SPREADING LIKE GERMS: BAD BOT TACTICS REVEALED (COVID-19 SERIES)


In the second installment of our COVID-19 blog series, A Pandemic World: IT as a Critical Business Risk, we discussed the shortcomings of action-reaction security. If “frightening” describes the consequences of relying on reactive, traditional security, then “terrifying” is the best word for the rise of new attack methods built on automated tools.

The internet today is flooded with hacking toolkits, many of them free. These kits are so numerous and wide-ranging that almost anyone can download one and begin attacking online assets. This ready-made arsenal, in essence, eliminates the barrier between ordinary people and hackers and creates a DIY infrastructure for bad actors. Malicious internet users no longer need to analyze code, write scripts or perform complex computations. They can get what they want as long as they select the right tool and follow the instructions, which are usually available on YouTube or in online help forums.

During the COVID-19 pandemic, BotRx has been tracking the actions of fraudsters and their bots to reveal their attack methods. Through honeypots and customer traffic we have observed a variety of attacks that demonstrate the growing complexity and availability of automated tools; the main patterns are outlined below.

Auto Vulnerability Scanning & Intrusion

Automated scanning tools let ordinary people find vulnerabilities in a website with just a few mouse clicks. IT professionals legitimately use scanners to identify missing patches and known vulnerabilities on their networks, but what is used for good can also be used for bad.

Attackers repurpose the same scanners to identify vulnerable targets, use the findings as intrusion entry points and eventually dig out administrator usernames and passwords. The vulnerabilities they find also let them read and tamper with sensitive data, such as the contents of databases. Some scanner toolkits even bundle the corresponding exploit code for the vulnerabilities they detect, so the tool can be customized for a specific market vertical.

With a $2 trillion economic relief package in play in the US, attackers have their sights set on financial firms. By manipulating databases at these firms, attackers make themselves appear to be legitimate users and carry out illegal activities such as fund transfers and payments to illegitimate businesses.

Keeping server components up to date is no easy feat. Security professionals keep trying to close security loopholes while attackers scan huge lists of potential targets for new victims to compromise. The cost and effort for attackers keep decreasing, while IT defenders add more and more tools, driving up the cost and complexity of their networks.

Figure 1: Auto Scan & Intrusion

Account Takeover via Credential Stuffing Attack

Credential stuffing refers to repeated automated login attempts against user accounts or restricted-access areas of a website using username and password pairs that have already leaked in a breach (unlike password guessing, which tries many passwords against a single account). The leaked credentials are sold illegally on the dark web to bad actors, who then test the stolen combinations on thousands of websites until a login succeeds. Since most people reuse the same username and password across different websites, attackers sometimes scan millions of login pages in an attempt to find credentials that still work.

Figure 2: Credential Stuffing Test Procedure

Recent evidence shows a single pair of credentials being tested across thousands of websites in a round-robin approach. This is a more complex automation procedure, but it significantly reduces the chance of the attacker being blocked: because each account on a given site sees only one login attempt, per-account lockouts and login-attempt limits are never exceeded.
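The following added example is not BotRx code or part of the original post. It shows how a defender would spot both patterns described above from a web log: the automated scanning of the previous section (one source requesting many distinct paths, most of them returning 404) and round-robin credential stuffing (many different usernames each failing exactly once, which never trips a per-account lockout). The log format, field names, thresholds and sample lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). Fields: ts src_ip method path status user
# 'user' is '-' for requests that carry no login attempt.
SAMPLE_LOG = """\
2020-04-02T10:00:01Z 203.0.113.7 GET /wp-login.php 404 -
2020-04-02T10:00:01Z 203.0.113.7 GET /phpmyadmin/ 404 -
2020-04-02T10:00:02Z 203.0.113.7 GET /.env 404 -
2020-04-02T10:00:02Z 203.0.113.7 GET /.git/config 404 -
2020-04-02T10:00:03Z 203.0.113.7 GET /admin/ 404 -
2020-04-02T10:00:03Z 203.0.113.7 GET /cgi-bin/test.cgi 404 -
2020-04-02T10:00:04Z 203.0.113.7 GET /backup.zip 404 -
2020-04-02T10:00:04Z 203.0.113.7 GET /robots.txt 200 -
2020-04-02T10:00:10Z 198.51.100.20 GET / 200 -
2020-04-02T10:00:11Z 198.51.100.20 GET /products 200 -
2020-04-02T10:00:15Z 198.51.100.20 POST /login 401 alice
2020-04-02T10:00:20Z 198.51.100.20 POST /login 200 alice
2020-04-02T10:01:00Z 192.0.2.55 POST /login 401 bob
2020-04-02T10:01:01Z 192.0.2.55 POST /login 401 carol
2020-04-02T10:01:01Z 192.0.2.55 POST /login 401 dave
2020-04-02T10:01:02Z 192.0.2.55 POST /login 200 erin
2020-04-02T10:01:02Z 192.0.2.55 POST /login 401 frank
2020-04-02T10:01:03Z 192.0.2.55 POST /login 401 grace
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|DELETE|HEAD) (\S+) (\d{3}) (\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(log_text):
    """Turn the constructed log into a list of dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, status, user = m.groups()
        events.append({"ts": ts, "ip": ip, "method": method, "path": path,
                       "status": int(status), "user": user})
    return events


def _failed_logins(events, login_path):
    return [e for e in events
            if e["method"] == "POST" and e["path"] == login_path and e["status"] == 401]


def flag_scanners(events, min_requests=6, min_distinct_paths=5, min_404_ratio=0.7):
    """Sources that probe many distinct paths and mostly hit nothing look like scanners."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        if len(evs) < min_requests:
            continue
        distinct = len({e["path"] for e in evs})
        ratio = sum(1 for e in evs if e["status"] == 404) / len(evs)
        if distinct >= min_distinct_paths and ratio >= min_404_ratio:
            flagged[ip] = {"requests": len(evs), "distinct_paths": distinct,
                           "not_found_ratio": ratio}
    return flagged


def account_level_lockout(events, login_path="/login", threshold=5):
    """The baseline control: accounts whose own failure count reaches the threshold.
    A one-attempt-per-account stuffing run never gets here."""
    per_user = defaultdict(int)
    for e in _failed_logins(events, login_path):
        per_user[e["user"]] += 1
    return sorted(u for u, n in per_user.items() if n >= threshold)


def flag_credential_stuffing(events, login_path="/login", min_distinct_users=4):
    """Count distinct usernames failing per source instead of failures per account."""
    failed_users = defaultdict(set)
    for e in _failed_logins(events, login_path):
        failed_users[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed_users.items()
            if len(users) >= min_distinct_users}


def max_distinct_failed_users(events, window_seconds=60, login_path="/login"):
    """Source-agnostic variant for attackers that rotate IPs: the largest number of
    distinct usernames that failed login inside any window of window_seconds."""
    fails = sorted((datetime.strptime(e["ts"], TS_FMT), e["user"])
                   for e in _failed_logins(events, login_path))
    best, start = 0, 0
    for end in range(len(fails)):
        while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
            start += 1
        best = max(best, len({u for _, u in fails[start:end + 1]}))
    return best


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("scanners:", flag_scanners(evs))
    print("accounts locked by per-account rule:", account_level_lockout(evs))
    print("stuffing sources:", flag_credential_stuffing(evs))
    print("distinct failed users in any 60s window:", max_distinct_failed_users(evs))
```

On the sample data the per-account lockout rule locks nobody, because no account fails more than once, while the per-source and per-window checks both flag the run against bob, carol, dave, frank and grace. In production the per-source key should be a device or TLS fingerprint rather than a bare IP, since stuffing tools rotate through proxy pools, and the window-based count needs a per-site baseline to set its threshold.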

During the pandemic, employees and students are setting up new accounts for remote work and learning, but reusing their existing credentials. Once the credentials leak, they are validated and then sold by the hundreds or thousands on the dark web to specialty criminals that target specific types of websites and the assets they hold. For example, attackers may log into a user’s online banking account in a follow-on attack. Normally called account takeover, this assumes someone’s identity to conduct illegal activities such as money transfers or setting up additional accounts or credit cards. All of this online fraud can be carried out from a considerable distance without ever setting foot in a bank branch, and it causes significant economic loss across the globe. Bank robbers no longer need a gun and a mask to steal millions of dollars. Digital assets like credit card numbers, gift cards and bitcoin are easier and safer to steal from the comfort of home, or even a local coffee shop with free internet.

As COVID-19 continues to shape our online world, BotRx will be closely tracking bot activity and reporting on new discoveries. Want to learn more about how bots attack?

Watch our video on credential stuffing.
