The big bad bots

Organizations across the globe seek more efficient ways to connect with new customers and retain existing clients. Secure and easy-to-use applications are critical to ensure success in rapidly changing market conditions. Many firms report increasing bad bot attacks on their web applications, mobile apps and APIs.

In 2019, overall bot traffic grew 24% in comparison to 2018. Bad bot traffic accounted for a quarter (24.5%) of the total traffic. In Q4 when more people shop online, bad bot traffic spiked to 29.3% of the total internet traffic.

Types of Bots:

Bots have evolved significantly since their origins as simple scripting tools that used command-line interfaces. Bot developers now use JavaScript and HTML5 web technologies to enable bots to leverage

full-fledged browsers. The bots are programmed to mimic human behavior when interacting with a website or app to move the mouse, tap and swipe on mobile devices and generally try to simulate real visitors in order to evade security systems.

First Gen: Script Bots:

• Typically use just one or two IP addresses to execute thousands of webpage visits to scrape content or spam forms.
• Easy to detect and blacklist thanks to repetitive attack patterns and a small number of originating IP addresses

Second Gen: Headless Browsers

• Leverage headless browsers — which are website development and testing tools — to tap their abilities to run JavaScript and maintain cookies

Third Gen: Single Interaction

• Mimic human behavior such as moving the mouse, scrolling and clicking links to navigate websites
• Exhibit sophisticated behaviors that may overcome certain challenges but cannot fool interaction-based detection, such as CAPTCHA or invisible challenges

Fourth Gen:  Distributed, Mutating Bots

• Rotate through large numbers of user agents and device IDs — generating just a few hits from each to avoid detection
• Make random mouse movements (not just in a straight line like third-generation bots) and exhibit other humanlike browsing characteristics
• Record real user interactions, such as taps and swipes on hijacked or malware laden
• mobile apps, to be able to replicate the movements and blend in with human traffic and circumvent security measures

The Increasing Sophistication of Bad Bots

In 2018, the third and fourth generations of bad bots accounted for 22.1% and 16.6% of internet traffic, respectively. In 2019, the number reached 27.2% and 18.3%, respectively.

Classification of Bad Bots

Cybercriminals leveraged humanlike and distributed humanlike bad bots. On the login page of the credit union’s platform, 63.9% of bad bots can mimic human behavior.

Bad Bots Behavior

The behavior of bad Bots is continuously changing. Cybercriminals now leverage cutting-edge technologies to advance the sophistication of the attack capabilities of bad bots.  In 2019, cyberattackers favored fourth generation bad bots that mimic human behavior when executing automated attacks. For example, 37.9% of bad bots used to execute account takeover attacks are classified as fourth generation.

Applications Most Exploited by Bad Bots

• Cybercriminals use a combination of tools to exploit vulnerabilities in the infrastructure of businesses with an online presence. businesses. Attackers deploy exploit kits that consist of a combination of tools such as proxy IPs, multiple user agents (UAs) and programmatic/sequential requests to disguise the identity of bots, evade detection, and perform sophisticated automated attacks. Bots masquerade as genuine traffic by using popular browsers and devices in combination with their exploit kits to target different channels of communication such as web APIs.
• Web applications are the most exploited attack surface across industries. In 2019, 35% of the total traffic were bad bots on web applications, an increase of 10% from 2018
• Automated attacks on mobile devices have also increased exponentially in recent years. The widespread adoption of mobile devices and the personal data that these devices store are two of the critical reasons behind the rise in attacks.
• The widespread adoption of internet of things (IoT) devices, emerging serverless architectures hosted in public clouds and the growing dependency on machine-to-machine communication are the reasons for changes in the modern application architecture.
• APIs have emerged as the bridge to facilitate interaction between different application architectures. APIs assist in quicker integration and faster deployment of new services. Despite their rapid and widespread implementation, APIs remain poorly protected and are a vulnerable surface for automated threats.
• Personally identifiable information (PII), payment card details and business-critical services are at risk due to bot attacks on APIs. Attacks on APIs have ramped up in the last few years. In 2019, 16.6% of the traffic on APIs were bad bots, rising from 14.3% in 2018.

So what should organisations do ; recommendations:

• Assess the Real Impact of Bad Bots on Your Organizations: Bot management is complex and requires a dedicated technology with experts behind it who have a deep knowledge of good and bad bot behaviors
• Build Capabilities to Identify Automated Activity in Seemingly Legitimate User Behaviors : Purpose-built bot mitigation solutions can detect sophisticated automated activities and help you to take preemptive actions. Traditional solutions are limited to tracking spoofed cookies, UAs and IP Reputation
• Enforce Authentication via MFA and Challenge-Response Methods
• Block Origins of Bad Bot Traffic: Public cloud services can safe harbor bad bots. Organizations can block suspected public cloud services and internet service providers (ISPs). However, blocking all the traffic coming from data centers or ISPs without considering the user behavior can cause false positives
• Adopt Strict Authentication Mechanism on APIs: APIs are the key channels that enable seamless intercommunication between websites, applications and smart devices. They have become crucial in facilitating the flow of data from where it is stored to where it is needed
• Monitor Anomalous User Behavior and Key Performance Indicators (KPIs) : Bad bots that visit your website to perform scraping, account takeover or any type of automated activity will result in sharp spikes in traffic. Monitoring failed login attempts and spikes in traffic can help webmasters and security teams take preemptive mitigative measures.

By Nikhil Taneja                                                                                             

Managing Director-India, SAARC & Middle East

For more information, visit www.radware.com