June 24, 2020

By Brady Harrison, Senior Data Analyst, Kount

Doorbells that are used to buy pizza or light switches used to watch YouTube? It’s all possible with botnets.

Many of the technical devices we rely on every day — webcams, baby monitors, thermostats, even doorbells — connect to the Internet and with limited or even no built-in security, they are easy targets for malware and takeover. Though an individual doorbell or light switch does not pose a significant threat to businesses, thousands of these devices are compromised every day and used for illicit purposes that can materially impact an organization.

Swarms of hundreds or thousands of compromised devices can be used to shut down a website, take over bank accounts, or test credit cards. Sophisticated botnet attacks are on the rise and can cause credentials leaks, unauthorized access to personal accounts, and data theft, including loss of monetary value and credit card information.

What is a Botnet?

A combination of the words “robot” and “network,” the term botnet simply means a group of internet-connected devices controlled by a central system. The phrase “Internet of Things (IoT)” describes the technology that connects everyday devices to the web to provide additional data or functionality. Unlike most personal computers and devices with robust antimalware and antivirus software, these everyday objects are easily infected with malicious software enabling remote control of the device because of lax security or poorly written code. Once under their control, hackers can run complex commands and software from very basic hardware embedded into these devices to aid in the theft of data and compromise other computers and systems.

Unfortunately, the difficulty and cost of launching a botnet attack is falling at a rapid clip. Although not all botnets are malicious, cyber criminals can use them to instigate attacks such as account takeover, unauthorized access, data theft, and Distributed Denial of Service (DDoS) attacks.

DDoS Attacks – The Largest Ever Attempted Occurred in Early 2020

DDoS attacks — launched with botnets — are used by fraudsters or hackers to create a virtual traffic jam: hundreds of thousands of fake or malformed requests for data are sent to a website or IP address, preventing legitimate users from accessing the site.

Amazon Web Services said it mitigated a 2.3 Terabyte DDoS attack in mid-February this year, the largest ever attempted. Today, most DDoS attacks peak in the 500 gigabyte range, which is why news of the AWS 2.3 terabyte attack was a surprise for industry players.

Some botnets are privately held and controlled, but many are freely available for purchase or even lease by the hour so that fraudsters can execute scripts, no matter how illicit. Though many are run on the back of physical devices that have been compromised, the democratization of computing power also means bad actors can easily and cheaply spin up thousands of virtual machines to execute attacks. That said, you get what you pay for in terms of the quality and number of compromised devices: the quality of a botnet typically corresponds to its cost of use.

Once compromised or created as a virtual machine, each device can be programmed with “combo lists” or username and password combinations obtained via security breaches available on the dark web. The botnet is then commanded to go out on the Web and test those credentials against banks, quick service restaurants, or streaming services. For example, these botnets are sophisticated enough to independently go to a website, click on a particular screen, and execute a script to fill a checkout page with a particular email, card details, and shipping address thousands of times a minute at the press of a button. With a couple hours of coding, a botnet can make thousands of purchases, login attempts, or account changes.

By using a botnet connected with hundreds or even thousands of devices, all with their own unique IP addresses, the hacker attempts to obfuscate their location and circumvent basic velocity checks. In other words, they distribute their traffic across a variety of devices and locations to prevent their original identity and location from being easily determined.

Botnet Attacks for Account Takeover

There are a variety of attack vectors when using botnets, but the most common technique used to attempt criminal account takeover (ATO) is a brute force attack. A brute force attack occurs when the botnet systematically submits hundreds – sometimes thousands – of passwords with a single username until the correct combination unlocks the account. The goal of these attacks is to access some type of stored value locked behind a login. Once in an account, personal information can be stolen or the account is drained of value by making purchases, transferring funds, or spending loyalty points.

The end goal of these attacks is to access information/goods that can be resold in legitimate and/or dark marketplaces – with everything from stolen identities to discounted pizza – which is then quickly converted to cryptocurrency or cash.

To protect accounts, many solutions on the market today use “blunt” techniques to stop ATOs, meaning they immediately block suspicious logins based on limited data and basic velocity checks. While effective at stopping the most common attacks, these techniques fail to detect more sophisticated attacks and create unnecessary customer friction. Denying a good customer access, or applying additional layers of friction to confirm their identity, causes customer frustration. This can result in brand damage in the mind of the customer, as even the smallest level of friction can completely rebuff what was once a loyal customer. These blunt tools not only impact the customer experience, but also reduce revenue by blocking legitimate activity when dynamic friction would provide the same level of protection with fewer false positives.

Kount’s Botnet Detection and Prevention Technology Platform

While Kount has always been adept at detecting and stopping botnet accounts at checkout, moving that detection and prevention higher in the customer workflow is critical to mitigating the cost of these attacks on your business and customers. Kount Control – Account Takeover Protection evaluates user behavior, device, and network anomalies to detect high-risk activity posed by bots, credential stuffing, and brute force attacks. The protection layer of Kount Control determines in real time whether a login should be allowed, declined, or challenged with step-up authentication and we are able to accomplish this in milliseconds.

Kount detects and prevents millions of botnet attempt events dynamically every day. When a Kount customer sees a big spike in traffic, this can be a great sign of a growing business and in-demand products. However, when this spike is evaluated within the context of other fraud and risk metrics, this can be a sign of a botnet attack. For one eCommerce platform that Kount protects, we quickly identified that a spike in traffic was not an increase in sales, but rather a sophisticated card testing attack from compromised accounts. Using anomaly detection, we were able to prevent the fraud attempt with the suite of tools that are part of Kount’s fraud prevention platform and without any human intervention.

Though the above example represents a high level of complexity, many of these attacks are not hyper-sophisticated. For example, one attacker placed more than 25,000 orders in less than an hour using a fake email address. They attempted to circumvent fraud detection by changing their IP address regularly, but were easily detected and defeated. Even though the customer data changed constantly during this high-velocity attempt, it was easy to see that the email was fake, and with Kount’s AI-driven unsupervised machine learning paired with supervised machine learning, we were able to identify these transactions as high risk.

  • Unsupervised Machine Learning: Detects emerging fraud attacks
  • Supervised Machine Learning: Learns from past decisions to prevent new attacks

For every business Kount protects, we develop a sense of what “normal” looks like in order to detect events that are out of the ordinary. This means we are able to follow a business’ traditional digital sales traffic or transaction percentages in addition to more advanced early warning signs. When an event or collection of events occurs that is outside of this normal, such as an increase in decline rates, we can immediately notify our customers’ internal teams that an attack occurred and was rebuffed in real time via unsupervised and supervised machine learning paired with our industry expertise and best practices.

Some criminals recognize that thousands of requests in an hour are conspicuous and take a more subtle approach, making the same number of attempts spread out over days, weeks, or even months. These slow-rolled attacks are called “Drip Attacks.” Much like a leaky faucet, they attempt to stay under the radar by limiting the number of attempts per hour, spreading the attack across a much longer timeframe and slowly feeding credentials until a successful hit. Rather than thousands of events in an hour, they may make a single purchase every 10 minutes in an attempt to circumvent velocity or IP checks. These attacks are costly and deliberate and require a higher level of expertise to execute, yet they are effective against basic fraud tools that are trained to catch simple velocity attempts.

Kount is able to determine how many times an email has been seen in the last hour, day, or more by accessing a variety of signals from all transactions with our supervised and unsupervised machine learning. Kount is not limited by time-bounded transaction velocities – we are still going to make the same connections that this is a high-risk customer/event based on the context around the event itself and the billions of other events Kount has evaluated.
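The following is an added illustration, not Kount's code, of why a single hour-bounded velocity rule misses the drip pattern described above while a longer window plus a distinct-IP count does not. The event data and the threshold values are constructed for the example and are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, email, source IP); not real traffic.
BASE = datetime(2020, 6, 24, 0, 0)
EVENTS = []
# Normal customer: three checkouts over the day from one address.
for h in (8, 12, 19):
    EVENTS.append((BASE + timedelta(hours=h), "shopper@example.com", "203.0.113.10"))
# Burst pattern: 60 attempts within one hour, rotating source IPs.
for i in range(60):
    EVENTS.append((BASE + timedelta(hours=14, minutes=i), "burst@example.net", f"198.51.100.{i % 20}"))
# Drip pattern: one attempt every 10 minutes for 24 hours, rotating source IPs.
for i in range(144):
    EVENTS.append((BASE + timedelta(minutes=10 * i), "drip@example.net", f"192.0.2.{i % 50}"))

HOURLY_LIMIT = 20   # assumed limit a basic per-hour velocity rule enforces
DAILY_LIMIT = 30    # assumed longer-window limit that exposes the drip
IP_LIMIT = 5        # assumed distinct source IPs per email before it is suspicious

def max_in_window(times, window):
    """Largest number of events falling inside any sliding window of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def assess(events):
    """Per-email velocity over 1h and 24h windows plus distinct-IP count, with a verdict."""
    by_email = defaultdict(list)
    for ts, email, ip in events:
        by_email[email].append((ts, ip))
    report = {}
    for email, rows in by_email.items():
        times = [ts for ts, _ in rows]
        hourly = max_in_window(times, timedelta(hours=1))
        daily = max_in_window(times, timedelta(hours=24))
        ips = len({ip for _, ip in rows})
        if hourly > HOURLY_LIMIT:
            verdict = "burst"          # the hour-bounded rule alone catches this
        elif daily > DAILY_LIMIT or ips > IP_LIMIT:
            verdict = "drip"           # only visible with the longer window / IP context
        else:
            verdict = "normal"
        report[email] = {"max_1h": hourly, "max_24h": daily, "ips": ips, "verdict": verdict}
    return report

if __name__ == "__main__":
    for email, metrics in assess(EVENTS).items():
        print(email, metrics)
```

In the constructed data the drip email never exceeds 7 attempts in any hour, so the hourly rule passes it, while the 24-hour count and the number of distinct IPs flag it.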

These attacks are not treated as isolated incidents. Once we detect an attack, we apply this newfound knowledge across our network to protect other clients from a similar attack. When the same device, email, address, or card is used again somewhere else on the Kount network, we are able to assess that risk in real time in the context of the attack. In other words, Kount applies a “herd immunity” to the rest of Kount’s merchant network based on what we have already seen. This is referred to as Kount’s network effect.

Bot attacks occur every day and can substantially impact any type of digital business. With the democratization of computing power and available fraud knowledge, they will only become more prevalent and sophisticated as more value is locked behind logins, account creations, or checkouts online.

The good news for Kount customers is that we stop these attacks before they do any damage and without the need for human intervention.

Brady Harrison is a Senior Data Analyst specializing in fraud mitigation and performance at Kount. Via machine learning, data analytics, and research, he ensures customers can scale their business while maintaining an appropriate risk posture against cybercriminals. With a passion for security and curiosity for all things cybercrime, he is an experienced speaker and panelist on fraud mitigation and risk covering a variety of topics from eGift card fraud to account takeover.
