NEW 2024 State of Bot Mitigation Report – Download Your Copy

Adversarial Techniques2024-04-17T19:21:51+00:00
Adversaries are simply bypassing defenses
Adversaries are simply bypassing defenses
ADVERSARIAL TECHNIQUES

The sneaky shift: Adversaries are simply bypassing defenses

In recent years, motivated actors have begun to directly target the products used to defend your apps and fool them into thinking attack traffic is from real users. The arms race is underway and traditional tools can’t keep up.

Attackers meet underground to make bots mimic humans

In financially motivated communities, adversaries share ideas, tools, and services that make bots look and act like real users. The result? A supply chain that helps threats evolve to quickly bypass defenses.

Communities and bot forums

Cheap. Accessible. Effective. Attackers have a lot of tricks. To bypass defenses and evade detection, adversaries employ an array of techniques that defeats traditional bot management tools. Easy to find. Easy to use. Hard to defeat — with outdated “solutions.”

Cheap. Accessible. Effective. Attackers have a lot of tricks.

To bypass defenses and evade detection, adversaries employ an array of techniques that defeats traditional bot management tools. Easy to find. Easy to use. Hard to defeat — with outdated “solutions.”

Solver services

Some threat actors have realized the real business is in attacking the bot management solutions, not your applications directly. Like a SaaS vendor, they build and sell “solver services” that help fellow adversaries appear human and easily bypass bot defenses. This means there are quickly accessible bypasses for most bot management vendors — you can even find them using Google!

Robot graphic about anti bot defenses
Robot graphic about anti bot defenses

Solver services

Some threat actors have realized the real business is in attacking the bot management solutions, not your applications directly. Like a SaaS vendor, they build and sell “solver services” that help fellow adversaries appear human and easily bypass bot defenses. This means there are quickly accessible bypasses for most bot management vendors — you can even find them using Google!

SOPHISTICATION TO USE:

  • Low

COST:

80¢ – $3.50 per 1,000 solves

  • 1
    An attacker sets up a solver service for a specific bot management defense.
  • 2
    Other, less resourceful attackers exchange money for human bypass tokens
  • 3
    Bot traffic disguised as human traffic bypasses anti-bot defense
Graphic about headless browsers

Headless browsers and device simulators

Basic detections of the client environment are no longer effective. Attackers use highly customized versions of open-source DevTools like Puppeteer (with the Extra Stealth plugin) to appear as a legitimate client.

  • 1
    Attacker uses fully automated environments with human-like behavior to bypass defenses

SOPHISTICATION TO USE:

  • Medium

COST:

$20-$500
per month depending on scale

SOPHISTICATION TO USE:

  • Medium

COST:

$20-$500
per month depending on scale

  • 1
    Attacker uses fully automated environments with human-like behavior to bypass defenses

Residential proxy networks

Traditional detections like IP reputation and IP-based rate limiting are no longer effective, thanks to services that cheaply allow attackers to proxy their traffic through millions of legitimate consumer IP addresses. Free VPNs often secretly act as exit nodes on unsuspecting real users, providing cover for attackers.

Graphic about residential proxy networks
Graphic about residential proxy networks

Residential proxy networks

Traditional detections like IP reputation and IP-based rate limiting are no longer effective, thanks to services that cheaply allow attackers to proxy their traffic through millions of legitimate consumer IP addresses. Free VPNs often secretly act as exit nodes on unsuspecting real users, providing cover for attackers.

SOPHISTICATION TO USE:

  • Low

COST:

$50-500 per month

  • 1
    Attacker subscribes to a residential proxy network service
  • 2
    IP-based defenses bypassed by hiding in legitimate IPs from all over the world
Graphic about CAPTCHA bypasses

CAPTCHA bypasses

CAPTCHAs are ineffective and frustrate users. Attackers cheaply bypass them by using a combination of AI/ML, human farms, and reverse engineering — services that are, once again, easily findable through Google. The only things that benefit from CAPTCHAs are the bots who now appear human, thanks to “successful solves.”

  • 1
    Attacker extracts unsolved CAPTCHA from the anti-bot solution
  • 2
    Attacker pays CAPTCHA bypass service to solve the CAPTCHA
  • 3
    Bot bypasses anti-bot defenses with solved CAPTCHA

SOPHISTICATION TO USE:

  • Low

COST:

50¢ per 1,000 CAPTCHAs

SOPHISTICATION TO USE:

  • Medium

COST:

50¢ per 1,000 CAPTCHAs

  • 1
    Attacker extracts unsolved CAPTCHA from the anti-bot solution
  • 2
    Attacker pays CAPTCHA bypass service to solve the CAPTCHA
  • 3
    Bot bypasses anti-bot defenses with solved CAPTCHA
Graphic about machine learning poisoning

Machine learning poisoning

Machine learning-based detection can sound promising, but often doesn’t hold up against adversaries that know how to fool it. By customizing their tooling, attackers can feed ML-based detections statistically accurate (but fake) data, which appears human.

Machine learning poisoning

Machine learning-based detection can sound promising, but often doesn’t hold up against adversaries that know how to fool it. By customizing their tooling, attackers can feed ML-based detections statistically accurate (but fake) data, which appears human.

Graphic about machine learning poisoning

SOPHISTICATION TO USE:

  • Medium

COST:

FREE (essentially)

  • 1
    Bot confuses the machine learning model by overloading it with fake information
  • 2

    Machine learning defenses are bypassed by hiding amongst the noise

Graphic about de-obfuscation

De-obfuscation

Bot Management often uses obfuscated code to hide how bot detection works. Most solutions rely on open-source tools with well-known vulnerabilities to de-obfuscation. Once an attacker understands exactly how your defenses work, they are effectively useless.

  • 1

    Attacker obtains detection script

  • 2
    Attacker reverse engineers script and learns the data needed to classify as human
  • 3

    Bot bypasses the anti-bot solution by providing it with fake data

SOPHISTICATION TO USE:

  • Low

COST:

Free (essentially)

SOPHISTICATION TO USE:

  • Low

COST:

Free (essentially)

  • 1

    Attacker obtains detection script

  • 2
    Attacker reverse engineers script and learns the data needed to classify as human
  • 3

    Bot bypasses the anti-bot solution by providing it with fake data

Want to learn more? Let’s learn together.

The Truth About Your Bot Detection’s Threat Intelligence

The traditional data used to differentiate between humans and bots can no longer be trusted. Bots are evolving quickly.

Freebie Bots: The Latest Threat to Retailers

Steep discounts drove Cyber Monday online sales to hit record highs, but some discounts were created by mistake.

See why adversaries
say Kasada is the
solution they respect