Bots, Botkits, and Botnets – Know Your Enemy

Cyber criminals today have a growing arsenal of tools and methodologies to attack and infiltrate the information systems and data of their victims.  Malicious bots are among their most powerful and dangerous weapons. Bots make it possible for fraudsters to automatically attack en masse and at lightning speed. Likewise, bots and botnets are also instrumental to the success of slow and stealthy assaults run by advanced persistent threat actors (APTs).

However, if malicious bots are detected and effectively mitigated, most attackers will quickly fail and withdraw because it’s simply too difficult to manually execute a successful strike. Without the use of automated bots, cyber attacks simply require too much effort to remain profitable. Organizations that understand this dynamic and work to mitigate bad bots will have a much greater chance of protecting their data and their customers' privacy. 

Bots are Everywhere – Good and Bad 

Bots are extensively used on the internet, accounting for around half to two-thirds of all internet traffic. Good bots are used by services like search engines and news aggregators. Unfortunately, malicious bots are also common. Bad bots are so pervasive that virtually every online property is now attacked each month.

As a test to determine the prevalence of bad bots, Honeynet, an international non-profit security research organization, set up a barebones website. It had no domain name and no useful services. Within 24 hours this brand-new, unnamed and virtually invisible web server was attacked more than a quarter of a million times.

Malicious Bots – Easy to Build, Buy, or Rent

Bots are not just powerful tools—they are easy for bad actors to obtain and use.  They can be purchased, rented, developed from kits, or for more sophisticated attackers, programmed from scratch.

Botkits are also readily available and inexpensive, sometimes even free. Using these bot development kits, attackers with limited skills can quickly develop their own bots, and adapt them to perform specific, nefarious tasks. 

Bad actors don’t even need to possess or acquire a bot to use it. There are dozens of services available that will do virtually all of a hacker’s dirty work. Fraudsters specify what they want, pay a fee, and the service does the rest. These destructive services have been evolving for a long time. In 2012, Computer World’s article Software that Lies, uncovered many websites that openly advertised a number of nefarious services—some were intended just for pranks, but others were quite dangerous. The advertised prices are surprisingly low.

Example bot services from 2012:

• Bots to commit ad fraud for as little as $2 USD. 
• Bots that will generate fake reviews for $5 USD. 
• Services that will create 5,000 fraudulent Twitter followers for less than $50 USD. 
• Software that spoofs the sender’s address for outgoing email – price not disclosed.

Over the past decade, this ecosystem has evolved further, with increasing specialization: some teams only build malware tools, others only operate botnets and rent them out, and so on.

Today, many bots-as-a-service offer highly sophisticated features, including:

• Comprehensive reports detailing tasks completed and corresponding results.
• Scheduling services so tasks can be launched at predetermined times.
• Ability to automatically make purchases using stolen payment cards or PayPal.
• Orchestrating secure deliveries of fraudulent purchases.
• Numerous invisibility features, shielding the attacker’s identity.
• Randomized timing, keystrokes, nonlinear mouse movements, and other actions that better simulate human behavior. 
• Automatic rotation through thousands of different source IP addresses and devices to make detection and mitigation more difficult.
• Everything needed for fraudsters, even those with no technical skills.

Cybercriminals can also use Bots-As-a-Service to create new, unique, and powerful custom bots of their own. This opens the cyber door for new criminals with virtually no technical skills at all, equipping them with powerful ways to attack corporations and user privacy. With a little bit of money, nearly anyone can become a cybercriminal.

As cybercriminals have invested in improving their abilities, so have defenders. hCaptcha Enterprise detects and deters these kinds of attacks seamlessly, thanks to a sophisticated self-supervised learning approach combined with the industry's most advanced challenge platform.

Botnets – Powerful Armies of Malicious Bots

The ultimate strength of bots lies in botnets, which are large groups of malware-infected devices that attack in concert under the direction of the botnet owner, or bot herder. Botnets can consist of thousands or even millions of devices. They often grow automatically by sending malicious emails, which infect more machines when opened.  For example, the Zeus and Mariposa botnets each infected over 10 million computers.

