Cybercrime Archive

The need for bot management is fueled by the rise in automated attacks. In the early days, the use of bots was limited to small scraping attempts or spamming. Today, things are vastly different. Bots are being used to take over user accounts, perform DDoS attacks, abuse APIs, scrape unique content and pricing information and more. In its “Hype Cycle for Application Security 2018,” Gartner mentioned bot management at the peak of inflated expectations under the high benefit category.

Despite serious threats, are enterprise businesses adopting bot management solutions? The answer is, no. Many are still in denial.  These businesses are trying to restrain bots using in-house resources/solutions, putting user security at risk. In a recent study, Development of In-house Bot Management Solutions and their Pitfalls, security researchers from ShieldSquare found that managing bots through in-house resources is doing more harm than the good.

Against 22.39% of actual bad bot traffic, advanced in-house bot management solutions detected only 11.54% of bad bots. Not only did these solutions fail at detecting most of the bad bots, but nearly 50% of the 11.54% detected were also false positives.

Bot management
Figure 1: Bots Detected by In-house Bot Management Solutions vs. Actual Bad Bot Percentage

So why do in-house bot management solutions fail? Before we dive deeper into finding out the reasons behind the failure of in-house bot management solutions, let’s look at a few critical factors.

More Than Half of Bad Bots Originate From the U.S.

As figure 2 shows (see below), 56.4% of bad bots originated from the U.S. in Q1 2019. Bot herders know that the U.S. is the epicenter of business and showing their origin from the U.S. helps them in escaping geography-based traffic filtration. For example, many organizations that leverage in-house resources to restrain bots often block the countries where they don’t have any business. Or, they block countries such as Russia, suspecting that’s where most of the bad bots originate. The fact is contrary: Only 2.6% of total bad bots originated from Russia in Q1 2019.

bot management
Figure 2: Origin of Bad Bots by country


Cyber attackers now leverage advanced technologies to sift through thousands of IPs and evade geography-based traffic filtration. When bots emanate from diverse geographical locations, solutions based on IP-based or geographical filtering heuristics are becoming useless. Detection requires understanding the intent of your visitors to nab the suspected ones.

One-Third of Bad Bots Can Mimic Human Behavior

In Q1 2019 alone, 37% of bad bots were human-like. These bots can mimic human behavior (such as mouse movements and keystrokes) to evade existing security systems (Generation 3 and Generation 4 bad bots, as shown in figure 3).

bot management
Figure 3:  Bad Bot Traffic by Generation

Sophisticated bots are distributed over thousands of IP addresses or device IDs and can connect through random IPs to evade detection. These stealthy detection-avoiding actions don’t stop there. The programs of these sophisticated bots understand the measures that you can take to stop them. They know that apart from random IP addresses, geographical location is another area that they can exploit. Bots leverage different combinations of user agents to evade in-house security measures.

In-house solutions don’t have visibility into different types of bots, and that’s where they fail. These solutions work based on the data collected from internal resources and lack global threat intelligence. Bot management is a niche space and requires a comprehensive understanding and continuous research to keep up with notorious cybercriminals. Organizations that are working across various industries deploy in-house measures as their first mitigation step when facing bad bots. To their dismay, in-house solutions often fail to recognize sophisticated bot patterns.


Deploy Challenge-Response Authentication

Challenge-response authentication helps you filter first-generation bots. There are different types of challenge-response authentications, CAPTCHAs being the most widely used. However, challenge-response authentication can only help in filtering outdated user agents/browsers and basic automated scripts and can’t stop sophisticated bots that can mimic human behavior.

Implement Strict Authentication Mechanism on APIs

With the widespread adoption of APIs, bot attacks on poorly protected APIs are increasing. APIs typically only verify the authentication status, but not the authenticity of the user. Attackers exploit these flaws in various ways (including session hijacking and account aggregation) to imitate genuine API calls. Implementing strict authentication mechanisms on APIs can help to prevent security breaches.

Monitor Failed Login Attempts and Sudden Spikes in Traffic

Cyber attackers deploy bad bots to perform credential stuffing and credential cracking attacks on login pages. Since such approaches involve trying different credentials or a different combination of user IDs and passwords, it increases the number of failed login attempts.  The presence of bad bots on your website suddenly increases the traffic as well. Monitoring failed login attempts and a sudden spike in traffic can help you take pre-emptive measures before bad bots penetrate your web applications.

Deploy a Dedicated Bot Management Solution

In-house measures, such as the practices mentioned above, provide basic protection but do not ensure the safety of your business-critical content, user accounts and other sensitive data. Sophisticated third- and fourth-generation bots, which now account for 37% of bad-bot traffic, can be distributed over thousands of IP addresses and can attack your business in multiple ways. They can execute low and slow attacks or make large-scale distributed attacks that can result in downtime. A dedicated bot management solution facilitates real-time detection and mitigation of such sophisticated, automated activities.


