Third Gen: Single Interaction Mimic human behavior such as moving the mouse, scrolling and clicking links to navigate websites Exhibit sophisticated behaviors that may overcome certain challenges but cannot fool interaction-based detection, such as CAPTCHA or invisible challenges
Fourth Gen: Distributed, Mutating Bots Rotate through large numbers of user agents and device IDs — generating just a few hits from each to avoid detection Make random mouse movements (not just in a straight line like third-generation bots) and exhibit other humanlike browsing characteristics Record real user interactions, such as taps and swipes on hijacked or malware laden mobile apps, to be able to replicate the movements and blend in with human traffic and circumvent security measures
The Increasing Sophistication of Bad Bots In 2018, the third and fourth generations of bad bots accounted for 22.1% and 16.6% of internet traffic, respectively. In 2019, the number reached 27.2% and 18.3%, respectively.
Classification of Bad Bots Cybercriminals leveraged humanlike and distributed humanlike bad bots. On the login page of the credit union’s platform, 63.9% of bad bots can mimic human behavior. Bad Bots Behavior The behavior of bad Bots is continuously changing. Cybercriminals now leverage cutting-edge technologies to advance the sophistication of the attack capabilities of bad bots. In 2019, cyberattackers favored fourth generation bad bots that mimic human behavior when executing automated attacks. For example, 37.9% of bad bots used to execute account takeover attacks are classified as fourth generation. Applications Most Exploited by Bad Bots Cybercriminals use a combination of tools to exploit vulnerabilities in the infrastructure of businesses with an online presence. businesses. Attackers deploy exploit kits that consist of a combination of tools such as proxy IPs, multiple user agents (UAs) and programmatic/sequential requests to disguise the identity of bots, evade detection, and perform sophisticated automated attacks. Bots masquerade as genuine traffic by using popular browsers and devices in combination with their exploit kits to target different channels of communication such as web APIs. Web applications are the most exploited attack surface across industries. In 2019, 35% of the total traffic were bad bots on web applications, an increase of 10% from 2018. Automated attacks on mobile devices have also increased exponentially in recent years. The widespread adoption of mobile devices and the personal data that these devices store are two of the critical reasons behind the rise in attacks. The widespread adoption of internet of things (IoT) devices, emerging serverless architectures hosted in public clouds and the growing dependency on machine-to-machine communication are the reasons for changes in the modern application architecture. APIs have emerged as the bridge to facilitate interaction between different application architectures. APIs assist in quicker integration and faster deployment of new services. Despite their rapid and widespread implementation, APIs remain poorly protected and are a vulnerable surface for automated threats. Personally identifiable information (PII), payment card details and business-critical services are at risk due to bot attacks on APIs. Attacks on APIs have ramped up in the last few years. In 2019, 16.6% of the traffic on APIs were bad bots, rising from 14.3% in 2018. So what should organisations do ; recommendations: Assess the Real Impact of Bad Bots on Your Organizations: Bot management is complex and requires a dedicated technology with experts behind it who have a deep knowledge of good and bad bot behaviors Build Capabilities to Identify Automated Activity in Seemingly Legitimate User Behaviors : Purpose-built bot mitigation solutions can detect sophisticated automated activities and help you to take preemptive actions. Traditional solutions are limited to tracking spoofed cookies, UAs and IP Reputation Enforce Authentication via MFA and Challenge-Response Methods Block Origins of Bad Bot Traffic: Public cloud services can safe harbor bad bots. Organizations can block suspected public cloud services and internet service providers (ISPs). However, blocking all the traffic coming from data centers or ISPs without considering the user behavior can cause false positives Adopt Strict Authentication Mechanism on APIs: APIs are the key channels that enable seamless intercommunication between websites, applications and smart devices. They have become crucial in facilitating the flow of data from where it is stored to where it is needed Monitor Anomalous User Behavior and Key Performance Indicators (KPIs) : Bad bots that visit your website to perform scraping, account takeover or any type of automated activity will result in sharp spikes in traffic. Monitoring failed login attempts and spikes in traffic can help webmasters and security teams take preemptive mitigative measures.