October 16, 2018
As digital transactions continue to grow, customers are storing more personal information in online accounts than ever before. Attackers target organizations where they are most vulnerable by trying to hijack customer and employee accounts using stolen credentials. One of the easiest ways for cybercriminals to do this is with bots, hijacked Internet-connected devices that run automated tasks, in this case testing whether stolen credentials are still valid. Multiple bots are combined into botnets to further increase the efficiency of malicious attacks, most commonly account takeover (ATO) and distributed denial-of-service (DDoS) attacks.
Botnet attacks are becoming harder to detect as cybercriminals adopt cleverer tactics to evade existing fraud defenses. Brute-force floods are giving way to “low and slow” tactics that mimic the patterns of trusted customer behavior. Many organizations simply turn to their existing solutions for botnet protection, but find that traditional technologies are not well equipped to handle these new types of attacks. Businesses must find more effective ways of blocking botnet attacks, given the huge impact account takeovers can have on customer trust, brand reputation and revenue.
Botnet attacks are widely thought of as a security issue best handled by Web Application Firewalls (WAFs), especially when it comes to DDoS attacks. But one surprising trend is the surge in “low and slow” attacks designed specifically to evade network security countermeasures. Cybercriminals orchestrate these botnet attacks to look like legitimate traffic, which is particularly hard for WAFs to detect.
WAFs were designed to prevent attacks against Web services, not against customer identities. As a result, they rely heavily on IP reputation services and IP address velocity filters to detect bots. This method is ineffective against botnets that rotate IP addresses and hold previously leaked user credentials, often from a breach at another site: each IP address makes only a few requests, so nothing crosses a per-IP threshold and the attack goes undetected.
Such gaps expose companies to increased fraud losses and customer attrition due to loss of trust. Customers also get a poorer online experience when false positives force additional authentication steps. In addition, the level of brand risk is often hidden at first, as attackers farm user credentials under the radar. This creates a huge compliance and customer lifetime value risk, even when fraud losses and data theft are not immediately apparent.
The ThreatMetrix Solution for Botnet Attacks
Instead of relying on traditional WAF methods, ThreatMetrix uses an identity-centric, layered approach to effectively detect botnet attacks. This advanced solution combines information about identities, devices, locations and malware to detect high-risk behavior. ThreatMetrix leverages four key capabilities to handle the new type of low and slow botnet attacks.
Low and Slow Botnet Identification
WAFs tend to report bots, along with legitimate activity, as indeterminate traffic, yielding very poor visibility. ThreatMetrix provides immediate insight by identifying the cases where event profiling was limited because the existing WAF could not separate the intrusion from legitimate traffic at a granular level. Once the site is configured with ThreatMetrix, this indeterminate traffic can be properly identified. The ThreatMetrix account takeover solution can accurately identify botnet behavior using only a handful of policy rules, and analyzing these events helps stop botnets from bypassing existing profiling.
User Identity and Behavior Analytics
Behavioral profiling and analytics continuously catalog all the activities related to a device, account or persona. This enables detection of low-volume, low-frequency attacks, even when they are distributed. A rule that monitors for a single IP address associated with multiple email accounts, for example, provides strong insight into whether traffic is botnet related. ThreatMetrix can alert businesses to many different types of “divergences” or “anomalies” based on varying account markers, traffic origins and time frames.
Global Shared Intelligence
Botnet attackers are increasingly adopting strategies to stay below the detection threshold of individual businesses, but they invariably leave an identifiable global footprint. For example, bots can rotate through different IP addresses and devices, but ThreatMetrix can tie all their actions back to the same digital identity. The ThreatMetrix Digital Identity Network processes billions of transactions for thousands of global online businesses and is in a unique position to identify cross-industry, cross-business, cross-geography attack signatures.
Botnet Proxy Detection
Botnets use proxies to hide their traffic, but ThreatMetrix can locate the hidden proxies that botnets operate through. The new generation of private botnet proxies does not appear on public proxy lists and cannot be detected by the usual methods. TrueIP can pierce through proxies to find the IP address of the fraudster behind the proxy, whether a traditional anonymous proxy or one used by a botnet. When TrueIP is coupled with other transaction data and device fingerprinting, it may reveal that the same TrueIP address has been used via different proxies with unrelated account or credit card details, in which case there is a high probability that all transactions from that device are fraudulent. ThreatMetrix also analyzes the connections made by these fraudsters to help determine whether they are using tools to cloak their location or intent.
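As an added example that is not ThreatMetrix code and not part of the original post: the following Python runs a WAF-style per-IP velocity filter (the kind of rule rotating-IP botnets evade), the one-IP-to-many-accounts rule from the behavior analytics section, and a device-linking rule that ties rotating proxy addresses back to one device, all over a constructed login log. The `device_id` field is an assumed stable linking key standing in for whatever a device fingerprint or a TrueIP-style de-proxied address would provide; the sample events and thresholds are constructed for illustration, and nothing here reproduces how TrueIP itself works.

```python
"""Added example (not ThreatMetrix code): a WAF-style per-IP velocity rule
beside two identity-centric rules, run over a constructed login log.

Assumptions: every event carries a stable `device_id` linking key (a stand-in
for what a device fingerprint or de-proxied TrueIP-style address would give);
all thresholds are illustrative."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since an arbitrary epoch (constructed)
    ip: str          # source IP seen by the web tier; may be a proxy exit
    account: str     # account the credentials were tried against
    device_id: str   # assumed stable linking key that survives IP rotation
    success: bool


def build_sample_events():
    """Constructed log: 3 legitimate users, one noisy stuffing bot, and one
    low-and-slow bot rotating through 12 proxy IPs over six hours."""
    events = []
    for i in range(3):  # legitimate: same device, same IP, a few logins
        for k in range(3):
            events.append(LoginEvent(k * 3600 + i * 97, f"203.0.113.{10 + i}",
                                     f"user{i}@example.com", f"dev-legit-{i}", True))
    for n in range(30):  # noisy bot: one IP, 30 accounts in two minutes
        events.append(LoginEvent(5000 + n * 4, "198.51.100.7",
                                 f"victim{n}@example.com", "dev-noisy", False))
    for n in range(12):  # low and slow: one attempt per IP, 30 min apart
        events.append(LoginEvent(10000 + n * 1800, f"192.0.2.{100 + n}",
                                 f"target{n}@example.com", "dev-lowslow", False))
    return sorted(events, key=lambda e: e.ts)


def ip_velocity_hits(events, window=60, threshold=10):
    """WAF-style rule: an IP making more than `threshold` requests inside any
    `window`-second span. Sliding window over each IP's sorted timestamps."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e.ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:
                left += 1
            if right - left + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


def accounts_per_ip_hits(events, threshold=5):
    """Identity-centric rule from the text: one IP associated with more than
    `threshold` distinct accounts, regardless of request rate."""
    accounts = defaultdict(set)
    for e in events:
        accounts[e.ip].add(e.account)
    return {ip for ip, accts in accounts.items() if len(accts) > threshold}


def linked_device_hits(events, min_ips=3, min_accounts=3):
    """Link events by the stable device key instead of the IP: flag a device
    seen from `min_ips` or more IPs trying `min_accounts` or more accounts."""
    ips, accounts = defaultdict(set), defaultdict(set)
    for e in events:
        ips[e.device_id].add(e.ip)
        accounts[e.device_id].add(e.account)
    return {d for d in ips
            if len(ips[d]) >= min_ips and len(accounts[d]) >= min_accounts}


def detect(events):
    """Run all three rules and report which traffic each one surfaces."""
    return {
        "ip_velocity": ip_velocity_hits(events),
        "accounts_per_ip": accounts_per_ip_hits(events),
        "linked_device": linked_device_hits(events),
    }


if __name__ == "__main__":
    for rule, hits in detect(build_sample_events()).items():
        print(f"{rule:16s} -> {sorted(hits)}")
```

Run stand-alone, the noisy bot at 198.51.100.7 is caught by both the velocity filter and the accounts-per-IP rule, while the low-and-slow device, which makes a single attempt from each of twelve addresses, trips neither per-IP rule and only surfaces once events are joined on a key that survives IP rotation. That join is what the identity-centric approach described above adds over per-IP filtering; in practice the linking key would be the device fingerprint or de-proxied address rather than a field the client can freely choose.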
The ThreatMetrix Advantage
ThreatMetrix offers the broadest combination of defenses against account takeover in a solution that imposes little burden on your IT resources or your customers.
- Rapid, lightweight deployment:
The SaaS-based ThreatMetrix Cybercrime Protection Platform secures your applications without the need to add or deploy servers, user tokens, or additional infrastructure.
- All logins protected without adding friction:
Unlike strong authentication solutions that require token deployments and extra user steps to log in, the ThreatMetrix solution easily secures all logins without unnecessary friction.
- Up-to-date, global insight:
Integration with the ThreatMetrix Digital Identity Network provides constant access to current threat intelligence derived from millions of real-time transactions.
- Real-time responsiveness:
ThreatMetrix delivers real-time insight, so you can identify potential account takeovers before they compromise your business.