Bad Bots and the Dark Side of APIs

At the back end of 2021, the Stopping Grinch Bots Act bill was proposed in the US. The bill aims to target so-called “bad bot” traffic which, according to cybersecurity firm Imperva accounted for 25% of ALL website traffic in 2020.

We’ve written about the relationship between bots and APIs, but that article is more than five years old, which might as well be a lifetime in the API space. In light of that, this seemed like a perfect time to revisit this issue.

Below we’ll be looking at the role APIs play in bots and, on the flip side, how bots can be used to attack APIs. We’ll also cover several different ways to protect your organization and your APIs from bot abuse.

Using Bots to Game eCommerce

In 2017, Omri Iluz wrote on PerimeterX wrote that “scalpers plan meticulously, and their bots lie in wait, tirelessly pinging a checkout site to see if a sale begins a few seconds ahead of schedule…They study the URLs for retail sites, and use data-scraping techniques to guess the product ID (which is usually short) for an unreleased product.”

Iluz continues to say that “by subscribing to Twitter APIs, bot-masters learn about a sale milliseconds before everyone else — this translates into multiple purchase opportunities. They may even have their way into the backend of an eCommerce site to place orders.”

“Subscribing to Twitter APIs” is vague, but there are major clues that APIs and automation are at work here. For example, prolific affiliate marketer SNKR_TWITR posts links to product drops and restocks out to his 400,000 followers with lightning speed beyond that of a manual user. This is not to say, however, that there’s anything illegal or unethical about his processes.

Most people who create sneaker bots are cagey about explaining how they work. That’s understandable since bots sell for hundreds or even thousands of dollars. There are hints on relevant subreddits and elsewhere, however, that using different sites’ APIs to “cop” products is something of a gold standard in botting.

This fascinating video covers a legitimate way to use Python to monitor a Shopify API and, ultimately, purchase in-demand items automatically.

It’s worth pointing out, though, that there’s much more to all of this than just using APIs. User thebiggestbot writes on Reddit that it’s “not [just] about finding the endpoint, writing a monitor involves bypassing server-side caches, rate limiting, and anti-bot measures such as PerimeterX… You’ll also have to spend money on proxies.”

Many of those terms probably sound familiar if you’re used to securing APIs…

From “Must Cop” Kicks to “Must Hack” User Data

Outside of the eCommerce space, many other APIs are also susceptible to bots. Just as bots might be used to overwhelm a server or network in a DDoS attack, they can be used to probe APIs. Here, however, the aim is not to overwhelm the service but to mine user data and attempt to retrieve unauthorized resources.

In 2021, organizations using Microsoft Power Apps accidentally exposed 38 million records, including COVID-19 contact tracing data, Social Security numbers, and email addresses. The cause? APIs were publicly accessible by default, requiring security implementation by individual organizations. Using bots to call these APIs at scale allowed hackers to identify those who had not done so.

Peloton also had problems this year with a faulty API that permitted unauthenticated requests of user account data. A botnet would be used to exploit a situation like this because it allows for rapid data acquisition, infinitely quicker than calling an API manually, before the flaws in question can be fixed.

Equifax also experienced an extremely costly breach relating to APIs back in 2017. Unsurprisingly, the principles of bot management — hard blocking, rate limiting, redirecting, delaying access — are rapidly gaining traction among those in the business of securing APIs.

Beating the Bots

Salt Labs reports that API attacks, whether by bots or by humans, are up 348% in 2021. Radware called APIs the “next big threat,” and suggest that only 24% of organizations can distinguish between real users and bots.

In that respect, although not every API attack is bot-driven, identifying human-generated API traffic (and legitimate app traffic) versus bot traffic is vital to successful API management. That means ensuring that you’re taking actions like the following:

  • Catch bad actors when they’re still in the reconnaissance stage. The Salt Labs post quoted above states that “attackers need to poke and prod on APIs to learn the business logic they’re exercising and look for flaws.” It’s a smart idea to watch out for calls that are out of the ordinary or activity that feels excessive.
  • Establish human usage baselines. Developing an understanding of what your typical API users do will help identify bots and malicious behavior. You might consider looking into dedicated API security platforms, which use algorithms and AI to do precisely this.
  • Use an API gateway to rate limit and ban requests. An API gateway or microgateway won’t prevent every attack, but it can help you take the appropriate action (i.e., banning API keys) when it occurs. However, that still might not be enough — a recent Forbes article suggests beefing up your DevSecOps presence to combat attacks.
  • Have perimeter-level security beyond a gateway. In a 2020 blog post, identity and authorization platform Cloudentity writes about some of the measures their service takes: identity management, traffic policy management, edge gateway enforcement, privacy/consent object-level authorization, and other tactics.
  • Avoid misconfigured APIs. Finally, a measure that should be obvious…but apparently isn’t obvious enough. According to an IBM Security X-Force report, two-thirds of cloud breaches are due to misconfigured APIs. Many of which stem from human error.
  • Make sure your authentication controls are up to scratch and limit access to potentially sensitive data wherever possible. Oh, and test, test, test your weak points. If you can find them, it’s a safe bet that attackers will be able to as well.

As APIs become more and more embedded in the process of making high-value transactions online, security measures that might have once seemed like overkill will gradually become the status quo.

Will the Stopping Grinch Bots Act Work?

By the time legislation relating to tech practices passes, it’s usually too late to prevent anything — most botters have probably already bought and sold their holiday stock by now. What’s more, the Stopping Grinch Bots Act was proposed once before in 2019 and failed to receive the necessary votes.

As we’ve seen above, there’s more to botting than just using APIs — the practice tends to rely more on data scraping and other processes. But they still muddle the issue.

Consider the example of using a POST request to check out on a retailer’s website using an API endpoint. Even though such an action isn’t necessarily malicious, it might theoretically contravene the text of a law like the Stopping Grinch Bots Act.

All of which means that lawmakers have to tread carefully and can only outlaw very specific use cases. This might explain why, despite the introduction of the Better Online Ticket Sales (BOTS) Act in 2016 that banned bots from accessing ticketing websites, buying face-value tickets to gigs and shows remains a headache. Plus, fines are unlikely to deter people who invested significant amounts of money into bot infrastructure, cook groups, proxies, and other technologies.

Ultimately, it’s probably up to individual retailers and organizations to protect their sites, APIs, and other services from malicious bots or exploits. The guidance above is a way to start doing that, but staying one step ahead of bad bots will continue to be an uphill battle.