What is a Sophisticated Bot Attack?

Alex McConnell

    Earlier this year we stated that bot attacks can be run by anyone, from skilled individuals to organised gangs. Bots can hit websites for a number of reasons. Common attacks range from credential cracking and account takeover to scalping. These bots have the power and capability to conduct multiple attacks repeatedly.

    Those actions have long been standard for bots though, so what is new in the world of bot attacks? What is making these attacks more sophisticated? How can we know what has changed to improve defenses and our capability to spot and stop them?

    The origins of simple bot attacks

    The use of bots goes back some 30 years, to when bots had both legitimate and malicious uses. Back in the 1990s they could be used as web crawlers to find, index and categorize web pages. Others had the ability to spread around networks like worms.

    Take the PrettyPark email worm as an example. This arrived in an email containing the attachment “Pretty Park.exe” that, when downloaded, joined an internet relay chat channel and could collect information from the system and network it resided on. This included the computer name, product name, product identifier, product key, registered owner and organization, version number and user’s email address. Recognized as the first botnet worm, PrettyPark led the way to other similar future variants.

    This led to the formation of botnets, collections of bots which have mostly been used to conduct DDoS attacks, while an individual bot is often involved in the attack methods mentioned above.

    One example from 2022 is the credential stuffing attack on PayPal. Close to 35,000 users were impacted, where “unauthorized third parties” had access to account holders’ full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.

    Also, the use of bot attacks in scalping – buying in-demand items like concert tickets faster than humans can – is increasing constantly. This led the New York State Attorney General Eric T. Schneiderman to issue a report, pointing out that “ticket bots amass hundreds or thousands of tickets in an instant.” Businesses can be impacted in multiple ways: from lost funds, to diminished goodwill from customers as tickets are resold at inflated prices.

    Andrew Ash, CISO at Netacea, calls simple bot attacks those that “started with one person on one computer running one thing to do one thing against one customer. It’s very siloed and linear; what we are seeing more and more is the adoption of different ways of distributing an attack.”

    Evolution of sophisticated bots

    This heritage of more simple bot attacks may seem quaint in comparison to the sophistication of how bots operate and attack now and in the future. Ash says bots will find new ways to conduct an attack – today at Netacea, we often encounter the “rotation of thousands of IP addresses a minute, if not millions of IP addresses over the entire range of an attack.”

    Also, to ensure wider distribution of attacks, Ash notes that attacks are distributed through networks that have been procured or stolen, or using residential proxies – or even a mix of the two – whichever can be purchased and used the most effectively.

    Ash says the most notable element of a sophisticated bot attack is any way the attackers can make the impact both quicker and cheaper, and particularly where there is a higher value target. “The sophistication of the attack is predicated on the value of the goods that are trying to be stolen or the size of the prize,” he says.

    “Return on investment is everything to attackers. So, the more valuable the attack can be, the more sophisticated the attack becomes.”

    Also, research has determined that the future of bot attacks lies with them being much smarter. Attacks will be context-aware interactions, which attempt to take over accounts and use human elements to conduct their activities.

    How AI has driven bots to become more sophisticated

    The increased sophistication of bots will likely include the use of AI in the future, and specifically generative AI (GenAI) to improve the language used in phishing messages and target specific victims.

    Could there be a different form of sophistication, or even multiple different forms being used? Andy Still, CTO and co-founder of Netacea, said his definition of what makes a bot attack ‘sophisticated’ falls into three categories: the attack must be targeted, it must be tailored, and it must be complex.

    Targeted means that the attacker has identified a specific company who has specific data or an item of value that they want to get access to, “and they are therefore going to launch an attack that is just to achieve that one agreed outcome,” he said.

    He said that by being more tailored, they are using tools, software or an approach that they have probably used before, and will adjust the attack to address the specific defenses that are put in place by the company that they are trying to attack.

    “They’re evolving to meet the particular requirements,” Still said. “Complex means that they are applying one or more set of sophisticated bypass techniques in order to bypass the defenses in place. For example, they may use CAPTCHA bypass software.”

    Incidents involving CAPTCHA bypass have been demonstrated, such as in one operation where someone was able to complete a CAPTCHA using AI, and at the same price as it would cost to use a human in a CAPTCHA farm.

    In fact, one analysis said the competitive landscape of CAPTCHA bypass tools “is now dominated by AI-driven technologies”, as “AI-driven solutions can swiftly navigate through once insurmountable obstacles” and AI models can “decipher even the most complex challenges with remarkable accuracy.”

    Andrew Ash says the next stage for AI-powered CAPTCHA bypass is where an AI can use a CAPTCHA farm and request its services as in the research example above. “AI turns out [to be] better at solving CAPTCHA than humans, which I’m sure is the wrong way around,” Ash says.

    The next step is building security solutions where defenses are powered by AI to better defend against sophisticated attacks at scale.

    Types of sophisticated bot attack

    However sophisticated bot attacks become at getting around defenses and causing damage, the types of attack and the reasons behind them remain similar. There was an increase in bot attacks by 123% in the second half of 2022, marking a 108% YoY increase from 2021.

    Matthew Gracey-McMinn, head of threat research at Netacea, said some attackers may have a specific tool that they just throw against every website they see. “They may be happy to accept that on some sites it will work and some it won’t, while a more sophisticated attacker is more likely to customize their tools specifically to try and attack a target site,” he says.

    This process is detailed in the BLADE Framework, a knowledge base on automated attacks pioneered by Gracey-McMinn’s team. It begins with reconnaissance, trying tools, testing defenses and a “whole attack lifestyle cycle” to build a tool designed specifically to bypass the defenses that that site is implementing to protect itself.

    This leads to groups being more professional, where loose affiliations of attackers share information and code about how to get around defenses. Many offer their services to other attackers in a broader ecosystem.

    These more professional groups are supported by increasing developments in AI, which speeds up all the individual parts of the ecosystem, but also provides a type of ‘expert’ to the bot users – who may themselves not be particularly sophisticated.

    Gracey-McMinn said that with the use of AI and all the various other parts of the ecosystem, “an attacker has the ability to piece together a very sophisticated attack and launch it to devastating effect.”

    With the evolution of new technologies, there is always the potential for advancement and increased sophistication. The standard for how bot attacks operate and what they are after is established, so sophistication lies in the use of AI to send and operate attacks and removing human interaction – possibly altogether someday in the future.

    The need for sophisticated defenses

    In the past, defenses have been limited to a static blocklist of suspected “bad” IP addresses. Once attackers began rotating IPs, defensive software switched to investigating the requester’s client for telltale signs of non-human interaction (device fingerprints, mouse movements, use of JavaScript etc.).

    Today’s attackers have outgrown these defenses by emulating signals they know defenses are looking for, often in pre-built packages for anyone to easily use.

    For this reason, Netacea Bot Protection looks past basic behaviors – instead distinguishing the intent of every web visit against every other visit to mark out malicious actors. This is only possible thanks to years of finely tuned machine learning models and defensive AI.
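
The limits of static IP blocklists and per-IP counting against rotating addresses, described in this section, shown as an added example (not Netacea's code or method). The login events, IP addresses (documentation ranges), blocklist entry and all thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

BLOCKLIST = {"192.0.2.66"}   # constructed static list of previously seen "bad" IPs
PER_IP_FAIL_LIMIT = 5        # assumed per-IP failed-login threshold

def build_sample_events():
    """Constructed login events: (minute, source_ip, username, outcome)."""
    # One distributed run: 40 failures in one minute, every request from a new IP.
    events = [(0, f"198.51.100.{i + 1}", f"user{i}", "fail") for i in range(40)]
    # Ordinary visitors: successes and one mistyped password.
    events += [
        (0, "203.0.113.10", "alice", "ok"),
        (0, "203.0.113.11", "bob", "fail"),
        (0, "203.0.113.11", "bob", "ok"),
        (1, "203.0.113.12", "carol", "ok"),
        (1, "203.0.113.10", "alice", "ok"),
    ]
    return events

def blocklist_hits(events):
    """Static blocklist: only matches IPs that were already known."""
    return [e for e in events if e[1] in BLOCKLIST]

def per_ip_offenders(events):
    """Per-IP counting: each rotated IP fails once, so none crosses the limit."""
    fails = Counter(ip for _, ip, _, outcome in events if outcome == "fail")
    return {ip for ip, n in fails.items() if n > PER_IP_FAIL_LIMIT}

def suspicious_minutes(events, min_attempts=20, min_fail_ratio=0.8, min_ips=15):
    """Endpoint-wide view: many failures in a minute, spread over many IPs."""
    buckets = defaultdict(list)
    for minute, ip, user, outcome in events:
        buckets[minute].append((ip, user, outcome))
    flagged = {}
    for minute, rows in buckets.items():
        fails = [r for r in rows if r[2] == "fail"]
        ratio = len(fails) / len(rows)
        ips = {r[0] for r in fails}
        if len(rows) >= min_attempts and ratio >= min_fail_ratio and len(ips) >= min_ips:
            flagged[minute] = {"attempts": len(rows), "fail_ratio": round(ratio, 2),
                               "distinct_ips": len(ips)}
    return flagged

if __name__ == "__main__":
    sample = build_sample_events()
    print("blocklist hits:", blocklist_hits(sample))
    print("per-IP offenders:", per_ip_offenders(sample))
    print("flagged minutes:", suspicious_minutes(sample))
```

Both IP-keyed checks return nothing for the distributed run, while the aggregate view flags the minute it happened in; a production system would tune these thresholds against its own baseline traffic.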
