Next to anonymity, automation is a cybercriminal’s best friend. Botnets—a network of compromised computers on the Internet under the command and control of a single computer—are a game-changer for e-fraudsters. Cybercriminals with a sufficiently large botnet have the potential computing power equivalent to a supercomputer at their disposal. A botnet can originate fraudulent transactions from many different computers from all over the world, making it harder to recognize fraud patterns through traditional velocity checks. There are a myriad of ways to exploit a botnet that I’ll describe in a minute, but first a little grounding on the world of bots and botnets.
Botnets bloom and grow from computers infected with bot software and then assimilated into the botnet. How do computers get infected? Symantec, McAfee, Trend Micro and the rest of the anti-virus software providers can tell you (and sell you) more on that subject than I. A big chunk of the burden to keep the Internet safe falls to you and me—consumers who must stay vigilant in keeping our computers clean and free of malicious code. As any security expert (or fraudster) will tell you, the human aspect of computing is ever-present and with everything human—susceptible to oversights, mistakes and exploitation.
If you’re not using some flavor of anti-virus software there’s a reasonably good chance your computer has been compromised by malicious software. Once established, automation enables botnets to grow like human cells dividing: exponentially and silently. How many bots are out there today? Some estimates I’ve read put the number as high as 15% of all computers worldwide are compromised. The Shadowserver Foundation, “an all volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud,” are a good source of bot and botnet statistics. As of this writing, Shadowserver’s 90 day window reports roughly 6,000 botnets.
What can cybercriminals do with a botnet?
• Spammers use botnets to send unsolicited emails and/or conduct phishing scams. By launching their campaigns from unsuspecting drones, their success rate goes way up and their chances of being caught go way down.
• Distributed denial of service attacks (DDoS) whereby botnets hammer away at a website, soaking up all of its computing resources thereby rendering it inaccessible to visitors.
• Click fraud pays big dividends when hundreds or thousands of bots “click” on banner ads to get the reward fees doled out by advertising companies.
• Bots equipped for keylogging pose the biggest threat. Imagine the potential for losses that would stem from a cybercriminal ring equipped with a botnet capable of capturing keystrokes in the form of passwords, logins, credit cards and bank account numbers.
• Bots can be used to monitor for keywords when they appear in a window, and then send a screenshot—credentials and all to the attacker.
Bots are versatile and stealthy, capable of inflicting harm to consumers and businesses on a massive scale from anywhere to anywhere in the world. And according to reports issued by VeriSign’s iDefense Labs last week, you can rent a botnet starting at less than $9 bucks an hour. The implications are obvious and ominous: anyone with a credit card (stolen preferably) can use a botnet—you don’t have to possess the expertise (or patience) to build your own.
Earlier I stated that much of the burden to keep the Internet safe falls to you and me—that is, every consumer and business computer at risk of being taken over by a bot and assimilated into a botnet. But what steps, if any can websites take to help protect you from the threat of bots and botnets when you visit their site to create an account, log in or make a purchase on their website? Here’s one: look for signs that your computer has been compromised by a bot. This isn’t as simple as it sounds. The clever software developers that manufacture bots go to great lengths in their design to keep them hidden on your computer—once planted, bots can be extremely hard to detect. Or, rather than hunt for the bot on a visiting computer, they could reference the IP address in one or more of the botnet blacklist databases available that might indicate whether the visiting computer may have been assimilated by a botnet. As a discrete piece of information, this bit of insight is somewhat useful. When it’s tied to other pieces of information—such as observing the computer attempt lots of transactions with multiple credit cards at rate too fast for a typical person, or if the same login is used by many computers in different locations in a short time period—the likelihood of a bot at work is much stronger. Should a bank or e-merchant inform you if they see evidence that your computer has been compromised by a bot? If it were me, yes – I would definitely want to know; in fact, I would consider the added protection an important service factor when deciding which websites I do business with.
The five A’s that make cybercrime so attractive—affordability, acceptable risk, attractiveness, availability and anonymity have a new friend in another a-word: automation. Botnets are the assault weapon of the Internet.