How Attacks Evolve from Bots to Fraud - Part 1

Bot Basics

A bot is a software program that performs automated, repetitive, pre-defined tasks. Bots typically imitate or replace human user behavior because they operate much faster than human users. Good Bots make the Internet work - From search engine crawlers that bring the world to your fingertips to chatbots that engage and enhance the user experience.

How Do Bots Facilitate Fraud?

Bots can also be used to scale automated attacks which can result in account takeover (ATO) and fraud. Motivated cyber criminals leverage a sophisticated arsenal of bots, automation, and evasion techniques. They also perform ongoing reconnaissance to identify security countermeasures and constantly retool their attacks to evade detection.

Automated Bot Attack Vector Examples...

Credential Stuffing
Automated Account Creation
Content Scraping High Value Data
Credit Application Fraud
Gift Card Cracking
Application DDoS
Aggregator Threats
Fake Account Creation
Inventory Hoarding
Bypass Auth reCAPTCHA
The list goes on...

Business Impact of Bad Bots

Infrastructure Costs - Infrastructure needs to scale to deal with unwanted and/or undetected bot traffic

Competitive Intelligence - Web scrapers collect important data to help competitors adjust their pricing strategies

Wrong Business Decisions - Bot traffic distorts web site analytics which could lead to making wrong business decisions

Sneaker Bots - Bots are buying limited editions of certain products before regular buyers and then sell on black market

Account Take-over - Credential stuffing leveraging stolen accounts purchased on the Darkweb providing access

Fraudulent Transactions - Fraudulent transactions with large financial consequences as a result of account take-over in the finance sector

The Industrialized (organized) Attack Lifecycle

Figure 1. It begins with unwanted automation and ends with account takeover and application fraud

What are Credential Spills?

Credential Spill - A cyber incident in which a combination of username and/or email and password pairs becomes compromised.

Date of Announcement - The first time a credential spill becomes public knowledge. This announcement could occur in one of two ways:

A breached organization alerts its users and/or the general public
A security researcher or reporter discovers a credential spill and breaks the news

Date of Discovery - When an organization first learned of its credential spill. Organizations are not always willing to share this information.

Stolen Credentials - Criminal Usage by Stage

Stage 1: Slow and Quiet

Sophisticated threat actors operating in stealth mode - 150 to - 30 days before the public announcement
Each credential used (on average) 20 times per day

Figure 2. Slow and quiet stage. Attackers use credentials in stealth mode from 150 to 30 days before the public announcement

Stage 2: Ramp Up

Creds become available on Darknet around ~30 days before public announcement
Use of creds ramp up to 70 times per day

Figure 3. The ramp-up stage. Attackers ramp up use of compromised credentials 30 days before the public announcement.

Stage 3: The Blitz

Credentials become public knowledge
Script Kiddies + N00bs
The first week is absolute chaos - each account attacked > 130 times per day

Figure 4. The blitz stage. Script kiddies and other amateurs race to use credentials after the public announcement.

Stage 4: Drop-Off / New Equilibrium

Creds *should* be worthless at this point...
Consumer reuse and lack of change allows for attacker "repackaging" and long tail value

Figure 5. The drop-off stage. Credentials no longer have premium value

Network Traffic Automation

The simplest level of user simulation contains tools that make no attempt to emulate human behavior or higher level browser activity. They simply craft HTTP requests along specified parameters and pass them along to the target. These are the simplest, cheapest, and fastest tools. Sentry MBA is perhaps the standard tool of this type.

Figure 6. Sentry MBA, a standard user simulation tool

Browser and Native App Automation

Most of the websites that we interact with every day—online banking, ecommerce, and travel sites—consist of large web applications built on hundreds of thousands of lines of JavaScript. These webpages are not simple documents, so simulating convincing transactions at the network level is extremely complex. At this point, it makes more sense for an attacker to automate activity at the browser level.

Until 2017, PhantomJS was the most popular automated browser in the market. When Google released Chrome 59 that year, however, it pushed forward the state of browser automation by exposing a programmatically controllable “headless” mode (that is, absent a graphical user interface) for the world's most popular browser, Chrome. This gave attackers the ability to quickly debug and troubleshoot their programs using the normal Chrome interface while scaling their attacks. Furthermore, just weeks after this announcement, Google developers released Puppeteer, a cross-platform Node.js library that offers intuitive APIs to drive Chrome-like and Firefox browsers. Puppeteer has since become the go-to solution for browser automation, as you can see from its growing popularity in web searches.

Figure 7. Google trends graph showing interest in PhantomJS versus Puppeteer between 2010 and 2016. (Source: Google Trends)

Simulating Human Behavior

The next level of sophistication above simulating a browser is simulating human behavior. It's easy to detect rapid, abrupt mouse movements and repeated clicks at the same page coordinates (such as a Submit button), but it is much harder to detect behavior that includes natural motion and bounded randomness. While Puppeteer and the Chrome DevTools Protocol can generate trusted browser events, such as clicks or mouse movements, they have no embedded functionality to simulate human behavior. Even if perfect human behavior was as simple as including a plug-in, Puppeteer is still a developer-oriented tool that requires coding skill. Enter Browser Automation Studio, or BAS. BAS is a free, Windows-only automation environment that allows users to drag and drop their way to a fully automated browser, no coding needed.

Figure 8. Browser Automation Studio User Interface

Scaling Up Real Human Behavior

As attackers grow in capability, they succeed in creating automated attacks that look more like human behavior. In some contexts, it actually makes more sense to just use actual humans. "Microwork" is a booming industry in which anyone can farm out small tasks in return for pennies. These services describe their jobs as ideal for labeling data destined for machine learning systems and, in theory, that would be a perfect use. In reality, the tasks the human workers perform are helping bypass antibot defenses on social networks, retailers, and any site with a login or sign-up form.

Figure 9. Data labeling “microwork” using humans to help bypass antibot defenses

In Conclusion

Depending on the attacker sophistication level and motivation there are a variety of tools ranging from basic automation to leveraging real humans to attempt to bypass bot defenses and perform account takeover actions. No matter the skill level, most attackers (at least, most cybercriminals) will start off with the cheapest, that is, least sophisticated, attacks in order to maximize rate of return. Able attackers will only increase sophistication (and thereby cost) if their target has implemented countermeasures that detect their original attack, and if the rewards still outweigh that increased cost.