Attack of the Bots

Consumers continue to enjoy the freedom and flexibility of transacting online and are fueling the demand for “digital first” businesses. The unique online footprint we leave as we transact online is becoming more intricate and networked. However, fraud attacks are following suit, transforming from static and isolated breaches toward highly organized, cross-border and networked assaults.

One particularly worrying trend for digital businesses is the relentless evolution of bot attacks. ThreatMetrix detects millions of botnet attacks in the Digital Identity Network every year.

One particularly worrying trend for digital businesses is the relentless evolution of bot attacks. ThreatMetrix detects millions of botnet attacks in the Digital Identity Network every year. Bots and their networked counterparts, botnets, are the malicious army of the cybercrime world. They’re typically a series of computers (and more recently mobile phones) infected with malware, that is controlled by hackers to run huge, networked automated tasks. Device owners often don’t realize they are part of a botnet, transacting while the fraudster launches targeted attacks in the background.

Botnet attacks have traditionally taken the form of large volume distributed denial of service (DDoS) or spam attacks, and have been mitigated by web application firewall (WAF) solutions. However, ThreatMetrix has started to notice a worrying shift towards attacks that are managing to bypass existing controls. Low and slow attack rates can mimic legitimate user traffic, going undetected by many WAF solutions. In addition, attacks are leveraging the flood of stolen credentials available and successfully bypassing static identity checks.

For many businesses, these new attack vectors could be extremely damaging. Although a DDoS attack may quickly disable a website, an attack that breaches customer accounts, or opens a swathe of fraudulent new accounts, could be enough to destabilize business reputation and long-term revenue. Just a small chink in businesses defenses can put thousands of trusted customers at risk.

Organized botnet attacks are clever and unforgiving. They are looking for the next easy target, striking not just at an operational level, but at the heart of customer trust. As we march into the age of digital-first businesses, the focus should not simply be about acquiring new customers, or even about keeping the fraudsters out, but actually detecting who the good customers are among the onslaught of automated attacks.

How Can Botnets Disable Businesses?

Botnets can be used for virtually any malicious intent where a network will be more successful than a single attack. However, there are some specific botnet trends that ThreatMetrix is seeing, particularly around identity testing, which follow the evolution of fraud attacks in general. The most common uses for a botnet attack include the following:

  • To conduct a distributed denial of service (DDoS) attack – Traditionally one of the most common attacks of a botnet army, used to disable an entire website or network. Attacks have also evolved to include application layer DDoS attack, which target specific functions or features of a website, often as a decoy to an impending security breach.
  • To launch spam/perform click fraud – Botnets have been used to great effect to launch spam advertising campaigns to convince unwitting consumers to part with their credit card details for fake or non-existent products. Likewise, they can be used to perform repetitive tasks for financial gain by the botnet controller.
  • To steal sensitive credentials – This might be through keylogging, to gain access to high value targets such as online banking sessions or specific password information. Credentials can then be combined with other known or bought information to build complete stolen identities. When accounts are infiltrated, customer trust can be irreparably damaged, impacting lifetime value and referral rates.
  • To test stolen identities – Botnets can be used to mass test stolen credentials harvested from a previous breach. This allows the fraudster to:
    • Infiltrate existing accounts.
    • Open new accounts with stolen credentials that appear wholly legitimate to the unsuspecting business. This could have devastating consequences for a new business trying to build up to trusted customer base. Without a more holistic approach to verifying identity, organizations could end up with a swathe of fraudulent new accounts.
  • Social engineering/distribution of phishing emails to infect more computers – Botnets can distribute phishing emails far and wide, either to enroll more machines into the botnet army or to gain access to machines for other fraudulent purposes.

Why Are Traditional Methods Failing?

Attack Speed/Frequency

Fraudsters know that high-volume attacks are easier to detect and prevent, so have morphed their attack profiles to look similar to legitimate customer traffic. They are adopting low and slow tactics rather than high volume/high frequency. This manages to bypass WAF solutions that would traditionally detect high-volume attacks.

Cybercrime attacks are no longer purely transactional. Fraudsters operate in complex criminal networks, sharing information and intelligence worldwide to increase their success.

The techniques are clever: fraudsters adapt their individual bot traffic to just slip under the radar of traditional rate control detection. For example, an individual bot might generate just a handful of attempts to target a single website or organization. However, given this avoids detection, the botnet can continue to attack at this rate over weeks or months, leveraging their full bot army, to inflict relatively high-volume attacks against multiple organizations.

The other challenge for WAF detection is that although login/website hits may increase, each individual IP address (representing one bot) is only sending a relatively small number of requests to the target site.

Low volume failed login attempts from the same IP address, for example, may simply indicate a forgotten password, a user inadvertently using Caps Lock, or a shared IP address used by multiple users, hence low volume botnets continue to bypass detection.

The Availability of Stolen Identities

Cybercrime attacks are no longer purely transactional. Fraudsters operate in complex criminal networks, sharing information and intelligence worldwide to increase their success. Following the regular and high-profile breaches of companies such as Experian, Scottrade and TalkTalk, personal credentials have flooded the dark web, ready to be bought up by the next criminal gang.

These myriad pieces of personal information can be stitched together with data from further attacks to build convincing identity profiles. They can then be used by botnets to open fraudulent new accounts. The worry is, these legitimate credentials easily defeat static identity checking systems.

Fighting Clever Tactics With the Power of Global Shared Intelligence

ThreatMetrix uses an identity-centric, layered approach to effectively detect botnet attacks. This advanced solution combines information about identities, devices, locations and malware to detect high-risk behavior or compromised devices. ThreatMetrix leverages the following key capabilities to handle the evolution of advanced botnet attacks.

Detecting low and slow attacks even if they look like legitimate traffic

WAFs trends to present bots, along with legitimate activities, as indeterminate traffic, yielding very poor visibility. ThreatMetrix uses context-based information to perform behavioral analysis of users during periods of normal operation and compares such data to that gathered during a slow-rate attack. This enables ThreatMetrix to differentiate between a human and a bot the moment they land on the site.

Harnessing global shared intelligence to verify true identity

Even if bots rotate through different IP addresses and devices, ThreatMetrix can tie all their actions back to the same digital identity. Digital identities are pieced together by analyzing the myriad connections between devices, locations and anonymized personal information. In addition, the ThreatMetrix Digital Identity Network processes billions of transactions for thousands of global online businesses and is in a unique position to identify cross-industry, cross-business, cross-geography attack signatures.

Botnet proxy detection

Once a device becomes part of a botnet (via malware infection), it can be instructed to provide a web proxy service. Fraudsters use this proxy to cloak their true IP address and location. Fraudulent transactions therefore appear to originate from the legitimate user’s IP address, making them hard to detect. ThreatMetrix TrueIP technology can pierce through infected machines to find the IP address of the cybercriminals behind the proxy.


With the evolution of ever-more sophisticated, global and networked fraud attacks, traditional fraud and security solutions needs a drastic upheaval. Botnet attacks are one of the biggest threats to digital businesses today, making it harder to detect the good customers from the onslaught of bad ones.

No longer can organizations simply rely on traditional, static methods to detect large volume attacks on their servers. They need a holistic, layered approach that can detect attacks even when they are convincingly disguised.

With the evolution of cybercriminals who attack at a critically controlled level, who have access to complete stolen identities and who can hijack legitimate login sessions to look like trusted customers, organizations need a more dynamic way to authenticate user transactions. It is only through combining the power of shared global intelligence with dynamic identity assessment that business can be sure of more complete fraud protection.

close btn