South African banks have been experiencing a sustained campaign of distributed denial of service (DDoS) attacks since last week, as part of a wave of ransom-driven incidents taking place throughout October.

The South African Banking Risk Information Centre (Sabric) issued a warning that banks in the country had been experiencing repeated attacks of this nature, and that ransom notes had been delivered to a number of staff email addresses. These attacks appear to have begun sometime early in the month.

The DDoS campaign does not appear to be related to the recent attack on the IT infrastructure of Johannesburg, in which a ransom was also demanded. It is unclear if there is any relationship with recent hacking activity directed at South African ISPs, which have been hit by a wave of similar attacks in recent weeks.

The statement indicated that this is believed to be a part of a multi-jurisdictional attack that has been taking place in locations outside of South Africa, but did not name the other countries being targeted.

Impact of the 2019 South African bank DDoS attacks

Impact to South African bank customers has been minimal thus far. The Sabric statement indicated that the organization expects this to continue to be the case, anticipating only “minor disruptions” to online services.

The statement also indicated that no customer information had been exposed in the wave of ransom driven attacks.


The DDoS attacks appear to be focusing on the public-facing elements of South African banks. This attack type is not a data breach risk to sensitive customer data or financial information, as it seeks only to knock bank servers offline by pestering them with constant requests from thousands of devices.

South Africa’s ongoing cyber security woes

The wave of attacks comes only months after a report in the national Times newspaper indicating that South African cybersecurity was in a precarious state, due primarily to a lack of available skilled staff in the country.

With a significantly higher rate of internet connectivity than most other countries in Africa, South Africa is a major regional target. Ironically, the banking sector of the country has generally been regarded as being the best-prepared for potential cyber attacks. However, even in the banking sector, both public and private industry have been very reluctant to share information about any sort of cyber attacks.

A regional security study conducted over the summer by World Wide Worx reinforces the idea that organizations in the country are anticipating a realistic level of cyber attacks and are trying to be prepared, but are struggling to keep their IT security staff at adequate levels. 35% of South African businesses are expecting regular attacks, and 57% are equipped to detect an attack within a few minutes, but only 55% feel that they have adequate skill in their IT security teams to successfully protect the business. 77% of IT decision makers also reported running outdated software that made the company highly vulnerable.

All of this is part of a general “brain drain” experienced across all of South Africa’s professional sectors in the past few years. The country has lost about 900,000 skilled professionals, and cannot keep up with importing replacements due to restrictive visa policies. These professionals are mostly fleeing due to significant economic advantages in other English-speaking countries that have a similar shortage of qualified professionals.

Financially motivated DDoS attacks trending upward?

DDoS-attacks-for-ransom are not a new phenomenon, but they have not generally been a preferred method of cyber criminals seeking remuneration.

DDoS attacks have typically been more the province of disgruntled former employees, or even students looking to postpone a test they do not want to take. This attack type has to date been associated more with mischief, petty revenge and projection of power than as a means of reliably making money.

That may be changing. While phenomena such as the resurgence of ransomware and the abundance of unprotected cloud storage servers have been dominating the news, DDoS attacks have been quietly growing as well. In the first quarter of 2019, the overall attack count was up 200% from 2018 and attacks of over 100 GB in size were up a whopping 967%.

DDoS attacks are the primary driver behind the creation of botnets, which are in turn mostly composed of Internet of Things (IoT) devices. What use is a compromised smart coffee maker or smart thermostat? The main use is as one of thousands, even millions of devices yoked together in a botnet to drain the cyber resources of a DDoS target with repeated online requests.

Unfortunately, the IoT industry has a broad and unresolved security problem. Many products ship with no password at all, or a default password that is common to that device type and cannot be changed. Even if the end user is able to change the password and practices good security hygiene with all of their IoT devices, the manufacturer may undercut them by never pushing firmware patches to address vulnerabilities that have developed.

Protection from DDoS attacks

DDoS protection is usually handled capably by a good web host. Network capacity is the key concern. Most hosts have much greater capacity than the typical DDoS attack size, which is why you don’t hear about these attacks grinding web activity to a halt every other day.

Organizations in South African tried to be prepared for #cyberattacks but are struggling to keep their IT security staff at adequate levels. #respectdata 

The massive spike in large-scale DDoS attacks in 2019 is a somewhat troubling trend in this regard, but these attacks are typically not a big concern for businesses unless they are using a smaller web host (or for some reason are hosting on their own local servers without resources and redundancy measures distributed in the cloud).



Tens of thousands of Wi-Fi routers are potentially vulnerable to an updated form of malware which takes advantage of known vulnerabilities to rope these devices into a botnet for the purposes of selling distributed denial of service (DDoS) attack capabilities to cyber criminals.

A new variant of Gafgyt malware – which first emerged in 2014 – targets small office and home routers from well known brands, gaining access to the devices via known vulnerabilities.

