Apart from cyberattacks on the health care sector and phishing and ransomware campaigns targeting employees working remotely, 2020 also witnessed a surge in bot attacks. Bot attacks have also gained popularity due to their success rate compared to other vectors of cyberattacks. To discuss bot attacks during 2020 and the best mitigation strategies, we have Nicholas Palmer, Vice President of Global Sales, Group-IB. Since the beginning of his journey with Group-IB, Palmer has progressed through the company from a key account manager to become Head of Group-IB’s Global Business with teams reporting to him spanning Singapore, Malaysia, Vietnam, Spain, South Africa, Italy, UAE, the U.K., and the Netherlands. He is also a regular speaker at industry events such as RSA, INTERPOL World, FS-ISAC summits, CyberCrimeCon, and many others.
In an interview with Augustin Kurian from CISO MAG, Palmer reflects on the bot attacks in 2020 and their success rates. He also talks about API security and the tools that hackers favor for attacks. The latter part of the interview has interesting insights on Group-IB’s fraud hunting platform and “smart” bot protection.
Edited excerpts of the interview follow:
Which were the massive bad bot attacks of 2020 that had your attention? Do you believe those could have been prevented? If yes, how?
In 2020, bad bot attacks were plentiful: threat actors resorted to bots frequently to automate the process of conducting fraud, which offered them greater outreach and, hence, higher capitalization of their crimes. The application range of bot attacks is impressive, with bots generating about 30% of Internet traffic. Cybercriminals often leverage bots to compromise users’ online accounts and steal their payment or personal data. There are also several known cases of bots being used as a means of unfair competition — to generate hundreds of negative comments or paid ads clicking.
In terms of scope, the e-commerce sector was often targeted by bad bots. This was due to the proportion of valuable content available on e-commerce websites, both without authentication, such as pricing and scope, and in users’ accounts; the lack of appropriate protection measures; or their ineffectiveness against bot threats. Group-IB has observed a number of large-scale bot attacks aimed at getting access to users’ reward points in online stores, their travel miles, or even personal data. Such attacks were characterized by the high intensity of requests, totaling up to 90% of all website traffic at some point. Apart from direct financial losses, bot attacks can create inconvenience for legitimate users who might have problems accessing the website.
Most of these incidents could have been prevented if a proper mechanism for checking all the requests and their source was in place. The thing about AI and machine learning is that it’s used by not only good guys but by bad actors as well. To shield against advanced bot attacks, one should not only analyze the source of requests, the frequency of requests from the same IP address, but also behavioral parameters like whether the request was generated by a browser or some tool like Selenium, to imitate user activity, and if it is the result of the user’s activity in a mobile or web app.
According to your research, three out of 100 user sessions at banking and e-commerce portals worldwide appeared to be fraudulent, with malware attacks, social engineering, and bot activity as the top three threats for users of e-commerce and banking portals. Following the same chronology, among these top three threats, which sees the maximum rate of success?
These three attack vectors compete in effectiveness, and we often see that one attack vector serves as a continuation to another. We have recently seen online fraud with the use of a Trojan utilizing the Android Accessibility Service for the bot-generated money transfers in mobile banking. In addition, sometimes it is difficult to distinguish between these three vectors.
Bots, however, have been gaining popularity lately with the highest success rate. It relies less on the human factor. In addition, tools for bot development are becoming more unified, diversified, and effective, reducing the entry threshold for conducting bot attacks.
While there are automated bots that snatch the best deals and win giveaways, there are also dangerous ones that break into online accounts, steal users’ payment and personal data, and abuse APIs while imitating human behavior. Do you think the cybersecurity industry is giving enough to API security?
We have seen a number of huge portals that have to deal with bad bots because of outdated and irrelevant security solutions. API abuse is something that is on the rise. While more and more financial institutions and services for banks utilize APIs to fill their apps with data, fraudsters are taking advantage of this. As a result, businesses need to analyze requests to their API…
This story first appeared in the February 2021 issue of CISO MAG.
About the Interviewer
Augustin Kurian is the Assistant Editor of CISO MAG. He writes interviews and features.