Increase in holiday bot attacks, new type of Grinch Bot uncovered
Kasada has released new data on the latest fraud and malicious automation trends, revealing increased threats during the holidays; rising attacks by bots; and the discovery of a new amped up All in One (AIO) Grinch Bot that is being used extensively during hype drop sales.
The Kasada Threat Intelligence team has shared trends and key insights based on its customers' eCommerce traffic this holiday season.
Key Highlights Include:
- 4x increase in automated online gift card lookup attempts
- 10x increase in malicious login attempts due to credential stuffing
- Discovery of a new type of sophisticated all-in-one bot (AIO) used prominently during hype drop sales that is more efficient and effective than its predecessors
- Majority of Black Friday bad bots come from the USA, followed by Australia and the UK
"As we approach 2022, the frequency and severity of bad bots continue to threaten online businesses," says Sam Crowther, CEO and founder, Kasada.
"The level of sophistication we are witnessing within the botting community is at an all-time high as they continue to collaborate and improve upon their methods to conduct online fraud and generate profits through the use of malicious automation."
Gift Card Fraud - the Unintended Gift - Drove a 4x Increase in Fraud Attempts
Gift cards have been purchased at a higher rate than ever before, as they've served as a stopgap for consumers who encountered empty shelves. It is predicted that gift cards will make up40% of total gift purchases this season, making them an ideal target for fraudsters.
Kasada saw automated gift card balance lookups quadruple over the past two months. This is a key indicator that fraudsters are using bots to identify and steal gift card balances. Typically, stolen cards are spent before they are actually received as gifts, meaning people may be unintentionally giving zero-balance gift cards to friends and loved ones this season.
Credential Stuffing - 10x Increase in Malicious Login Attempts
Kasada has seen a dramatic increase in account takeover attempts fuelled by large-scale credential stuffing. This occurs where attackers use credentials from other breaches to takeover customer accounts to sell stolen account details, which are used for credit card washing, loyalty, gift card and reward points draining. Kasada identified a 10x increase in malicious login attempts due to credential stuffing during the period between Black Friday and Cyber Monday, compared to the prior weeks in November.
AIO Breeds New Grinch Bot Variant
Similar to prior years, some of the most sophisticated botting activity occurs during coveted hype drops, where high-demand and limited-edition goods are released at a specific time and day. This year Kasada saw a heightened use of all-in-one bots (AIO) which automate the scanning and checkout process for hot items such as electronics.
In addition, Kasada researchers discovered a new Grinch Bot overtaking the types previously used. This new bot, which replays stolen telemetry through an API, is especially economical, scalable, and effective, while allowing it to bypass legacy anti-bot detection methods.
Kasada researchers have noticed that this new bot has quickly become the de-facto method used for premium hype sales. The team observed in recent hype sales that this new Grinch Bot spikes from 0% to 99% of the total bot requests for the duration of the sale, and then once the inventory is gone, it disappears until the next drop.
U.S. Leads the Globe in Black Friday Attacks - But China Took the Holiday Off
During the period between Black Friday and Cyber Monday, Kasada saw the majority of bad bots coming from the USA, followed closely by Australia and the United Kingdom.
Past research has shown that attacks originating from China are typically near the top of any botting activity list, but during this time period China was 6th at only 2.3% of overall bad bot traffic. This suggests that post-Thanksgiving holiday sales are more of a western trend, even amongst botters.
Kasada researchers continue to observe the use of residential proxy networks to hide bots within seemingly legitimate traffic. Within the United States, bot operators have purchased IP addresses that are specific to a retailers historical traffic, making it difficult for eCommerce providers to distinguish between good and bad traffic.