CyberWire Daily - An increase in bypassing bot management? [Research Saturday]
Episode Date: September 17, 2022. Sam Crowther, CEO of Kasada, joins Dave to discuss their work on "The New Way Fraudsters Bypass Bot Management." Kasada researchers recently discovered a new type of bot called Solver Services, which... is used and created by bad actors to bypass the majority of bot management systems. The research states "Now it’s easier than ever for mainstream bot operators to scrape content, take over accounts, hoard inventory, and commit other forms of automated fraud against organizations using legacy bot management solutions." Attackers are able to buy these “Solver” bots, APIs, and services for less than $500 per month to make a profit. The research can be found here: The Emergence of Solver Services: The New Way Fraudsters Bypass Bot Management Vendors
Transcript
You're listening to the CyberWire Network, powered by N2K.

Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We actually uncovered this ecosystem that did not really exist a few years ago and has
just been getting stronger and stronger. And that's this system of solver bots, the solver APIs that have been built and distributed
to actually target specific anti-bot vendors and bypass them completely.
That's Sam Crowther.
He's founder of anti-bot company Kasada.
The research we're discussing today is titled The New Way Fraudsters Bypass Bot Management.
Now, just to be clear, we're using the term solver bot here as in to solve a problem.
Is that where the phrase comes from?
Yeah, so solver being a generic term, I guess the succinct description of them is basically
their goal is to get a valid cookie to someone to abuse, right?
That's essentially what they do.
So I think where solver comes into it is these anti-bot vendors have JavaScript challenges which need solving, and these adversaries have built tools
to solve the challenges and return the valid responses in order to be classified as human
and let people abuse the backend system.

Well, let's walk through this together. I mean, can we start off with just a description of how bot mitigation typically works?

Yeah, so bot mitigation comes in two components. One is the
client side, and then one is the network and session of the back end side. So on the client
side, a key part of any of this detection is understanding what's happening within the browser,
right? Does this browser look real? Is it moving its mouse?
Does it look like it has a human behind it?
So that upfront detection component
means that traditionally,
botters have to be very, very sophisticated and skilled
in order to be correctly classified as human.
The server side or the backend side
is where it's looking at, you know,
pattern analysis within sessions. Okay, this session's human, what's it doing? How many login
attempts is it making? And things like that. Now, this has sort of evolved in sophistication,
you know, over the last five or 10 years to the point where, you know, there is some very
sophisticated client-side defenses and some awesome machine learning models on the backend.
But inevitably, that's just changed the way these folk attack.

Well, let's dig into the attacks then. I mean, how are they coming at this?

So what they've realized is that as the anti-bot vendors get
better and better, it pushes the skill floor, essentially, like the minimum skill set required up in order to beat them.
So there's a small group of people
who all of a sudden have a very valuable skill
which they can sell en masse.
And so what they've started doing
is reverse engineering these JavaScript challenges, right?
And actually creating automated tools
that reverse engineer them fully automatically,
look at the data that they're expecting to be collected from the browser,
feed legitimate data straight back to their APIs,
and then obtain legitimate sessions.
And so they're doing this in a way that's actually got no browser whatsoever.
And because some of these vendors are so ubiquitous,
it means that the client base for
them is absolutely huge. We track the revenue of one of the big Solver API vendors, and they're
making probably $150,000 a month selling this service. And all they need to do is maintain
their little decoder to correctly interpret the JavaScript and send the correct information to the anti-bot vendor.
How sophisticated of an effort are we talking about here?
So this definitely depends on the specific vendor.
Some are definitely less sophisticated than others.
And look, I would say none of the adversaries are PhDs
or anything like that.
A lot of them are just people who are interested in bots,
who understand the way browsers work
and have realized this is a good way to make some cash.
So they're very smart individuals,
but it's not like they're these sophisticated crime rings
or anything.
Usually it's just one or two people
who realize they've got a valuable skill.
Can you take us through an example
of one of the sessions that you all have tracked here?
Yeah, so what we've seen for some of these solver APIs
is actually where they're used in fraud.
So let's say a fraud group wants to, you know,
wash a million credit cards,
which is some activity we've seen through a payment provider.
What they'll do, instead of building something themselves,
they approach one of these solvers and they say, okay, I want to buy a million sessions
and I want an SLA that all of them will work. And if any don't work, you replace them.
So, they'll take those million sessions and then they will load them into their bot
in order to go and actually, you know, commit the act of fraud that they wanted to,
you know, I guess they set out to.
And so this has become more and more common, right, where these fraudsters have realized
they can just pay a little bit of money and outsource one of the most difficult parts
of any sort of fraud operation, which is beating security systems.
And so what's the cat and mouse here?
I mean, in terms of, you know, the folks whose websites are falling victim to this,
what's to be done there?
Look, this is a responsibility of the anti-bot vendors, right?
That's where the game is.
There is a very clear difference in folk and their ability to iterate
and prevent this sort of behavior.
And understanding that this is even a problem is the first step
to being able to solve
it. But it shouldn't fall on the customer. This is absolutely a responsibility of the individual providing the service. And look, what we're starting to see is it's evolved from the anti-bot vendors, but it's starting to move also into some of the anti-fraud vendors as well. And if that trend is to continue, it won't be long before, you know, someone can buy an off-the-shelf solution to beat most e-commerce, you know, website security products.

How do I know if I have a problem here?

Look, this is one of the interesting and also
scary parts of this, right, is their whole business model is getting sessions that
look good and that are valid. And so, look, usually the best way to figure out if there's
a problem is actually look at your own web traffic data. All right, if you look at, say,
login requests or checkouts over the last two months, what pattern does it follow? Does it
follow day-night cycles? Does it look
like human activity? Does it spike up and down, you know, sort of sporadically? Those are actually
the best indicators that something like this is going on. Because unfortunately, you can no longer
rely on the data and reporting from a vendor when this sort of threat is very, very real.
Hmm. So what sort of questions should I be asking my vendor?
I mean, if I'm engaged with someone who is selling me services to protect me against bots,
how do I make sure that they've got the latest,
greatest stuff out there to keep me safe?
I think this is very much a dialogue around
how aware of the
problem are people and understanding their strategies to address it, right? And it's going
to be different for everyone, but making sure that they can actually articulate this is what we
actively do to combat this type of activity is very important because, you know, what we see is
people sort of hand wave, oh, we have machine learning, we have this, we have that. And the reality is, none of that really matters if someone can send the data that's expected to
the machine learning model, right? ML is only as good as the data it gets. So it's very important
that any vendor in this space has a very active strategy to almost dismember this type of solving
activity.

Can you walk us through some of the technical aspects here?
I mean, what specifically are the solver services doing under the hood?
Yeah, so what they're typically doing is decompiling the JavaScript
that gets delivered to the client,
transforming it into a, you know, a format that they can easily interact with,
and then looking at what sort of data attributes
it's expecting from the client,
it'll then rebuild essentially the entirety
of a virtual browser to make sure all the data is legitimate
and then package that up and send it to the client.
So it's a relatively streamlined process,
which means it's very cost efficient
for a lot of the folk building and selling them.
And where would someone go to buy this sort of thing?
You head to Discord, head to various hacking servers.
Honestly, it's actually very, very accessible.
It's not like it's on the dark web.
You know, it is something anyone really who wants to get access to it can.
Do you suspect that, you know, we're in a cat and mouse game for the foreseeable future here?
Absolutely.
Like what they're doing is not illegal, which is unfortunate.
They are actively bypassing security systems, yet they're not the ones committing the crime.
And so I think they leverage that in their justification, I guess, of what they're doing.

Our thanks to Sam Crowther from Kasada for joining us. The research is titled The New Way Fraudsters Bypass Bot Management. We'll have a link in the show notes.
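The traffic check Sam describes above (do your logins or checkouts follow a day/night cycle, or do they sit flat and spike sporadically?) as an added worked example. This is editorial code written for this page, not Kasada's research or tooling, and it makes some assumptions: access logs in Apache/Nginx combined format, a constructed two-month hourly series built in-line as stand-in data, and illustrative thresholds (at least 14 days of buckets, lag-24 autocorrelation below 0.3 meaning "no diurnal cycle", a peak hour more than 5x the median meaning "spiky") that you would tune against your own baseline.

```python
import math
import random
import re
from datetime import datetime, timedelta

# Apache/Nginx combined-log style line; only the timestamp, method and path matter here.
LOG_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\] "POST (\S+)')

# Constructed sample lines (not real traffic), used to show the bucketing step.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Sep/2022:10:03:12 +0000] "POST /login HTTP/1.1" 200 512',
    '203.0.113.6 - - [17/Sep/2022:10:41:58 +0000] "POST /login HTTP/1.1" 401 98',
    '203.0.113.7 - - [17/Sep/2022:11:15:02 +0000] "GET /login HTTP/1.1" 200 2048',
    '203.0.113.8 - - [17/Sep/2022:12:09:44 +0000] "POST /login HTTP/1.1" 200 512',
]

# Illustrative thresholds (assumptions, not from the research); tune against your baseline.
MIN_HOURS = 24 * 14     # need at least two weeks of hourly buckets before judging
MIN_DIURNAL = 0.3       # lag-24 autocorrelation below this: no visible day/night cycle
MAX_BURST = 5.0         # busiest hour more than 5x the median hour: sporadic spikes


def hourly_counts(lines, path="/login"):
    """Bucket POSTs to `path` into a per-hour count list spanning first..last hour seen."""
    buckets = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group(2) != path:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S").replace(minute=0, second=0)
        buckets[ts] = buckets.get(ts, 0) + 1
    if not buckets:
        return []
    start, end = min(buckets), max(buckets)
    hours = int((end - start).total_seconds() // 3600) + 1
    return [buckets.get(start + timedelta(hours=i), 0) for i in range(hours)]


def autocorr(xs, lag):
    """Sample autocorrelation at `lag`; near 1 when the series repeats every `lag` samples."""
    n = len(xs)
    if lag >= n:
        return 0.0
    mean = sum(xs) / n
    var = sum((x - mean) ** 2 for x in xs)
    if var == 0:
        return 0.0
    return sum((xs[i] - mean) * (xs[i + lag] - mean) for i in range(n - lag)) / var


def traffic_profile(counts):
    """Two features that human-driven login/checkout volume tends to show."""
    median = sorted(counts)[len(counts) // 2]
    return {
        "lag24_autocorr": autocorr(counts, 24),                       # strength of the 24h cycle
        "burst_ratio": max(counts) / median if median else math.inf,  # how spiky the peak hour is
    }


def looks_automated(counts):
    """True when the series lacks a day/night cycle or is dominated by spikes."""
    if len(counts) < MIN_HOURS:
        raise ValueError(f"need at least {MIN_HOURS} hourly buckets, got {len(counts)}")
    p = traffic_profile(counts)
    return p["lag24_autocorr"] < MIN_DIURNAL or p["burst_ratio"] > MAX_BURST


def synthetic_series(days, rng, diurnal, burst_prob):
    """Constructed hourly counts: optional 24h sine wave, +/-10% jitter, random +600 bursts."""
    counts = []
    for h in range(days * 24):
        base = 100.0
        if diurnal:
            # peak mid-afternoon (h=15), trough at 3am; the shape real user traffic tends to have
            base *= 1 + 0.7 * math.sin(2 * math.pi * (h - 9) / 24)
        jitter = 1 + 0.2 * (rng.random() - 0.5)
        burst = 600 if rng.random() < burst_prob else 0
        counts.append(int(base * jitter) + burst)
    return counts


def demo_series():
    """Two constructed 60-day series: a human-looking one, and a flat one with bursts
    (what a batch of purchased 'valid' sessions being replayed tends to look like)."""
    human = synthetic_series(60, random.Random(7), diurnal=True, burst_prob=0.0)
    bot = synthetic_series(60, random.Random(7), diurnal=False, burst_prob=0.05)
    return human, bot


if __name__ == "__main__":
    for name, series in zip(("human", "bot"), demo_series()):
        print(name, traffic_profile(series), "automated?", looks_automated(series))
    print("sample log, /login POSTs per hour:", hourly_counts(SAMPLE_LOG))
```

The point of doing this on your own access logs rather than the vendor's dashboard is the one Sam makes: a solver's whole product is a session the vendor has already classified as human, so the vendor's "human vs bot" split cannot be the ground truth you check it against. Hourly volume of a sensitive action, bucketed from your own logs, is independent of that classification.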
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Rachel Gelfand, Liz Ervin, Elliot Peltzman,
Trey Hester, Brandon Karpf, Eliana White,
Puru Prakash, Justin Sabey, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Vilecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.