What are Malicious Automated Attacks?

Malicious Automation

Malicious automated attacks are web, API, or mobile requests sent with malicious intent that evade traditional bot detection techniques. Bad actors use malicious automation for purposes such as:

  • Scraping product prices or website content

  • Validating a set of leaked user credentials

  • Automated password resets

  • Bulk fake account creation

  • Account takeover attempts

  • PII theft

  • Theft of money, goods, and services

  • A combination of threats from OWASP Automated Threats

Malicious automation on websites thrives on recent advancements in cloud and mobile computing. Bad actors can easily build online bots that are highly scalable, extraordinarily efficient, and difficult to detect or trace to their origins. This transition has fundamentally transformed the underlying dark economy of automated attacks on web applications, making malicious automated attacks ubiquitous across virtually any web-facing functionality in an enterprise.

Contrary to traditional viewpoints, malicious automation has morphed into a highly sophisticated and modern form of attack. Widely available attack tools and custom formatted attacks can learn and automate the entire flow of a given application, allowing bad actors to move skillfully towards a target while hiding behind real visitors.

Malicious automation takes many forms, such as scripts, sophisticated attack tools, or real browser automation techniques. Such tools are commonly used to launch malicious automated attacks on websites. Web, API, or mobile requests triggered by automated threats are syntactically correct, which means they do not trigger any vulnerability signal in the application stack and do not trip any alerts in traditional bot detection security solutions or web application firewalls.

Why is Malicious Automation hard to stop?

Due to significant advancements in cloud computing power and mobile computing, malicious automation is a chronic problem for most enterprises.

A few examples of solutions that are incapable of effectively detecting or mitigating automated attacks include:

  1. CAPTCHA - Modern sophisticated bots can easily defeat CAPTCHA systems, and CAPTCHAs introduce significant user friction and a subsequent reduction in revenue.

  2. Simple mitigation techniques (IP blocking & Rate limiting) - Easily fooled by most tools and techniques, whether by rotating IPs, attacking via a “low & slow” method, or using “trusted” cloud sources.

  3. Web Application Firewalls - WAFs won’t alert on syntactically correct actions. Since malicious automation is a syntactically correct attack, WAFs provide no detection ability.

  4. IDS & IPS - These scan a variety of protocols and need to make decisions extremely fast, so they inevitably miss sophisticated malicious automation attacks. Their lack of historical look-back capability prevents behavioral analysis and machine learning, which are essential for advanced detection.
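
The gap between points 2 and 4 can be seen on a small set of login events. The following is an added example, not InfiSecure code: the events are constructed sample data, and the function names, thresholds and the "IP with no successful login" heuristic are assumptions chosen for illustration. A per-IP rate limit flags nothing, while an aggregate over a one-hour look-back window does.

```python
from collections import defaultdict

def build_events():
    """Constructed sample: (epoch_seconds, client_ip, username, outcome)."""
    events = []
    # 40 leaked usernames, each tried once from a different IP, one request
    # every 90 seconds (rotating IPs combined with "low & slow").
    for i in range(40):
        events.append((i * 90, f"198.51.100.{i + 1}", f"leaked{i}", "fail"))
    # Ordinary users on stable IPs; user0 mistypes a password once.
    for i in range(10):
        events.append((i * 300, f"203.0.113.{i + 1}", f"user{i}", "ok"))
    events.append((120, "203.0.113.1", "user0", "fail"))
    return sorted(events)

def per_ip_rate_limit(events, limit=5, window=60):
    """IPs that send more than `limit` requests within `window` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] >= window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
    return flagged

def lookback_detect(events, lookback=3600, min_accounts=20):
    """Aggregate failed logins across all IPs over the look-back window.

    Assumed heuristic: failures from IPs with no successful login in the
    window are pooled; an alert fires when they span many distinct accounts.
    """
    horizon = max(ts for ts, *_ in events)
    recent = [e for e in events if horizon - e[0] <= lookback]
    ok_ips = {ip for _, ip, _, outcome in recent if outcome == "ok"}
    failed_users, suspect_ips = set(), set()
    for _, ip, user, outcome in recent:
        if outcome == "fail" and ip not in ok_ips:
            failed_users.add(user)
            suspect_ips.add(ip)
    alert = len(failed_users) >= min_accounts
    return alert, (suspect_ips if alert else set())

if __name__ == "__main__":
    ev = build_events()
    print("per-IP rate limit flagged:", per_ip_rate_limit(ev))
    print("look-back aggregate:", lookback_detect(ev)[0])
```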

At InfiSecure, we believe that every online business needs protection from malicious automation today, and every company transacting online will need it tomorrow.