
“Bad Bots” Traffic Surge Strikes Financial Services Sector

It is becoming more difficult than ever to distinguish between genuine visitors and bots mimicking human behavior

Charlie Osborne

London – Sep. 1, 2021

The financial services industry is one of the top targets for sophisticated botnets used to conduct fraud, new research suggests.

Due to the valuable financial data they hold, banks, payment providers, and money transfer services are among organizations that are constantly targeted by threat actors.

From targeting the SWIFT banking service in high-profile heists to phishing emails sent to members of the general public masquerading as a bank alert, financial service attack vectors employed vary — and the use of so-called “bad bots” is on the rise.

While legitimate bots are developed to perform tedious or repetitive tasks on behalf of a user, bad bots are directed to perform malicious activities. These may include data scraping and mining, Distributed Denial-of-Service (DDoS) attacks, generating spam, carding, and brute-force attacks against internet-facing systems.

According to Imperva’s 2021 Bad Bot Report, botnet operators are constantly evolving their tactics and it is becoming more difficult than ever to distinguish legitimate traffic from malicious visits to online services, in the financial sector and beyond.

The researchers use the label “advanced persistent bot” (APB) to distinguish sophisticated bots from simple scripted software that operates from a single, assigned IP address. These bots attempt to avoid detection by mimicking human behavior, such as generating mouse clicks and movement, and they may also route through P2P networks or cycle through IP addresses.

Imperva says that 57.1 percent of today’s bots can be considered APBs.

The cybersecurity firm estimates that since the beginning of this year, only 37 percent of internet traffic to financial platforms is human, and approximately 31 percent of network traffic is generated by malicious bot applications.

Within the report, Imperva outlined four major attack vectors used to target financial services.

Credit card fraud: Malicious bots are being used by cybercriminals to monetize leaked credit card numbers by automating guesswork and attempting to “crack” cards further. Primary Account Numbers (PANs), purchased or downloaded from the dark web, could be fed into a bot, for example, which then performs phishing activities to obtain the data required to use the card in fraudulent transactions. A bot could also roll through CVV, expiration, and postcode guesses in tandem with a PAN on payment websites.

Account takeovers: Account takeovers, including credential stuffing, can be performed by bots that run lists of common usernames and passwords in automated attacks. Credentials leaked from other domains can also be replayed in an attempt to log in to a financial services platform.
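Both of the vectors above share a traffic shape a defender can look for: many failed attempts spread across subjects from one source, or against one subject from rotating sources. The following is an added illustration, not code from the article or from Imperva; the event fields, the constructed sample traffic, and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

FAILURES = {"fail", "declined"}


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed values below)
    ip: str
    subject: str   # login username, or a masked card number for payment attempts
    outcome: str   # "ok"/"fail" for logins, "approved"/"declined" for card attempts


def velocity_alerts(events, window=300, max_subjects_per_ip=10, max_ips_per_subject=5):
    """Bucket failure events into fixed time windows, then count distinct subjects
    per IP (credential stuffing / card testing from one source) and distinct IPs
    per subject (one account or card probed through rotating proxies).
    Returns (flagged_ips, flagged_subjects). Thresholds are illustrative assumptions."""
    subjects_by_ip = defaultdict(set)
    ips_by_subject = defaultdict(set)
    for e in events:
        if e.outcome not in FAILURES:
            continue
        bucket = e.ts // window
        subjects_by_ip[(bucket, e.ip)].add(e.subject)
        ips_by_subject[(bucket, e.subject)].add(e.ip)
    flagged_ips = {ip for (_, ip), subs in subjects_by_ip.items() if len(subs) >= max_subjects_per_ip}
    flagged_subjects = {sub for (_, sub), ips in ips_by_subject.items() if len(ips) >= max_ips_per_subject}
    return flagged_ips, flagged_subjects


def sample_events():
    """Constructed traffic: one IP trying 12 usernames, one card tested from
    6 rotating IPs, and a genuine user who mistyped a password twice."""
    base = 1_630_000_000
    ev = [Event(base + i, "198.51.100.7", f"user{i:02d}", "fail") for i in range(12)]
    ev += [Event(base + 20 + i, f"203.0.113.{i}", "411111******1111", "declined") for i in range(6)]
    ev += [Event(base + 40, "192.0.2.9", "alice", "fail"),
           Event(base + 45, "192.0.2.9", "alice", "fail"),
           Event(base + 50, "192.0.2.9", "alice", "ok")]
    return ev


if __name__ == "__main__":
    ips, subs = velocity_alerts(sample_events())
    print("suspected credential stuffing from:", sorted(ips))
    print("suspected card testing against:", sorted(subs))
```

The genuine user with two failures is not flagged, which is the point of counting distinct subjects and sources rather than raw failure totals.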

DDoS attacks: Distributed Denial-of-Service campaigns are commonly associated with botnets, as hijacked devices — ranging from PCs and mobile devices to routers and home IoT products — can be directed to overwhelm a domain with traffic and stop legitimate visitors from accessing a financial service.

Imperva says that DDoS attacks against the financial sector have “significantly increased” since Apr. 2021.

Data harvesting and scraping: Content and data scraping are performed by both legitimate and malicious bots. In the latter case, scrapers may be used to replicate full websites for use in phishing campaigns, which is a serious and frequent challenge for financial platforms.

Speaking to Cybersecurity Ventures, John Cosgrove, senior product manager of Advanced Bot Protection at Imperva, said that successful impersonation is about “far more than keystrokes and mouse clicks.”

“Operators are becoming savvy in disguising their activity. For example, for traditional analytics and security tools, bots using a real web browser are indistinguishable from human users, making it easier than ever to carry out automated attacks like credential stuffing and account takeover. Proxy lists and services are also increasingly popular as they allow bot operators to appear from residential ISPs and mobile networks rather than traditional cheap data centers, which are easy to spot with IP reputation.”

Notably, Imperva is also tracking continued attacks on online insurance quoting services, both to harvest data and to disrupt these platforms, causing an increase in website bounce rates.

“Indeed, the financial services industry as a whole is under sustained DDoS assault, with 22 percent of all application DDoS attacks targeting financial services companies in the first half of 2021,” Cosgrove added.

– Charlie Osborne is a journalist covering security for ZDNet. Her work also appears on TechRepublic, Cybercrime Magazine, and other media outlets.
