Arkose Labs https://www.arkoselabs.com has analyzed and reported on tens of billions of bot attacks from January through September 2023, collected via the Arkose Labs Global Intelligence Network. Bots are automated processes acting out over the internet. Some perform useful purposes, such as indexing the internet, but most are Bad Bots designed for malicious ends. Bad Bots are increasing dramatically, and Arkose estimates that 73% of all internet traffic currently (Q3, 2023) comprises Bad Bots and related fraud farm traffic.[1]
Internet bots are software applications designed to automate many tedious and mundane tasks online. They’ve become an integral part of what makes the Internet tick and are used by many Internet applications and tools. For example, search engines like Google rely on bots that crawl through web content to index information. Bots go through millions of web pages’ text to find and index terms that these pages contain. So, when a user searches for a particular time, the search engine will know which pages have that specific information.
Travel aggregators use bots to continuously check and gather information on flight details and hotel room availabilities to display the most up-to-date information for users. This means that users no longer need to check different websites individually. The aggregators’ bots consolidate all of the information, allowing the service to display the data simultaneously.
Thanks to artificial intelligence and machine learning developments, bots are also being used to complete more complex tasks. Business intelligence services use bots to crawl through product reviews and social media comments to provide insights on how a particular brand is perceived.
The top five categories of Bad Bot attacks are:
- Fake account creation
- Account takeovers
- Scraping,
- Account management
- In-product abuse
These have not changed from Q2, other than in-product abuse replacing card testing. The most significant increases in attacks from Q2 to Q3 are SMS toll fraud (up 2,141%), account management (up 160%), and fake account creation (up 23%).
The top five targeted industries are technology (Bad Bots comprise 76% of its internet traffic), gaming (29% of traffic), social media (46%), e-commerce (65%), and financial services (45%). If a bot fails in its purpose, there is a growing tendency for criminals to switch to human-operated fraud farms. Arkose estimates there were over 3 billion fraud farm attacks in H1 2023. These fraud farms appear to be located primarily in Brazil, India, Russia, Vietnam, and the Philippines.
The growth in the prevalence of Bad Bots is likely to increase for two reasons: the arrival and general availability of artificial intelligence (primarily gen-AI) and the increasing business professionalism of the criminal underworld with new Crime-as-a-Service (CaaS) offerings.
See: https://redskyalliance.org/xindustry/crime-as-a-service-caas
From Q1 to Q2, intelligent bot traffic nearly quadrupled. “Intelligent [bots] employ sophisticated techniques like machine learning and AI to mimic human behavior and evade detection,” notes the report (PDF). “This makes them skilled at adaptation as they target vulnerabilities in IoT devices, cloud services, and other emerging technologies.” They are widely used, for example, to circumvent the 2FA defense against phishing.
Separately, the rise of artificial intelligence may or may not relate to a dramatic increase in ‘scraping’ bots that gather data and images from websites—from Q1 to Q2, scraping increased by 432%. Scouring social media accounts can pick the type of personal data that gen-AI can use to mass produce compelling phishing attacks. Other bots could then be used to deliver account takeover emails, romance scams, etc. Scraping also targets the travel and hospitality sectors.
Scraping, it must be said, is a legally murky area. It is not specifically illegal, but if it defies a website’s published terms of use, it is certainly immoral. Some services openly offer web scraping facilities. This case demonstrates the relationship between CaaS, AI, and bots (here primarily scraping).
“This is a website you can use to make sure your bots aren’t getting prevented by a website,” Kevin Gosschalk, founder and CEO of Arkose Labs, said, referring to a specific provider that will not be mentioned. “You can purchase this software. It has enterprise support and so on. But it is purpose-built to commit a crime. That is what it does. And there are many other different websites like this, but they look like legitimate businesses. It is a good example of a product purpose-built to commit fraud.”
It is also an excellent example of Crime-as-a-Service. CaaS enables wannabe criminals who may have the intent but not the skills to engage in cybercrime. “The massive rise of CaaS has completely changed the economics for adversaries,” continued Gosschalk. “It’s much cheaper to attack companies, and the attacks are just better because it’s a dev shop doing the attacks instead of just individual cybercriminals.”
The continuing increase in the volume of Bad Bots suggests they remain profitable for the criminals. The arrival of gen-AI will improve the performance of Bad Bots, while the growth of CaaS will increase the number of Bad Bot operators so that it will get worse. The only solution is Bad Bot detection and mitigation to limit the bots' access to their human or system targets. If it is not profitable, they will not do it.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
[1] https://www.securityweek.com/bad-bots-account-for-73-of-internet-traffic-analysis/
Comments