By Omri Iluz, PerimeterX

Online bot attacks are growing rapidly. Attempts to defraud apparel web sites were up nearly 70% in 2016, and attacks on food delivery sites jumped 49.8%, according to research by Forter and the Merchant Research Council. Many attacks are automated, and are driven by smarter bots. Several sources estimate that bad bots make up nearly 50% of all traffic to retail web sites.
Could We Be Targeted? You Probably Are Now, But Don’t Know It
The question “Could we be the next target?” is best answered with: “You are likely under bot attack right now, and don’t know it.” The latest botnet-driven attacks often go undetected — in large part because next-generation bots have improved capability to “act human.”
The ability of newer bots to pose as legitimate users helps them avoid detection by security tools. It also gives hackers a major advantage in carrying out more complex attacks.
Attackers demonstrate detailed knowledge of retailers’ business logic and procedures. The bots can be invisible. Botnets contain vast numbers of bots, but each bot might make just one or two attempts to penetrate a site, thereby often going undetected by traditional tools retailers have in place today.
Some real-life bot attacks are camouflaged by their ingenious interweaving of multiple attack forms. The most prevalent automated attack methods — the basic chords of bot schemes — are described below.
Types Of Bot Attacks On E-Commerce Sites
- Account takeover (ATO) is frequently the first step in online frauds. According to Javelin Strategy and Research, ATO losses reached $2.3 billion in 2016, up 61% from 2015. Despite increased security measures by retailers, the success rate of break-in attempts appears to be climbing. In one attack documented recently by security firm PerimeterX, a remarkably high 8% of “educated guesses” were successful. Hackers now equip their bots with curated lists of stolen credentials. Since the same credentials are often valid across numerous sites, attackers easily penetrate multiple retail sites.
- Fake user creation often exploits the trust inherent in social login, where Facebook or Google credentials are accepted and allow a user to immediately take actions without additional verifications. This allows bots to automatically create many more accounts, and persuade other social media users to download utilities that are, in fact, bot-carrying malware. Some ad-related frauds rely on hundreds of thousands of fake user accounts as well, according to Ad Age. Advanced bots use the accounts to simulate human ad viewers and defraud advertisers.
- Gift cards are attractive targets. Advanced bots make it easier to find valid numbers and required verification data, and either exploit the gift card balances or sell them on the black market. Another reason hackers love gift cards: over $100 billion is spent on them annually. 97% of top retailers sell their cards online. Gift cards represent an enormous monetary target awaiting cybercriminals, and Javelin estimated that gift card fraud losses were $950 million in 2016.
- Hoarding, or inventory exhaustion, is a DoS (Denial of Service) attack that directly sabotages a retailer’s revenue generation. Bots can put high-demand items (hot new sneakers) or limited-supply items (like hotel rooms) into a shopping cart and hold them there, which locks them out of available inventory. This can block legitimate buyers from purchasing and thereby shut off sales, while deceiving the retailer into believing the hoarded item has sold out and should be reordered, when in fact it hasn’t sold any units.
- New-generation malicious bots are also behind more marketing affiliate fraud, where a business wrongly claims credit and receives payment for web site traffic it did not generate. According to the Association of National Advertisers, ad-related fraud alone reached $7.2 billion in 2016.
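The point made earlier, that each bot in a botnet may make just one or two attempts, is easiest to see on login traffic of the kind involved in account takeover. The following is an added illustration, not code from PerimeterX or from the research cited here: the events are constructed, the thresholds are assumptions, and the site-wide rule is a simple aggregate check rather than the behavior-based approach discussed later in the article.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

def build_sample():
    """Constructed login events (time, source IP, username, outcome); not real traffic."""
    t0 = datetime(2017, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    # 40 bots, each trying one credential pair exactly once from its own IP.
    for i in range(40):
        outcome = "ok" if i % 12 == 0 else "fail"
        events.append((t0 + timedelta(seconds=5 * i), f"198.51.100.{i + 1}", f"user{i}", outcome))
    # One ordinary customer who mistypes a password twice, then gets in.
    for j, outcome in enumerate(["fail", "fail", "ok"]):
        events.append((t0 + timedelta(seconds=30 + 10 * j), "203.0.113.7", "alice", outcome))
    return sorted(events)

def per_ip_flags(events, max_failures=5):
    """Volumetric rule: flag any single IP with more than max_failures failed logins."""
    fails = Counter(ip for _, ip, _, outcome in events if outcome == "fail")
    return {ip for ip, n in fails.items() if n > max_failures}

def site_wide_flags(events, window=timedelta(minutes=5), min_sources=20):
    """Flag time windows in which many sources each fail only once or twice,
    spread across many different accounts."""
    buckets = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "fail":
            buckets[int(ts.timestamp() // window.total_seconds())].append((ip, user))
    flagged = []
    for bucket, fails in sorted(buckets.items()):
        per_ip = Counter(ip for ip, _ in fails)
        low_rate = {ip for ip, n in per_ip.items() if n <= 2}
        accounts = {user for ip, user in fails if ip in low_rate}
        if len(low_rate) >= min_sources and len(accounts) >= min_sources:
            flagged.append({"window": bucket, "sources": len(low_rate), "accounts": len(accounts)})
    return flagged

if __name__ == "__main__":
    events = build_sample()
    print("per-IP rule flags:", per_ip_flags(events))
    print("site-wide rule flags:", site_wide_flags(events))
```

The per-IP rule sees nothing because no single address crosses its threshold, while the site-wide rule flags the window as a whole; it identifies that an attack is under way, not which individual requests belong to it.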
Why It’s Hard To Stop Advanced Automated Bot Attacks
Automated attacks give hackers several significant advantages. The latest generation of bots can hijack real users’ sessions, which start with a legitimate human login showing normal human behavior. This causes volumetric and IP reputation measures, on which most retailers rely, to fail. These bots are continually updated and programmed with new capabilities.
Unlike earlier, more easily blocked bots, the newest bots bring versatility and surprising abilities to the job. After piggybacking on a human user who logs in to a web site using valid credentials, a bot can follow complex instructions to perpetrate frauds while “acting human” the entire time. For example, the bot can move a mouse randomly, hover before clicking on a menu choice, and browse and post reviews before it checks the balance on a gift card.
Detect And Stop Advanced Bots Early To Limit The Damage They Cause
Attackers can program advanced bots to replicate human behavior quite skillfully, but a new type of web security defense is emerging: a behavior-based approach that can detect and block bots based on how they interact with specific web pages. In fact, analyst firm 451 Research labeled it Web Behavior Analytics (WBA) and claims it is “the cornerstone of advanced bot defense.”
A web behavior-based bot-detection and blocking service can check many parameters of behavior of your user, your application and the network in real time. It’s key to remember that nearly every e-Commerce web site with significant traffic volume and loyal users is on a hit list. The attacks are ongoing, but they are not caught by traditional security tools. The longer a bot attack continues before detection, the more damage it can do to a retail business and to loyal customers.
Omri Iluz is the CEO and Co-founder of PerimeterX, a bot security company that uses behavioral analysis and machine learning to prevent automated attacks such as scraping, scalping, account takeover, account abuse, carding, fraud and more. Iluz has more than 15 years of experience in product development, web security, sales and M&A, including roles with Akamai Technologies, Cotendo and Oberon Media.