ShieldSquare is now Radware Bot Manager


E-commerce Firms Beware! A New Type of Bad Bot Is Targeting Your Login Page this Holiday Season

December 23, 2019 | Automated Threats | Bot Prevention Technologies | Radware Research

Cybercriminals are siphoning the PII of millions of shoppers. Dubbed “AuthBots” because of their persistent attempts at cracking authentication, this botnet group targets e-commerce firms with large-scale credential stuffing and credential cracking attacks to take over user accounts. Using an army of bots run from fraudulently acquired IP addresses, the AuthBots made nearly 2.3 billion hits on the login pages of e-commerce businesses during Q1 – Q3 2019. AuthBots target every e-commerce firm that requires a login.

Security researchers from Radware first noticed similar bot fingerprints across many e-commerce domains in late 2018 and started tracking the botnets. The following report illustrates the sophistication and rapid evolution of AuthBots and their damaging effect on the e-commerce ecosystem. Because the analysis is limited to the domains monitored by Radware, the figures below are possibly only a fraction of AuthBots’ true impact, and the total ongoing impact on the e-commerce ecosystem may be larger.

A Snapshot of AuthBot Operation

Observed First: Late 2018
Volume: Nearly 2.3 billion hits on login pages of e-commerce firms during Q1 – Q3 2019
Operation Infrastructure: 52 million AuthBot hits originated from 10 prominent data centers/public clouds
Operation Method: (1) credential stuffing attacks using stolen/purchased credentials; (2) credential cracking (brute force) attacks

Advanced Techniques to Evade Detection

  • Manipulation of geolocation and IP addresses through proxy servers
  • Over half of AuthBot hits originated from data centers/public cloud services
  • Most of the IPs used by AuthBots are in the US
  • Distributed over hundreds of randomly assigned IP addresses and residential proxies
  • Human-like keystrokes and mouse movements
  • Use of machine learning and Robotic Process Automation (RPA) so that each bot works as a standalone software module
  • Daisy-chained and managed through one centralized server

Figure 1: Origin of AuthBots – Top 10 Public Cloud/Data Centers

Figure 2: Origin of AuthBots – Top Countries

Business Impact

  • From Q1 – Q3 2019, AuthBots accounted for a significant percentage of the traffic on targeted e-commerce firms’ login pages.
  • Once an AuthBot operation succeeds, the PII and payment card details of the compromised accounts are stolen.

Figure 3: Business Impact of AuthBots – Monthly Presence

Recommendations to Prevent AuthBot Attacks

AuthBots are predominantly fourth-generation bad bots. These bots can connect through thousands of IPs based in different geographies and mimic human behavior. Detecting and mitigating AuthBots requires advanced technology such as that of a dedicated bot management solution provider. However, the following measures can help e-commerce firms restrain AuthBot activity until they deploy a dedicated solution.

  1. Block Public Clouds/Data Centers That Harbor Bad Bots

     A significant percentage of AuthBots come from public clouds/data centers, so organizations can block suspected data center/public cloud ranges. However, blocking all traffic from data centers or ISPs without considering user behavior causes false positives. For example, a significant number of users from commercial organizations that use secure web gateways (SWGs) to filter user-initiated traffic also appear to come from data centers, because those SWGs are hosted there. Any data center blocking therefore needs to take domain-specific user behavior into account.

  2. Monitor Failed Login Attempts and Sudden Spikes in Traffic

     AuthBots perform credential stuffing and credential cracking attacks on login pages. Because both approaches try many different credentials, or many combinations of user IDs and passwords, they increase the number of failed login attempts. The presence of AuthBots on a website also produces a sudden increase in traffic. Monitoring failed login attempts and sudden spikes in traffic lets you take preemptive measures before AuthBots cause any damage.

  3. Build Capabilities to Identify Automated Activity in Seemingly Legitimate User Behavior

     AuthBots simulate mouse movements, perform random clicks, and navigate pages in a human-like manner. Preventing such attacks requires deep behavioral models, device/browser fingerprinting, and closed-loop feedback systems to ensure that you don’t block genuine users. Purpose-built bot mitigation solutions detect such sophisticated automated activity and help you take preemptive action. In comparison, traditional security solutions – such as firewalls and WAFs – are limited to tracking spoofed cookies, user agents, and IP reputation.

     Also, building or deploying a dedicated bot management solution will not only let you restrict AuthBots on login pages but can also help eliminate other types of automated attacks performed after login, such as web scraping, checkout abuse, and denial of inventory.
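The following is an added illustration of recommendations 1 and 2 together, not code from Radware or the report: it slides a time window over constructed login-log lines to flag a source as credential stuffing (many distinct usernames failing) or credential cracking (many failures overall), and only blocks a flagged source when it also originates from a data-center range, so benign data-center traffic such as SWG users is left alone. The log format, thresholds and data-center prefixes are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample login log (not from the report): "<time> <client ip> <username> <result>".
SAMPLE_LOG = """\
2019-11-20T10:00:01 203.0.113.7 alice FAIL
2019-11-20T10:00:02 203.0.113.7 bob FAIL
2019-11-20T10:00:03 203.0.113.7 carol FAIL
2019-11-20T10:00:04 203.0.113.7 dave FAIL
2019-11-20T10:00:05 203.0.113.7 erin FAIL
2019-11-20T10:00:12 198.51.100.9 alice FAIL
2019-11-20T10:00:20 198.51.100.9 alice OK
"""
# Assumed thresholds and assumed data-center ranges (placeholders; tune per site).
WINDOW = timedelta(minutes=5)
MAX_DISTINCT_FAILED_USERS = 5   # many usernames from one source: credential stuffing
MAX_FAILS = 20                  # many attempts on few usernames: credential cracking
DATACENTER_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "FAIL"))
    return sorted(events)
def flag_sources(events):
    # Slide a WINDOW over each source's failed logins and classify the pattern seen.
    fails_by_ip = defaultdict(list)
    for ts, ip, user, failed in events:
        if failed:
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            window = fails[start:end + 1]
            if len({u for _, u in window}) >= MAX_DISTINCT_FAILED_USERS:
                flagged[ip] = "credential stuffing"
            elif len(window) >= MAX_FAILS:
                flagged[ip] = "credential cracking"
    return flagged
def is_datacenter(ip):
    return any(ipaddress.ip_address(ip) in net for net in DATACENTER_NETS)
def verdict(ip, flagged):
    # Data-center origin alone (e.g. users behind a cloud-hosted SWG) is not blocked.
    if ip in flagged:
        return "block" if is_datacenter(ip) else "challenge"
    return "allow"
```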

Learn more about AuthBots in the E-commerce Industry Automated Threat Landscape report.

Note: A version of this article first appeared in Digital Commerce 360.
