Heading into Black Friday, Cyber Monday and this holiday season, the biggest security threat may come from bots designed to steal credentials, overwhelm e-commerce sites and siphon funds from gift cards.

To better understand the threat, the San Francisco-based bot detection and mitigation company Distil Networks analyzed 2016 holiday traffic to approximately 600 e-commerce sites as well as a sample of 2,600 non-e-commerce sites over a six-day period.

Distil found that bots (automated programs or scripts written to perform specific tasks on behalf of their operator) were most likely deployed for one or more of the following purposes over last year's holiday season:

1. Scraping sale prices so competitors can match deals in near real-time.

2. Flooding a competitor's site with more requests than it can handle (denial of service) to hurt its sales.

3. Skewing analytics to impact conversion rates or performance metrics.

4. Clicking on ads to drive up digital ad spend costs.

5. Buying up limited-availability or temporarily discounted goods to resell later at a higher price.

6. Populating forums (likely the customer review section of the site) with ads for a competitor.

7. Stealing gift card balances. The Distil team actually started noticing increased bot activity on customer websites with gift card processing capabilities in February 2017.

“One of the good things for consumers is price breaking bots are going into overdrive,” Edward Roberts, director of product marketing at Distil Networks, offered. “So, competitors scraping each other's prices to make sure they're not getting beaten by a deal from one of their competitors are going to increase. This will help lower prices.”

However, the good news for consumers is not all good news for e-commerce sites.

Last year, according to Distil, bad bots accounted for 15.6% of web traffic on e-commerce sites, and about half of that (7.8%) came from advanced persistent bots (APBs). Good bots, such as search engine crawlers, application performance tools and scanners, accounted for 9.3% of traffic. The remaining 75.2% was human.

In 2016, almost 25% of requests made on e-commerce sites came from a bad bot; on average, bad bots generate 22% of e-commerce traffic. There was a noticeable spike in bot traffic just before midnight on Cyber Monday, indicating that bots were being staged for the day when most sale prices change to lure online shoppers.

E-commerce sites are particularly vulnerable during traffic spikes such as Black Friday and Cyber Monday. “They're probably trying to hide themselves in increased traffic of online shoppers,” said Roberts, who advised organizations and businesses to look for signs of abnormal website traffic. “Don't think that is just an accident.”

Bad bots go to great lengths to avoid detection and penetrate deeper into applications. Once behind the login page, they can access shopping carts to scrape more exclusive product pricing, resulting in skewed cart abandonment metrics.

Unfortunately for e-commerce, bad bots favor sites holding pricing and proprietary data, such as those with product descriptions, logins, web forms and payment processing. Sites with one or more of these characteristics almost certainly have skewed analytics. According to Distil's Bad Bot Report 2017, 97% of websites have pricing and proprietary data scraped. Such sites are also springboards for other criminal activity, such as fraud and outright theft.

Roberts explained that bad bots strike 96% of login pages, looking to take over accounts or to test stolen login credentials collected from other sites or breaches. In 2016, hackers stole some three billion credentials, some of which they used in account takeovers.

Bots hitting e-commerce sites are bad not only for businesses but also for financial institutions, because credential-related criminal activity rises along with the account takeovers that APB activity enables.

The big security threat here is credential stuffing: the use of automated tools to test stolen username/password pairs en masse against other websites. The practice isn't new, but cheap, readily available automation, bots in particular, is fueling its growth.

Other terms used in relation to credential theft include password recycling (reusing the same password across multiple online accounts) and credential spilling (the release of massive numbers of user credentials onto the dark web).

During a credit card breach, the primary account number (PAN) and cardholder name are leaked. While some payment sites accept the PAN and cardholder name alone as verification, others require additional fields such as the CVV, card expiration date and cardholder address.

According to Distil, a bad bot making guesses across 30 payment sites at once can match the CVV, expiration date and address to a leaked cardholder name and PAN in about four seconds. At that rate, a single operator can verify 21,600 stolen credit cards per day.

This affects the card theft victims, the issuing financial institutions, such as credit unions, and the payment sites. “Financial institutions have to deal with all the chargebacks and remedies for the fraudulent payments,” Roberts explained.

APBs also arbitrage deals across competing sites by reserving inventory on one site and posting the same items for sale elsewhere. They complete the transaction on the first site only when an item sells on the other, skewing conversion rates because the abandoned carts hold items that never sell.

APBs can also execute JavaScript, accept and store cookies, and emulate mouse clicks and varied click patterns, so they appear as valid human customers and are tracked as such.

Unforeseen, massive traffic spikes are the most obvious sign that bad bots are attacking a site, particularly when the source of the spike is unusual, such as a foreign country or proxy networks. An aggressive bad bot campaign can also push traffic beyond a web infrastructure's capacity, leading to denial of service.

Distil Networks noticed some bad bots becoming more efficient as their operators adopted low-and-slow techniques: attacks in which many bots each make only a few small requests, generating less noise and making the campaign much harder to detect.
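The two detection problems described above, credential stuffing against a login page and the low-and-slow variant that spreads the same campaign across many source addresses, can be illustrated with a small log-analysis routine. The following is an added example, not code from the article or from Distil; the log format (one login attempt per line, space-separated key=value fields) and the sample traffic are constructed for illustration, and the thresholds are arbitrary starting points rather than anything Distil recommends.

```python
"""Flag credential stuffing in authentication logs.

Added example (not from the article or Distil). The log format is an
assumed one: space-separated key=value fields, one login attempt per line.
"""
from collections import defaultdict

# Constructed sample log, not real traffic. A normal user (198.51.100.7)
# mistypes a password once; a noisy stuffing source (203.0.113.5) tries
# many distinct usernames from a single IP.
SAMPLE_LOG = """\
ip=198.51.100.7 ua=Firefox/57.0 user=alice result=ok
ip=198.51.100.7 ua=Firefox/57.0 user=alice result=fail
ip=198.51.100.7 ua=Firefox/57.0 user=alice result=ok
ip=203.0.113.5 ua=python-requests/2.18 user=alice result=fail
ip=203.0.113.5 ua=python-requests/2.18 user=bob result=fail
ip=203.0.113.5 ua=python-requests/2.18 user=carol result=fail
ip=203.0.113.5 ua=python-requests/2.18 user=dave result=fail
ip=203.0.113.5 ua=python-requests/2.18 user=erin result=ok
ip=203.0.113.5 ua=python-requests/2.18 user=frank result=fail
"""

# Constructed low-and-slow campaign: ten IPs, two attempts each, all sharing
# one client fingerprint (here simply the User-Agent string).
LOW_AND_SLOW = "".join(
    f"ip=192.0.2.{i} ua=SlowBrowser/4.0 user=user{2 * i} result=fail\n"
    f"ip=192.0.2.{i} ua=SlowBrowser/4.0 user=user{2 * i + 1} result=fail\n"
    for i in range(1, 11)
)


def parse_log(text):
    """Parse key=value lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(field.split("=", 1) for field in line.split()))
    return events


def summarize(events, key):
    """Aggregate attempts, failures, distinct users and IPs per value of `key`."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ips": set()})
    for e in events:
        s = stats[e[key]]
        s["attempts"] += 1
        s["fails"] += e["result"] == "fail"
        s["users"].add(e["user"])
        s["ips"].add(e["ip"])
    return stats


def flag_stuffing(events, key, min_users=5, min_fail_rate=0.8):
    """Return {key_value: metrics} for groups that look like stuffing:
    many distinct usernames attempted with a high failure rate.
    Thresholds are illustrative; tune them against your own baseline."""
    flagged = {}
    for value, s in summarize(events, key).items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged[value] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "distinct_ips": len(s["ips"]),
                "fail_rate": round(fail_rate, 2),
            }
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG + LOW_AND_SLOW)
    # The per-IP view catches the noisy source but misses the slow campaign,
    # because each of its IPs stays under the distinct-user threshold.
    print("by ip:", flag_stuffing(events, "ip"))
    # Grouping by client fingerprint instead of IP pulls the slow campaign together.
    print("by ua:", flag_stuffing(events, "ua"))
```

The point of the second grouping is the one the article makes: once attempts are spread thinly enough, per-IP counters never fire, so the aggregation key has to be something the campaign shares (a User-Agent string here; in practice a richer client fingerprint or a shared ASN).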

During the past year, the Distil Networks analyst team uncovered GiftGhostBot, an APB that targets gift card payment processes on websites. The bot attempts to defraud consumers of the money loaded onto gift cards from a variety of retailers.

Fraudsters probe a rolling list of potential account numbers and request each one's balance. When a lookup succeeds, they can resell the account number on the dark web or use it to purchase goods.

GiftGhostBot is distributed worldwide across hosting providers, mobile ISPs and data centers, and it executes JavaScript to avoid detection. On one customer website, the Distil analyst team recorded four million bad bot requests per hour, almost 10 times the site's normal level of traffic. On average, the operators of GiftGhostBot can test as many as 1.7 million gift card account numbers per hour.
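The balance-check endpoint is what makes the enumeration described above possible: it answers a yes/no question about whether an account number exists and is funded. The following added example (not code from the article, Distil or any retailer) shows the server-side controls a practitioner would want on such an endpoint: a PIN in addition to the card number, an identical response for unknown numbers and wrong PINs so the endpoint is not an oracle for which numbers exist, and sliding-window limits keyed both by client and by card number so a campaign spread across many sources still hits a ceiling. The card store, PIN scheme and limits are assumptions for illustration.

```python
"""Harden a gift-card balance-check endpoint against enumeration.

Added example (not from the article or Distil). The card store, PIN scheme
and limits below are assumptions for illustration.
"""
import hmac
from collections import defaultdict, deque

# Constructed card store (not real cards): number -> (PIN, balance in cents).
CARDS = {
    "6006491234567890": ("4821", 5000),
    "6006491234567891": ("1190", 2500),
}


class BalanceLookupGuard:
    """Sliding-window limits keyed by client (IP/session) and by card number.

    Limiting per card as well as per client matters because, as the article
    notes, enumeration bots spread their requests across many sources."""

    def __init__(self, max_per_client=5, max_per_card=3, window=60.0):
        self.max_per_client = max_per_client
        self.max_per_card = max_per_card
        self.window = window
        self._client_hits = defaultdict(deque)
        self._card_hits = defaultdict(deque)

    def _live(self, hits, now):
        # Drop timestamps that have aged out of the window; return the rest.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        return len(hits)

    def allow(self, client, card, now):
        client_hits = self._client_hits[client]
        card_hits = self._card_hits[card]
        if (self._live(client_hits, now) >= self.max_per_client
                or self._live(card_hits, now) >= self.max_per_card):
            return False
        client_hits.append(now)
        card_hits.append(now)
        return True


def check_balance(guard, client, card, pin, now):
    """Handle one balance request. `now` is an injected timestamp so the
    behaviour is deterministic; a real service would use time.monotonic()."""
    if not guard.allow(client, card, now):
        # Log this internally; many deployments return the same body as
        # 'invalid' so the bot cannot tell rate limiting from a miss.
        return {"status": "rate_limited"}
    record = CARDS.get(card)
    # Unknown number and wrong PIN get the identical answer, and the PIN is
    # compared in constant time: the endpoint must not reveal which numbers exist.
    if record is None or not hmac.compare_digest(record[0].encode(), pin.encode()):
        return {"status": "invalid"}
    return {"status": "ok", "balance_cents": record[1]}


if __name__ == "__main__":
    guard = BalanceLookupGuard()
    # A bot walking sequential numbers from one client: five misses, then blocked.
    for i, n in enumerate(range(80, 88)):
        card = f"60064912345678{n:02d}"
        print(card, check_balance(guard, "203.0.113.9", card, "0000", now=10.0 + i))
```

The per-card limit is the trade-off to think about: it stops a distributed bot from hammering one number with PIN guesses, but it also means a legitimate holder who checks the same card four times in a minute gets throttled, so the window and ceiling should be set from observed customer behaviour, not guessed.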

Distil expects more gift card abuse between Thanksgiving and Christmas in 2017, when gift card sales should surge. “We might see a spike of bot operators trying to steal the balances on newly processed gift cards.”

About 40% of gift card recipients do not use the full value of their cards, so stolen balances most likely go unnoticed in most cases. CEB projects total gift card volume will reach $160 billion by 2018.

© 2024 ALM Global, LLC, All Rights Reserved.

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S Interior Department, National Park Service and Warren County (N.Y.).