Chapter 3. Malicious Bots Threatening Web Applications

Malicious bots pose an increasingly large risk to web applications. The flexibility, increasing sophistication, and power of malicious bots make them formidable threats to your application security. Malicious bots can perform account takeovers, account creations, credit card fraud, massive DDoS attacks, and more. All of these activities can affect performance, availability, and ultimately your bottom line. Considering the severity of the risk posed by malicious bots, this section will focus on explaining how they work, how they most frequently circumvent security measures, and, most importantly, how they can affect your business.

Simply defined, bots—whether malicious or not—are devices that use software to execute commands automatically with little or no human intervention. Bots can be good or bad. Some examples of good bots include media/data bots, copyright bots, and spider bots used by search engines such as Google to crawl web pages and analyze content for inclusion and ranking in search results. Malicious bots include spam/email bots, impersonator bots, zombie bots/botnets, download/transfer bots, spy bots, scraper bots, and click/ad fraud bots.

Complicating defense against malicious bot activity is the fact that you can’t simply block all bot traffic. A surprising amount of modern internet traffic is derived from bot activity. In fact, recent reports indicate that global internet traffic generated from bots is now surpassing human-generated internet traffic. Good bots, such as Google and Yahoo bots that continuously scan your site and catalog search-engine optimization (SEO) data, must be allowed to continue doing their job. At the same time, you must protect against malicious bots that have more nefarious objectives.

Attackers are increasingly utilizing bots to target your enterprise web applications at the network or cloud edge. This, in turn, results in potentially damaging downtime and commercial losses for your business. Moreover, the bot problem is set to grow exponentially as the volume of IoT devices explodes. According to Gartner, it’s estimated that more than 20 billion new devices will be connected to the internet by the year 2020, many of them consumer IoT devices that are poorly secured, vulnerable to attack, and easily hijackable.

Everyday Bot Attacks and High-Profile Examples

As previously noted, malicious bots can pose a variety of risks. In this section, we discuss the most common attack vectors utilized by malicious bots and how these attack vectors translate to risks to your web applications.

Credential Stuffing

Credential stuffing is an example of a brute-force attack, in which large numbers of usernames and passwords are automatically entered into websites until they are matched to an existing account. This particular attack vector is fed by password reuse. Password reuse is the tendency of people to use the same password across multiple accounts, including professional and personal accounts. In large data breaches, attackers often dump lists of usernames and passwords from breached systems and, in turn, other attackers purchase and download long lists of user credentials, hoping that consumers used these same credentials for their banking, ecommerce, and other online accounts. An attacker can feed a password dump from an attack into a botnet under their control and program the bot to try to use those credentials against all internet-facing servers of hundreds of organizations simultaneously. This allows attackers to then hijack the account for their own purposes, often committing fraud, emptying bank accounts, and making bogus purchases.
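The pattern described above leaves a distinctive trace in authentication logs: one source cycling through many different usernames in a short window with very few successes. The following detector is an added example, not code from the original chapter; the log events are constructed and the thresholds are tuning assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events: (timestamp, source IP, username, outcome).
# These are made-up values for illustration, not data from any real system.
SAMPLE_EVENTS = [
    ("2019-03-01T10:00:01", "203.0.113.7", "alice", "fail"),
    ("2019-03-01T10:00:02", "203.0.113.7", "bob", "fail"),
    ("2019-03-01T10:00:02", "203.0.113.7", "carol", "fail"),
    ("2019-03-01T10:00:03", "203.0.113.7", "dave", "success"),
    ("2019-03-01T10:00:04", "203.0.113.7", "erin", "fail"),
    ("2019-03-01T10:00:05", "203.0.113.7", "frank", "fail"),
    # A legitimate user mistyping a password twice, then logging in.
    ("2019-03-01T10:00:10", "198.51.100.4", "grace", "fail"),
    ("2019-03-01T10:00:20", "198.51.100.4", "grace", "fail"),
    ("2019-03-01T10:00:30", "198.51.100.4", "grace", "success"),
]

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=5, min_distinct_users=4,
                               max_success_ratio=0.3):
    """Return {source_ip: summary} for sources whose login pattern matches
    credential stuffing: many attempts across many distinct usernames with a
    low success ratio inside a sliding time window. Thresholds are assumptions
    to be tuned against your own traffic."""
    by_source = defaultdict(list)
    for ts, src, user, outcome in events:
        by_source[src].append((datetime.fromisoformat(ts), user, outcome))

    flagged = {}
    for src, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window so attempts[start:end+1] all fall within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, o in win if o == "success")
            if len(users) >= min_distinct_users and successes / len(win) <= max_success_ratio:
                flagged[src] = {
                    "first_alert": win[-1][0].isoformat(),
                    "attempts": len(win),
                    "distinct_users": len(users),
                    # Accounts that accepted a password during the spray: review these first.
                    "compromised_candidates": sorted(u for _, u, o in win if o == "success"),
                }
                break  # one alert per source is enough; stop at the first hit
    return flagged
```

The successful logins inside a flagged window are the accounts most likely to have been taken over through password reuse, which is where an incident responder would start.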

Denial-of-Inventory

Malicious bots are fully capable of denial-of-inventory (DoI) attacks, repeatedly making and canceling purchases, holding and/or consuming inventory, scraping sites, stealing information, and a host of other unwanted activities. In its most direct form, a DoI attack uses malicious bots to deplete goods or services from inventory without actually purchasing the goods. In short, these attacks use bots to select and hold items from limited inventory or stock by adding them to their carts, but without purchasing. This prevents legitimate users from buying the items themselves.

Mirai

A particularly infamous piece of malware, known as Mirai, uses a somewhat similar approach to take over vast numbers of poorly protected IoT devices, mostly consumer based. These IoT devices have a default username and password set when sold to consumers. Unfortunately, many consumers and businesses (who also have IoT devices) don’t change this default password upon purchase, meaning they can easily be hijacked. Mirai, using a table of common factory default usernames and passwords, continuously scans the internet for the IP addresses of IoT devices with open telnet ports, and then logs into them to infect them with the Mirai malware. Infected devices continue to function normally, marked only by occasional sluggishness and increased use of bandwidth, meaning that the owners of these devices often don’t realize that the device has been hijacked.

Mirai has an even more insidious attribute: it’s self-propagating. Not only did it infect large numbers of IoT devices worldwide, but it also came with worm-like capabilities similar to the malware of the early 2000s, such as SQL Slammer, Nimda, CodeRed, Conficker, and others. These pieces of malware spread on their own with no human intervention, and Mirai did the same thing. After a device was infected, it in turn began to scan the internet and infect other IoT devices in the same fashion. To increase the damage it inflicted, Mirai was prepackaged with a plethora of DDoS attack tools baked in.

Industries Facing Malicious Bot Targeting

The threat of malicious bots is a growing concern for many industries, including travel-related enterprises, entertainment companies, and retail organizations. Even though no industry is immune to malicious bots, some have suffered more than others due to their profitability.

Travel Industry

The airline industry is often particularly susceptible to malicious bots and has been heavily targeted by them. In fact, according to Distil Networks, in 2017 more than 40% of all inventory-stealing bot traffic was directed toward the airline industry. Frequently, these attacks take the shape of DoS or DoI attacks in which malicious bots are used to deplete goods or services from inventory, but without actually purchasing (or purchasing, but then shortly thereafter canceling the purchase) goods. In short, these attacks use bots to select and hold items from limited inventory or stock by adding them to their carts, but without completing the purchase. This renders legitimate users unable to buy, pay, or confirm the items themselves.

For example, in one real-life scenario, an Asian airline noticed that large numbers of seats were being reserved and then released right before the 24-hour reservation cancellation deadline. As a result, prospective customers booked flights with competing airlines instead. This resulted in a severe financial hit for the targeted airline. Eventually, the affected airline worked with a security partner to initiate a series of bot management activities in the form of JavaScript and human-interaction challenges to successfully thwart the malicious bot onslaught.
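The hold-then-release behaviour behind the DoI attacks described in this section and in the airline scenario above can be surfaced from ordinary booking records: an actor who repeatedly holds seats, releases each one just before the cancellation deadline, and never pays. This detector is an added example, not code from the chapter or from the airline involved; the booking events are constructed and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of booking events: (timestamp, actor, seat, action).
# Made-up values for illustration, not data from any real airline.
SAMPLE_BOOKINGS = [
    ("2019-05-01T08:00:00", "acct-9001", "FL100-12A", "hold"),
    ("2019-05-01T08:00:01", "acct-9001", "FL100-12B", "hold"),
    ("2019-05-01T08:00:02", "acct-9001", "FL100-12C", "hold"),
    # All three seats released about 20 minutes before the 24-hour deadline.
    ("2019-05-02T07:40:00", "acct-9001", "FL100-12A", "cancel"),
    ("2019-05-02T07:41:00", "acct-9001", "FL100-12B", "cancel"),
    ("2019-05-02T07:42:00", "acct-9001", "FL100-12C", "cancel"),
    # Ordinary traveller: holds one seat, pays for it a few minutes later.
    ("2019-05-01T09:15:00", "acct-0042", "FL100-14F", "hold"),
    ("2019-05-01T09:20:00", "acct-0042", "FL100-14F", "purchase"),
    # Traveller who changed plans: a single early cancellation, not hoarding.
    ("2019-05-01T10:00:00", "acct-0077", "FL100-15C", "hold"),
    ("2019-05-01T10:30:00", "acct-0077", "FL100-15C", "cancel"),
]

def detect_inventory_hoarding(events, deadline=timedelta(hours=24),
                              late_release=timedelta(hours=2),
                              min_late_cancels=3):
    """Return {actor: stats} for actors that repeatedly hold seats, release them
    within `late_release` of the cancellation deadline, and never purchase.
    Deadline and thresholds are assumptions to tune per business."""
    open_holds = {}  # (actor, seat) -> time the hold was placed
    stats = defaultdict(lambda: {"holds": 0, "late_cancels": 0, "purchases": 0})
    for ts, actor, seat, action in sorted(events):  # ISO timestamps sort lexically
        t = datetime.fromisoformat(ts)
        if action == "hold":
            open_holds[(actor, seat)] = t
            stats[actor]["holds"] += 1
        elif action == "purchase":
            open_holds.pop((actor, seat), None)
            stats[actor]["purchases"] += 1
        elif action == "cancel":
            held_since = open_holds.pop((actor, seat), None)
            # A cancel is "late" when little or none of the deadline window remains.
            if held_since is not None and deadline - (t - held_since) <= late_release:
                stats[actor]["late_cancels"] += 1
    return {actor: s for actor, s in stats.items()
            if s["purchases"] == 0 and s["late_cancels"] >= min_late_cancels}
```

Flagged actors are candidates for the kind of challenge the airline applied, rather than for an outright block, since a genuine but indecisive customer can occasionally match the pattern.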

In another example, an international car rental agency was seeing a high volume of car rental reservations being made and then canceled at the last minute. Again, the culprit was identified as a malicious bot being used by a competitor. Bot management solutions were employed to deter the threat.

Retailers

When it comes to online retailers, malicious bots engage in electronic cart-stuffing activities that generate a loss of sales due to the appearance of low inventory, which drives customers to shop other retail options. Competitive advantage is certainly a motivator for deceitful businesses, especially when they manufacture or sell products that are very similar to their competitors. Diverting purchasers away from your sites is a reality that all online retailers face.

Online ticket retailers who sell tickets to concerts, shows, plays, and other venues have also been affected by malicious bots. Scalpers often use bots to hold large numbers of seats in limbo, and they often won’t complete a purchase until they have other buyers lined up for the tickets they resell.

This kind of customer- and inventory-stealing bot traffic is not just the domain of criminals. Some unscrupulous companies use bot traffic against their competitors. Even companies that don’t engage in that type of behavior still often rely on these types of bots to scrape competitors’ websites to find the latest pricing data and ensure they are setting their prices at the same level as their competition.
