The next new threat: Adversaries operating at scale with automation

May 15, 2021
Security professionals need to become more proactive in detecting bots and malicious automation

Bot attacks are at an all-time high. New techniques and tools let cybercriminals reach new levels of efficiency and effectiveness with their automated attacks, inflicting significant damage on the businesses and individuals in their path. Unfortunately, many organizations are not sufficiently prepared for the sophisticated new attacks being launched against their websites, mobile apps, and APIs.

Automated attacks are becoming more challenging to detect for three primary reasons. Adversaries:

  1. Leverage the legitimate tools that developers use for test automation in order to fly under the radar of existing security defenses, including WAFs and bot mitigation systems.
  2. Employ advanced techniques to launch large-scale denial of service (DoS) attacks that specifically target the application layer.
  3. Constantly find new channels to commit fraud for profit, including social media and vaccine appointment lines.

It's not that these tactics are necessarily novel; they just don't fall neatly into a single security vendor category, and fighting all of these automated threats at once takes a lot of time and effort.

Weaponization of DevTools

Recent advances in automation tools have made it easy to conduct attacks at scale, at little cost, and without expert knowledge. Open-source browser automation frameworks such as Puppeteer, Selenium, and Playwright have become easier to use over the past few years, enabling development teams to verify in an automated fashion that their sites work properly.

In the wrong hands, these same frameworks become effective weapons against online businesses. Combined with stealth plugins, fraudsters can use these free tools to mimic real human behavior, making it easier for bot operators to take over accounts, scrape content, launch application-layer distributed denial of service (DDoS) attacks, and commit fraud. The Puppeteer Extra stealth plugin (puppeteer-extra-plugin-stealth), for example, is now downloaded more than 250,000 times a month. Traditional detection methods and solutions miss these evasion techniques, so security teams need a new approach to stop cybercriminals from running malicious automation at scale.
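
To make the evasion concrete, here is an added example (not code from the article or from Kasada) of the checklist-style headless-browser detector that most "traditional" client-side checks amount to, run against three constructed browser profiles. The stealth profile reflects what puppeteer-extra-plugin-stealth's evasions are documented to rewrite (navigator.webdriver, the HeadlessChrome user-agent token, navigator.plugins, navigator.languages, window.chrome.runtime); that mapping is an assumption about the plugin's behaviour, not a specification, and the profiles themselves are hand-built for the example.

```javascript
// Added example (not from the article or Kasada): a checklist-style headless
// browser detector, and why a stealth plugin walks straight through it.
//
// `sig` is the kind of object a page script would assemble from navigator.*
// and window.chrome before posting it home. All three profiles below are
// constructed for this example; the STEALTH profile assumes the plugin
// rewrites exactly the five properties the detector keys on.

const CHROME_UA = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 ' +
  '(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36';

// A real, interactive Chrome session.
const REAL_CHROME = {
  userAgent: CHROME_UA,
  webdriver: false,           // navigator.webdriver
  pluginCount: 3,             // navigator.plugins.length
  languages: ['en-US', 'en'], // navigator.languages
  chromeRuntime: true,        // window.chrome && window.chrome.runtime present
};

// Headless Chrome driven by plain Puppeteer, no evasions applied.
const VANILLA_HEADLESS = {
  userAgent: CHROME_UA.replace('Chrome/', 'HeadlessChrome/'),
  webdriver: true,
  pluginCount: 0,
  languages: [],
  chromeRuntime: false,
};

// The same headless Chrome after the stealth plugin has patched each property
// (assumed mapping: every tell below is rewritten to look like REAL_CHROME).
const STEALTH_HEADLESS = { ...REAL_CHROME };

// Naive detector: every rule keys on a value that the page's own JavaScript
// reads from the browser, i.e. a value the automation tool can rewrite.
function headlessTells(sig) {
  const tells = [];
  const claimsChrome = /Chrome\//.test(sig.userAgent);
  if (sig.webdriver) tells.push('navigator.webdriver is true');
  if (/HeadlessChrome/.test(sig.userAgent)) tells.push('HeadlessChrome in user agent');
  if (claimsChrome && sig.pluginCount === 0) tells.push('Chrome with no plugins');
  if (sig.languages.length === 0) tells.push('navigator.languages is empty');
  if (claimsChrome && !sig.chromeRuntime) tells.push('Chrome without window.chrome.runtime');
  return tells;
}

function classify(sig) {
  return headlessTells(sig).length > 0 ? 'bot' : 'human';
}

if (typeof require !== 'undefined' && require.main === module) {
  const profiles = { REAL_CHROME, VANILLA_HEADLESS, STEALTH_HEADLESS };
  for (const [name, sig] of Object.entries(profiles)) {
    console.log(name.padEnd(17), classify(sig), headlessTells(sig));
  }
}
```

Vanilla headless Chrome trips all five rules; the stealth-patched session trips none and is classified as human, because every input to the detector is under the automation's control. That is the gap the article describes: the evasion is not subtle, it simply targets exactly the signals these checks rely on.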

Large-Scale Layer 7 DDoS

Ransom DDoS reached an all-time high last year, even setting aside the outlier of the largest DDoS attack ever recorded. Cisco predicts that the total number of DDoS attacks will double from 7.9 million in 2018 to over 15 million by 2023. This year, enterprises will see DDoS attacks shift more quickly from the network layer to the application layer. With the increasing importance of online services spurred on by the pandemic, it only makes sense that attackers will adapt their ransom strategies and start hitting the most valuable part of a business: its online availability.

Attackers are moving away from traditional DDoS strategies based on flooding the network connection, which is no longer as easily accomplished given the rise of virtual data centers that can detect and absorb such floods, and toward flooding the application servers themselves. Layer 7 DDoS attacks are also increasing in intensity. A recent example is an attack on a Chinese gambling website: even though the application-layer DDoS attack lasted only 10 minutes, it reached 689,000 requests per second at its peak, bringing the site to a halt.

These automated application-layer DDoS attacks are harder to detect and defend against because attackers use computationally expensive, human-like actions such as login attempts or search queries, which slow service delivery to a crawl with a fraction of the traffic a volumetric flood would need. IT decision-makers need to adapt quickly as attackers shift to new techniques in order to identify and defend against malicious automation.

Fraudsters Everywhere: From Fake Accounts to Fake Followers, and Gift Card Fraud to Loyalty Point Fraud

Once fraudsters identify an opportunity to make money quickly and easily, they double down, whether they are creating fake Instagram accounts or redeeming gift cards. Automation enables this type of fraud to persist and evolve.

One example is the creation of fake accounts. HBO Max recently premiered a documentary called “Fake Famous,” which looks at the industry of creating Instagram influencers. The producers utilized bots to add fake followers to three test subjects, showing the ease with which bots-for-hire can manufacture fame - and eventually free gifts - for just about anyone.

Another example of bots exploiting a new industry is scalpers hoping to snap up COVID-19 vaccine appointments. As city and town health departments, local practices, and pharmacy chains push out vaccine doses, fears have risen about individuals using bots to jump places in line and secure vaccinations before those in greater need. If people have to sign up for their vaccine on a website, then bots may "monopolize the spots available," as they have already done in various municipalities.

Throughout the past year, many organizations have created loyalty programs to reward customers for frequenting their business. These programs have been very successful at retaining customers, but they are also rife with opportunities for fraud. Consider loyalty programs where you can redeem points online for gift cards. Fraudsters can steal loyalty points by using malicious automation to take over accounts with stolen credentials and then quickly transfer the points to gift cards. Similarly, in gift card cracking, fraudsters use automation to discover valid gift card codes and then spend the balances on loyalty points or goods before anyone is the wiser. This type of fraud is very difficult to track, is highly profitable, and will continue to be exploited.
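
Both of the behaviours this article has described so far, expensive-endpoint flooding (the application-layer DDoS above) and automated account takeover or gift card code guessing, leave similar traces in application logs: one client hammering costly endpoints, or one client cycling through many identifiers with almost every attempt failing. The detector below is an added illustration, not Kasada's code or the article's. It runs over constructed log lines in an assumed "timestamp client-ip method path status key=value" format (not any product's format), and the thresholds are placeholders to be tuned per site.

```javascript
// Added example (not from the article or Kasada): three log-based detections
// for malicious automation. Log format and thresholds are assumptions.

const EXPENSIVE = new Set(['POST /login', 'GET /search', 'POST /giftcard/redeem']);
const WINDOW_MS = 60000;       // sliding window for the flood check
const RATE_LIMIT = 30;         // expensive requests per client per window
const MIN_DISTINCT = 5;        // distinct users/codes before calling it enumeration
const MIN_FAILURE_RATIO = 0.8; // share of attempts that must fail

// Parse one line: "2021-05-15T10:00:00Z 203.0.113.7 POST /login 401 user=alice"
function parseLine(line) {
  const [ts, ip, method, path, status, ...rest] = line.trim().split(/\s+/);
  if (!ts || !status) return null;
  const attrs = Object.fromEntries(rest.map((kv) => kv.split('=')));
  return { t: Date.parse(ts), ip, endpoint: `${method} ${path}`, status: Number(status), attrs };
}

function parseLog(text) {
  return text.split('\n').map(parseLine).filter(Boolean);
}

// Largest number of expensive requests from one client inside any WINDOW_MS.
function peakPerWindow(events) {
  const ex = events.filter((e) => EXPENSIVE.has(e.endpoint)).sort((a, b) => a.t - b.t);
  let lo = 0, peak = 0;
  for (let hi = 0; hi < ex.length; hi++) {
    while (ex[hi].t - ex[lo].t >= WINDOW_MS) lo++;
    peak = Math.max(peak, hi - lo + 1);
  }
  return peak;
}

// Many distinct identifiers against one endpoint, nearly all rejected:
// credential stuffing on /login, code guessing on /giftcard/redeem.
function enumerationFinding(ip, events, endpoint, key, kind) {
  const hits = events.filter((e) => e.endpoint === endpoint && e.attrs[key]);
  if (hits.length === 0) return null;
  const distinct = new Set(hits.map((e) => e.attrs[key])).size;
  const failures = hits.filter((e) => e.status >= 400).length;
  if (distinct < MIN_DISTINCT || failures / hits.length < MIN_FAILURE_RATIO) return null;
  return { ip, kind, distinct, attempts: hits.length, failures };
}

function analyze(events) {
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const findings = [];
  for (const [ip, evs] of byIp) {
    const peak = peakPerWindow(evs);
    if (peak > RATE_LIMIT) findings.push({ ip, kind: 'l7-flood', peakPerWindow: peak });
    const cs = enumerationFinding(ip, evs, 'POST /login', 'user', 'credential-stuffing');
    if (cs) findings.push(cs);
    const gc = enumerationFinding(ip, evs, 'POST /giftcard/redeem', 'code', 'giftcard-enumeration');
    if (gc) findings.push(gc);
  }
  return findings;
}

// Constructed sample log: one legitimate shopper and two automated clients.
function makeSampleLog() {
  const base = Date.parse('2021-05-15T10:00:00Z');
  const at = (ms) => new Date(base + ms).toISOString();
  const lines = [
    `${at(0)} 198.51.100.20 POST /login 401 user=alice`,
    `${at(4000)} 198.51.100.20 POST /login 200 user=alice`,
    `${at(9000)} 198.51.100.20 GET /search 200 q=gift+card`,
  ];
  // Credential stuffing: 40 different usernames in 20 seconds, two of them valid.
  for (let i = 0; i < 40; i++) {
    lines.push(`${at(500 * i)} 203.0.113.7 POST /login ${i % 20 === 0 ? 200 : 401} user=u${i}`);
  }
  // Gift card guessing: 25 codes in 50 seconds, only the last one valid.
  for (let i = 0; i < 25; i++) {
    const code = `GC${String(i).padStart(4, '0')}`;
    lines.push(`${at(2000 * i)} 203.0.113.9 POST /giftcard/redeem ${i === 24 ? 200 : 404} code=${code}`);
  }
  return lines.join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(analyze(parseLog(makeSampleLog())));
}
```

On the sample log the shopper produces no findings, the credential-stuffing client is flagged both as an L7 flood (40 expensive requests in one window) and for enumeration (40 usernames, 38 failures), and the gift card client stays under the rate limit but is caught by the enumeration rule (25 codes, 24 failures). Keying purely on client IP is the weak point: stealth-equipped bots routinely rotate through residential proxies, so in practice the same counters are kept per session, per device fingerprint or per target account as well.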

The Perfect Storm for Bad Actors

While DevTools are making it cheaper and easier for cybercriminals to scale their operations, traditional detection methods are becoming more expensive and cumbersome to maintain while still failing to accurately detect automated attacks. As a result, attackers who leverage automation, DevTools, and sophisticated techniques are outpacing many of the organizations they target. Security professionals need to become more proactive in detecting bots and malicious automation to stay ahead of these evolving threats to APIs and applications.

About the author: Sam Crowther is CEO and founder of Kasada, an innovative web traffic integrity company that accurately detects and defends against bot attacks across web, mobile and API channels. He is passionate about creating simple technical solutions to complex problems and is motivated by challenging preconceived ideas and beliefs in order to have a positive impact on the world. 
