June 1, 2022
Cyber criminals today have a growing arsenal of tools and methodologies to attack and infiltrate the information systems and data of their victims. Malicious bots are among their most powerful and dangerous weapons. Bots make it possible for fraudsters to automatically attack en masse and at lightning speed. Likewise, bots and botnets are also instrumental to the success of slow and stealthy assaults run by advanced persistent threat actors (APTs).
However, if malicious bots are detected and effectively mitigated, most attackers will quickly fail and withdraw because it’s simply too difficult to manually execute a successful strike. Without the use of automated bots, cyber attacks simply require too much effort to remain profitable. Organizations that understand this dynamic and work to mitigate bad bots will have a much greater chance of protecting their data and their customers' privacy.
Bots are extensively used on the internet, accounting for around half to two-thirds of all internet traffic. Good bots are used by services like search engines and news aggregators. Unfortunately, malicious bots are also common. Bad bots are so pervasive that virtually every online property is now attacked each month.
As a test to determine the prevalence of bad bots, Honeynet, an international non-profit security research organization, set up a barebones website. It had no domain name and no useful services. Within 24 hours this brand-new, unnamed and virtually invisible web server was attacked more than a quarter of a million times.
Bots are not just powerful tools—they are easy for bad actors to obtain and use. They can be purchased, rented, developed from kits, or, for more sophisticated attackers, programmed from scratch.
Botkits are also readily available and inexpensive, sometimes even free. Using these bot development kits, attackers with limited skills can quickly develop their own bots, and adapt them to perform specific, nefarious tasks.
Bad actors don’t even need to possess or acquire a bot to use it. There are dozens of services available that will do virtually all of a hacker’s dirty work. Fraudsters specify what they want, pay a fee, and the service does the rest. These destructive services have been evolving for a long time. In 2012, Computer World’s article "Software that Lies" uncovered many websites that openly advertised a number of nefarious services—some were intended just for pranks, but others were quite dangerous. The advertised prices are surprisingly low.
Example bot services from 2012:
Over the past decade, this ecosystem has evolved further, with increasing specialization: some teams only build malware tools, others only operate botnets and rent them out, and so on.
Today, many bots-as-a-service offer highly sophisticated features, including:
Cybercriminals can also use bots-as-a-service to create new, unique, and powerful custom bots of their own. This opens the cyber door for new criminals with virtually no technical skills at all, equipping them with powerful ways to attack corporations and user privacy. With a little bit of money, nearly anyone can become a cybercriminal.
As cybercriminals have invested in improving their abilities, so have defenders. hCaptcha Enterprise detects and deters these kinds of attacks seamlessly, thanks to a sophisticated self-supervised learning approach combined with the industry's most advanced challenge platform.
The ultimate strength of bots lies in botnets, which are large groups of malware-infected devices that attack in concert under the direction of the botnet owner, or bot herder. Botnets can consist of thousands or even millions of devices. They often grow automatically by sending malicious emails, which infect more machines when opened. For example, the Zeus and Mariposa botnets each infected over 10 million computers.
Botnets provide the collective processing power to pull off large-scale attacks, and because botnet traffic comes from numerous locations and IP addresses, it’s often difficult for organizations to identify and mitigate the attack.
Bot herders often rent control to a wide variety of bad actors who may alter the bot’s malicious payload. For one attack, the botnet might be configured to break into existing user accounts, only to be reconfigured for other purposes during subsequent attacks.
As an example, the Dridex botnet is one of the most notorious. It is primarily used in account takeover scenarios to steal banking credentials via credential stuffing attacks—thereby granting hackers access to bank accounts. However, in addition to stealing bank account credentials, the collection of Dridex bots can also steal personally identifiable information (PII), payment card data, and other private information. Like many bots, Dridex self-propagates via email attachments.
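The point above about botnet traffic arriving from many locations and IP addresses, worked through for the credential stuffing case as an added example (not code from the original article or from hCaptcha): a per-address failure counter stays silent during a distributed run, while aggregates over the whole time window expose it. The login events, thresholds and function names are constructed assumptions.

```python
from collections import Counter

PER_IP_FAILURE_LIMIT = 5  # assumed per-address lockout threshold


def build_sample_events():
    """Constructed login events: (source_ip, username, succeeded)."""
    events = []
    # Distributed run: 60 addresses, two failed logins each, every
    # attempt against a different username (documentation IP ranges).
    for i in range(60):
        ip = f"203.0.113.{i + 1}"
        events.append((ip, f"user{2 * i}", False))
        events.append((ip, f"user{2 * i + 1}", False))
    # Ordinary traffic: 40 customers log in, one mistypes a password once.
    for i in range(40):
        events.append((f"198.51.100.{i + 1}", f"customer{i}", True))
    events.append(("198.51.100.7", "customer6", False))
    return events


def per_ip_alerts(events, limit=PER_IP_FAILURE_LIMIT):
    """Addresses whose own failure count exceeds the per-IP limit."""
    failures = Counter(ip for ip, _, ok in events if not ok)
    return sorted(ip for ip, count in failures.items() if count > limit)


def aggregate_signals(events):
    """Window-wide view that does not depend on any single address."""
    failed = [(ip, user) for ip, user, ok in events if not ok]
    return {
        "failure_ratio": len(failed) / len(events) if events else 0.0,
        "failing_ips": len({ip for ip, _ in failed}),
        "failing_usernames": len({user for _, user in failed}),
    }


def distributed_attack_suspected(events, max_ratio=0.3, min_ips=20, min_users=50):
    """Assumed thresholds: mostly-failing logins spread over many IPs and names."""
    s = aggregate_signals(events)
    return (s["failure_ratio"] > max_ratio
            and s["failing_ips"] >= min_ips
            and s["failing_usernames"] >= min_users)


if __name__ == "__main__":
    sample = build_sample_events()
    print("per-IP alerts:", per_ip_alerts(sample))
    print("aggregate:", aggregate_signals(sample))
    print("suspected:", distributed_attack_suspected(sample))
```

In production the thresholds would be tuned against the site's own baseline login failure rate rather than fixed as they are here.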
Bad bots are a key component in many, if not most, data breaches affecting privacy. Damages can be significant and include: financial loss; injury to the company’s reputation and brand; operational downtime; legal entanglements and fines; and loss of private data including PII and intellectual property (IP).
According to IBM's 2021 Cost of a Data Breach report, the average cost of a data breach was $4.24 million (USD). That’s up from $3.86 million in 2020.
These damages are often caused by the following types of bots:
There’s no single solution that will fully protect you from all malicious bots. But there are a number of things that you can do to dramatically reduce your chances of having a breach occur.
Here are some tips for what to look for in a sound bot management and mitigation strategy:
Adhering to the suggestions above will significantly reduce the risk of a successful bot attack. By implementing a robust bot mitigation solution like hCaptcha Enterprise, your organization will stay ahead of current and evolving threats.
With malicious bots responsible for up to two-thirds of all internet traffic, it is vital for online property owners to understand how bots work, and the steps they can take to protect themselves.
The rampant availability of inexpensive and powerful bots is emboldening new bad actors to enter the realm of cybercrime. All indicators point to an uptick in the number of bad bots trafficking the internet along with increased levels of sophistication.
Fortunately, organizations that protect themselves through the implementation of sound bot mitigation policies, practices, and quality tools can avoid much of the cost, risk, and stress of being unprotected on the open internet.