E-commerce Firms Beware! A New Type of Bad Bot Is Targeting Your Login Page this Holiday Season

Radware Bot Manager
Sep 24, 2020

Cybercriminals are siphoning the PII of millions of shoppers. Dubbed “AuthBots” because of their persistent attempts at cracking authentication, this botnet group targets e-commerce firms with large-scale credential stuffing and credential cracking attacks to take over user accounts. Using an army of bots run from fraudulently acquired IP addresses, the AuthBots made nearly 2.3 billion hits on the login pages of e-commerce businesses during Q1 to Q3 2019. AuthBots target all e-commerce firms with mandatory login.

Security researchers from Radware first noticed similar bot fingerprints across many e-commerce domains in late 2018 and started tracking the botnets. The following report illustrates the sophistication and rapid evolution of AuthBots and their damaging effect on the e-commerce ecosystem. Because Radware researchers’ analysis is limited to the domains we monitor, it possibly captures only a fraction of AuthBots’ true impact; the total ongoing impact on the e-commerce ecosystem may be larger.

A Snapshot of AuthBot Operation

Observed First: Late 2018
Volume: Nearly 2.3 billion hits on login pages of e-commerce firms during Q1 — Q3 2019
Operation Infrastructure: 52 million AuthBot hits originated from 10 prominent data centers/public clouds
Operation method: (1) Credential stuffing attacks using stolen/purchased credentials (2) Credential cracking or brute force attack

Advanced Techniques to Evade Detection

  • Manipulation of geolocation and IP addresses through proxy servers
  • Over half of AuthBot hits originated from datacenters/public cloud services
  • Most of the IPs used by AuthBots are in the US
  • Distributed over hundreds of randomly assigned IP addresses & residential proxies
  • Human-like keystrokes and mouse movements
  • Use of machine learning and Robotic Process Automation (RPA) to help bots work as a standalone software module
  • Daisy-chained so that they can be managed through one centralized server

Figure 1: Origin of AuthBots — Top 10 Public Cloud/Data Centers

Figure 2: Origin of AuthBots — Top Countries

Business Impact

  • From Q1 to Q3 2019, AuthBots made up a significant percentage of the traffic on targeted e-commerce firms’ login pages.
  • Once an AuthBot operation is successful, PII and payment card details of compromised accounts are stolen.

Figure 3: Business Impact of AuthBots — Monthly Presence

Recommendations to Prevent AuthBot Attacks

AuthBots are predominantly fourth-generation bad bots. These bots can connect through thousands of IPs based in different geographies and mimic human behavior. Detecting and mitigating AuthBots requires advanced technology, such as that offered by a dedicated bot management solution provider. However, the following are a few measures that e-commerce firms can implement to restrain AuthBot activity until they deploy a dedicated solution.

  1. Block Bad Bot Harboring Public Clouds/Data Centers
  2. Monitor Failed Login Attempts and Sudden Spikes in Traffic
  3. Build Capabilities to Identify Automated Activity in Seemingly Legitimate User Behaviors
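
One way to implement the second recommendation, as an added example rather than Radware's code: because AuthBots spread their attempts over many IP addresses, it counts failed logins per minute across the whole login endpoint instead of per IP, and compares each minute with a rolling baseline. The log format, the thresholds and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def parse(line):
    """Parse 'ISO-timestamp ip username OK|FAIL' (constructed log format)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "FAIL"

def windows(lines, seconds=60):
    """Aggregate login events for the whole endpoint into fixed time windows."""
    agg = defaultdict(lambda: {"total": 0, "fail": 0, "ips": set(), "users": set()})
    for line in lines:
        ts, ip, user, failed = parse(line)
        w = agg[int(ts.timestamp()) // seconds * seconds]
        w["total"] += 1
        w["fail"] += failed
        w["ips"].add(ip)
        w["users"].add(user)
    return dict(sorted(agg.items()))

def flag_spikes(agg, factor=3.0, min_fail_ratio=0.5, warmup=3):
    """Flag windows whose failures exceed factor x the median of earlier
    unflagged windows and whose failure ratio is at least min_fail_ratio."""
    alerts, history = [], []
    for start, w in agg.items():
        ratio = w["fail"] / w["total"]
        if len(history) >= warmup:
            base = max(median(history), 1)
            if w["fail"] > factor * base and ratio >= min_fail_ratio:
                alerts.append((start, w["fail"], len(w["ips"]), len(w["users"])))
                continue  # keep suspected attack windows out of the baseline
        history.append(w["fail"])
    return alerts

def sample_log():
    """Constructed data: five ordinary minutes plus a distributed burst in the last."""
    lines = []
    for minute in range(5):
        for i in range(20):  # ordinary shoppers, 10% mistyped passwords
            res = "FAIL" if i < 2 else "OK"
            lines.append(f"2019-11-29T10:{minute:02d}:{i:02d}+00:00 198.51.100.{i} user{i} {res}")
    for i in range(40):  # one attempt per IP and per username, so per-IP limits never trip
        lines.append(f"2019-11-29T10:04:{i:02d}+00:00 203.0.113.{i} victim{i} FAIL")
    return lines

if __name__ == "__main__":
    for start, fails, ips, users in flag_spikes(windows(sample_log())):
        print(start, fails, "failures from", ips, "IPs against", users, "usernames")
```

In the flagged minute every attacking IP made a single attempt, which is why the alert also reports the distinct IP and username counts: a high failure count spread thinly over many sources and accounts is the pattern to review.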

Learn more about AuthBots in the E-commerce Industry Automated Threat Landscape report.

Note: A version of this article first appeared in Digital Commerce 360.
