed on economy hardware. With Hadoop and related search/database applications out there (open source, no less), sites can certainly do better. Granted, that's not a permanent solution to the growing problem cited in the article, but retailers need to also make changes where able to their technology to lighten the load and keep bot activity from being a problem as much as possible.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
6/25/2014 | 9:53:13 AM
Re: Time to Upgrade Your DB and Search Engine
I'd have to agree with Christian. As it stands there doesn't seem to be a particularly good way of mass shutting down botnets apart from cutting them off at the source. Individual machine infections are down to the owner to fix, so if retailers are getting hit, keeping your database in order and up to date is probably the safest bet. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13995
PUBLISHED: 2020-09-25
U.S. Air Force Sensor Data Management System extract75 has a buffer overflow that leads to code execution. An overflow in a global variable (sBuffer) leads to a Write-What-Where outcome. Writing beyond sBuffer will clobber most global variables until reaching a pointer such as DES_info or image_info...
CVE-2020-7735
PUBLISHED: 2020-09-25
The package ng-packagr before 10.1.1 are vulnerable to Command Injection via the styleIncludePaths option.
CVE-2020-15394
PUBLISHED: 2020-09-25
The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
CVE-2020-15521
PUBLISHED: 2020-09-25
Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) .
CVE-2020-26103
PUBLISHED: 2020-09-25
In cPanel before 88.0.3, an insecure site password is used for Mailman on a templated VM (SEC-551).