2019 is officially over. Now we are starting not only a new year but also a new decade. But what can we expect in this new decade? What will we need to protect ourselves from? What will be the “next big thing” in Web Security? We can sum it up in one word—Bots!
In the last few years, we’ve seen a steady rise in cyber attacks on all levels. In fact, in 2019 about 40% of all web traffic was non-human! Think about this: almost half of all people visiting your website are not people at all. Instead, they are Bots.
Sadly, in 2020 the situation is not going to get any better. Every year, the sophistication of malicious bots improves. Already, many security solutions are unable to distinguish them from legitimate users. In 2020, we can expect this to get worse.
Bots: An easy and simple way to attack
Why are malicious bots so popular? Bots allow for automated cyberattacks, and most threats use bots in one way or another. In fact, many attacks rely partially or fully on automated traffic. Here are three examples of popular bot attack vectors:
Credit Card Fraud:
Bots are the foundation of a card criminal’s arsenal. They are used in a variety of methods to obtain or validate stolen card numbers. Later, the numbers are used fraudulently, which results in lost revenue and chargebacks to the unfortunate merchant.
To steal card data, bots scan for vulnerabilities within retailers and other sites that process payments. When a vulnerability is found, the hacker breaches the site and steals the data. One successful attack can produce a windfall of cards: thousands, or even tens of thousands of active numbers.
Threat actors also use bots to validate stolen card numbers. Bots enter the numbers into web applications to see if they are accepted or rejected. A similar technique is used to discover new cards: bots cycle through potential numbers and enter them into web applications. This is a crude, but effective, way to steal additional cards that were previously unknown to the attacker.
The scale of online credit card abuse is illustrated by the prevalence of “card not present” fraud. This is growing, thanks in part to the rise of EMV chip cards. EMV makes physical card fraud more difficult, which discourages criminals from monetizing stolen numbers by printing physical cards. Thus, more criminals are moving online to monetize their stolen numbers. According to US Payments Forum, over one-half of a percent of all eCommerce sales now involve “card not present” fraud.
Credential Theft and Credential Stuffing:
User credentials are highly coveted commodities on the dark web. Hackers discover credentials by sending out bots to wage brute-force attacks; the bots attempt to gain access to a web application by trying every possible combination of letters, numbers, and symbols to see which combinations work. Or, they steal credential sets (personal identification data, account logins and passwords, contact data, etc.) in massive data breaches.
Valid credentials can then be used in a variety of cyberattacks, and can also be sold in illicit marketplaces for others to use. Credentials can allow attackers to take over the affected accounts within the targeted web application. Another common attack is to use bots to “stuff” the credentials into the login pages of many other web applications (especially high-value targets like bank websites, payment providers, and so on). Unfortunately, many people still use the same credentials across a variety of websites. Therefore, credential stuffing allows an attacker to leverage a single data breach into the successful takeover of multiple accounts across different websites.
Scraping and Data Theft:
Scraper bots steal data from online sources. This is commonly seen in verticals such as data aggregators and other providers which gather or generate data and content, and then sell access to it. Scraping is obviously a direct threat to these business models. Elsewhere, scraping can cause indirect damage. For example, retail sites contain prices and other product data which, when stolen, can destroy a competitive advantage.
Sophisticated scraper bots can eventually steal entire databases, even when they aren’t directly available to users of the targeted site or application. This can be done through repeated queries or requests, using different parameters each time. For example, insurance companies provide rate quotes for specific combinations of input criteria. A scraper bot can submit continual requests for quotes, with a different combination of criteria each time, and capture the quotes that are returned. Eventually, the complete database of rates can be obtained.
Buy an attack
Today, to deploy a massive cyber attack, you don’t need to be a sophisticated hacker. In fact, you don’t even need to be a savvy computer whiz. You can simply purchase an attack on the darknet.
For a low price of $1000, you can buy a Ransomware and Remote Access Trojan campaign, and a complete phishing campaign, including hosting, starts at only $30 a month. You can also purchase DDoS-for-hire services starting from $100.
Protecting your assets in 2020
As we see it, 2020 (and probably the following several years as well) will be the year of the Bots, and you should protect yourself accordingly. As Bots grow more and more sophisticated, traditional protection methods are becoming less effective, and a new approach is needed. In general, a combination of approaches such as static rules, statistical analysis, and Machine Learning will be the best solution for real-world applications. Some bots can still be blocked with fast, inexpensive methods; more sophisticated bots can then be detected with more intensive analysis.
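The tiered approach just described, applied to the three attack patterns covered earlier (card testing, credential stuffing, and scraping by parameter enumeration), as an added example that is not code from the original post or from any vendor’s product. Tier 1 applies cheap static rules to each request; tier 2 computes per-client statistics and looks for the signals each attack leaves behind. The log records, client addresses, paths, parameter names (`card_fp`, `user`) and all thresholds are constructed assumptions chosen to fit the sample data, not recommended production values, and the Machine Learning tier the paragraph mentions is deliberately left out.

```python
"""Tiered bot detection over constructed web-server log records (added example).

Tier 1: static rules (fast, inexpensive).
Tier 2: per-client statistical analysis for card testing, credential stuffing
        and parameter-enumeration scraping.
A machine-learning tier is not implemented. All thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Request:
    client: str          # client identifier (an IP address in the sample data)
    user_agent: str
    path: str
    params: dict         # already-parsed query/form parameters (assumed names)
    status: int          # HTTP status returned by the application
    outcome: str = ""    # application-level result: "ok", "declined" or "failed"


# ---- Tier 1: static rules ------------------------------------------------
KNOWN_AUTOMATION_UA = ("python-requests", "curl/", "scrapy", "go-http-client")


def static_rules(req: Request):
    """Return a reason string if a cheap rule flags the request, else None."""
    ua = req.user_agent.lower()
    if not ua:
        return "missing User-Agent"
    if any(sig in ua for sig in KNOWN_AUTOMATION_UA):
        return f"automation User-Agent: {req.user_agent}"
    return None


# ---- Tier 2: per-client statistics ---------------------------------------
@dataclass
class ClientStats:
    card_attempts: int = 0
    card_declines: int = 0
    cards: set = field(default_factory=set)          # hashed card fingerprints, never PANs
    login_attempts: int = 0
    login_failures: int = 0
    usernames: set = field(default_factory=set)
    param_combos: dict = field(default_factory=lambda: defaultdict(set))  # path -> combos


def collect(requests):
    """Aggregate the signals each attack pattern leaves, per client."""
    stats = defaultdict(ClientStats)
    for r in requests:
        s = stats[r.client]
        if r.path == "/checkout":                    # card testing: many cards, many declines
            s.card_attempts += 1
            s.cards.add(r.params.get("card_fp"))
            s.card_declines += r.outcome == "declined"
        elif r.path == "/login":                     # stuffing: many usernames, many failures
            s.login_attempts += 1
            s.usernames.add(r.params.get("user"))
            s.login_failures += r.outcome == "failed"
        else:                                        # scraping: many distinct parameter sets
            s.param_combos[r.path].add(tuple(sorted(r.params.items())))
    return stats


def statistical_signals(s: ClientStats):
    reasons = []
    if s.card_attempts >= 10 and len(s.cards) >= 10 and s.card_declines / s.card_attempts >= 0.5:
        reasons.append("card testing")
    if s.login_attempts >= 10 and len(s.usernames) >= 10 and s.login_failures / s.login_attempts >= 0.8:
        reasons.append("credential stuffing")
    for path, combos in s.param_combos.items():
        if len(combos) >= 20:
            reasons.append(f"parameter enumeration on {path}")
    return reasons


def classify(requests):
    """Map each flagged client to its list of reasons; unflagged clients are omitted."""
    verdicts = defaultdict(list)
    for r in requests:                               # tier 1 first: cheap, per request
        reason = static_rules(r)
        if reason and reason not in verdicts[r.client]:
            verdicts[r.client].append(reason)
    for client, s in collect(requests).items():      # tier 2: per-client analysis
        verdicts[client].extend(statistical_signals(s))
    return {c: v for c, v in verdicts.items() if v}


def sample_requests():
    """Constructed traffic: one human, one card tester, one stuffer, one scraper."""
    reqs = [Request("10.0.0.1", "Mozilla/5.0", "/products", {"id": "42"}, 200, "ok"),
            Request("10.0.0.1", "Mozilla/5.0", "/login", {"user": "alice"}, 200, "ok")]
    for i in range(12):   # 12 distinct cards, 9 declined, browser-like UA
        reqs.append(Request("10.0.0.2", "Mozilla/5.0", "/checkout", {"card_fp": f"fp{i}"},
                            200, "declined" if i < 9 else "ok"))
    for i in range(15):   # 15 distinct usernames, 14 failures, scripted UA
        reqs.append(Request("10.0.0.3", "python-requests/2.22", "/login", {"user": f"u{i}"},
                            401 if i < 14 else 200, "failed" if i < 14 else "ok"))
    for age in range(25):  # 25 distinct quote parameter combinations
        reqs.append(Request("10.0.0.4", "Mozilla/5.0", "/quote", {"age": str(age), "zip": "90210"}, 200, "ok"))
    return reqs


if __name__ == "__main__":
    for client, reasons in classify(sample_requests()).items():
        print(client, "->", ", ".join(reasons))
```

Note that the card tester and the scraper present a browser-like User-Agent and pass tier 1 untouched; only the per-client aggregation in tier 2 surfaces them, which is the point of layering the cheap checks in front of the more expensive ones rather than relying on either alone.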
To learn more about malicious Bots and how to protect your web applications from them, we invite you to read our latest report: 2019 The State of Bot Protection.