Botnet Detection: How Can Emerging Businesses Find Good Customers?
Posted February 29, 2016
If you asked the CEO of a small business what their primary concerns were, how often would botnet detection top the list? Yet organized fraud attacks continue to increase in severity and persistence, and emerging businesses must beware. A year or two ago, emerging businesses may have been thinking about how to pick out isolated fraudsters in their database of great customers. 2016 could be the year when in fact we ask: how do we pick the good customers out of the sea of bad ones?
It’s a pretty dire thought, but as organized fraud attacks become larger and more relentless, they have the power to fell a new business in one swipe of their Trojan sword. Businesses must ask themselves: could we survive a security breach? What damage could our data do in the hands of a cybercriminal? Data is precious, customer trust even more so. Business success may boil down to the effectiveness of its fraud defenses.
The botnet army
One particularly worrying trend for new businesses is the relentless evolution of bot attacks. Bots and their networked counterparts, botnets, are the malicious army of the cybercrime world. A botnet is typically a collection of malware-infected computers that attackers control remotely to run large, coordinated automated tasks. ThreatMetrix has seen a worrying rise in botnet attacks over the last year – we detected 230 million attacks in Q4 alone.
Botnets are used to:
- Test stolen identities (to open new accounts or take over existing ones)
- Conduct distributed denial of service (DDoS) attacks
- Launch spam campaigns
- Steal sensitive credentials
It’s these types of attacks that should put new businesses on high alert. They spend much of their first year investing in acquisition, building up a loyal database of great customers. An automated attack could be devastating. Although a DDoS attack may quickly disable a website, other types of botnet attacks could actually be worse.
Consider a botnet that opens new accounts using stolen credentials. How could a new business tell whether the 100 new accounts just added to its database are legitimate? For a fledgling start-up, every new customer is incredibly valuable. What impact could a large volume of fraudulent new accounts have on overall business success? Or what if the attack was an automated identity-testing session that broke into existing customer accounts, hard fought and hard won, and stole sensitive credentials? Would customer trust be irreparably damaged?
Organized botnet attacks are clever and unforgiving. They are looking for the next easy target and a new business may well be it. Perhaps the focus should not simply be about acquiring new customers, or even about keeping the fraudsters out, but actually detecting who the good customers are among the onslaught of automated attacks.
The botnet disguise
Fraudsters are compounding the problem by adjusting their botnet attack patterns to mimic usual customer behavior: low-and-slow tactics rather than high-volume, high-frequency bursts. This lets them slip past traditional web application firewall (WAF) solutions, which are tuned to detect high-volume DoS traffic.
The problem is that WAFs were designed to prevent attacks against web services, not attacks on customer identity. As a result, they rely heavily on IP reputation services and IP velocity filters to detect bots. That approach fails against bots that rotate IP addresses and hold previously leaked user credentials, often from a breach of another site: each login attempt arrives from a fresh address with a plausible username and password, so it flies under the radar.
Fighting clever tactics with the power of shared intelligence
The good news for business owners is that by leveraging the power of shared global intelligence, botnets can be stopped in their tracks. ThreatMetrix offers the following key solutions:
- Harnessing global shared intelligence – Even if bots rotate through different IP addresses and devices, ThreatMetrix can tie all their actions back to the same digital identity. The ThreatMetrix Digital Identity Network processes billions of transactions for thousands of global online businesses and is in a unique position to identify cross-industry, cross-business, cross-geography attack signatures.
- Detecting low-and-slow attacks even if they look like legitimate traffic – A WAF tends to lump bots in with legitimate activity as indeterminate traffic, giving very poor visibility. ThreatMetrix uses context-based information to build a behavioral profile of users during periods of normal operation and compares it with the behavior seen during a slow-rate attack. This lets ThreatMetrix differentiate between a human and a bot the moment they land on the site.
- Botnet proxy detection – Once a device becomes part of a botnet (via malware infection), it can be instructed to provide a web proxy service. Fraudsters use this proxy to cloak their true IP address and location. Fraudulent transactions therefore appear to originate from the legitimate user’s IP address, making them hard to detect. ThreatMetrix TrueIP technology can pierce through infected machines to find the IP address of the cybercriminals behind the proxy.
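To make concrete why an IP velocity filter misses a low-and-slow, IP-rotating credential-testing bot while an identity-linked view catches it, here is a small detection example run over a constructed login log. This is illustrative code added to this article, not ThreatMetrix's implementation or its Digital Identity Network; it stands in for the "digital identity" with a simple per-device fingerprint assumed to stay stable while the bot rotates IP addresses, and the sample events, thresholds and field names are all assumptions chosen for the demonstration.

```python
"""Low-and-slow credential testing: IP velocity filter vs. identity-linked detection.

Added example, not the article's or ThreatMetrix's code. Assumes each login
event carries a device fingerprint that persists across IP rotation (a stand-in
for the article's 'digital identity'). All events below are constructed.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip device account ok")
T0 = datetime(2016, 2, 1, 9, 0, 0)


def build_sample_events():
    """Constructed login log: one real customer, one noisy bot, one low-and-slow bot."""
    events = []
    # Legitimate customer: mistypes the password twice, then succeeds, from one device and IP.
    for i, ok in enumerate([False, False, True]):
        events.append(Event(T0 + timedelta(seconds=20 * i), "203.0.113.10", "dev-alice", "alice", ok))
    # High-volume bot: tests 30 accounts from a single IP in thirty seconds.
    for i in range(30):
        events.append(Event(T0 + timedelta(seconds=i), "198.51.100.5", "dev-bot2", f"user{i:03d}", False))
    # Low-and-slow bot: one attempt every five minutes, a fresh IP and a fresh account each time.
    for i in range(12):
        events.append(Event(T0 + timedelta(minutes=5 * i), f"192.0.2.{i + 1}", "dev-bot7", f"victim{i:02d}", False))
    events.sort(key=lambda e: e.ts)
    return events


def _windows(events, window):
    """For one key's time-sorted events, yield the events falling in `window` ending at each event."""
    for i, e in enumerate(events):
        start = e.ts - window
        yield [x for x in events[:i + 1] if x.ts >= start]


def ip_velocity_alerts(events, window=timedelta(minutes=1), threshold=20):
    """WAF-style velocity filter: flag any IP with more than `threshold` requests in one `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        if any(len(recent) > threshold for recent in _windows(evs, window)):
            flagged.add(ip)
    return flagged


def identity_alerts(events, window=timedelta(hours=1), max_accounts=5):
    """Identity-linked detection: flag a device that tries more than `max_accounts`
    distinct accounts within one `window`, however many IPs it rotates through.
    Returns {device: (distinct accounts, distinct IPs)} for the worst window seen."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e.device].append(e)
    flagged = {}
    for dev, evs in by_device.items():
        best = (0, 0)
        for recent in _windows(evs, window):
            score = (len({x.account for x in recent}), len({x.ip for x in recent}))
            best = max(best, score)
        if best[0] > max_accounts:
            flagged[dev] = best
    return flagged


if __name__ == "__main__":
    evs = build_sample_events()
    # Only the noisy single-IP bot trips the velocity filter; the rotating bot never repeats an IP.
    print("IP velocity filter flags:", sorted(ip_velocity_alerts(evs)))
    # The device view catches both bots and reports how many IPs the slow one hid behind.
    for dev, (n_acct, n_ip) in sorted(identity_alerts(evs).items()):
        print(f"identity filter flags {dev}: {n_acct} accounts across {n_ip} IPs")
```

The velocity filter sees each of the rotating bot's twelve addresses exactly once and stays silent, while grouping by the stable device fingerprint shows one actor probing twelve accounts from twelve IPs. In production the stable key would be a richer identity signal than a single fingerprint, but the structure of the check is the same: aggregate on what the attacker cannot cheaply rotate.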