- Bots pretending to be a Google bot – 12% of the web application attacks
- Application DDoS – 9% of the sample Barracuda researchers analysed
- Visa was the clear focus with more than three-quarters of attacks; Mastercard, Diners, and American Express at much smaller volumes
- Fuzzing attacks, injection attacks, fake bots, App DDoS and blocked bots are the top five attacks performed
February 16, 2021: In December, Barracuda Networks, a trusted partner and a leading provider of cloud-enabled security solutions, identified automated attacks using bots to exploit vulnerabilities in web applications. The top five attacks using automated tools were fuzzing attacks, injection attacks, fake bots, App DDoS and blocked bots. Cybercrime has become a massive business, and scammers are increasingly turning to bots and automation to make their attacks more efficient and effective and help them avoid detection.
Automated attacks use bots to try to exploit vulnerabilities in web applications. These attacks range from fake bots posing as Google bots to avoid detection, to application DDoS that tries to crash a site by subtly overloading the application. Barracuda researchers analyzed a sample of two months of blocked data on web application attacks and found a massive number of automated attacks. Nearly 20% of the attacks detected were fuzzing attacks, which probe for the points at which an application breaks so that they can be exploited. Injection attacks were next at about 12%, and most of those attackers were using automated tools such as sqlmap to try to get into the applications. Injection has been the top attack in the latest OWASP Top 10 and has been present in every iteration since the first list. It shows no sign of going away, given the relative ease of execution and the possibility of large returns for cybercriminals.
Bots pretending to be a Google bot or similar accounted for just over 12% of the web application attacks. Application DDoS (distributed denial of service) was surprisingly dominant, making up more than 9% of the sample Barracuda researchers analyzed, and it was being executed across all geographies. Meanwhile, only a small portion of attacks (less than 2%) came from bots already blocked by site admins.
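The two automated patterns described above, fake Google bots and fuzzing, are both visible in ordinary web server access logs. The following is an added example, not code from Barracuda or from the report: it applies Google's documented crawler-verification method (reverse DNS on the client IP must land in googlebot.com or google.com, and the forward lookup of that hostname must return the same IP) to every request whose User-Agent claims to be Googlebot, and separately flags clients whose traffic is dominated by 4xx responses, the footprint of a tool probing for paths that break. The log lines and the DNS table are constructed so the example runs offline; the `real_reverse`/`real_forward` helpers show where live lookups would be swapped in.

```python
"""Flag fake Googlebots and fuzzing-like clients in combined-format access logs.
Log lines and DNS answers below are constructed for this example."""
import re
import socket
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
GOOGLEBOT_UA = re.compile(r"Googlebot", re.IGNORECASE)
# Google publishes that its verified crawler hostnames end in one of these domains.
GOOGLE_CRAWLER_DOMAINS = ("googlebot.com", "google.com")

# Constructed DNS data (offline stand-ins for PTR and A records).
FAKE_PTR: Dict[str, str] = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",      # genuine: forward lookup matches
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com",      # spoofed PTR: forward lookup will not match
}
FAKE_A: Dict[str, str] = {"crawl-66-249-66-1.googlebot.com": "66.249.66.1"}

def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

def fake_forward(host: str) -> Optional[str]:
    return FAKE_A.get(host)

def real_reverse(ip: str) -> Optional[str]:
    """Live PTR lookup; use in place of fake_reverse in production."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def real_forward(host: str) -> Optional[str]:
    """Live A lookup; use in place of fake_forward in production."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None

def is_verified_googlebot(ip: str,
                          reverse: Callable[[str], Optional[str]] = fake_reverse,
                          forward: Callable[[str], Optional[str]] = fake_forward) -> bool:
    """Forward-confirmed reverse DNS: PTR in a Google crawler domain AND resolving back to ip."""
    host = reverse(ip)
    if not host:
        return False
    if not any(host == d or host.endswith("." + d) for d in GOOGLE_CRAWLER_DOMAINS):
        return False
    return forward(host) == ip

def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_fake_googlebots(lines: List[str], reverse=fake_reverse, forward=fake_forward) -> List[str]:
    """IPs that present a Googlebot User-Agent but fail forward-confirmed reverse DNS."""
    suspects = set()
    for line in lines:
        rec = parse_line(line)
        if rec and GOOGLEBOT_UA.search(rec["ua"]) and not is_verified_googlebot(rec["ip"], reverse, forward):
            suspects.add(rec["ip"])
    return sorted(suspects)

def find_fuzzers(lines: List[str], min_requests: int = 5,
                 min_error_ratio: float = 0.8) -> List[Tuple[str, int, float]]:
    """IPs whose request stream is mostly 4xx: repeatedly hitting paths/parameters that do not exist."""
    total, errors = defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        total[rec["ip"]] += 1
        if 400 <= rec["status"] < 500:
            errors[rec["ip"]] += 1
    return sorted((ip, n, errors[ip] / n) for ip, n in total.items()
                  if n >= min_requests and errors[ip] / n >= min_error_ratio)

GB_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [  # constructed sample; RFC 5737 documentation addresses for the non-Google clients
    f'66.249.66.1 - - [16/Feb/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "{GB_UA}"',
    f'203.0.113.7 - - [16/Feb/2021:10:00:01 +0000] "GET /catalog HTTP/1.1" 200 2048 "-" "{GB_UA}"',
    f'198.51.100.9 - - [16/Feb/2021:10:00:02 +0000] "GET /catalog HTTP/1.1" 200 2048 "-" "{GB_UA}"',
    '192.0.2.5 - - [16/Feb/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "python-requests/2.25"',
] + [
    f'192.0.2.5 - - [16/Feb/2021:10:00:0{i} +0000] "GET /page-{i} HTTP/1.1" 404 128 "-" "python-requests/2.25"'
    for i in range(4, 9)
]

if __name__ == "__main__":
    print("fake Googlebots:", find_fake_googlebots(SAMPLE_LOG))
    print("fuzzing-like clients:", find_fuzzers(SAMPLE_LOG))
```

In production the same FCrDNS check usually sits in the WAF or in a log pipeline rather than in a script, and the 4xx ratio is only a first-pass signal: a legitimate crawler hitting stale links will also accumulate 404s, so pair it with request rate and path entropy before blocking.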
An overwhelming number of the data exfiltration attempts seen in the sample targeted credit card numbers, social security numbers and similar personal data. Visa was the clear focus, accounting for more than three-quarters of these attacks, followed distantly by JCB with more than 20%, and Mastercard, Diners, and American Express at much smaller volumes.
Speaking on the threat spotlight, Murali Urs, Country Manager-India, Barracuda Networks, commented, “While analyzing the current state of encryption, our researchers identified that even though it can prevent a variety of attacks like man-in-the-middle, and provides one layer of protection for users visiting websites, attacks can still occur within the stream. Nearly 92% of the traffic Barracuda researchers analyzed over the two-month period is HTTPS whereas less than 10% of traffic is served over HTTP. This is encouraging progress and good news for the state of web application security. Our researchers have also recognised the dominance of Chrome as the most popular browser used for 47% of the traffic, followed by Safari, which accounted for 34% of usage. Surprisingly, corporate systems that preferred Internet Explorer are moving on to Edge while Firefox is losing ground to it.”
With online shopping expected to continue in full swing in the post-pandemic world, eCommerce teams should start taking the necessary steps to safeguard their applications against bad bots. They should deploy a well-configured web application firewall-as-a-service solution and make sure their application security solution includes anti-bot protection, so that advanced automated attacks are detected effectively. eCommerce websites should also turn on credential stuffing protection to prevent account takeover.
Defenders trying to safeguard web applications against newer attacks, such as bots and API attacks, can be overwhelmed by the number of solutions required. The good news is that these solutions are consolidating into WAF/WAF-as-a-Service offerings, also known as Web Application and API Protection (WAAP) services. Organizations should look for solutions that include bot mitigation, DDoS protection, API security, and credential stuffing protection, and make sure they are properly configured.
It is also important to stay informed about current threats and how they are evolving: newer attacks have fewer protections against them and tend to be let through because of a lack of understanding and, in some cases, because shadow applications are deployed without appropriate protections.