Botnet Attack: What Happens When Hackers Enlist Their Victims to Do Their Dirty Work?

Harlan Hutson | November 24, 2025 | 16 min read

This featured video was created using artificial intelligence. The article, however, was written and edited by actual payment experts.

What is a Botnet Attack?

In a Nutshell

Hackers aren’t always after your data. In some cases, they may just be aiming to borrow your computer. By placing small, barely noticeable programs in your operating system, they can secretly connect your device to an entire network of other small programs. As we’ll explore today, this “bot” network can do more damage than any single device.

What is a Bot Scam? Understanding & Preventing Botnet Attacks

In your mind, picture the kind of guy who commits identity theft. You’re probably imagining a shady guy in a dark room, working diligently to try and break into your account.

There are obviously crooks doing that manual hacking work. They’re not the biggest threat, though. Cybercrime is an industry unto itself, and anyone who uses a computer is at risk. That’s because, in the case of botnet attacks, cybercriminals may be using your machine to do their dirty work, without you even knowing it.

How Do Botnets Work?

TL;DR

A botnet (short for robot network) is a group of devices that are all running the same automated script. The purpose is to do a lot of work with a minimal amount of human input required.

Let’s start with some fundamentals.

What we refer to as a bot is in reality a computer program used to perform automated tasks. Mostly, these tasks are routine, uncomplicated, and repetitive. Bots have legitimate uses; for example, search engines use bots to scour the internet and identify new or updated content on web pages.

An army of bots — called a botnet — can do the job considerably faster than humans, and with fewer errors. A botnet (short for robot network) is not a program itself, but rather a group of electronic devices that are all running the same script or program. As with any other application of botnets, the goal is to do a lot of work with a minimal amount of human input required.

Common Question

What is a “Zombie” Device?

Individual devices in a botnet are often referred to as zombies. This is because the device is infected with malware, allowing the hacker to use the device remotely and without the owner's knowledge. Like those shambling creatures from the movies, the device operates according to whatever command its master gives.

What is a Botnet Attack?

Botnet Attack

[noun]/bôt • net • ə • tək/

A botnet attack is an attempt by a hacker to conduct large-scale, automated cyberattacks through a massive network of hijacked, internet-connected devices, rather than manually controlling one single machine.

Bots have legitimate uses; the problem is when scammers deploy botnets to facilitate fraud. With a botnet attack, the work in question could be brute force attacks to try and guess account passwords, or to overwhelm a server and conduct a DDoS attack.

Merchants are particularly susceptible to botnet attacks for two big reasons. First, most merchants submit transactions for processing every day. This creates a monetizable, always-on testing environment for scammers, who can test stolen cards or launch credential stuffing attacks with ease.

The other reason is that many merchants operate at scale. They submit dozens, hundreds, or even thousands of transactions for processing at once. Botnet attackers can use this volume to either fly under the radar among the backdrop of mostly legitimate payment activity, or actively exploit a merchant’s infrastructure to attempt thousands of transactions at once.

Did You Know?

According to LexisNexis Risk Solutions, bad bots — including those that scrape data, attempt account takeovers, or test cards — accounted for 31% of eCommerce traffic in 2024.

How Do Hackers Create Bot Networks?

TL;DR

Hackers infect targeted machines with malware. Once infected, the attacker can send commands to all the compromised systems at once.

The first step in committing a botnet attack is creating the network itself. Hackers can infect targeted machines with malware through a variety of methods, enabling outside access. The end result is an entire network under the control of the attacker. Any device that connects to the internet could potentially be compromised, including:

  • Computers
  • Tablets
  • Mobile Phones
  • Smartwatches
  • Fitness Trackers
  • Smart Home Devices
  • Doorbell or Security Cameras
  • Web Servers
  • Network Routers

In order to remain hidden from the device’s owner, the malware programs must be very small and take up minimal processing power. The crook will need to infect a large number of machines to get the job done. In theory, a dozen infected devices could be called a botnet, but botnets often consist of millions of linked devices.

Hackers can use a variety of methods to gain control of a device, including phishing, installing Trojan horse viruses, exploiting security vulnerabilities, and deploying social engineering attacks. As we’ll see, crooks can even leverage a botnet attack to infect machines for use in a different botnet attack.

After it has been hacked and infected, the “zombie” device will be linked back to the central botnet server. All the linked devices can then be operated remotely through Command and Control (C&C) software, enabling the attacker to send commands to all the compromised systems at once. 

Important!

Herders don’t completely hijack devices. The hacker doesn’t want to assume total control; they actually want the zombie’s true owner to continue using their device as normal, while the scammer’s programs run in the background.

Centralized vs. Decentralized Botnet Attacks

There are two common types of botnets hackers use. In one version, all the connected programs/machines are governed by a single machine (called a “bot herder”). In other words, one server is giving orders to each individual bot in the network.

For the hacker, the downside of this method is that the entire operation can be shut down from a single machine. This is generally not the preferred attack method, for obvious reasons.

In a decentralized botnet attack, each bot in the network shares responsibility for giving attack instructions. As long as the hacker can communicate with a single device in the network, they can still execute the attack through all the other linked devices. This greatly increases the difficulty of tracking the attack to its source. 

In either situation, though, a single attacker with an extensive army of zombie bots can spread rapidly. They can target and infect every computer in a company, or even compromise entire networks.

How Botnet Attacks Work: From Infection to Attack

TL;DR

A botnet attack begins when an attacker recruits thousands of compromised devices into a botnet under a single command and control (C&C) server. The attacker then initiates the attack by sending a signal from the C&C server to all botnet devices at once.

Although a botnet attack may appear random, it’s really the terminal stage of a four-phase lifecycle.

The attack starts when thousands of everyday internet-connected devices, from PCs and phones to smart TVs and security cameras, get roped into a bot network. At this stage, malicious bot herders are less concerned about the particular type of device infected and more concerned that the device can be controlled. 

Once infected, devices begin reporting to a hidden command and control (C&C) server. If the bot herder is the puppet master, then this server is the set of strings that the puppet master uses to manipulate all the bots at once. C&C servers are often decentralized or hidden behind layers of proxy networks, which make them incredibly resilient and difficult for authorities to identify and shut down.

With the network in place, the bot herder can begin to launch attacks, which happen when thousands of devices carry out coordinated commands simultaneously. When these attacks hit merchants, they often manifest as card-testing events, site-crashing denial-of-service (DoS) attacks, or spam campaigns that involve bad traffic from every corner of the globe.


Common Botnet Attack Strategies: How Do Hackers Use Botnets?

When building their botnet, hackers specifically try to gain security access at the administration level or higher. The greater access a zombie device has, the easier it is to infect other machines. Admin access also enables a wider range of potential attack types.

Some of the most common tactics deployed by hackers conducting botnet attacks include:

Phishing Campaigns

Bots are used to send mass emails, with the aim of tricking victims into revealing confidential information.

Mass-Mail Spamming

Sending bogus messages containing malicious links or attachments to capture data or expand the botnet.

DDoS Attacks

A “distributed denial of service” attack uses bots to overload a server with request traffic, thereby making the site in question crash.

Social Spamming

Distributing spam messages across online forums, review sites, or social media/blog post comments sections.

Brute Force Attacks

Using bots to try all possible combinations of a code (a 4-digit PIN or password, for example) until a working code is discovered.

Click Fraud

Repeatedly clicking on sponsored ads or affiliate links to drive up victims’ expenses or artificially inflate content popularity with phony likes.

Card Testing Attacks

Rapidly testing thousands of stolen card numbers with micro-transactions, resulting in a wave of authorization fees and subsequent chargebacks.

Inventory Denial

A malicious form of automated “window shopping” that targets high-demand or limited-stock items, leading to phantom sell-outs that make it impossible for legitimate customers to buy.

Web Scraping

Bad bots systematically steal proprietary pricing data, product descriptions, and customer reviews. This allows competitors to instantly undercut prices and clone successful eCommerce listings with minimal effort.

Gift Card Balance Draining

Exploiting balance-checking portals with bots that systematically guess and check numbers, enabling attackers to find and drain active gift cards before real customers can ever use them.

Crypto Mining

Stealing processing power from devices in the network to perform cryptocurrency mining operations at the device owners’ expense.

Using Botnets for Fraud-as-a-Service (FaaS) Schemes

TL;DR

Scammers with limited technical knowledge can conduct sophisticated botnet attacks by renting a dormant botnet (a practice called “fraud as a service,” or “FaaS”).

Technology is no longer a barrier to entry, as scammers with limited technical knowledge can simply buy a botnet on the dark web. They can rent access to a botnet and launch complex attacks for less than the price of a cup of coffee, a classic example of a fraud-as-a-service (FaaS) arrangement.

In some cases, these underground, criminal services function just like legitimate SaaS platforms, offering user-friendly dashboards and subscription plans. A DDoS attack, for instance, might be sold for $50 per hour, while card testing services may charge a fixed fee per thousand attempts. This accessibility removes technical barriers to entry and allows even the least sophisticated bad actors to launch massive, automated attacks against eCommerce businesses with minimal investment and near-total anonymity.

This is a highly profitable criminal model. For bad actors, botnet attacks are low-risk, high-reward propositions, and that’s in large part why merchants continue to face an unrelenting barrage of bot attacks.

How Botnet Attacks Impact Your Business

Every time you experience a botnet attack, you incur a litany of direct costs, operational chaos, and fines that can jeopardize the long-term health of your business. Negative impacts include:

Direct Fraud Losses

This is the most obvious cost; the full value of any merchandise successfully shipped to a scammer before the fraud was caught. These losses are almost never recoverable, so you have to eat the product, fulfillment, and transaction costs yourself.

Operational Costs

A bot attack is an “all-hands-on-deck” emergency that pulls your team away from productive work. Your staff now needs to spend time manually investigating suspicious activity, fielding complaints from legitimate customers locked out of their accounts, and managing the fallout of the attack, instead of performing revenue-generating activities that help you grow your business.

Authorization Fees From Card Testing

This is essentially a “death by a thousand cuts” scenario. Depending on the fee agreement you inked with your payment processor, you may have to pay an authorization fee (which can range from $0.01 to $0.25) for every transaction attempt — even the ones that are declined or reversed. A bot testing 10,000 stolen cards can generate thousands of dollars in non-refundable fees overnight, effectively billing you for the privilege of being attacked.

Chargeback Ratio Damage

Card networks like Visa and Mastercard strictly monitor your chargeback-to-transaction ratio, and a sudden spike in fraud from a bot attack can easily push you over the “excessive” or “high-risk” threshold. This can lead to involuntary enrollment in a merchant monitoring program, resulting in account restrictions, higher processing costs, and punitive surcharges for continued non-compliance.

Merchant Account Jeopardy

Mandatory monitoring programs are only the first step. If you’re chronically unable to keep your chargeback ratio in check, your payment processor may terminate your merchant account entirely, leaving you unable to process any payments. In the worst case, you may even risk placement on the MATCH List, which is essentially an industry-wide blacklist.

Revenue Loss From Downtime

Even a DDoS attack, which doesn’t seem as “bad” as a deluge of account takeovers, can have consequences. When your site is taken offline, it pauses sales and drives potential customers to your competitors. Every minute of downtime is a direct loss of revenue and an opportunity for a frustrated customer — who found your site “broken” — to find a new, more reliable store.

Reputational Harm

Customer trust is the single most valuable long-term asset in eCommerce, and a bot-driven account takeover or data breach can erode it rapidly. The resulting negative reviews, social media complaints, and waning brand loyalty can inflict damage that lasts for years after the attack.

Inventory Impact

Bots can paralyze your business by adding all of your high-demand items to thousands of carts without completing any purchases. These “phantom sell-outs” can sabotage sales events by preventing genuine, paying customers from buying your products.

Higher Card Processing Fees

Even if you survive a bot attack, your payment processor may still reclassify you as a higher-risk merchant. When it comes time to renew your contract, you could be presented with elevated transaction processing rates that eat into your margins on every single legitimate sale you make from that point onward.

Customer Lifetime Value Loss

The ultimate, long-term impact of botnet attacks is the permanent erosion of your customer base. Legitimate customers who have their accounts compromised, their loyalty points stolen, or who are simply blocked by overly aggressive fraud filters will often leave in frustration and never return, resulting in the loss of their entire lifetime value.

How to Detect Botnet Attacks in Real-Time

Bots do not behave like human customers. They leave a distinct, automated fingerprint, and identifying these patterns in real-time can help you deflect or thwart an attack before it causes catastrophic damage. Here are some warning signs to consider:

  • Sudden spike in authorization attempts: A high volume of transactions, especially for small, identical amounts (e.g. $1.00).
  • Multiple cards, one address: Dozens of different card numbers all using the same shipping address could be a sign that the fraudster is using a freight forwarder to conceal their address.
  • Rapid-fire submissions: A velocity of transaction attempts from a single IP or user that is physically impossible for a human.
  • High decline volume: An abnormally high ratio of card declines concentrated in a short timeframe.
  • Testing velocity limits: A pattern of transactions just below your preset velocity limits (e.g. 4 attempts when the limit is 5).
  • Sequential card numbers: Repeated attempts using card numbers that are numerically sequential (e.g. ending in ...1234, ...1235, ...1236).
  • Similar transaction patterns: Testing BINs by using many different card numbers all issued by the same bank.
  • Repeated attempts with slight variations: The same card being tested multiple times with small changes to the Card Verification Value (CVV) or expiration date.
  • Abnormal spike in failed logins: A sudden, massive increase in failed login attempts or password reset requests.
  • Multiple accounts, one IP: One IP address attempting to log in to dozens or hundreds of different customer accounts.
  • Inhuman login velocity: Hundreds of login attempts per minute, far exceeding any normal human behavior.
  • Mass account lockouts: A sudden increase in customers being locked out of their accounts due to repeated failed attempts.
  • Unusual traffic spikes: A massive surge in site traffic without a corresponding marketing campaign or sales event.
  • Traffic from odd sources: High traffic from known data centers, cloud hosting providers, or proxy services instead of residential ISPs.
  • Server slowdowns: Unexplained high CPU, memory, or bandwidth consumption that makes your site slow or unresponsive.
  • Connections from known botnets: Your firewall or web application firewall (WAF) logging a high volume of blocked connections from known malicious IP ranges.
  • Residential proxy indicators: Traffic that is globally distributed but shows coordinated, identical behavior patterns.
  • IP and billing mismatches: A high volume of transactions where the IP address location does not match the billing address country.
  • Overnight or weekend activity: A major spike in activity during off-business hours when your monitoring and staff are at a minimum.
  • Event-timed attacks: An attack that begins right around the same time a limited-edition product drops or a major sale goes live.
  • Coordinated multi-vector attacks: A simultaneous attack on multiple endpoints, such as login pages, checkout, and “add to cart” functions.
  • New accounts, high-value purchases: Brand-new accounts that are created and immediately attempt to make repeated large or expensive purchases.
  • Bulk account creation: A rapid influx of new accounts created with similar or nonsensical email addresses or usernames.
  • Dormant accounts waking up: Long-inactive customer accounts that suddenly become active with new login attempts or password resets.
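The card-testing signals above can be checked mechanically over a batch of authorization attempts. The following detector is an added example, not code from the original article or its vendor; the log format, the thresholds and the sample records are all constructed for this illustration, and the card numbers are made-up test values.

```python
"""Heuristic card-testing detector over a batch of authorization attempts.

Scores a batch against five of the warning signs listed above: a spike of
small identical amounts, many distinct cards sharing one shipping address,
numerically sequential card numbers, a high decline ratio, and a burst of
attempts from a single IP. Thresholds are assumptions; tune to your baseline.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (pipe-separated): time | source IP | card | amount | ship-to | result.
SAMPLE_LOG = """\
2025-11-24T02:00:01|203.0.113.9|4111111111111230|1.00|12 Elm St|declined
2025-11-24T02:00:02|203.0.113.9|4111111111111231|1.00|12 Elm St|declined
2025-11-24T02:00:03|203.0.113.9|4111111111111232|1.00|12 Elm St|approved
2025-11-24T02:00:04|203.0.113.9|4111111111111233|1.00|12 Elm St|declined
2025-11-24T02:00:05|203.0.113.9|4111111111111234|1.00|12 Elm St|declined
2025-11-24T02:00:06|203.0.113.9|4111111111111235|1.00|12 Elm St|declined
2025-11-24T02:00:07|203.0.113.9|4111111111111236|1.00|12 Elm St|approved
2025-11-24T02:00:08|203.0.113.9|4111111111111237|1.00|12 Elm St|declined
2025-11-24T02:00:09|203.0.113.9|4111111111111238|1.00|12 Elm St|declined
2025-11-24T02:00:10|203.0.113.9|4111111111111239|1.00|12 Elm St|declined
2025-11-24T09:14:22|198.51.100.7|5555555555554444|59.99|8 Oak Ave|approved
2025-11-24T11:40:05|198.51.100.8|5105105105105100|129.00|3 Pine Rd|approved
"""

@dataclass
class Attempt:
    ts: datetime
    ip: str
    card: str
    amount: float
    ship_to: str
    result: str

def parse_log(text):
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, card, amount, ship_to, result = line.split("|")
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, card, float(amount), ship_to, result))
    return attempts

THRESHOLDS = {
    "min_attempts": 10,       # ignore batches too small to score
    "small_amount": 2.00,     # "micro-transaction" ceiling
    "identical_share": 0.5,   # share of attempts at the single most common small amount
    "cards_per_address": 5,   # distinct cards shipping to one address
    "sequential_pairs": 3,    # consecutive card numbers differing by exactly 1
    "decline_ratio": 0.5,
    "ip_burst": 10,           # attempts from one IP inside ip_window
    "ip_window": timedelta(seconds=60),
}

def small_identical_amounts(attempts, th):
    small = [a.amount for a in attempts if a.amount <= th["small_amount"]]
    if not small:
        return False
    _, top = Counter(small).most_common(1)[0]
    return top / len(attempts) >= th["identical_share"]

def many_cards_one_address(attempts, th):
    cards = defaultdict(set)
    for a in attempts:
        cards[a.ship_to].add(a.card)
    return max(len(s) for s in cards.values()) >= th["cards_per_address"]

def sequential_cards(attempts, th):
    pans = sorted({int(a.card) for a in attempts if a.card.isdigit()})
    pairs = sum(1 for x, y in zip(pans, pans[1:]) if y - x == 1)
    return pairs >= th["sequential_pairs"]

def high_decline_ratio(attempts, th):
    declined = sum(1 for a in attempts if a.result == "declined")
    return declined / len(attempts) >= th["decline_ratio"]

def ip_burst(attempts, th):
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a.ts)
    for times in by_ip.values():   # sliding window over each IP's sorted timestamps
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while times[j] < t - th["ip_window"]:
                j += 1
            if i - j + 1 >= th["ip_burst"]:
                return True
    return False

SIGNALS = {
    "small_identical_amounts": small_identical_amounts,
    "many_cards_one_address": many_cards_one_address,
    "sequential_cards": sequential_cards,
    "high_decline_ratio": high_decline_ratio,
    "ip_burst": ip_burst,
}

def score(attempts, th=THRESHOLDS):
    """Evaluate every signal; flag card testing when at least three of them fire."""
    if len(attempts) < th["min_attempts"]:
        return {"card_testing_suspected": False, "signals": {}}
    signals = {name: fn(attempts, th) for name, fn in SIGNALS.items()}
    return {"card_testing_suspected": sum(signals.values()) >= 3, "signals": signals}

if __name__ == "__main__":
    print(score(parse_log(SAMPLE_LOG)))
```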

Responding to an Active Botnet Attack

Knowing that you’re the victim of a botnet attack is no fun. But, panic is the enemy. Instead, carrying out a calm, methodical, and pre-planned incident response plan can help you minimize financial and operational damage. Consider the following steps:

Step #1 | Triage & Containment

You may be tempted to just shut down your site to contain the damage, but there’s no need to do that. Instead, just add friction to create a temporary barrier.

Confirm the attack by cross-referencing traffic spikes with transaction declines, and then immediately deploy emergency rate limiting, activate CAPTCHA challenges on login and checkout, and block the most obvious offending IP ranges or geolocations. The goal is to make the attack unprofitable and ineffective for the bot herder for the time being so that you can buy time to analyze the attack’s full scope.

Step #2 | Coordinate & Communicate

After the initial threat is contained, coordinate an all-hands event. Then, reach out to your payment processor to notify them of the attack and request that they immediately tighten their own upstream fraud filters on your behalf.

Internally, establish a “war room” comprising key members of your IT, risk, and customer service staff to ensure that your entire organization is prepared to field questions and assuage concerns from legitimate customers who may be impacted. During this time, you can also file a police report with your local law enforcement agency or lodge a complaint with the FBI’s Internet Crime Complaint Center (IC3).

Step #3 | Assess the Full Scope of the Damage

Once the initial cleanup is over, shift to forensics. When assessing the damage, consider direct fraud losses like inventory costs and authorization fees from failed transactions. Also, account for the potential impact on your chargeback ratio, and determine which customer accounts (if any) were compromised.

This data can help with post-attack hardening and give you the information you need to file a compelling cyber or eCommerce fraud insurance claim.

Step #4 | Recover, Harden, & Report

Recovery is a gradual process. As you slowly lift temporary blocks, you’ll need to replace them with permanent, smarter rules based on the attack's unique signature.

This is also the time to negotiate a waiver of invalid authorization fees with your payment processor, force password resets on compromised accounts (or on all accounts), and conduct a detailed post-mortem report to build a stronger and more resilient defense for the next attack.

Botnet Attack Prevention Strategies for Merchants

A robust defense against botnet attacks is a multi-layered one. Fraud detection and prevention tools should target vulnerabilities across the entire buying journey, from signup and login to checkout and payment. Here are some security measures to consider:

Foundation-Level Defenses

Start by mastering the tools you already have. Enabling Address Verification Service (AVS) and CVV checks, setting basic rate limits in your payment gateway, and requiring CAPTCHA on account creation are low or no-cost barriers that slow down bots. Doing so dramatically increases their cost-per-attempt and makes your store an unprofitable and undesirable target.

Transaction Controls & Velocity Rules

This layer acts as your site’s “speed trap,” catching bots that try to move faster than a real customer. Go beyond simple limits by implementing progressive delays that add a few seconds of friction after each failed transaction.

While this delay adds little to no friction for a human re-typing their card information, it can effectively roadblock automated scripts trying to test thousands of cards per minute.
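One way to implement the progressive-delay rule together with a sliding-window velocity limit, as an added example rather than the article's own code: each key (a source IP, or a hash of the card number) may make at most a fixed number of attempts per window, and every failed attempt doubles the cool-down before the next one is accepted. The limits and delays are assumptions chosen for the illustration.

```python
"""Progressive-delay velocity guard for a checkout or login endpoint.

A human re-entering a mistyped card waits two seconds after one failure; a
script cycling through stolen cards is stalled for exponentially longer after
every decline, on top of a hard cap on attempts per window.
"""
from collections import deque

class VelocityGuard:
    def __init__(self, max_attempts=5, window_s=60.0, base_delay_s=2.0, max_delay_s=300.0):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.base_delay_s = base_delay_s
        self.max_delay_s = max_delay_s
        self._attempts = {}       # key -> deque of attempt timestamps inside the window
        self._failures = {}       # key -> consecutive failure count
        self._blocked_until = {}  # key -> earliest time the next attempt is accepted

    def check(self, key, now):
        """Return (allowed, seconds_to_wait) for an attempt at time `now`."""
        q = self._attempts.setdefault(key, deque())
        while q and q[0] <= now - self.window_s:   # drop attempts that left the window
            q.popleft()
        until = self._blocked_until.get(key, 0.0)
        if now < until:                            # still in a progressive cool-down
            return False, until - now
        if len(q) >= self.max_attempts:            # hard velocity cap
            return False, q[0] + self.window_s - now
        return True, 0.0

    def record(self, key, now, success):
        """Record the outcome of an accepted attempt; return the cool-down applied."""
        self._attempts.setdefault(key, deque()).append(now)
        if success:
            self._failures[key] = 0
            self._blocked_until.pop(key, None)
            return 0.0
        n = self._failures.get(key, 0) + 1
        self._failures[key] = n
        delay = min(self.base_delay_s * 2 ** (n - 1), self.max_delay_s)   # 2, 4, 8, ... seconds
        self._blocked_until[key] = now + delay
        return delay

def replay(guard, key, times, outcome):
    """Replay attempts at the given times; return the times that were accepted."""
    accepted = []
    for t in times:
        allowed, _ = guard.check(key, t)
        if allowed:
            accepted.append(t)
            guard.record(key, t, outcome(t))
    return accepted

if __name__ == "__main__":
    # A script firing once per second with every card declined gets 4 tries in 30 s.
    print(replay(VelocityGuard(), "bot", range(30), lambda t: False))
    # A shopper who mistypes once, then succeeds, is never blocked.
    print(replay(VelocityGuard(), "human", [0, 5, 20], lambda t: t > 0))
```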

Account Security Measures

Treat customer accounts like the high-value assets they are. Requiring email verification on creation, for example, can stop bulk synthetic sign-ups, while implementing multi-factor authentication (MFA) can help you defang credential stuffing attacks by rendering a bot herder’s stolen password list useless without additional verification factors.

Payment Page Hardening

Your checkout page is the primary target and must be hardened. Use tokenization so that sensitive card data never touches your server, minimizing your PCI-DSS scope and risk.

You can also implement invisible “honeypot” fields: for instance, a text field hidden from human users but visible to bots that, when filled in, instantly flags the submitter as non-human and blocks the transaction.

Network & Infrastructure Protection

These perimeter defenses can help you filter out the most obvious threats. A web application firewall (WAF) and a content delivery network (CDN) work together as a powerful first line of defense; a CDN is built to absorb the sheer volume of a DDoS attack, while a WAF filters the traffic, applying rules to block known bot signatures and malicious requests before they reach your store.

Implementing a Multi-Layered Bot Defense Strategy

In the section above, we talked about developing a time-based incident response plan. We’ll now discuss how you can complement your responses with defensive tactics, beginning on the first day of the attack and beyond.

The First 72 Hours: Immediate Actions

As mentioned above, “Level 1” of your defense strategy should be about triaging. At the most basic level, you should be focused on stopping the immediate bleeding with tools you already pay for.

For example, enable every available filter within your payment processor’s dashboard. Set aggressive velocity rules, strictly enforce AVS/CVV checks, and add CAPTCHA to checkout and login flows. This high-impact first step can help you establish a baseline defense and document your starting traffic patterns.

The First Month: Fundamental Protections

“Level 2” of your defensive strategy should mark a shift from a purely reactive to a proactive defense posture.

For as little as $20 a month, you can add a basic web application firewall to filter known bot signatures and deploy simple device fingerprinting. This security layer can help you differentiate bad traffic from good by analyzing a user’s browser type, operating system, and IP reputation.

The First Quarter: Advanced Detection

“Level 3” of your defense strategy is where you shift to predictive defense by investing in a dedicated bot detection service.

By analyzing behavioral biometrics — such as mouse movements, typing cadence, and mobile swipe patterns — you can generate a score for a user’s “humanity” in real-time. This allows you to stop sophisticated bots that mimic human behavior without ever showing a CAPTCHA or adding friction to a legitimate customer’s buying experience.

The One-Year Goal: Enterprise-Grade Protection

At “Level 4,” bot protection is a fully integrated part of your business intelligence and security operations. In practice, this means deploying a custom-trained machine learning model fed by your own transaction data, integrated with real-time threat intelligence feeds, and managed by a dedicated security team that can identify and adapt to new attack vectors as they emerge.

Digital Security is an Ongoing Issue

In the end, it doesn’t matter whether you’re an individual user or responsible for an entire company network. In either case, the most effective way to mitigate the risk posed by botnet attacks is to prevent them from happening in the first place.

Training, vigilance, and up-to-date systems and virus protection tools are all strong methods of preventing botnet takeovers. In fact, prevention is typically the best way to deal with any type of digital crime, including account takeover attempts and other fraud threats.

A comprehensive strategy can help identify threats before they happen and protect your business and revenue. To learn how we can help, speak to one of our experts today.

FAQs

What is an example of a botnet attack?

One of the most well-known botnet attacks occurred in 2016 against the DNS provider Dyn. The hackers used a DDoS (distributed denial of service) attack to overload and shut down several major sites — including Twitter, CNN, Reddit, Airbnb, and Netflix — with fraudulent traffic.

How does a botnet attack work?

The first objective of the botnet is to build a network of internet-connected devices which are then infected with a small malicious software program, or bot. Once the hacker controls this “botnet” of infected devices, they can remotely command every device to simultaneously perform activities, such as DDoS attacks or large-scale phishing attempts.

What is a botnet attack in simple terms?

A botnet attack is any attack leveraging a botnet, or a network of devices infected by malware and linked together to perform the same task. All are under the control of a single attacking party, who uses thousands or millions of infected computers to accomplish more than would be possible with a single direct attack.

Is a botnet attack a DDoS attack?

Often, but not exclusively. Botnets are commonly used for DDoS attacks, but bot networks can be leveraged for other purposes such as account takeover or large-scale spam attacks.

How do hackers use botnets?

Botnets can be used for multiple types of attacks, such as click fraud. In this situation, the network of bots uses malicious software to divert web browser traffic to specific online advertisements. The browser believes the ad has been clicked on, meaning unearned affiliate fees will be paid to the hacker. By using a botnet, the hacker makes it appear as if the fraudulent clicks all come from different users.

How do you know if you are in a botnet?

Unusually slow performance, high CPU, RAM, or GPU usage, the presence of spam or pop-ups, and unexpected application crashes are some signs that you could be in a botnet.

What does a botnet look like?

A botnet is a network of compromised wireless devices, like computers, phones, and even smart devices like laundry machines and security cameras. Botnets can be centralized, decentralized, or structured in a hierarchical fashion.
