researchHQ’s Key Takeaways:
- Malicious bots will grow smarter, bypassing bot mitigation measures and gaining wider mainstream awareness.
- Despite the costs of buying and running bots, the bot economy is projected to continue increasing in size.
- Bot protection is an ever-growing component of web application protection.
Every year(ish), I publish our AppSec predictions — three of the threats that look to be the biggest problems in the upcoming year. In the past two years, the predictions were: credential stuffing/account takeover attacks, API attacks, and supply chain attacks.
This year is slightly different. The predictions are a little more targeted, but they are mostly around the same lines. Over the past year, we’ve augmented our Threat Intelligence Service (part of Barracuda Advanced Bot Protection) with more sensors and intelligence. Combined with our customer conversations and other threat research, we have the following predictions:
Bots will grow smarter and become a bigger part of mainstream awareness
In a way, you could say that pandemic-induced boredom has caused the public awareness of bots to come to the forefront. Bots — especially sneaker bots — have been growing in popularity over the past few years. People used these bots to “cop” the latest sneaker or other popular limited-item “drops” and then resell them for profit. This trend has been growing for quite some time, but the release of the new AMD RX6000 graphics cards, Ryzen 5000 series processors, and the Sony PlayStation 5 has led to pretty much everyone interested in these products learning about the bots.
The AMD example is quite interesting in that it prescribes specific bot mitigation measures — including the use of CAPTCHAs, purchase limitations per account, reservations, bot management solutions, and much more. Many of these solutions don’t faze today’s bot makers. CAPTCHAs, including reCAPTCHA v3, are quite easily bypassable by bots, and they can get around most other methods as well, with the exception of advanced bot management solutions.
The reCAPTCHA approach is an example of how bot mitigation solutions are more likely to annoy humans than bots. The older image-based reCAPTCHA that we all know and “love” broke a couple of years ago, and Google released v3, which is based on user “reputation.” One of the things that gives you a higher reputation is the behavior of your Google account, and there are now services that can provide you with “high reputation” accounts.
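The practical consequence of the above is that a reputation score should be treated as one signal, not the gate: a purchased high-reputation account still hits per-account purchase limits. The following is an added illustration, not code from the original post or from Barracuda's products; the siteverify response dicts are constructed inline (field names follow Google's reCAPTCHA `siteverify` JSON), and the score threshold, per-account unit limit and the in-memory ledger are assumptions.

```python
"""Layered checkout decision: reCAPTCHA v3 score plus a per-account purchase limit."""
from dataclasses import dataclass, field

MIN_SCORE = 0.5              # assumed threshold; v3 scores run 0.0 (likely bot) to 1.0 (likely human)
MAX_UNITS_PER_ACCOUNT = 2    # assumed limit, applied regardless of the score


@dataclass
class AccountLedger:
    """Units already bought per account (in-memory stand-in for a real store)."""
    purchased: dict = field(default_factory=dict)


def decide(verify_json: dict, expected_action: str, expected_host: str,
           account_id: str, ledger: AccountLedger) -> str:
    """Return 'allow', 'challenge' or 'deny' for one checkout attempt.

    verify_json is the parsed body returned by Google's siteverify endpoint
    (keys: success, score, action, hostname, error-codes). The network call
    itself is out of scope here; the caller passes the parsed response in.
    """
    # 1. Token must have verified at all.
    if not verify_json.get("success"):
        return "deny"
    # 2. Token must be bound to this action and this site; otherwise it may be
    #    a token minted elsewhere and replayed against the checkout endpoint.
    if verify_json.get("action") != expected_action:
        return "deny"
    if verify_json.get("hostname") != expected_host:
        return "deny"
    # 3. Low score: step up to a stronger challenge rather than block outright,
    #    since v3 scores are probabilistic and annoy humans when used as a hard gate.
    if float(verify_json.get("score", 0.0)) < MIN_SCORE:
        return "challenge"
    # 4. Per-account limit applies even to a perfect score: a bought
    #    "high reputation" account does not buy more units than anyone else.
    bought = ledger.purchased.get(account_id, 0)
    if bought >= MAX_UNITS_PER_ACCOUNT:
        return "deny"
    ledger.purchased[account_id] = bought + 1
    return "allow"


if __name__ == "__main__":
    # Constructed sample responses, not real siteverify output.
    ledger = AccountLedger()
    good = {"success": True, "score": 0.9, "action": "checkout", "hostname": "shop.example"}
    for _ in range(3):
        print(decide(good, "checkout", "shop.example", "acct-1", ledger))  # allow, allow, deny
```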