When the holiday season arrives, the online shopping spree begins in full force, making eCommerce websites an attractive target for cybercriminals. This November, Barracuda Networks, a trusted partner and a leading provider of cloud-enabled security solutions, detected millions of bad-bot attacks that were being used by attackers to run distributed denial of service (DDoS) attacks, make fraudulent purchases, and scan for vulnerabilities they could exploit.
In the middle of the month, Barracuda researchers ran Barracuda Advanced Bot Protection in front of a test web application and detected a staggering number of bad bots in just a few days, with millions of attacks coming in from thousands of distinct IP addresses. When viewed by time of day, the researchers found that the bots don’t just wait until the middle of the night to attack. In fact, bot activity peaks in the late morning and continues until 5 p.m., which indicates that the cybercriminals, aka “bot herders”, follow a regular working day.
Bad bot personas are bots that have been identified as malicious based on their pattern of behaviour. They are grouped by User-Agent, and some User-Agents are good. For example, GoogleBot, which crawls sites and adds them to search rankings, is good and should not be blocked. Cybercriminals have been using different ways to spoof good User-Agents to conduct their attacks. Because bad bots spoof these known good User-Agents, deeper scrutiny is needed to tell them apart.
To identify a bot as bad when its User-Agent claims to be a good search engine, Barracuda researchers use several methods: injecting honeytraps such as hidden URLs and JavaScript (JS) challenges; using rDNS (reverse DNS lookup) to verify that a bot is coming from the source it claims; inspecting whether the client is trying to access URLs used by common application fingerprinting attacks; and, when those methods are inconclusive, analysing further with machine learning (ML). HeadlessChrome, yerbasoftware, and M12bot are some of the bad bot personas that showed an increase in numbers.
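The rDNS check described above, as an added example that is not Barracuda's own code: it implements forward-confirmed reverse DNS for a request whose User-Agent claims to be Googlebot or Bingbot, run here against constructed DNS data in documentation address ranges (the socket-based live resolvers are used by default when no lookup functions are passed in).

```python
import ipaddress
import socket

# Reverse-DNS suffixes a genuine crawler must resolve under (Google and Bing publish these).
GOOD_BOT_DOMAINS = {"Googlebot": ("googlebot.com", "google.com"), "Bingbot": ("search.msn.com",)}
def _live_reverse(ip):
    """PTR lookup via the system resolver; None when the IP has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None
def _live_forward(host):
    """A/AAAA lookup via the system resolver; empty set when the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except socket.gaierror:
        return set()
def verify_claimed_bot(ip, claimed_bot, reverse_lookup=_live_reverse, forward_lookup=_live_forward):
    """Forward-confirmed rDNS: PTR must sit under the bot's domain AND resolve back to the IP (senders control their own PTR)."""
    suffixes = GOOD_BOT_DOMAINS.get(claimed_bot)
    if not suffixes:
        return False, "unknown_bot"
    ip = str(ipaddress.ip_address(ip))  # canonical text form, so IPv6 compares reliably
    ptr = reverse_lookup(ip)
    if not ptr:
        return False, "no_ptr"
    ptr = ptr.lower().rstrip(".")
    if not any(ptr == s or ptr.endswith("." + s) for s in suffixes):
        return False, "ptr_domain_mismatch"
    forward = {str(ipaddress.ip_address(a)) for a in forward_lookup(ptr)}
    if ip not in forward:
        return False, "forward_mismatch"
    return True, "verified"
# Constructed DNS data in documentation ranges, standing in for live resolution.
CONSTRUCTED_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",  # genuine-looking crawler
    "203.0.113.7": "203-0-113-7.isp.example",        # ordinary ISP host claiming Googlebot
    "198.51.100.9": "googlebot.com.evil.example",    # look-alike PTR under an attacker's domain
    "192.0.2.5": "crawl-192-0-2-10.googlebot.com",   # PTR copied from a real name; no forward match
}
CONSTRUCTED_A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
                 "203-0-113-7.isp.example": {"203.0.113.7"},
                 "googlebot.com.evil.example": {"198.51.100.9"}}
SAMPLE_IPS = list(CONSTRUCTED_PTR) + ["203.0.113.99"]  # the last one has no PTR at all

def check_sample_requests():
    """Verify every sample IP that sent a Googlebot User-Agent; returns {ip: (ok, reason)}."""
    return {ip: verify_claimed_bot(ip, "Googlebot", CONSTRUCTED_PTR.get,
                                   lambda h: CONSTRUCTED_A.get(h, set())) for ip in SAMPLE_IPS}
```

Only the first sample passes both steps; the forward-confirmation step is what catches a client that has simply set its own PTR record to a real Google crawler name.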
Speaking on the threat, Murali Urs, Country Manager-India, Barracuda Networks, commented, “While analysing which Internet System Provider or Autonomous System Number has been the source of this bad bot activity, our researchers identified Indian mobile provider Airtel’s subnet ranges in the mix, as well as some of the big public cloud providers like Google Cloud, Amazon. This shows that even though the source of bots is international, it would depend on the bot and the site it is targeting.”
With the holiday shopping season expected to continue in full swing until the New Year, eCommerce teams should start taking the necessary steps to safeguard their applications against bad bots. They must deploy a well-configured web application firewall-as-a-service solution and make sure that their application security solutions include anti-bot protection to effectively detect advanced automated attacks. eCommerce websites should further turn on credential stuffing protection to prevent account takeover.