Following the 2016 US presidential election, an increasing number of people have become aware of online bot attacks. The scale of the problem, however, is hard to imagine for a common web user. In the financial industry, for instance, bots can make up to 42% of the total traffic. Elsewhere, their activity accounts for 1 in 5 website requests.
But what exactly are bots, and how do they damage online businesses? And more importantly, how do we prevent them from attacking organisations?
Automating for Mass Attacks
Bots, also known as Internet robots, spiders, crawlers, and web bots, are essentially programs designed to perform repetitive jobs. Good ones index the web for a search engine. Bad ones, however, infect computers and send back gathered data such as passwords, logged keystrokes, or captured packets. They can also be used to multiply attempts at infiltrating a website.
Their advantage is that they are scalable, automated, and easy to launch at volume. Human interaction is limited, and maintenance is almost non-existent. In the context of fraud, it is therefore easy to launch bots and multiply attacks on thousands of websites at once in order to:
- At signup: Create fake user registrations (account farming)
- At logins: Perform account takeovers (ATO attacks)
- At the checkout: Pay with stolen credit card numbers
An important thing to note about bots is that they tend to involve considerable investments in time, resources, and money. They are not cheap to develop, and are therefore typically the work of organized fraud rings with vast resources at their disposal.
This is particularly true since their sophistication needs to increase with every detection. As fraudsters play a constant game of cat and mouse with fraud-prevention teams, the bots need to evolve, becoming more complex, agile, and harder to stop.
Breaking Down a Fraudulent Bot Attack
Every fraudulent bot attack comes in two stages. The first step involves building a database of legitimate user information.
These data are generally acquired on the darknet, and can require a large investment. To raise their success rates, fraudsters have to acquire many thousands of data points. These can be:
- FullZ: packages containing a first name, last name, date of birth and address. Optionally they can include a pre-created email address and credit card information
- Stolen credit card details: gathered from fake websites or phishing attacks
- Login information: an email/username and password combination. Usually acquired from large data breaches
Once they have built their database, fraudsters will use bots to replicate the behaviour of a legitimate user. Once again, this involves significant resources, which are used to:
- Fake IPs: IP spoofing is usually done through hosting-provider ISPs, VPNs or Tor connections. However, more sophisticated attacks can use genuine residential connections from official proxy services, infected computers, or companies that specialise in selling bulletproof residential networks.
- Replicate human behavior: The most sophisticated bots will have a set of pre-programmed actions, such as pages to visit and specific cursor movements, designed to make them look like genuine user interactions.
Captchas vs Digital Footprint Analysis
Historically, the immediate solution to flag suspicious online behavior was to implement a captcha. An acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart, a captcha usually shows distorted text or images and asks you to type what you read, a task computers were once bad at solving. In short, captchas used to be a great way to separate human traffic from automated traffic.
These days, however, fraudsters have caught up with the technology: there are now hundreds of captcha solvers on the market that will defeat the security measure.
The other – and only – solution is therefore to create a full digital footprint of your users. Risk assessment needs to cover as many data points as possible in order to provide a clear picture of who is accessing your website. This can be done via a combination of tactics, such as:
- Email analysis: measuring things like address validity, domain quality and social media links is a great step in creating an accurate profile of the user.
- Device fingerprinting: creating hashes based on numerous parameters can reveal the true nature of your users' connections.
- Data enrichment: cross-referencing gleaned data against known databases of stolen IDs, social media profiles, or even shared blacklists.
- Machine learning: feeding all the data gathered from the aforementioned tools into an AI-powered system can automate the generation of rules. These systems also improve over time as you gather more data and refine your online protection measures.
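As an added illustration of the device-fingerprinting and email-analysis tactics above (example code written for this page, not a product's own logic), the following script hashes stable client attributes of signup requests, deliberately excluding the IP address, and flags any fingerprint that registered more accounts than one person plausibly would. The sample events, the disposable-mail domain list and the threshold are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample signup events; not real traffic. A bot farm rotates IPs
# (proxies, residential networks) but typically reuses one browser profile.
BOT_UA = "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/90.0"
SIGNUP_EVENTS = [
    {"user": "jsmith8812@mailinator.example", "ip": "203.0.113.10", "ua": BOT_UA,
     "lang": "en-US", "tz": "0", "screen": "800x600"},
    {"user": "kwong2231@mailinator.example", "ip": "198.51.100.7", "ua": BOT_UA,
     "lang": "en-US", "tz": "0", "screen": "800x600"},
    {"user": "rlee4410@mailinator.example", "ip": "192.0.2.33", "ua": BOT_UA,
     "lang": "en-US", "tz": "0", "screen": "800x600"},
    {"user": "alice@example.com", "ip": "203.0.113.55",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/89.0",
     "lang": "en-GB", "tz": "-60", "screen": "1920x1080"},
    {"user": "bob@example.org", "ip": "198.51.100.90",
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15",
     "lang": "fr-FR", "tz": "-120", "screen": "1440x900"},
]

# Constructed throwaway-mail domains (assumption; a real deployment would use
# a maintained list or an email-reputation service).
DISPOSABLE_DOMAINS = {"mailinator.example", "tempmail.example"}

FINGERPRINT_FIELDS = ("ua", "lang", "tz", "screen")

def device_fingerprint(event):
    """Hash the stable client attributes. The IP is left out on purpose so a
    bot that rotates proxies still collapses onto a single fingerprint."""
    material = "|".join(event.get(f, "") for f in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def email_domain_risk(address):
    """Return 1 if the address uses a known throwaway domain, else 0."""
    domain = address.rsplit("@", 1)[-1].lower()
    return 1 if domain in DISPOSABLE_DOMAINS else 0

def flag_account_farming(events, max_accounts_per_device=2):
    """Return {fingerprint: details} for devices that registered more accounts
    than the threshold, combining the device and email signals."""
    by_fp = defaultdict(lambda: {"users": set(), "ips": set(), "disposable": 0})
    for e in events:
        bucket = by_fp[device_fingerprint(e)]
        bucket["users"].add(e["user"])
        bucket["ips"].add(e["ip"])
        bucket["disposable"] += email_domain_risk(e["user"])
    return {fp: {"accounts": len(b["users"]), "distinct_ips": len(b["ips"]),
                 "disposable_emails": b["disposable"]}
            for fp, b in by_fp.items() if len(b["users"]) > max_accounts_per_device}

if __name__ == "__main__":
    for fp, detail in flag_account_farming(SIGNUP_EVENTS).items():
        print(fp, detail)
```

The three headless-browser signups come from three different IPs yet share one fingerprint and all use throwaway addresses, so they are reported together while the two ordinary signups are not.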
Key Bot Attacks Takeaway: No One-Size-Fits-All Solution
As criminal rings pour more and more resources into their bot attacks, it becomes increasingly challenging to detect them. And the problem is growing for a number of verticals, including ticketing, where 39% of all traffic comes from bad bots, or gambling and gaming (25.9%).
Sadly, the magic bullet that captcha once was is no longer effective against bot attacks. These days, organisations have to multiply their fraud detection tools at login, signup and checkout in order to flag bots.
By combining multiple tools such as email analysis, device fingerprinting, data enrichment and machine learning, you should be able to put the odds in your favour and stop future bot attacks from damaging your business.