By Roy Urrico
Finopotamus aims to highlight white papers, surveys, analyses, news items and reports that provide a glimpse of what could potentially impact credit unions and other organizations in the financial services industry.
Bots — autonomous programs on the internet or another network that interact with systems or users — are damaging businesses, both directly and indirectly, whether they are scraping content, buying up goods before anyone else, or using stolen passwords to take over accounts. As a result, many businesses are investing in bot management software to control the bot traffic accessing their site. However, new research from cybersecurity company Netacea found that two-thirds of businesses are at higher risk of malicious attacks due to some common bot misconceptions.
For the 2022 report, The Bot Management Review: Separating Bot Fact from Fiction, the Manchester, United Kingdom-based Netacea surveyed 440 businesses across financial services, e-commerce, travel, entertainment, and telecoms sectors in the U.S. and the U.K. to see if they could tell bot fact from bot fiction.
Matthew Gracey-McMinn, head of threat research at Netacea, explained, “Your traditional cybersecurity attack is really trying to exploit code vulnerabilities to make things behave in ways they are not supposed to. Your business logic attack is slightly different, (fraudsters) want the website or the web app, or whatever it is, to behave in its legitimate function, but for malicious purposes.” He pointed out attackers are using these bots to facilitate these attacks. “And increasingly attackers are getting more sophisticated.”
Business Logic Attacks
This business logic attack is really an attempt to exploit vulnerabilities within the business logic, explained Gracey-McMinn. “Businesses are exploiting automation to allow themselves to move quickly and reduce costs and to respond to customers in many different ways and respond to changing situations. Attackers have used the power of automation to launch attacks en masse — a massive upscaling in the number of these sorts of attacks.”
While most organizations were aware that bots are an issue, the study revealed that many are confused about where attacks originate and which technologies and techniques are effective against bots.
In reality, according to the research, bots cost businesses an average of 3.6% of their online revenue, but the problems run deeper. The report revealed, “If businesses cannot tell the difference between real customers and bots, this can make marketing analytics data useless. Businesses have burned through marketing budgets and made poor decisions based on bad marketing data. Despite a lower profile, this is just as big a problem as ad fraud.”
Bot Myth, Near-Myth, Or Fact?
Netacea found many businesses falling victim to common bot myths and relying on solutions that are inadequate for sophisticated bot detection, leaving them vulnerable to bot attacks, data breaches and more. Netacea asked businesses to decide whether a number of statements were myth, near-myth, or fact. Here is a brief look at some of the findings:
· Web application firewalls (WAFs) stop sophisticated bots – 73% of businesses surveyed believed this to be true, including 92% of telecommunication providers and 77% of e-commerce businesses.
This is a myth. The more sophisticated bot attacks exploit websites by taking advantage of business logic. For this, bots do not need to exploit security holes at all, so WAF-based solutions, which look for malformed or malicious requests, are ineffective against them.
Examples of business logic attacks that bypass WAFs include: credential stuffing attacks, in which bots automatically inject thousands of stolen or leaked credentials into a website login page until they find a match; inventory hoarding, where bots hold an item (or multiple items) in their basket while listing it for resale; and scalper bots, which purchase new, limited-edition or discounted stock far faster than any human shopper could.
· Bot attacks only come from Russia and China.
While it is true that many bot attacks come from Russia and China, it is also true that many originate from the U.K., the U.S. and all around the world. “It's hard to say where these bot attacks come from,” Gracey-McMinn noted. “We see them coming from lots of different networks.”
Netacea’s research also found that just over a third of businesses have detected threats from Russia and China. Meanwhile, around half detected threats from the U.S. (51%) and the U.K. (46%), and many more (75%) detected threats from Europe.
· reCAPTCHA allows websites to distinguish between human and automated traffic — 72% of businesses surveyed believed this to be true.
This is a near-myth. While reCAPTCHA, bot management software from Google, does differentiate between some human and bot traffic, advancements in artificial intelligence have allowed the more sophisticated bots to circumvent this technology and easily gain access to a website. Additionally, the increased use of CAPTCHA farms (services in which people are paid to solve challenges on a bot’s behalf) means that bot mitigation software such as reCAPTCHA is unable to guarantee detection of even some of the simpler forms of automated traffic.
· All bot users are criminals — just over half of the businesses surveyed (55%) consider bot users criminals.
This is a near-myth. Although at the time of the report’s writing policymakers in the U.K. and the U.S. had discussed possible laws against scalper bots, it is currently legal to obtain or purchase items using bots, the report disclosed. Additionally, while many scalper bot users resell products for a profit, some are consumers running their own bots to counter the scalpers and purchase the items they want. Either way, there are no laws against this practice.
Using bots for credential stuffing and card cracking, however, is a form of online fraud.
· The majority of credential stuffing attacks use bots or automated technology — 64% of the businesses surveyed believed this to be true.
This is a fact. With more than 15 billion credentials available for sale on the dark web, and more data breaches occurring daily, it is impossible to check their validity manually. For this reason, most attackers will use automated technology to sift through the millions of credentials and verify accounts for use or resale. Cybercriminals will purchase these credentials and continually input them into the login forms of various websites until they get a match. Once verified, the cybercriminal has access to all account assets – such as any premium subscriptions, stored credit card details or accrued loyalty points.
· Distributed denial of service (DDoS) protection will stop all bots — 77% of businesses surveyed believed DDoS protection could stop all bots.
This is a myth. While bot traffic is also automated, it is different from the traffic used in a DDoS attack. Bots usually have different intentions for accessing a website than DDoS traffic; while bots are capable of overwhelming a website, they often require the website to be working optimally to carry out their attack. Most forms of DDoS management rely on “rate limiting” protection, which blocks a client that sends more requests than a set threshold in a given period. However, according to Netacea, most sophisticated bots evade this kind of detection by limiting how frequently they repeat actions, staying under the threshold.
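The two points above, that credential stuffing is automated and that rate limiting is sidestepped by bots which space out their actions, can be shown on a small set of login events. The Python below is an added example written for this page, not code from the article or from Netacea; the login events, the IP addresses (taken from documentation ranges) and the thresholds are all constructed assumptions. It runs a classic per-IP rate limit over the events and then a second check that ignores request volume altogether and instead looks at what each client does: failing against several different accounts without ever succeeding.

```python
"""Added example: per-IP rate limiting versus a behavioural check for
low-and-slow credential stuffing. All events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed login events as (timestamp, client IP, username, outcome).
    Addresses come from RFC 5737 documentation ranges; nothing is real traffic."""
    base = datetime(2022, 6, 1, 10, 0, 0)
    events = []
    # 1. A noisy bot: 12 failed logins from one IP inside 30 seconds.
    for i in range(12):
        events.append((base + timedelta(seconds=2 * i), "198.51.100.5", f"user{i}", "FAIL"))
    # 2. A low-and-slow campaign: 8 IPs, each trying two stolen credentials
    #    five minutes apart, so no single IP ever exceeds the per-IP limit.
    for n in range(8):
        ip = f"203.0.113.{n + 10}"
        for k in range(2):
            t = base + timedelta(minutes=5 * k, seconds=20 * n)
            events.append((t, ip, f"victim{n * 2 + k}", "FAIL"))
    # 3. Legitimate users: one mistyped password then success, two clean logins.
    events.append((base + timedelta(seconds=40), "192.0.2.7", "alice", "FAIL"))
    events.append((base + timedelta(seconds=55), "192.0.2.7", "alice", "OK"))
    events.append((base + timedelta(minutes=1), "192.0.2.8", "bob", "OK"))
    events.append((base + timedelta(minutes=3), "192.0.2.9", "carol", "OK"))
    return sorted(events)


def rate_limit_offenders(events, limit=10, window_s=60):
    """Classic DDoS-style rate limit: an IP that makes more than `limit`
    requests inside any `window_s`-second sliding window is flagged.
    Only the request count matters, not what the requests do."""
    per_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        per_ip[ip].append(ts)
    offenders = set()
    for ip, stamps in per_ip.items():  # stamps are already in time order
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 > limit:
                offenders.add(ip)
                break
    return offenders


def stuffing_suspects(events, window_s=600, min_accounts=2):
    """Behavioural check: an IP that, inside a `window_s`-second window, fails
    against `min_accounts` or more *different* accounts and never logs in
    successfully looks like it is testing stolen credentials. Request volume
    is ignored, so spacing attempts out does not help the bot. (Threshold is
    an assumption; shared NAT addresses would need a higher one in practice.)"""
    per_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        per_ip[ip].append((ts, user, outcome))
    suspects = set()
    for ip, rows in per_ip.items():
        for i, (t0, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - t0 <= timedelta(seconds=window_s)]
            failed_accounts = {u for _, u, o in in_win if o == "FAIL"}
            succeeded = any(o == "OK" for _, _, o in in_win)
            if len(failed_accounts) >= min_accounts and not succeeded:
                suspects.add(ip)
                break
    return suspects


if __name__ == "__main__":
    events = build_sample_events()
    blocked = rate_limit_offenders(events)
    suspects = stuffing_suspects(events)
    print("rate limit caught:      ", sorted(blocked))
    print("behavioural check caught:", sorted(suspects))
    print("missed by rate limit:   ", sorted(suspects - blocked))
```

Run as a script, the rate limiter catches only the noisy bot, while the behavioural check additionally flags all eight addresses of the spaced-out campaign and leaves the legitimate users alone, including the one who mistyped a password once. The thresholds are deliberately simple; a production rule would also correlate across IPs (many distinct accounts failing site-wide in a short period) and weigh device and session signals, which is the kind of traffic analysis the article attributes to bot management vendors.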
Looking specifically at financial services, the study found these as the top myths believed about bots:
· Web application firewalls (WAFs) will stop sophisticated bots (believed by 68%).
· Distributed denial-of-service (DDoS) protection will stop all bot attacks (believed by 68%).
· Bot attacks only come from Russia and China (believed by 62%).
· All bots come from purchases on the dark web (believed by 62%).
· All bot users are criminals (believed by 62%).
Netacea Protecting the Castle Walls
Gracey-McMinn said Netacea specifically works with business logic attacks. “We provide a degree of protection, basically examining all of the web traffic to try and determine which are legitimate users or people who have a malicious intent.”
The researcher likened Netacea’s role to fortress sentinels. “Our job is to have defensive teams who watch the walls of cyber-castles; we protect our customers within those walls. We have our guards, data analysts, scientists and data engineers who are patrolling those walls, making sure that no bad people, no bad stuff get in.”
At the same time, the researcher said his team is out in the wilderness, well outside the castle, serving as heralds of forthcoming (business logic) attacks.