Bad bots rising, protecting your organisation from a growing threat

Not all bots are bad – there are good bots, like those used by search engines and price comparison services. But bad bots are increasingly an issue, whether they’re buying games consoles or concert tickets (I’m still cross that I missed out on AC/DC tickets), or automating attacks on corporate networks and application programming interfaces (APIs).

Bots used to be an expensive investment for criminals, but now you can hire bots – and the infrastructure they need – as a complete service. Criminals are using them in all sorts of ways and classic bot attacks are still going after any sort of limited commodity.

For example, in the early stages of the COVID-19 pandemic, some online shopping services in India found delivery slots being grabbed by bots and offered for resale to desperate people. AMD graphics cards and Sony PlayStation 5s have also fallen victim to scalping bots. AMD even recommended resellers switch to manual processing of early purchases to validate that orders were genuinely from individual customers. And have I mentioned those AC/DC tickets?

However, the modern bot is far more complex and sophisticated than a simple scraper or automated online purchase tool. They are being used to probe corporate infrastructures all day and all night. They seek out credential weaknesses to take over user accounts. And they increasingly target APIs, either to take over accounts or as a way to bypass traditional security set-ups.

Today’s bot providers have evolved too – they are highly professional and well organised. They even keep standard office hours, and don’t operate just in the middle of the night.

Providers sell bots via online marketplaces and some offer money-back guarantees. Some bot sellers have 24/7 helplines if you can’t get your bot to do what you want it to do. They mimic many of the processes of professional software providers, such as automating the testing of their products.

But getting hold of a bot is only half the battle. Criminals need infrastructure to run them. The last generation of bots would run from a compromised data centre or server. This made them relatively easy to identify, and block, via an IP address.

Modern bots are often linked to apparently legitimate online identities, credentials, and email accounts to bypass basic protections and the latest version of reCAPTCHA. They are linked to compromised residential internet accounts and their traffic comes from thousands of different and apparently legitimate IP addresses, making defence far tougher.

All this means that bots do a remarkably good job of hiding in standard browser traffic. This makes defending against them difficult, especially if you don’t want to irritate customers or users with onerous identity procedures or risk blocking legitimate traffic.

Defending your infrastructure against bot attack needs to be considered as a crucial part of your holistic defences. Although many security suites claim to offer bot protection as standard, you should probe a little into what you are getting.

Barracuda’s Web Application Firewall includes Advanced Bot Protection (ABP), which combines built-in bot identifiers along with cloud-based AI and machine learning systems to spot bot attacks. It uses data from a massive honeypot network to spot known bots and also allows you to allow approved bots by IP or URL. It provides a clear dashboard to keep track of bot activity, where it is coming from, and which applications are being targeted.

It is fully configurable to provide the best defence without blocking legitimate customers or traffic. It even allows you to take proactive action against bots. Blocking a bot allows it to attack you again via another IP address or identity. Instead, you can opt to send bots to a ‘tarpit’ where their actions are slowed right down and their resources are wasted with zero impact on your systems.