We are increasingly seeing instances of fraudsters and hackers deploying botnets — distributed networks of bots — to carry out account takeover (ATO) and scraping attacks. Attackers programmatically target user accounts to gain account access, make unauthorized transactions, transfer rewards and funds in online wallets, prepaid gift cards, loyalty points, and other types of digital wallets in which money or credits are stored. While scraping attacks can lead to breaches of business and personal data, account takeover attacks severely impact customer loyalty and trust, since they are most often used to carry out activities that cause financial losses to users of targeted websites and apps.
Criminals usually carry out ATO and other forms of fraud through ‘credential cracking’ — in which they try to identify valid credentials by trying different values for usernames and passwords, looking for instances of username/ password reuse, and ‘credential stuffing’ — carrying out large numbers of login attempts to verify stolen or purchased login credentials. These activities are made easier for criminals due to the fact that many people practice poor security hygiene by using the same login credentials across multiple sites and applications.
Fraudsters now have it easier than ever when it comes to carrying out their activities. Exploit kits sold on shady websites and hacker forums contain a combination of attack tools capable of rotating through multiple proxy IPs and User Agents, along with the ability to perform programmatic or sequential requests to evade detection and perform large-scale ATO and scraping attacks. Using advanced exploit kits, attackers are able to target websites by using bots launched from several thousand IP addresses that are used only once per attack — a technique known as ‘low and slow’ — to evade basic rate-limiting security systems. In one sophisticated distributed scraping attack on an e-commerce site that we analyzed in detail, attackers scraped product information and pricing details of 651,999 products from 11,795 categories by using a combination of exploit tools and fake user accounts.
The graph above shows two plots of bot hits versus IP addresses used in attacks on an e-commerce site. The number of individual bots is plotted on the horizontal axis, and the corresponding number of IP addresses used by each bot are plotted on the vertical axis. The first plot shows basic bots that are easy to detect. In this attack instance they used well under 50 different IP addresses, with most of them using fewer than 25 IP addresses. The second plot, in contrast, shows how sophisticated bots use thousands of IP addresses in one attack instance — operating low and slow — to stay under the rules of WAFs, IP-blacklists, and rate-limiting security systems.
Had the bots measured in the graph been able to actually carry out their attacks on the e-commerce site rather than having been blocked by ShieldSquare, they could potentially have taken over many user accounts to steal prepaid gift card and loyalty points, to be sold later for cash. A large number of victims would have found that not only had their gift cards been stolen, but possibly also their personal data which could have been abused in various ways by the fraudsters.
It is crucial for e-commerce and other businesses that issue gift cards, discount coupons, store credits, and online vouchers to be able to detect and block organized fraudsters who use commonly-available exploit kits to steal funds from unsuspecting customers. Basic website security systems such as WAFs and rule-based limiting measures are incapable of detecting or blocking sophisticated bots that are able to mimic the behavior of a human user.
An effective approach to counter low and slow bot attacks would be to deploy sophisticated non-human traffic detection solutions that can leverage advanced machine learning-based technologies to detect malicious automated activities in seemingly-legitimate HTTP requests that often fly under the radar and go undetected by basic security systems extant today.