Bots are ruining the internet.
When they’re not pummeling a website with usernames and passwords from a long list of stolen credentials, they’re scraping the price of hotels or train tickets and odds from betting sites to get the best data. Or, they’re just trying to knock a website offline for hours at a time. There’s an entire underground economy where bots are the primary tools used in automating fraudulent purchases, scraping content and launching cyberattacks. Bots are costing legitimate businesses money by stealing data, but also hogging system resources and costly bandwidth.
Clearly, the existing approach of playing bot Whac-A-Mole isn’t working.
“Until now you just had to suck it up as a cost of doing business,” said Johnny Xmas, director of field engineering at Kasada, an anti-bot startup that strikes at the heart of the bot economy itself by frustrating bots with complex tasks.
Their system is simple enough. Bots, said Xmas, are the “white noise” of the internet. Once a bot is started, they keep going until they’re told to stop or their job is done. Kasada tricks bots into thinking that their job is never done. By serving up a small but difficult math puzzle before the site even loads, it tricks the bot into spending its time solving the puzzle and not scraping the site as it thinks it’s doing.
Weeks earlier, Xmas tweeted a photo of Kasada’s proprietary platform Polyform. A single bot made close to four million requests to a website in a single day. Instead of loading the target website, Kasada pushed its randomly generated JavaScript code that loads silently in the browser to the bot instead. For more than 24 hours, the bot was sinking all of the cloud processing resources into trying to solve an impossible math challenge.
“This guy’s [cloud] bill is going to be nuts,” he tweeted.
We troll bots for a living. This one made 3.7M unsuccessful HTTP requests in 24 hrs, and we responded to each with a js cryptographic challenge, which effectively tarpits the bot by sucking up CPU resources. Expensive, Lambda CPU resources. This guy's AWS bill is going to be nuts pic.twitter.com/erfuvvQmru
— Johnny Xmas ❄️ (@J0hnnyXm4s) January 4, 2019
The company’s aim isn’t to defeat the bot, but the reason for starting it in the first place, said Sam Crowther, Kasada’s co-founder, in a call with TechCrunch. “We cost them money, making their projects not fiscally viable,” he said.
Here’s how it works. Each time someone — or something — visits a website, Kasada accurately fingerprints the requester, using several methods to determine if it’s a bot or not. If not, the site loads as if nothing happened, taking only a few milliseconds off the load time. If it’s a bot, Kasada throws the bot the puzzle, keeping it busy. The bot thinks the website has loaded and doesn’t trigger any warnings on the back-end, all while busily plunging its resources into trying to understand and solve the math problem. “You don’t want to alert the person behind the bot, or they’ll just keep trying,” said Crowther. That’s when the bot starts churning more and more of its resources, and eventually topping out. “The human launches the bot and walks away,” he said. “Often the account maxes out and runs out of money long before the human comes back.” Even if the bot is automatically adding more resources, it won’t ever solve the puzzle. All while the processor usage is spiking, the bots don’t have the resources to target other sites — whether it’s a paying customer or not, said Crowther.
“We’re cleaning up the internet,” said Xmas. “We want to disenfranchise bots from operating to begin.”
False positives are rare — just 0.07 percent of all requests are mistakenly flagged. The team often found that more often than not it’s an old, legacy browser that’s mistakenly flagged its fingerprinting, or that the browser is exhibiting bot-like behaviors through a malicious Chrome extension, for example. Xmas said the service sends a CAPTCHA puzzle to solve in case, allowing the human through.
Bot authors take weeks or even months to develop code that will target specific kinds of sites hoping for a big eventual payoff, Crowther explained. Retail outlets, hotels, major financial institutions and realty listings — all revenue-making customers in the company’s portfolio — are at risk of bots that, if successful, could reap a huge reward.
“One bot targeted a betting company we protected, grabbing odds so that the most cost-effective bets are being placed at the micro-level — like stock trading,” said Xmas. “They’ll put months into a bot that’ll defeat every bot detection system.”
But already the team is finding some bot owners meeting their match.
In one case, Crowther and Xmas — both based in the company’s Chicago office — said they had one company, which they declined to name, was the target of account fraud and scraping. The company came in and stopped the automated logins and scraping of identity documents — preventing a wider attack hitting some 30,000 consumers from identity theft.
“One case we had a betting site where 95 percent of the traffic were bots,” said Xmas. “Think of that. You’re paying for tons of servers, tons of bandwidth because you think you’re doing a ton of business — and you’re making a lot of money so it seems rational,” he said. “Then you find out that 95 percent of that was trash.”
“At first we thought, ‘oh shit, what did we break?’,” he said. “It turns out we broke an insane botnet.”
The two recalled how one suspected bot operator was so frustrated by the company’s anti-bot countermeasures, he sent an abusive note to the company.
“The guy who was running some bots figured out it was us who was stopping them,” said Xmas. “And he went to our website, hit the contact us button, and wrote a very angry letter.” Crowther said that the company caught the bot controller’s IP address because he submitted the “not very nice email” through its contact form. “We found out that he was located in Sydney,” where one of the company’s offices is located. Xmas joked that he told Crowther, knowing who the bot operator was, to “send him a t-shirt.”
Or, better yet, Xmas said, “take that angry email, blow it up, and make it the wallpaper in our Sydney office.”
New malware pulls its instructions from code hidden in memes posted to Twitter
Comment