Cequence Security today issued the EMA study “The Imitation Game” detailing the frequency and types of inexpensive, easily launched automated malicious bot attacks that exploit the business logic of applications. These attacks are launched to hijack user accounts, create fake accounts, scrape content, carry out application distributed denial of service attacks, and launch other types of attacks.
Among key findings:
– 85 percent of all respondents believe they are a target for automated attacks including account takeovers, application denial of service and fake account creation.
– Only 17 percent of respondents feel their APIs are a primary target, with that number expected to increase not because of more visibility but because more APIs are being built into applications. As context, 60 percent of respondents believe their organization’s web-based applications are the primary target.
– 57 percent of the respondents regularly see attackers relaunch attacks from the same source in an effort to thwart the initial detection, highlighting the sophistication and agility of the attack campaigns.
– Major malicious bot attack types respondents’ public-facing web, mobile, and API-based applications experienced over the last month:
- 52 percent of respondent websites were targeted by application distributed denial of service (DDoS) attacks;
- 38 percent report fake account creation and vulnerability scanning/reconnaissance attacks;
- 26 percent experienced account takeover/credential stuffing, where malicious bots try to wrest control of user accounts by testing user/password combinations stolen from other websites and published on the dark web;
- 23 percent reported content scraping;
- 18 percent reported automated shopping to buy high-demand items that limit quantity per buyer;
- 17 percent reported denial of inventory (loading shopping cart but not purchasing to prevent others from buying);
- 17 percent reported gift card/loyalty program fraud;
- 14 percent reported reputation bombing/enhancement; and
- 13 percent reported denial of wallet attacks (purposely driving traffic to a public-facing application to increase resource consumption and costs).