Distil Network’s Rami Essaid on the attack of the bots

The 2014 Sony hack and recent attack on Yahoo were arguably two of the biggest .com blunders of all time – events that will undoubtedly remain in the minds of all millennials. Such cyber-attacks shook the web and begged the question of every management structure across the world: “Are we safe?”

All too many industries remain unaware of the threat of bots, particularly online gaming. Hackers no longer need to engage armies of hacking cronies, all they need to wreak havoc on companies’ online servers is a number of bots they have coded themselves.

‘Bad bots’, as they’re called, can easily imitate players and cash out on any earnings they might have accumulated in their account, on any online gaming platform. The threat is increasing and looks to move onto mobile next, as it has a less secure API and is more easily penetrable.

Distil Networks leads in the detection and mitigation of ‘bad bots’ online. CEO and co-founder Rami Essaid is keen to educate the egaming world on a very prevalent cyber security threat that has become well known within other industries.

EGR Technology: What exactly is a ‘bad bot’?

Rami Essaid (RE): We help companies tell the difference between real people and bots, which are automated computer programmes that are accessing their web infrastructure. Any website or gaming app is made for real people to interact with it, but bots are coming in to attack. Hackers are using fake tools, pretending to be real people to either commit fraud or try and game the system.

Half of all web traffic is bots, now some of those are good bots like Google, that send you tracking to help you acquire customers. One in five users on any site is a bad bot. These are doing everything from trying to take over accounts, to steal information and it’s hurting all sorts of industries.

Specifically in gaming we’ve found that is has become a pretty big target because there is real money involved. It’s hard to say that the industry is fully regulated under one framework. The users are from all over the world and the sites are not governed in places that are going to have a lot of recourses. It really falls upon site owners to take action. We’re seeing fraudsters and hackers using bots a lot to attack these websites.

EGR Technology: How are they affecting the egaming industry?

RE: One issue is the idea of account take over. Time and time again over the past couple of years we have heard about breaches. You’ll remember Ashley Maddison and Yahoo. What happens in those breaches is that usernames and passwords get stolen. People tend to use the same username and password all over the place, and if the hackers get hold of one list then they can go and try it on a bunch of different sites, where 1–5% will work. Now they have a proper username and password for a gaming site that has real money behind it. By the time you log in and find out your account’s been taken over, the money’s already been cashed out.

The next threat that hackers are leveraging is finding holes in the security infrastructure. They write a bot that looks for vulnerabilities and can exploit them. Each of these steps is now automated and it makes the hacker’s life a lot easier. It significantly increases your exposure, if you aren’t able to identify bots against real people.

Some of these gaming sites are sensitive to their lines. Instead of spending time and money competitors are just ripping off their lines and then smart people are actually trying to play the odds on the lines by finding discrepancies and trying to exploit lines that aren’t updated fast enough. We’re seeing that the professionals are using bots to look for odds that don’t make sense and finding places where an algorithm might be off. For example, during the Super Bowl one website had the coin toss odds at 50/50, where the New England Patriots always pick heads. The odds should have really had 10-1. One website didn’t know, and that kind of discrepancy can be found by professionals. They lost thousands of dollars because punters were able to recognise and exploit it.

EGR Technology: How new is this as a cyber threat?

RE: It’s been around forever, but what’s funny is that bots started before humans were really using the web. The use of bots for fraud and hacking has been on the rise in more recent years.

EGR Technology: How aware are operators of the threat of bots?

RE: Some are aware, which is why we know that it is a problem for the industry. Some have come to us and we are working with them. I think there is a pretty broad naivety across most sites. They don’t attribute the problems they face with account security issues to bots. We found this with a number of different industries; they understand the problem but they don’t understand the tool that is causing the problem.

EGR Technology: What’s the solution?

RE: What we do is identify bots versus real people, and in doing that we’re able to help companies clarify which are good and which are bad bots, and block them from ever accessing their sites.

EGR Technology: How do these operators start to recognise the problem?

RE: They start seeing their web application come to a crawl, and their performance is impacted. They start seeing their bandwidth immunisation spiking or their servers are overwhelmed. It’s almost like a ‘denial of service’ attack for them. We help show them it might not even be someone trying to take them offline but instead use a web scraper to scrape all their odds. They are going about it so aggressively that too heavy a load is being put on the servers.

EGR Technology: How aware of cyber security threats is the egaming industry at large?

RE: I’m biased in the fact that we work with financial, ecommerce and healthcare companies, and the gaming industry is not quite at the same level which is interesting, but they have just as much to lose. They are a newer industry that’s booming at breakneck speed and they haven’t been able to mature in their security apparatus, as over years some of the more traditional industries have.

EGR Technology: How are you spreading the word on these threats?

RE: We’re working with a couple of our big gaming companies to come out with a couple of case studies that will help people understand. We’ll try to highlight the before and after. Two of our clients, both global brands, want to share the journey they went though, and hopefully it starts resonating. These companies saw loads on their infrastructure and started by asking us to help them protect it. They dug into it more and were able to find how bots were acting across the different aspects of their site.

We just released our bad bot report for 2017 in which we highlight all the different ways bots impact a website. The report found that websites requiring a login are almost certain to be attacked by bad bots, with 96% of such sites targeted by malicious bots.

EGR Technology: Finally, what’s the next biggest cyber threat that will hit?

RE: What we’re seeing is that mobile is so much less secure than web applications. Mobile APIs are not very secure at all and the app itself is easily hit. That’s where we’ll see the next generation of attacks in the coming years.