
How Bots Are Evolving in 2022—Top Threats

Bots are evolving and becoming more sophisticated every day.

We continue to witness the rapid evolution of advanced bots, particularly over the last few years as internet use for commerce and connection has skyrocketed. But what tools are allowing bot developers and fraudsters to continue adapting to bypass new security measures? This post will cover how bots and online threats are evolving, including:

What makes bots and automated threats more sophisticated?

Who is at risk?

Conclusion

What makes bots and automated threats more sophisticated?


Distributed Attacks

Proxies give bots easy access to millions of IP addresses to abuse. As soon as one IP address is blocked, bots can shift to another one. Attacks from 100 distinct IP addresses are less likely to be caught in filters than 100 attacks from one IP address. Proxies can be expensive, but some cybercriminals are willing to pay a lot to get the outcome they want, whether they are after your customers’ data or something else.

In May 2022, we witnessed a credential stuffing attack on one of our customers that relied heavily on distributed attacks. Over four days, the attacker made nearly 108 million malicious login attempts and used 91,340,141 IP addresses located all around the world. Each IP address only made 1.18 malicious login attempts on average, and the IP addresses were mostly clean.

None of the IPs had been used for malicious activity against any of our customers in the week before the attack. And because the attacker used distributed IP addresses, the attack wouldn’t have been stopped with conventional protection like Web Application Firewalls (WAFs) and rate limiting.
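The two paragraphs above describe why per-IP controls fail when each address makes only about one attempt. The script below is an added example (not DataDome's code) that replays that situation on a constructed login log: a per-IP failure threshold blocks nothing, while per-account and site-wide aggregates still expose the attack. The log format, the address ranges (RFC 1918 and TEST-NET placeholders) and the thresholds are all assumptions of this example.

```python
"""Why per-IP rate limiting misses a distributed credential-stuffing attack,
and which aggregate signals still expose it.

Added example: the login log is constructed for this script (private and
TEST-NET addresses as placeholders), not data from the post."""
from collections import Counter, defaultdict
import re

LOG_RE = re.compile(r"^ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse(lines):
    """Parse 'ip=... user=... result=ok|fail' lines into dicts, skipping malformed ones."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def legit_log():
    """Constructed baseline: 60 customers on 30 IPs, a mistyped password now and then."""
    return [f"ip=192.0.2.{i % 30} user=cust{i % 60} result={'fail' if i % 23 == 0 else 'ok'}"
            for i in range(180)]


def attack_log():
    """Constructed attack: 2,200 attempts spread over 2,000 IPs against 400 accounts,
    so most IPs appear once; roughly 1 in 97 credential pairs is a hit."""
    lines = []
    for i in range(2200):
        n = i if i < 2000 else i - 2000          # 200 IPs are reused exactly once
        ip = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"
        lines.append(f"ip={ip} user=user{i % 400} result={'ok' if i % 97 == 0 else 'fail'}")
    return lines


def per_ip_rate_limit(events, max_fails=5):
    """Conventional control: block an IP after more than max_fails failed logins."""
    fails = Counter(e["ip"] for e in events if e["result"] == "fail")
    return {ip for ip, n in fails.items() if n > max_fails}


def accounts_under_attack(events, min_distinct_ips=3):
    """Per-target signal: one account failing from many distinct IPs is stuffing,
    whichever IPs are used."""
    ips = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            ips[e["user"]].add(e["ip"])
    return {u for u, s in ips.items() if len(s) > min_distinct_ips}


def global_signals(events):
    """Site-wide signals: failure rate and attempts per distinct IP."""
    total = len(events)
    fails = sum(1 for e in events if e["result"] == "fail")
    distinct_ips = len({e["ip"] for e in events})
    return {"attempts": total,
            "failure_rate": fails / total,
            "attempts_per_ip": total / distinct_ips}


if __name__ == "__main__":
    baseline = parse(legit_log())
    window = parse(legit_log() + attack_log())
    print("blocked by per-IP limit:", len(per_ip_rate_limit(window)))
    print("accounts failing from many IPs:", len(accounts_under_attack(window)))
    print("baseline:", global_signals(baseline))
    print("attack window:", global_signals(window))
```

In the constructed window the attacker's IPs never exceed two attempts each, so the per-IP limit returns an empty set, yet every targeted account fails from four or more distinct addresses and the site-wide failure rate jumps from under 5% to over 90% while attempts per IP sit near 1.2. Those are the kinds of aggregate, non-IP signals a defense needs when the source addresses are disposable.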


High-Quality IPs

More and more, bot developers are spending their money on high-quality residential proxies. Because residential IP addresses have better reputations, they’re much less likely to be blocked than data center proxies. Residential proxies help keep bots anonymous and enable them to keep attacking.

Per our 2022 Bot Proxy Landscape, over the course of one week, bots leveraged approximately 5.7 million data center proxies and 6.2 million residential proxies. Residential proxies are higher quality but more expensive because they are the same kind of IP address used by humans, and are therefore blocked less frequently than data center proxies. Bots have a huge pool of high-quality IP addresses to choose from so they can keep attacking as long as they want.


Forged Fingerprints

Every user on the internet has a distinct fingerprint comprising various details about the way they’re accessing the internet. Fingerprints include:

  • HTTP fingerprints, based on HTTP headers (server side).
  • TLS fingerprints, based on metadata extracted during the TLS handshake (server side).
  • Browser fingerprints, based on information about the browser, device, and operating system (OS) collected using JS (client side, in the browser).
  • Mobile fingerprints, based on information about the device and OS collected using an SDK (client side, in a mobile application).

Unlike real-life fingerprints, a bot's fingerprint can be forged to hide its true identity and make it look more like a human user. Puppeteer Extra Stealth, for instance, automatically forges its fingerprint, and CAPTCHAs can be passed through CAPTCHA farms. If a bot's fingerprint doesn't look suspicious (the telltale ones are those tied to headless browsers and automation frameworks), the bot is likely to fly under the radar.
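To make the server-side part of the list concrete, here is an added example (not DataDome's code) of the HTTP and TLS fingerprint consistency checks a defender can run: it hashes the order of request headers, derives the declared user-agent family, learns which header orders and TLS fingerprints known-human traffic produces per family, and reports discrepancies for a request that claims to be Chrome but was sent by a scripted client. The request samples, the "known human" profile table and the JA3-style strings are constructed placeholders, and the check that a Chrome user-agent should come with a `sec-ch-ua` header is an assumption of the example.

```python
"""Server-side fingerprint consistency checks over HTTP header order and the
TLS fingerprint (here a JA3-style string).

Added example: the request samples, the 'known-good' profile table and the
JA3 strings are constructed placeholders, not real fingerprints."""
import hashlib


def parse_headers(raw):
    """Return headers as an ordered list of (name, value); order matters for the fingerprint."""
    headers = []
    for line in raw.strip().splitlines()[1:]:       # skip the request line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def http_fingerprint(headers):
    """Hash of header names in the order the client sent them."""
    order = "|".join(name for name, _ in headers)
    return hashlib.sha256(order.encode()).hexdigest()[:16]


def ua_family(headers):
    """Coarse user-agent family declared by the client."""
    ua = dict(headers).get("user-agent", "")
    if "HeadlessChrome" in ua:
        return "headless-chrome"
    if "python-requests" in ua or "Go-http-client" in ua:
        return "script"
    if "Chrome/" in ua:
        return "chrome"
    if "Firefox/" in ua:
        return "firefox"
    return "other"


# Constructed "known human" request used to learn per-family profiles.
HUMAN_CHROME = "\n".join([
    "GET /login HTTP/1.1",
    "Host: shop.example",
    "Connection: keep-alive",
    'sec-ch-ua: "Chromium";v="104", "Google Chrome";v="104"',
    "sec-ch-ua-mobile: ?0",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36",
    "Accept: text/html,application/xhtml+xml,*/*;q=0.8",
    "Accept-Language: en-US,en;q=0.9",
])
JA3_CHROME = "ja3-placeholder-chrome"            # constructed placeholder, not a real JA3
KNOWN_HUMAN = [(HUMAN_CHROME, JA3_CHROME)]


def build_profiles(samples):
    """Learn, per UA family, which header orders and TLS fingerprints humans produce."""
    profiles = {}
    for raw, ja3 in samples:
        h = parse_headers(raw)
        p = profiles.setdefault(ua_family(h), {"http": set(), "tls": set()})
        p["http"].add(http_fingerprint(h))
        p["tls"].add(ja3)
    return profiles


def assess(raw, ja3, profiles):
    """List the discrepancies between what the client claims and what it looks like."""
    h = parse_headers(raw)
    fam = ua_family(h)
    names = {name for name, _ in h}
    reasons = []
    if fam in ("headless-chrome", "script"):
        reasons.append("user-agent declares an automation client")
    if fam == "chrome" and "sec-ch-ua" not in names:
        reasons.append("Chrome UA without client hints")   # assumption: modern Chrome sends sec-ch-ua
    prof = profiles.get(fam)
    if prof:
        if http_fingerprint(h) not in prof["http"]:
            reasons.append("header order never seen from this UA family")
        if ja3 not in prof["tls"]:
            reasons.append("TLS fingerprint never seen from this UA family")
    return reasons


BOT_REQUEST = "\n".join([  # claims Chrome, but header order and TLS stack say otherwise
    "GET /login HTTP/1.1",
    "Host: shop.example",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36",
    "Accept-Encoding: gzip, deflate",
    "Accept: */*",
    "Connection: keep-alive",
])
JA3_SCRIPT = "ja3-placeholder-script-client"    # constructed placeholder, not a real JA3

if __name__ == "__main__":
    profiles = build_profiles(KNOWN_HUMAN)
    print("human:", assess(HUMAN_CHROME, JA3_CHROME, profiles))
    print("bot:  ", assess(BOT_REQUEST, JA3_SCRIPT, profiles))
```

The point of checking the layers against each other is that a forged user-agent string is cheap, while making the header order and the TLS handshake agree with that string takes more effort; a profile learned from real traffic per user-agent family turns every mismatch into a signal.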


Better Human-Like Behavior

Along with fingerprints, behavioral signals are incredibly important when determining whether a user is a human or a bot. Behavior tends to include things like mouse movements, touch events, typing speed, and the way the user is browsing the site. Behavioral signals are usually fed into machine learning models to detect whether a user’s behavior matches human behavior well enough.

Mimicking Human Behavior

Bot developers now have access to an array of methods for mimicking human behavior, like forcing non-linear mouse movements. Several open-source libraries have been developed to assist more bots in evading detection based on behavioral signals. Because bot management solutions compare unknown user behavior with known human behavior, a bot’s ability to appear as human as possible is key.

Bots Using Machine Learning

Machine learning helps bots avoid detection and mimic human behavior. For instance, Google’s image reCAPTCHAs were used to train Google’s image and audio recognition ML models. Then, malicious bot developers were able to use the same models to help their bots solve Google’s reCAPTCHA challenges.

In bot development, machine learning is used for two main reasons:

  • Generating realistic human behavior, mostly through mouse movements. Attackers can use generative adversarial network approaches to generate a stream of mouse movements that resemble human behavior.
  • Solving CAPTCHA challenges with audio/image recognition. Bot developers can use an open source library, train their own neural network, or leverage external APIs (e.g. from Google Cloud) to access ML models.
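The behavioral-signal discussion above (mouse movements fed to models) and the first bullet here (generated mouse movements) are both about the same question: what distinguishes a pointer trace produced by a script from one produced by a person. The following is an added example (not DataDome's model) that computes a few simple geometry and timing features over a trace and applies an illustrative rule; both traces are constructed, a scripted straight-line move and a pseudo-random curved one, and the thresholds are assumptions.

```python
"""Simple behavioural features over a pointer trace, and why hand-written rules
alone are brittle.

Added example: both traces are constructed (a scripted straight-line move and a
pseudo-random curved one); the thresholds are illustrative, not DataDome's model."""
import math
import random


def features(trace):
    """trace: list of (x, y, t_ms). Returns a few geometry/timing features."""
    if len(trace) < 2:
        raise ValueError("need at least two points")
    segs = list(zip(trace, trace[1:]))
    dists = [math.hypot(bx - ax, by - ay) for (ax, ay, _), (bx, by, _) in segs]
    dts = [bt - at for (_, _, at), (_, _, bt) in segs]
    path = sum(dists)
    chord = math.hypot(trace[-1][0] - trace[0][0], trace[-1][1] - trace[0][1])
    speeds = [d / dt for d, dt in zip(dists, dts) if dt > 0]
    mean = sum(speeds) / len(speeds) if speeds else 0.0
    std = math.sqrt(sum((s - mean) ** 2 for s in speeds) / len(speeds)) if speeds else 0.0
    return {
        "straightness": chord / path if path else 0.0,   # 1.0 == perfectly straight
        "speed_cv": std / mean if mean else 0.0,          # 0.0 == perfectly constant speed
        "distinct_intervals": len(set(dts)),              # scripted moves often tick at a fixed rate
    }


def classify(f):
    """Illustrative rule: a straight path at constant speed is not how people move a mouse."""
    if f["straightness"] > 0.99 and f["speed_cv"] < 0.05:
        return "bot-like"
    return "human-like"


def linear_bot_trace():
    """Scripted move: 40 equal steps, one every 10 ms, from (0,0) to (300,200)."""
    return [(300 * i / 39, 200 * i / 39, 10 * i) for i in range(40)]


def constructed_human_trace(seed=7):
    """Curved path with jittered timing; stands in for a real human recording."""
    rng = random.Random(seed)
    pts, t = [], 0
    for i in range(40):
        f = i / 39
        pts.append((300 * f, 200 * f + 60 * math.sin(math.pi * f), t))
        t += 12 + rng.randint(-6, 6)
    return pts


if __name__ == "__main__":
    for name, trace in (("scripted", linear_bot_trace()), ("curved", constructed_human_trace())):
        f = features(trace)
        print(name, {k: round(v, 3) for k, v in f.items()}, "->", classify(f))
```

The rule catches the naive scripted move, which is exactly why the libraries the post mentions force non-linear paths and why generated movement streams exist: they are built to pass checks like this one. That is the reason behavioral signals are combined with many other features in a learned model rather than applied as a handful of fixed thresholds.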

Site-Specific Bots

Most bots are general-use tools that can be used on multiple platforms and sites. But as bot protection has become more effective, developers have found a new way to avoid easy detection: site-specific bots, hand-crafted for use on one website, mobile app, or API. 

Site-specific bots can be better programmed to ensure their behavior and fingerprints match more closely with the human customers that normally use the site, app, or API.

Some bots are attack-specific (rather than site-specific), crafted for a certain attack type, such as scalping or scraping. These bots are fully invested in making their attacks pay off, either for the bot developer, the customer using the bot as a service (BaaS), or both.

JavaScript

These days, it’s easy for attackers to create bots that can execute JavaScript (JS). Open-source libraries like Puppeteer, Playwright, and Selenium are used to instrument headless browsers, and bots as a service spawn browsers in the cloud on behalf of their customers—all of which can execute JS. JavaScript can assist bots in performing malicious actions, and help them avoid detection by appearing as human as possible.

CAPTCHA Solving

From our customer data, we know half of all passed traditional CAPTCHAs are solved by bots. Both advances in machine learning and the leveraging of humans through CAPTCHA farms have enabled bots to bypass traditional CAPTCHAs with relative ease. Therefore, companies that use a CAPTCHA as a single line of defense against bots are finding the strategy ineffective.

That’s why DataDome’s bot protection engine uses CAPTCHA as one signal among billions (one trillion per day, more specifically) to determine if a request comes from a human or a bot. Our CAPTCHA is the first fully privacy-compliant, secure, and user-friendly CAPTCHA on the market. DataDome’s CAPTCHA is completely integrated into our bot detection engine, offering superior protection thanks to the aggregate detection signals from all protected customer mobile apps, websites, and APIs.

DataDome is the first vendor to ensure that 99.99% of real users will not see a CAPTCHA. And if a real user sees the CAPTCHA, they will find a very simple challenge that is highly accessible for people with visual impairments, with audio challenges available in 13 languages.


Availability of Bots as a Service

Up until fairly recently, someone who wanted to attack a website had to know how to code bots, forge fingerprints, and rotate proxies consistently. Now, bot as a service (BaaS) providers do all the hard coding work and let users pay to run bots at scale. People with no knowledge of bot programming can use bots for all kinds of attacks—usually scraping or scalping (e.g. sneaker bots).

For the most part, a BaaS is a REST API. Users provide the URL they want to scrape, and they only have to pay when the request is completed successfully. If the request is blocked, the user doesn’t have to pay anything. Users don’t have to worry about proxy bandwidth either, which can be expensive.


Threats are more frequent and intense now that attackers can access BaaS to simplify scraping and other malicious activities without spending time or money on unsuccessful attempts. To circumvent the attacks, businesses must ensure threats are blocked from the very first request. You should also be able to examine your threats in detail to better understand where they’re coming from and how to best defend your business and your customers.

Who is at risk?

The targets of bot attacks have not changed much over the last few years. Any website that sells products or services—and processes payments from customers—will find itself targeted by a host of bots for nefarious purposes. Some bots aim to take over accounts entirely, some attempt to gather customer payment details, and even more will scrape listings and proprietary price information to destroy your competitive advantage.

E-Commerce

E-commerce websites, mobile apps, and APIs have always been targeted by bots—particularly scrapers and scalpers. Bot problems are even worse on sites with limited-edition products like sneakers, GPUs, and certain game consoles. Scraping and scalping attacks can consume significant bandwidth, pull your IT team away from other important issues, and make it much harder for your human customers to shop for the merchandise they want.

Now more than ever, e-commerce sites need to have robust and efficient bot management solutions in place, so customers can purchase without worrying about site crashes or items selling out in seconds.

Streaming & Subscription

As streaming has become more ubiquitous in recent years, we have seen a rise in bot attacks on streaming and subscription sites, apps, and APIs. Because these services are not typically offered for free and usually require a monthly subscription, some people are willing to pay (less than the normal price) to get access through a stolen account. There has even been a rise in ads on social media (such as Instagram, TikTok, and Facebook) promoting services that offer stolen account credentials.

Because streaming accounts are in such high demand, we have seen an increase in account takeovers (ATOs), usually through credential stuffing attacks. Streaming and subscription services should take special care to choose a bot management solution that will secure their customers’ accounts while also protecting against all other kinds of bot attacks.

Conclusion

Bots become more sophisticated every day due to the persistence of the cybercriminals who develop and operate them. Bot management solutions must be equally devoted and persistent in order to continuously detect new types of bot attacks before they can cause damage to protected businesses.

Distributed attacks and high-quality IP addresses prevent WAFs and rate limiting from being effective. Forged fingerprints and human-like behavior—through machine learning, CAPTCHA farms, and more—have made it essential to gather and analyze more signals for suspicious discrepancies. The rise of BaaS has enabled anyone to deploy bots at scale against any platform and endpoint, further increasing the number of bot attacks overall.

Threats will not devolve. DataDome offers the fastest, most secure, and most user-friendly bot protection on the market, with an extremely low false positive rate (0.01%), and an unrivaled CAPTCHA. If you’d like to see how it works and ask an expert how DataDome stays ahead of evolving bot threats, book your demo today.

*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by DataDome. Read the original post at: https://datadome.co/threat-research/how-bots-are-evolving-in-2022-top-threats/