AppSec predictions 2021: Bots get bigger and smarter

This is the first of a three-part series of AppSec predictions for 2021.  You can read the complete series here.

Every year(ish), I publish our AppSec predictions — three of the threats that look to be the biggest problems in the upcoming year. In the past two years, the predictions were: credential stuffing/account takeover attacks, API attacks, and supply chain attacks.

This year is slightly different. The predictions are a little more targeted, but they are mostly around the same lines. Over the past year, we’ve augmented our Threat Intelligence Service (part of Barracuda Advanced Bot Protection) with more sensors and intelligence. Combined with our customer conversations and other threat research, we have the following predictions:

Bots will grow smarter and become a bigger part of mainstream awareness

In a way, you could say that pandemic-induced boredom has caused the public awareness of bots to come to the forefront. Bots — especially sneaker bots — have been growing in popularity over the past few years. People used these bots to “cop” the latest sneaker or other popular limited-item “drops” and then resell them for profit. This trend has been growing for quite some time, but the release of the new AMD RX6000 graphics cards, Ryzen 5000 series processors, and the Sony Playstation 5 has led to pretty much everyone interested in these products and learning about the bots.

  

 The AMD example is quite interesting in that it prescribes specific bot mitigation measures — including the use of CAPTCHAs, purchase limitations per account, reservations, bot management solutions, and much more. Many of these solutions don’t phase today’s bot makers. CAPTCHAs, including reCAPTCHAv3, are quite easily bypassable by bots, and they can get around most other methods as well, with the exception of advanced bot management solutions.

The reCAPTCHA approach is an example of how bot mitigation solutions are more likely to annoy humans than bots. The older image-based reCAPTCHA that we all know and “love” broke a couple of years ago, and Google released v3 , which is based on user “reputation.” One of the things that give you a higher reputation is the behavior of your Google account, and there are now services that can provide you with “high reputation” accounts.

One of the ways to detect bots is IP reputation, and then blocking datacenter IP ranges is one of the leading methods of blocking bots. Now you also have a number of services that offer residential IP ranges to bypass these restrictions. Some of these are from VPN services that people use to bypass content restrictions by using residential IPs to bypass these IP reputation checks.

While we talk about the exploitation of scarcity and running bots for resale, the socio-economic factors that contribute to the rise of bots is also quite important. To start with, bots are expensive. Really good bots cost thousands, and people end up renting out bots to make money. Beyond buying the bot, you also need to buy subscriptions to good residential proxies because all the good sites block the usual suspect IP ranges, like specific countries and datacenter IP ranges. So, it gets quite expensive to buy and run a bot. However, in our research, we are seeing more and more people getting into botting, especially around bigger launches. There is a whole economy around bots, with marketplaces like Tidal, Botmart, Botbroker, etc. Some of these marketplaces have middlemen who will make sure you don’t get scammed while buying or renting bots. Most bot makers have their own discord support channels and offer proper support. The bot economy is quite big and is going to keep growing quite a bit. This economy also runs on scarcity; Cook groups or the groups that provide all the support and information for bot users have limited spots and cost a fair bit in terms of subscription.

Getting back to the people who are actually doing the botting and resale, we’ve seen a number of posts on the various forums from people who are getting into botting in just the past few months. People are hurting economically and see this as a way of making some extra cash. There are posts on forums of people trying to figure out the cheapest way to get into botting and talking about spending their savings on bot rentals to make some money during the holidays. A growing number of people from the EU and Canada are getting into this scene, which was earlier dominated by U.S. users. A number of these users are students.

In our Threat Spotlight from early December 2020, we looked at two specific patterns in bot behavior. We looked at data from our Advanced Bot Protection systems and had two specific findings: one, bot makers seem to follow a regular schedule of working hours; and two, bad bots seem to hide quite well in standard browser traffic. It's a small wonder then that Gartner predicts in their 2020 WAF Magic Quadrant that bot protection is now an ever-growing part of web application protection.

By 2023, more than 30% of public-facing web applications and APIs will be protected by cloud web application and API protection (WAAP) services, which combine distributed denial of service (DDoS) protection, bot mitigation, API protection, and web application firewalls (WAFs). This is an increase from fewer than 15% today.​
​
Source: Gartner Magic Quadrant for Web Application Firewalls 2020

While we talk about bots, good old queueing up for buying limited edition items is still prevalent. A sneaker launch in Singapore caused massive crowds, ignoring pandemic restrictions and leading to the shutdown of the store for a brief period by the government!

Come back next week for part two in this series.  Meanwhile, join our application security experts for an informative panel discussion about current cybersecurity trends, web application security, 2021 technology predictions, and a lot more. This webinar is free and available on-demand:

2021 applications security predictions: Bot, API, and supply chain attacks
Watch the webinar here