As per the latest data, nearly 40% of the web traffic is bot traffic and out of this bot traffic, 60% are bad bots. Malicious bots are widely leveraged for malicious purposes such as credential stuffing, DDoS attacks, data theft, price scraping, and unauthorized crawling, among others, costing businesses heftily.
With continuously increasing sophistication and lethality, bots are an important addition to the online fraud/ cybercrime arsenal. And prevention of bot attacks is a must to strengthen web application security. A deeper understanding of bot attacks and their prevention will be provided in this article.
What are Bots?
Bots are automated scripts that are programmed to run specific automated tasks, usually simple ones, on the internet with minimal human intervention/ supervision. Higher speed, agility, accuracy, and performance in completing repetitive, routine tasks, in comparison to human executives have made bots sought-after by businesses for various legitimate purposes. Owing to these very benefits, they are cybercriminals and other bad actors for a wide array of malicious activities.
How Are Web Applications Attacked by Bots?
Web applications are attacked by different kinds of bots in different ways.
Original content is scraped from reputable websites and published elsewhere without permission to hurt SEO rankings.
Price data is scraped and used for illegitimate, competitive price monitoring, and tracking other pricing-related intelligence.
Email addresses and other contact information, that are in plain text, are scraped from legitimate websites. The scraped contact information can be used to form bulk mailing lists for spamming, orchestrate data breaches, robocalls, and social engineering, among others.
Using automation, the scraped email addresses can be paired with common passwords for credential stuffing or their login credentials can be hacked using brute-force password cracking tools for credential cracking. The attacker has, thus, successfully gained unauthorized access to accounts or performed an account takeover.
An internet application crafted by cyber-attackers to spread spam to targets across the internet.
- Using bulk mailing lists that are scraped from the internet or bought on the Dark Web, spam mails could be sent. Spam emails are used for spreading malware, stealing confidential data, and phishing. A technique called email spoofing is often used to make the email seem legitimate.
- Comment sections (websites, social media, and blogs) can be spammed with ads for contraband products, adult content, and too-good-to-be-true offers to lure legitimate users into divulging personal information, clicking a malicious link, or paying money.
- Malware links or other spam content could be inserted in forms, comment section, feedback, etc.
Apart from directly affecting the end-users and organizations, spambots are also used to deplete server bandwidth and increase ISP costs.
Scalper/ Ticketing Bots
Tickets to popular events or other popular, high-value, limited-supply commodities/ services are stockpiled by the attacker using scalpers/ ticketing bots to resell at a premium (illegally in many countries). Loss of revenue, reputational damage to the business, and exploitation of legitimate users are caused by scalping threats.
The collection of numerous malware-infected (Trojan viruses) computers and networked devices like IoT devices, smart devices, etc., often globally dispersed, and controlled by attackers/ malicious actors is known as a botnet or a zombie network. Botnets can include thousands of compromised devices.
Botnets are leveraged by attackers to overwhelm the website with fake requests, deplete its resources, and cause downtime/ make it unavailable to legitimate users through DDoS attacks. Often used as a smokescreen for other illegal/ malicious purposes, DDoS attacks are known to cost (financial and reputational) USD 120,000 to small businesses and USD 2+ million to a large company.
How Can Bot Attacks on Web Applications Be Prevented?
There is no one-size-fits-all bot prevention solution considering the multitude of bots and ways in which they attack websites. Here are some recommendations to improve web application security.
An intelligent, comprehensive, and managed WAF is indispensable for effective protection against bot attacks including DDoS attacks. Rate limiting, behavioral analysis based on global, historical data, the intelligence to detect bad bots pretending to be genuine bots, blocking traffic originating from a single IP address and false-positive management are necessary traits to look for in a WAF.
Identification and categorization of bot traffic using a combination of analytics tools and human expertise is necessary. Once identified and categorized, sophisticated rules for bot management must be defined and continuously tuned with surgical accuracy by security experts to ensure effective defense against bots.
A challenge-based approach is effective to check if the user is a human or a bot. By adding CAPTCHA to log in, comments, and forms, malicious bots can be prevented from accessing the website resources/ sensitive information. Wherever possible, use application-specific Workflow rules to distinguish between a bot and a real user. A workflow rule looks at attributes of a full transaction, for example, in an e-commerce application (the flow would be something like- selecting the items for purchase and putting them in the checkout cart, then checking out, followed by payments). Put rate control rules looking at this entire workflow as one unit on top of the individual threshold limits to trigger an alert on each page/transaction.
Using an intuitive, automated web scanning tool, malware, spam, and vulnerabilities in the website that increase the risk of bot attacks can be proactively identified.
Conclusion
Given that bots are potent tools in the cybercrime arsenal and are used to attack web applications for a variety of purposes, there is no one best solution to prevent it. A comprehensive web application security solution like AppTrana that combines the power of technology with the expertise of certified security professionals is necessary for heightened protection.
For more cybersecurity features and news, follow Indusface on Twitter and Facebook.
Originally published at https://www.indusface.com on June 27, 2020.
