Botnet attacks: What are they and how to prevent them
Doorbells that order pizza or light switches that watch YouTube? It’s all possible with botnets.
Many of the technical devices we rely on every day — webcams, baby monitors, thermostats, doorbells — connect to the internet. But limited or no built-in security measures make them easy targets for malware and takeover. Though individual doorbells and light switches don’t pose significant threats to businesses, thousands of these devices are compromised every day and used for illicit purposes that can materially impact an organization.
Bad actors can use hundreds or thousands of compromised devices to shut down websites, take over customer accounts, or test credit cards. These sophisticated botnet attacks are on the rise and can lead to credential leaks, unauthorized account access, and data theft, including loss of monetary value and credit card information.
What is a botnet attack?
“Botnet” is a combination of the words “robot” and “network” and refers to a group of internet-connected devices controlled by a central system. The phrase “Internet of Things” describes the technology that connects everyday devices to the web to provide additional data or functionality. Unlike most personal computers and devices with robust anti-malware and anti-virus software, these everyday objects are easily infected with malicious software that allows for remote control of the device. Once devices are under their control, bad actors can run complex commands and software from the basic hardware embedded into these devices to aid in data theft and other attacks.
Unfortunately, the difficulty and cost of launching a botnet attacks is falling rapidly. Not all botnets are malicious, but bad actors can use them to launch account takeover attacks, gain unauthorized access to customer accounts, steal data, and launch Distributed Denial of Service Attacks (DDoS) attacks.
Some botnets are privately held and controlled. But many are freely available for bad actors to purchase or lease by the hour to execute scripts, no matter how illicit. Though many are run on the back of compromised physical devices, bad actors can easily and cheaply spin-up thousands of virtual machines to execute attacks. Once compromised or created as a virtual machine, bad actors can program each device combo lists of usernames and passwords obtained via security breaches.
The botnet is then commanded to go out on the web and test those credentials against banks, quick-service restaurants, or streaming services. In some cases, botnets are sophisticated enough to independently go to websites, open particular screens, and execute scripts to fill checkout pages with email addresses, card details, and shipping addresses thousands of times a minute. With a couple of hours of coding, a botnet can make thousands of purchases, login attempts, or account changes.
By using a botnet connected with hundreds or even thousands of devices, all with their own unique IP addresses, the bad actor can hide their location and circumvent basic velocity checks. In other words, they distribute their traffic across devices and locations to prevent their original identity and location from being easily determined.
Case study: The largest attempted DDoS attack occurred in early 2020
Bad actors use botnets to launch DDoS attacks to create a virtual traffic jam with hundreds of thousands of fake or malformed requests for data from a website or IP address. These attacks prevent legitimate users from accessing a site. Amazon Web Service said it mitigated a 2.3 Terabyte DDoS attack in February 2020, the largest ever attempted. Today, most DDoS attacks usually peak in the 500 gigabyte range, which is why news of the AWS 2.3 terabyte attack was a surprise for industry players.
Botnet attacks for account takeover
Bad actors have a variety of attack vectors when they use botnets. But the most common technique used in an account takeover is a brute-force attack. A brute-force attack occurs when the botnet systematically submits hundreds – sometimes thousands – of passwords with a single username until the correct combination unlocks the account. The goal of these attacks is to access some type of stored value locked behind a login. Once in an account, bad actors can steal personal information or drain the account of value by making purchases, transferring funds, or spending loyalty points. Ultimately, bad actors can resell information or goods on legitimate or dark marketplaces.
To protect accounts, many solutions on the market today use “blunt” techniques to stop account takeover. They immediately block suspicious logins based on limited data and basic velocity checks. But they fail to detect more sophisticated attacks and create unnecessary customer friction. Denying a good customer access or applying additional layers of friction to confirm their identity causes frustration. Even the smallest level of friction can damage a brand’s reputation and rebuff a loyal customer. These blunt tools not only impact the customer experience, but they also reduce revenue by blocking legitimate activity. Dynamic friction would provide the same level of protection and result in fewer false positives.
Kount combines advanced AI and machine learning to prevent botnet attacks
Bot attacks occur every day and can substantially impact any type of digital business. And as computing power expands, they will only become more prevalent and sophisticated as businesses store more value behind customer accounts. The good news is Kount’s solutions can stop botnet attacks before they do any damage and without the need for human intervention. Let’s look at a few kinds of botnet attacks and how Kount stops them.
Botnet attack: Web traffic increase
Kount has always been able to detect and stop botnet attacks at checkout. But moving that detection and prevention higher in the customer journey is critical to mitigating the cost of these attacks on your business and customers. Kount Control for account takeover protection evaluates user behavior, device, and network anomalies to detect high-risk activity posed by bots, credential stuffing, and brute-force attacks. Kount Control’s protection determines in real time whether a login should be allowed, declined, or challenged with step-up authentication.
For example, a businesses seeing a spike in web traffic can be a great sign of a growing business and in-demand products. But when a spike is evaluated within the context of other fraud and risk metrics, more traffic can be a sign of a botnet attack. For one e-commerce platform, Kount quickly identified that a spike in traffic was not an increase in sales. It was a sophisticated card testing attack from compromised accounts. Using anomaly detection, Kount’s suite of tools prevented the fraud attempt without any need for human intervention.
Botnet attack: Placing mass orders with fake email addresses
It’s important to note that not all botnet attacks are that sophisticated. For example, a bad actor can program a botnet to place more than 25,000 orders in less than an hour using a fake email address. The bad actor attempts to avoid fraud detection by changing their IP address regularly. Despite consistently changing customer data in this high-velocity attempt, Kount Command’s AI and machine learning can easily detect that the email is fake and flag transactions as high-risk. The advantage here is that unsupervised machine learning detects the emerging fraud attack while supervised machine learning uses past decisions to identify high-risk activity.
For every business, Kount’s AI develops a sense of what “normal” looks like to detect events that are out of the ordinary. Essentially, it can follow a business’s traditional digital sales traffic or transaction percentages as well as more advanced early-warning signs. Let’s say an event or collection of events occurs outside the norm, such as an increase in decline rates. Kount uses two types of machine learning, as well as industry expertise and best practices, and notifies internal teams that an attack occurred and was rebuffed in real time.
Botnet attack: Slow-roll drip attacks
Some bad actors see the high-profile vulnerability of thousands of requests and take a more subtle approach. They’ll make the same number of attempts across days, weeks, or even months. These slow-rolled drip attacks limit the number of attempts per hour by spreading the attack across a much longer timeframe. They’ll slowly feed credentials until they get a successful hit. Rather than thousands of events in an hour, they may make a single purchase every 10 minutes to avoid velocity or IP checks. Drip attacks attacks are costly and deliberate and require a higher level of expertise to execute. And they’re effective against basic fraud tools that are trained to catch simple velocity attempts.
Kount’s Email Insights uses supervised and unsupervised machine learning to determine how many times an email has been seen in the last hour, day, or more by accessing a variety of signals across transactions. Kount is not limited by time-bounded transaction velocities. It’s going to make the same connection that an event is high-risk based on the context around the event itself and the billions of other events Kount has evaluated.
Kount doesn’t treat any botnet attacks as isolated incidents. Once Kount detects an attack, the knowledge is dispersed across the Identity Trust Global NetworkTM to protect others from similar attacks. When the same device, email, address, or card is used again elsewhere on the network, Kount’s networked data can better assess risk in the context of the attack, applying “herd immunity” to the rest of Kount’s merchant network based.