Botnets provide the collective processing power to pull off large-scale attacks, and because botnet traffic comes from numerous locations and IP addresses, it’s often difficult for organizations to identify and mitigate the attack. 

Bot herders often rent control to a wide variety of bad actors who may alter the bot’s malicious payload. For one attack, the botnet might be configured to break into existing user accounts, only to be reconfigured for other purposes during subsequent attacks.

As an example, the Dridex botnet is one of the most notorious. It is primarily used in account takeover scenarios to steal banking credentials via credential stuffing attacks—thereby granting hackers access to bank accounts. However, in addition to stealing bank account credentials, the collection of Dridex bots can also steal personally identifiable information (PII), payment card data, and other private information.  Like many bots, Dridex self-propagates via email attachments. 

Malicious Bots Compromise Privacy and Cause Financial Damage

Bad bots are a key component in many, if not most data breaches affecting privacy.  Damages can be significant and include: financial loss; injury to the company’s reputation and brand; operational downtime; legal entanglements and fines; and loss of private data including PII and intellectual property (PI). 

According to IBM, the 2021 Cost of a Data Breach averaged $4.24 million dollars (USD).  That’s up from $3.86 million in 2020.

These damages are often caused by the following types of bots:

• Vulnerability scanning bots
• Account Take Over bots / Credential stuffing bots
• Fake Account Creation bots
• Card Testing bots
• Gift / Payment Card Cracking bots
• Spambots
• Scalping / Denial of Inventory bots
• Denial of Service bots
• Ad-Fraud / Click-Fraud bots
• Fake Review Generating bots
• Web-Scraping bots

Defending Your Privacy from Malicious Bots and Botnets

There’s no single solution that will fully protect you from all malicious bots. But there are a number of things that you can do to dramatically reduce your chances of having a breach occur. 

Here are some tips for what to look for in a sound bot management and mitigation strategy:

• Identify known “good” bots: Useful bots are built by reputable companies, and will access the application’s robots.txt file and follow the rules specified there (e.g.; how often the site should be accessed). hCaptcha Enterprise automatically identifies and verifies hundreds of common good bots, simplifying this task dramatically.
• Use Machine Learning to Keep Up with New Threats: New bots are rapidly and constantly emerging and they can’t be detected by signatures or other legacy technologies.  Modern machine learning-powered solutions are the only way to automatically detect and adapt to new threats in real time. Convenient API-driven feedback loops allow you to automate this process with tools like hCaptcha.
• Distinguish between real humans and bots: Since most attacks are performed by bots, this is one of the most effective practices. Many of today’s sophisticated bots are adept at emulating human beings, and hCaptcha specializes in high confidence humanity verification that separates out real users from clickfarms and automation.
• Throttle suspicious traffic: If you suspect malicious activity, you can rate limit the traffic until you are fully able to determine its intent.  This practice can keep valid traffic flowing while you investigate further. This is done automatically by hCaptcha when deployed against your endpoints.
• Don’t violate user privacy in your attempt to mitigate bots: In your efforts to safeguard privacy, make sure your bot management solution(s) don’t have the unintended consequence of violating your user’s privacy by relying on, transmitting, storing, or otherwise compromising any of their personally identifying information. Legacy options like reCAPTCHA fail this requirement.

Adhering to the suggestions above will significantly reduce the risk of a successful bot attack. By implementing a robust bot mitigation solution like hCaptcha Enterprise, your organization will stay ahead of current and evolving threats.

Summary  

With malicious bots responsible for up to two thirds of all internet traffic, it is vital for online property owners to understand how bots work, and the steps they can take to protect themselves.  

The rampant availability of inexpensive and powerful bots are emboldening new bad actors to enter the realm of cybercrime. All indicators point to an uptick in the number of bad bots trafficking the internet along with increased levels of sophistication.

Fortunately, organizations that protect themselves through the implementation of sound bot mitigation policies, practices, and quality tools can avoid much of the cost, risk, and stress of being unprotected on the open internet.

‍