How do E-commerce sites resist the AuthBots botnets?

Cybercriminals are siphoning off the personal data of millions of online shoppers. A new type of botnet threatening ecommerce companies has been named "AuthBots" for its relentless attempts to crack authentication mechanisms. AuthBots are used to carry out large-scale attacks by cracking or stuffing credentials and taking over user accounts.

Using an army of bots launched from illegally assigned IP addresses, AuthBots made nearly 2.3 billion attacks on ecommerce business authorization pages in the first three quarters of 2019 alone.

Radware cybersecurity researchers first noticed similar bot traces on many ecommerce sites at the end of 2018 and started tracking botnets.

The following report illustrates the rapid evolution of the mechanisms of AuthBot botnets, as well as their destructive impact on the entire e-commerce ecosystem.

This analysis may take into account only a small fraction of the real damage from AuthBot botnets. The total permanent negative impact on the ecosystem of online retail may be greater, since the analysis of Radware researchers is limited to information on the sites they control.

AuthBot Botnet Overview


First discovered: end of 2018

Scale: About 2.3 billion attacks on authorization pages of ecommerce firms' websites for the period from the first to third quarters of 2019.

Infrastructure: 52 million AuthBot botnet attacks came from 10 popular data centers / public clouds.

Methods: (1) credential stuffing, using credentials stolen or bought on other resources, (2) credential cracking, or (3) brute-force password guessing.

Advanced Bot Detection Bypass Techniques


  • Geolocation and IP address fraud through proxies
  • More than half of AuthBot botnet attacks come from data centers / public cloud services
  • IP-
  • IP- -
  • (RPA),
  • (daisy-chain)

.1 AuthBot-:


  • 2019 AuthBot ecommerce-.
  • AuthBot

Fig. 2 Monthly business damage from AuthBot botnets

AuthBot Botnet Attack Prevention Guidelines


AuthBot botnets belong mainly to the fourth generation of "bad" bots. These bots can connect from thousands of IP addresses in various geolocations and simulate the behavior of a real user. Detecting and repelling AuthBots requires advanced technologies, for example a specialized service from a bot management solution provider.

However, ecommerce companies can take a number of preventive measures to curb the spread of botnets on their sites even before the implementation of a full-fledged specialized solution.

1. Blocking traffic from public clouds / data centers that harbor “bad” bots

A significant percentage of AuthBot bots are launched from public clouds / data centers. Organizations may block suspicious data centers / public cloud services. However, blocking all traffic coming from data centers or service providers, without taking into account user behavior, can lead to false positives.

For example, a significant number of users from commercial organizations whose networks use Internet security gateways (SWGs) to filter user traffic will be classified as traffic from the data centers where the security gateways are located.

2. Monitoring failed authorization attempts and sudden traffic surges

AuthBot botnets attack authorization pages using credential stuffing or credential cracking. Both approaches involve trying many different combinations of user names and passwords, which increases the number of failed authorization attempts. The presence of AuthBots on the site also dramatically increases traffic to the site.

Monitoring failed authorizations and unexpected spikes in traffic will help you take timely action and prevent damage from botnets.
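The monitoring described in points 1 and 2, sketched as an added example (not code from Radware or the original article): it aggregates login failures site-wide per time window, because each bot IP may send only a few requests, and reports the data-center share of failures as a signal rather than a block rule. The log format, thresholds, CIDR list and function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed for this example): "ISO-timestamp ip username OK|FAIL"
# Documentation range standing in for a data-center / public-cloud CIDR list.
DATACENTER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def in_datacenter(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_NETS)

def find_suspicious_windows(lines, window_s=60, baseline=0.10, factor=3.0, min_events=20):
    """Return stats for windows whose site-wide login failure ratio exceeds
    baseline * factor. Aggregating across all sources matters because a
    distributed botnet keeps every single IP under per-IP thresholds."""
    buckets = defaultdict(list)
    for line in lines:
        ts, ip, user, result = line.split()
        epoch = int(datetime.fromisoformat(ts).timestamp())
        buckets[epoch - epoch % window_s].append((ip, user, result == "FAIL"))
    flagged = []
    for start in sorted(buckets):
        events = buckets[start]
        fails = [e for e in events if e[2]]
        ratio = len(fails) / len(events)
        if len(events) >= min_events and ratio >= baseline * factor:
            flagged.append({
                "window_start": start,
                "attempts": len(events),
                "fail_ratio": round(ratio, 2),
                "distinct_ips": len({e[0] for e in fails}),
                "distinct_users": len({e[1] for e in fails}),
                # A signal for review or a step-up challenge, not an automatic block.
                "datacenter_fail_share": round(
                    sum(in_datacenter(e[0]) for e in fails) / len(fails), 2),
            })
    return flagged

def sample_log():
    """Constructed data: one quiet minute, then a minute of distributed stuffing."""
    quiet = [f"2019-09-01T10:00:{i:02d}+00:00 198.51.100.{i} user{i} "
             f"{'FAIL' if i == 3 else 'OK'}" for i in range(1, 21)]
    attack = [f"2019-09-01T10:01:{i:02d}+00:00 203.0.113.{i} victim{i} FAIL" for i in range(1, 41)]
    normal = [f"2019-09-01T10:01:{i:02d}+00:00 198.51.100.{i} user{i} OK" for i in range(41, 51)]
    return quiet + attack + normal

if __name__ == "__main__":
    for w in find_suspicious_windows(sample_log()):
        print(w)
```

In the constructed sample no single IP fails more than once, so a per-IP lockout would never fire; only the aggregate failure ratio and the count of distinct usernames expose the attack.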

3. Tools for detecting automated bot actions disguised as the behavior of real, legitimate users

AuthBot botnets simulate mouse movements, produce random keystrokes and page navigation, similar to the behavior of live users. To prevent such attacks, advanced security tools are required, including deep behavioral analysis models, device / browser fingerprints, and reporting systems to prevent real users from being blocked.

Specialized solutions for protecting against bots can detect such sophisticated automated attacks and help to take proactive measures. In comparison, traditional cyber security tools, such as firewalls and web application firewalls (WAFs), are limited to tracking fake cookies, user agents and IP address reputation.

In addition, the installation or implementation of a specialized solution for bot management not only allows you to reliably protect the authorization pages from AuthBot botnets, but also helps to eliminate other types of automated attacks made after authorization. These types of attacks include parsing to collect data for subsequent analysis (web scraping), as well as abuse and disruption of online store services (checkout abuse and denial of inventory).
