Blocking all bots is a bad idea; it’s far better to figure out who wants to do harm and keep them off your site, says Andy Still, CTO Netacea
ITSW Bureau: How important is the need for security against bad bot traffic? What role does Netacea play in this?
Businesses used to face attacks that would target their security measures, find weak points, and steal data from them. Today, the problem has shifted as it is not just their own security that businesses need to worry about but also about the security failings of others.
Data breaches are now so common that the criminals that steal usernames and passwords have a supply and demand problem—there’s so much of this data available that it’s incredibly cheap to buy. The buyers, in turn, need to use automated techniques to sift through the data and discover what passwords are reused and validated, and therefore have value.
This is where bots are used. They work through these huge lists of stolen credentials at speed to break into accounts, also known as a “credential stuffing attack”. There are marketplaces online, on the dark web but increasingly on the clear web, where you can pick up a Spotify, Netflix or even an Uber Eats account for just a few dollars.
Credential stuffing isn’t the only bot attack to look out for. “Sneakerbots” snap up exclusive, limited-edition goods such as sneakers, and automatically sell them at a markup on a third-party site. The bot operator makes an instant profit, the consumer misses out, and the brand can take a reputational hit as its loyal customers correctly assume something isn’t quite right. “Seat spinner” bots do something similar with airline seats, making flights appear to be sold out when in reality they are selling tickets on a third-party site at a markup. The result is the same—bot operators make easy money and consumers are ripped off and frustrated.
ITSW Bureau: What are some of the ways in which bots are taking advantage of the COVID-19 pandemic?
We’ve seen shifting tactics. Obviously airline tickets are not selling, so we’ve seen an uptick in bots used elsewhere, such as those targeting online retail and streaming services. The increase in streaming account signups due to lockdown has presented opportunities for bots. Anyone signing up using a smart TV is unlikely to be tempted to use a strong unique password for their new streaming account—who wants to type a series of numbers and symbols with a remote control? This makes it far simpler for a bot to take over accounts, and as many of these accounts are multi-user, they can even be stolen without users being any the wiser.
There is also the problem that bots take up a great deal of bandwidth. Many services are already under strain from the sheer number of users; for example, the supermarkets and DIY stores that needed to implement queuing systems. The sheer amount of traffic created by bots, often over half the traffic on a given site, can overwhelm the site, causing it to slow down and damaging the experience for real consumers.
ITSW Bureau: What are some of the top factors that drive the botnet detection market?
It’s an arms race between the cybercriminals and the good guys—that’s us. We are constantly on the lookout for new techniques that are being used to disguise bot traffic. For example, some bots will test rate-limiting, designed to limit the amount of activity one visitor can perform on a site without being blocked. Once that limit is found, the bots will act just under that limit, so as to be as efficient as possible while avoiding detection.
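One defender-side check for the behaviour just described (bots settling just under a discovered rate limit), as an added example that is not Netacea's code or part of the interview: it scores each client by how often its per-window request count sits in the band just below the limit, which a human visitor rarely sustains. The limit, window size, thresholds and the traffic log are all assumed or constructed.

```python
"""Flag clients whose request rate sits persistently just under a rate limit.

Added example; assumes a log of (unix_seconds, client_ip) tuples and a
hypothetical policy of 60 requests per 60-second window.
"""
from collections import defaultdict

LIMIT = 60          # requests allowed per window (assumed policy)
WINDOW = 60         # window length in seconds
NEAR_FLOOR = 0.85   # a window is "near the limit" at >= 85% of LIMIT
MIN_WINDOWS = 5     # observed windows needed before judging a client
MIN_SHARE = 0.8     # share of windows near the limit needed to flag


def window_counts(events, window=WINDOW):
    """Return {client: {window_index: request_count}} from (ts, client) tuples.
    Only windows with at least one request appear for a client."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, client in events:
        counts[client][int(ts) // window] += 1
    return counts


def limit_hugging_clients(events, limit=LIMIT, window=WINDOW, near_floor=NEAR_FLOOR,
                          min_windows=MIN_WINDOWS, min_share=MIN_SHARE):
    """Clients that stay within [near_floor*limit, limit] in most windows.
    Exceeding the limit is handled by the limiter itself; the interesting
    client never trips it yet never drops far below it."""
    flagged = {}
    for client, per_window in window_counts(events, window).items():
        if len(per_window) < min_windows:
            continue
        near = [c for c in per_window.values() if near_floor * limit <= c <= limit]
        share = len(near) / len(per_window)
        if share >= min_share:
            flagged[client] = round(share, 2)
    return flagged


def constructed_events():
    """Constructed traffic: one limit-hugging client, one bursty human-like one."""
    events = []
    # "Bot": 57 evenly spaced requests per minute for 10 minutes, never over 60.
    for minute in range(10):
        for i in range(57):
            events.append((minute * 60 + i * 60 / 57, "203.0.113.7"))
    # "Human": irregular bursts, always far below the limit.
    for minute, n in enumerate([3, 0, 12, 1, 0, 25, 4, 0, 0, 2]):
        for i in range(n):
            events.append((minute * 60 + i, "198.51.100.23"))
    return events


if __name__ == "__main__":
    print(limit_hugging_clients(constructed_events()))  # {'203.0.113.7': 1.0}
```

The thresholds are a starting point; in practice they are tuned against the site's own limit and its measured distribution of per-client request rates.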
Bots are increasingly sophisticated and are developed by talented people in organizations. One of the most commonly used bot mitigation techniques, the CAPTCHA, where a human has to perform a task such as selecting the right photos, is increasingly ineffective. This increasing sophistication has led Netacea to develop our Intent Analytics engine. We combine machine learning with data analysis and the vast experience held within our team to ask a different question: not “is this a bot?”, but “what is this visitor’s intent?” That way we can better target those bots by identifying malicious behavior. After all, not all bots are bad—some are used by search engines, others for price comparison sites. Blocking all bots is a bad idea; it’s far better to figure out who wants to do harm and keep them off your site.
Andy is a pioneer of digital performance for online systems. As Chief Technology Officer, he leads the technical direction for Netacea’s products, as well as providing consultancy and thought leadership to clients. Andy has authored several books on computing and web performance, application development, and non-human web traffic.