Co-authored by Nick Rieniets, Kasada Field CTO
The long-term efficacy of a bot mitigation solution depends on the integrity of the data being collected. But what happens when the client (bot) manipulates the data?
A successful bot operation must master the art of blending into the crowd. Each session that the bot sends must simultaneously look different from the other sessions whilst appearing identical to human requests. Mastering the art of dynamic deception allows the bot operator to avoid being classified as a bot.
Digital Fingerprint Harvesting
Bot operators work in communities that share ideas. Some of these communities sell toolkits or even whole stolen digital fingerprints. Digital fingerprints are copies of real user sessions and browser data, and they can be loaded into bot frameworks to almost exactly imitate a real user who is using a browser. This allows bot operators to fool the data collection and classification process of bot mitigation vendors.
These datasets are obtained in a few different ways, but the primary method uses browser or device malware. An unsuspecting user downloads and runs a malicious file that infects the user's machine. When the user opens targeted sites, the insidious code silently collects real cookies and other browser information, such as mouse clicks, before sending it home to a command server. Fraudsters then resell this data, usually on the dark web.
The predominantly Russian-based anti-detect browsers, such as MultiLogin and Linken Sphere, allow users to import harvested fingerprints. These tools allow for “full stack request rotation” – meaning that each session can be sent with a different set of request headers with a matching digital fingerprint.
Digital fingerprint harvesting, as an adversarial technique, was developed to combat the early-stage bot mitigation solutions. This technique is highly effective against a bot mitigation solution that identifies bots based on fingerprint commonality. In the continuous game of cat vs. mouse, these techniques ultimately lead to the evolution of the next generation of vendors, such as Kasada.
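The blind spot described above can be shown with a small commonality detector. This is an added example, not Kasada's code or any vendor's implementation; the session records, fingerprint ids, window and threshold are all constructed for illustration.

```python
from collections import defaultdict, deque

def flag_by_commonality(sessions, window_s=60, threshold=5):
    """Return fingerprint ids seen in more than `threshold` sessions
    inside any `window_s`-second window (sliding-window count)."""
    recent = defaultdict(deque)  # fingerprint -> timestamps still in the window
    flagged = set()
    for ts, fp, _source in sorted(sessions):
        q = recent[fp]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            flagged.add(fp)
    return flagged

def detection_rate(sessions, automated_sources, **kw):
    """Share of sessions from `automated_sources` whose fingerprint was flagged."""
    flagged = flag_by_commonality(sessions, **kw)
    automated = [s for s in sessions if s[2] in automated_sources]
    return sum(s[1] in flagged for s in automated) / len(automated)

# Constructed sample data: (timestamp_s, fingerprint_id, ground-truth source).
SESSIONS = (
    # three human users, two sessions each on their own device
    [(10 * i + d, f"fp-human-{i}", f"human-{i}") for i in range(3) for d in (0, 30)]
    # automation that reuses one fingerprint for every session
    + [(100 + 2 * i, "fp-static", "static-bot") for i in range(20)]
    # automation that presents a different harvested fingerprint per session
    + [(100 + 2 * i, f"fp-harvested-{i}", "rotating-bot") for i in range(20)]
)

if __name__ == "__main__":
    print("flagged:", flag_by_commonality(SESSIONS))
    print("static bot caught:  ", detection_rate(SESSIONS, {"static-bot"}))
    print("rotating bot caught:", detection_rate(SESSIONS, {"rotating-bot"}))
    # Tightening the threshold does not help: it only starts flagging humans.
    print("threshold=1 flags:  ", sorted(flag_by_commonality(SESSIONS, threshold=1)))
```

Because every rotated session carries a fingerprint that appears only once, no threshold on commonality alone can separate it from a first-time human visitor.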
Harvesting Other Data to Manipulate Automated Browsers
Digital fingerprint harvesting isn’t the only approach bot operators use to fool ineffective bot mitigation vendors. The more common practice in these bot builder communities is to keep a record of the things a particular vendor looks for in order to identify automated activity.
A community-based approach like this is effective against most bot mitigation vendors, and it erodes the information asymmetry needed to win a defensive position. Popular open source projects, like Puppeteer Extra Stealth Plugin, focus on customising automated browsers to evade detection. To do this, they leverage the knowledge of specific client-side attributes that a particular vendor is collecting and analyzing. They modify Puppeteer so that the attributes almost exactly match what would be collected from a regular Chrome browser that is used by a real human.
This represents the next level of complexity for bot operators: the act of customising a browser, by either importing a digital fingerprint or removing the remnants of an automation toolkit.
Advanced Harvesting Techniques Require New Approaches
The bottom line is that bot operators are successfully evading bot mitigation solutions that rely on device fingerprinting. Bot mitigation vendors need to make it extremely difficult for attackers to understand what information is being collected, whether by not using device fingerprinting or by other methods. This breaks the DevOps cycle of the bot builder, preventing them from understanding why their bot is being detected, frustrating them, and forcing them to give up.
To learn more about how Kasada extends beyond outdated device fingerprinting approaches and obscures the data it collects, read our blog about advanced obfuscation or schedule your free threat briefing.