Barracuda, a provider of cloud-enabled security solutions, released its monthly Threat Spotlight: When bad bots attack.
Holiday shopping season makes e-commerce sites an attractive target for cybercriminals. A report shows that more than 40% of Hong Kong respondents will do Christmas shopping online this year amid the pandemic, as compared to only 25% in 2019. Cybercriminals use bots to run distributed denial of service (DDoS) attacks, make fraudulent purchases, and scan for vulnerabilities they can exploit. According to HKCERT, botnet events were the second most common security incident in Hong Kong from 2019 to June 2020.
In mid-November, Barracuda researchers ran Barracuda Advanced Bot Protection in front of a test web application, and the number of bots they detected in just a few days was staggering, with millions of attacks coming in from thousands of distinct IP addresses.
When viewed by time of day, the researchers saw that bots don’t just wait until the middle of the night to attack. In fact, bot activity peaks mid-morning and doesn’t fall off until closer to 5 p.m., which may indicate the cybercriminals (aka “bot herders”) follow a regular working day.
Here’s a closer look at the trends Barracuda researchers found about the ways cybercriminals are spoofing good User-Agents and the new patterns for these types of attacks.
Bad Bot Personas — Bad bot personas are bots that have been identified as malicious based on their pattern of behavior. Bad bots are grouped by User-Agent, but some User-Agents are good. For example, GoogleBot, which crawls sites and adds them to search rankings, is good and should not be blocked. Google has many different User-Agents, details please refer to the Appendix.
The problem is bots will spoof these known good User-Agents, so you have to look deeper to tell them apart. To identify a bot as being bad when the User-Agent claims to be a good search engine, Barracuda researchers use methods including:
- Injecting honeytraps like hidden URLs and JS challenges. Bots follow links and respond to JS challenges quite differently than humans.
- Using rDNS (reverse DNS lookup) to verify a bot comes from the claimed source.
- Checking to see if the client is trying to access URLs used by common app fingerprinting attacks.
- If these methods do not catch it, researchers do further analysis with machine learning.
When viewed by top bad bot personas, the data gathered by Barracuda researchers shows an increase in the following bad bot personas: HeadlessChrome, verbasoftware, and MJ12bot, ahead of newer browsers like Microsoft Edge.
The Non-Standard User Agent/malicious user covers the following categories:
- Bots pretending to be a specific browser but using a non-standard string;
- Bots pretending to be a specific software but using a non-standard string;
- Bots pretending to be a specific browser but caught because of unusual browsing patterns or other bot checks;
- Bots pretending to be a “good” bot but caught using rDNS lookups.
When analyzing which ISP (Internet System Provider) or ASN (Autonomous System Number) is the source of bad bot activity, researchers found Indian mobile provider subnet ranges in the mix, as well as some of the big public cloud providers. This shows that the source of bots may be international, although this would depend on the bot and the site it is targeting.
How to protect against bot attacks
With holiday shopping season now in full swing, e-commerce teams should take the following steps to safeguard their applications against bad bots:
- Install a web application firewall or WAF-as-a-Service solution and make sure it is properly configured;
- Make sure these application security solutions include anti-bot protection so they can effectively detect advanced automated attacks;
- Turn on credential stuffing protection to prevent account takeover.
The report is available here.