Now the authors of Gafgyt – also known as Bashlite – have updated the malware and are directing it at vulnerabilities in three wireless router models. The Huawei HG532 and Realtek RTL81XX were targeted by previous versions of Gafgyt, but now it’s also targeting the Zyxel P660HN-T1A.

In all cases, the malware is using a scanner function to find units facing the open internet before taking advantage of vulnerabilities to compromise them.

The new attacks have been detailed by cybersecurity researchers at Palo Alto Networks. The Gafgyt botnet appears to be directly competing with another botnet – JenX – which also targets the Huawei and Realtek routers, but not Zyxel units. Ultimately, the attackers behind Gafgyt want to kill off their competition by replacing JenX with their own malware.

“The authors of this malware want to make sure their strain is the only one controlling a compromised device and maximizing the device’s resources when launching attacks,” Asher Davila, security researcher at the Palo Alto Networks Unit 42 research division told ZDNet.

“As a result, it is programmed to kill other botnet malware it finds, like JenX, on a given device so that it has the device’s full resources dedicated to its attack”.

Control of the botnet allows its gang to launch DDoS attacks against targets in order to cause disruption and outages.

While the malware could be used to launch denial of service campaigns against any online service, the current incarnation of Gafgyt appears to focus on game servers, particularly those running Valve Source Engine games, including popular titles Counter-Strike and Team Fortress 2. Often the targeted servers aren’t hosted by Valve, but rather are private servers hosted by players.

The most common reason for attacks is plain sabotage of other users: some young game players want to take revenge against opponents or rivals.

Those interested in these malicious services don’t even need to visit underground forums to find them – Unit 42 researchers note that botnet-for-hire services have been advertised using fake profiles on Instagram and can cost as little as $8 to hire. Researchers have alerted Instagram to the accounts advertising malicious botnet services.

“There’s clearly a younger demographic that they can reach through that platform, which can launch these attacks with little to no skill. It is available to everyone and is easier to access than underground sites,” said Davila.

As more IoT products become connected to the internet, it’s going to become easier for attacker to rope devices into botnets and other malicious activity if devices aren’t kept up to date.

The routers being targeted by the new version of Gafgyt are all old – some have been on the market for more than five years – researchers recommend upgrading your router to a newer model and that you should regularly apply software updates to ensure the device is as protected as possible against attacks.

“In general, users can stay safe against botnets by getting in the habit of updating their routers, installing the latest patches and implementing strong, unguessable passwords,” Davila explained.

The more frequent the better, but perhaps for simplicity, considering timing router updates around daylight savings so at least you’re updating twice a year,” he added.


There’s been a massive decrease in the amount of server hacks on Rainbow Six Siege since Ubisoft initiated a strategy to combat denial-of-services and distributed denial-of-service (DoS/DDoS) attacks. Taking a number of measures, including having less matches on each server and monitoring network traffic, has yielded considerable results, making the shooter much more stable.

In a report from Ubisoft, DoS/DDoS attacks are down 93% since many of the precautions outlined were taken. Ban waves have been introduced to detect perpetrators, servers now take on less than three matches each, punishment for quitting too many matches – a side-effect of players caught in an attack, known as the escalating abandon sanction – has been disabled, and there’s heightened network traffic monitoring.

Legal action against a number of offenders, and people hosting and offering the services behind these attacks, is being pursued. While anyone caught has been banned, the report states that “prominent” attackers and cheat-makers are the ones facing legal threat. Finally, Ubisoft are working with the Microsoft Azure team to develop broader solutions that will provide “a substantial impact on DDoS, DoS, Soft Booting, and server stressing.”

This plan was revealed back in September, when hacks had become regular enough to necessitate game-wide action. Cheating players were slowing matches down via manufactured lag in order to force opponents to quit. Such behavior spiked around the start of the Operation Ember Rise season.

The BBC interviewed one of the purveyors of these cheats a while back, who claimed top ranked players are among his customers. He made £1,500 a week from selling the hacks, and at the time said his work wasn’t detected by the game – odds are his methods are now ironed out.


A number of South African internet service providers (ISPs) are limping away from a widespread distributed denial of service (DDoS) attack on Sunday.

According to a MyBroadband report, ISPs Afrihost, Axxess, and WebAfrica are all currently affected.


























As of Monday morning, both Afrihost and Axxess are still struggling with intermittent connectivity and poor network performance.

WebAfrica failed to provide an update.

It’s not yet clear when their services will be restored.

DDoS attacks in a nutshell

A DDoS attack inundates the target server with too many requests, slowing it down to a crawl and in some cases bringing it to a complete halt.

More famous attacks in the past include 2016’s DynDNS attack, which left a vast swathe of the internet inaccessible.

In the same year, the SABC was also a victim of an attack.

Reddit, the PlayStation Network and the now defunct Mt. Gox bitcoin exchange have all suffered similar attacks in the past.

The DDoS on these ISPs comes just days after Sabric (the SA Banking Risk Info Centre) announced that South Africa’s banks were hit by DDoS attacks of their own.