The evolution of the bot: How they beat me to AC/DC tickets
Imagine this, it’s 9 a.m., and you’re the first in line to buy online tickets for an AC/DC concert.
You’re going big this time, getting the best tickets money can buy. Why not? You don’t do this every day. 9am rolls around and up comes the payment form, card details go in and…'sold out'.
How could they have gone so soon? Surely the whole world wasn't quicker than you?
This is the second time in the last week that this has happened to me. First the AC/DC tickets (I’ve always been a fan of AC/DC: it’s not very IT but everyone has their guilty pleasures) and then I attempted to get the latest trainers for my daughter. I went through a similar 'primed and ready' routine but alas, the same result. They were sold out before I could even imagine someone had the time to put in their credit card details. Sounds familiar?
Well, if this has happened to you, it's more than likely you lost to a bot - not a person. Bots are everywhere, and the bad ones can inflict a lot more damage than a disappointed daughter.
Bots have been around for quite some time now.
Around the late nineties the first generation of bots showed up in scripts, with names that - to be fair - weren't exactly that scary: GDbot or Sdbot for example. These bots targeted IP addresses with simple requests, which are all very easy to defend against in this day and age.
As time has moved on, we've seen a second, third and now fourth generation of bots entering our lives. As the bots have become more serious, the names have become more sinister too: Methbot in one case!
Nowadays 'Man-In-The-Browser Bots' (MITB) are typically used within financial fraud due to the high amount of resources and cost involved. MITB attacks are much harder to mitigate due to its ever-changing nature and ability to get in between a user and their security mechanisms in a ‘public space’, such as the internet.
These new types of fourth-generation bots use more advanced, human-like interaction which allows the bots to be distributed across tens of thousands of IP addresses; moving from storing cookies, to mimicking mouse movements, to triggering scripts and distributed sources. These bots are able to use machine learning to facilitate correlation and contextual analysis, even creating 'bot-farms' or ‘botnets’ that are able to generate millions of dollars in areas such as counterfeit inventory, by targeting the premium video advertising ecosystem.
So, what is a botnet?
When bots come together, a botnet is created. A botnet is a logical collection of internet-connected devices such as computers, smartphones or IoT devices whose security has been breached and control ceded to a third party. Each compromised device is created when a device is penetrated by software, usually from malware distribution channels such as email or poor access controls. The botmaster uses command & control (C&C) servers to direct the activities of these compromised computers through communication channels, using protocols such as Internet Relay Chat (IRC) and Hypertext Transfer Protocol (HTTP).
Well documented cases of botnets are showing phenomenally high numbers of accounts targeted, from Linkedin to eBay to Uber to Marriott (who had 500m accounts affected), the attacks are incredibly serious and have gigantic implications for organisations.
Bots are big business
It is now possible to buy account takeover functionality, carding, captcha beating software, web scraping, scalping and cart abandonment ‘as a service’ - as mentioned, web scraping and scalping are two of the more notorious functions that bots utilise:
- Web scraping is an important function of the internet. Price comparison and search engines rely on this form of communication to do business, however if compromised, a web scraper or crawler can suck up significant amounts of bandwidth resulting in unusually high charges for businesses, simply because someone just wants to copy their data and repurpose it for their own benefit.
- Scalping comes in several forms. First is using a method of arbitrage of small price gaps created by the bid-ask prices. The second is fraudulent forms of market manipulation. The third is using the speed of bots vs humans to buy scarce resources – these things are fast!
Businesses need protection against this new, fourth-generation of advanced bots, which is where WAF (web application firewall) comes in. WAFs are paramount for detecting bots, as they intercept and analyse each HTTP request before they reach the web application.
Bots can be used for a multitude of things, good and bad. With research showing that only 12% of web applications (including websites) are protected against bots and botnets, the web is a feeding ground for threat actors using this method. There is no question that protection is required against bots and up to the minute protection is essential for organisations. A Web Application Firewall (WAF) is the most sensible form of defence, whether in hardware, software or ‘as a service’ formats but make sure that your WAF provider is staying up to date with the current threats to offer you the most advanced bot protection available.