Don’t let Grinch bots put coal in your stocking


From a cybersecurity perspective, the end of 2021 had two newsworthy events: The Log4j zero-day exploit and widespread use of Grinch bots. While the former has hopefully been resolved, even if it is still being felt by security teams, the latter doesn’t have an easy solution. To make matters more difficult, we expect to see an increase in bots impacting both the online shopping experience and retail organizations as we enter 2023. Ultimately, it will take an industry-wide effort to combat these bots and bring the joy back to virtual shopping. 

Just like its namesake, a Grinch bot actively works to steal gifts from under the noses of holiday shoppers. Grinch bots are designed to quickly buy products online as they become available. These bots are often created to purchase a product that’s on sale, then sell it for a profit. The advantage of using a bot to make these purchases is that it can move faster than human shoppers, snapping up entire inventories of a product in seconds. 

These Grinch bots, and other bot attacks, don’t just harm consumers, however. Think about it: If a bot is programmed to select a store’s inventory of a product and choose the store pickup option, and never actually picks up or pays for the product, the store’s inventory will be frozen. And when a bot makes fraudulent purchases, the brands will still need to pay the credit card transaction fees, potentially resulting in a brand’s removal from point-of-sale platforms. Transaction fees and frozen inventories can both be crippling for brands and their ability to do business. 

Bots aren’t going away anytime soon

Ultimately, bots harm the customer experience and hurt a brand’s reputation. In fact, a recent survey found that for 97% of organizations, bot attacks impacted customer satisfaction. In one particularly egregious example, a popular footwear brand found that 97% of the traffic for an online sale was made up of bots. Needless to say, that probably left the majority of human customers with a negative shopping experience. Consumers now expect a seamless, level playing field when it comes to online shopping. As supply chains are still stretched, replenishing inventories that have fallen victim to bot attacks can become costly and time-intensive. 



This has become such an important issue that the U.S. Congress even stepped in and proposed a “Stopping Grinch Bots Act” to try to clamp down on these bots. While the act hasn’t yet been passed, brands can still take steps to thwart the bots, improving customer experience and safeguarding inventories from cybercriminals. Bot traffic increased 106% year-over-year in 2021. It’s past time for the retail industry to take action.

Application developers must account for bots during the development process. Retail owners need to be aware of the threat posed by bots and protect their brand and their customers. Security practitioners have to limit access to their sites to actual customers. 

Defending against bot attacks is all about the context 

One way cybercriminals are using bots to attack organizations is by targeting the APIs that power many online transactions. In a recent survey, 60% of brands reported that bots were targeting their APIs at the beginning of 2022. That’s up from 46% in 2021. Often, threat actors will use bots as part of their reconnaissance efforts to identify vulnerabilities, especially with APIs.

API weak points typically expose more business logic and, thus, more data, including personally identifiable information (PII). Attackers use bots in this phase because doing so allows them to quickly explore, gather information and test things out while being less likely to be detected.

As attackers figure out how to outmaneuver security controls, defending against bot attacks can be difficult. For example, for organizations that do business only in certain regions, geo-blocking has been a standard security control: you simply block any IP addresses coming from a location where you are not doing business. Today, however, attackers use botnets made up of thousands of IP addresses, which lets them work around geo-blocking. When they realize that certain countries, continents or regions are getting blocked (or that particular user agents or payloads are), they simply edit their attack traffic.

Modern solutions for modern bots

Attempting to block bots can end up like a game of “whack-a-mole.” The result can be that actual human customers are prevented from accessing the site, making purchases or having a positive experience. This is obviously not a sustainable business practice. So brands should look to modern solutions for today’s complex bot problems.

One important method for mitigating the bot threat is to gain context. Not every bot attack is overt. Often attackers go “low and slow” to stay beneath any detection threshold and not trip any defenses that may get them blocked. Gaining historical context, however, helps security teams identify patterns and suspicious behavior to better protect against bots. 
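The contrast between a threshold-only control and historical context, as an added illustration that is not part of the original article or of any ThreatX product: it assumes a simplified access log with a per-request account identifier, and all IPs, account names and paths are constructed placeholders. The naive per-IP rate check never fires on a bot that rotates botnet IPs at one request every five minutes, while grouping the same account over the whole window and measuring timing regularity does.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): time, client IP, account, path. "acct-7" is a
# hypothetical low-and-slow bot rotating botnet IPs every 5 minutes; "acct-3" a human.
SAMPLE_LOG = """\
2023-11-24T00:00:00 203.0.113.10 acct-7 /api/inventory/check
2023-11-24T00:05:00 198.51.100.21 acct-7 /api/inventory/check
2023-11-24T00:10:00 192.0.2.33 acct-7 /api/inventory/check
2023-11-24T00:15:00 203.0.113.44 acct-7 /api/inventory/check
2023-11-24T00:20:00 198.51.100.55 acct-7 /api/cart/add
2023-11-24T00:01:12 203.0.113.90 acct-3 /api/inventory/check
2023-11-24T00:03:47 203.0.113.90 acct-3 /api/cart/add
2023-11-24T00:09:31 203.0.113.90 acct-3 /api/checkout
"""

def parse(log):
    """Turn each log line into (timestamp, ip, account, path)."""
    rows = []
    for line in log.splitlines():
        ts, ip, acct, path = line.split()
        rows.append((datetime.fromisoformat(ts), ip, acct, path))
    return rows

def per_ip_rate_alerts(rows, max_per_minute=10):
    """Naive control: flag an IP only when it exceeds a per-minute threshold."""
    buckets = defaultdict(int)
    for ts, ip, _, _ in rows:
        buckets[(ip, ts.replace(second=0))] += 1
    return sorted({ip for (ip, _), n in buckets.items() if n > max_per_minute})

def contextual_alerts(rows, min_ips=3, max_jitter=0.1):
    """Historical context: group by account over the whole window and flag
    accounts that spread across many IPs with machine-regular timing."""
    by_acct = defaultdict(list)
    for ts, ip, acct, _ in rows:
        by_acct[acct].append((ts, ip))
    flagged = []
    for acct, events in by_acct.items():
        events.sort()
        ips = {ip for _, ip in events}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if len(ips) < min_ips or len(gaps) < 2 or not any(gaps):
            continue
        jitter = statistics.pstdev(gaps) / statistics.mean(gaps)  # 0 = periodic
        if jitter <= max_jitter:
            flagged.append(acct)
    return sorted(flagged)
```

The thresholds here are arbitrary; in practice they are tuned against a baseline of known-human sessions rather than picked by hand.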

Regardless of your protection method, if your organization has yet to do so, now is the time to seriously begin preparing for the deluge of holiday shoppers. Taking action now may be the difference between ensuring your customer experience remains a positive one, and leaving your customers feeling like they got a lump of coal in their stocking.

Neil Weitzel is SOC Manager at ThreatX

Originally appeared on: TheSpuzz