Bot operators are perpetually devising innovative techniques to sneak past security as they go about their dubious, often downright illegal business. Emulating human behavior and traffic patterns are key elements of their strategy. One of the many layers comprising this strategy is reporting their user agents as web browsers or mobile devices that are widely used by legitimate users. In recent years, the trend of bots using mobile web browsers as a disguise is on the rise: Imperva’s latest Bad Bot Report revealed that 35.6 percent of all bad bot traffic in 2021 was self-reported as mobile clients. This mirrors the human trend where about 50 percent of traffic originates from mobile devices.
Another intriguing finding was that for the first time, a mobile browser was the second most popular choice of disguise, with 16 percent of bad bot traffic reporting their user agent as Mobile Safari. Imperva Threat Research data from the first half of 2022 confirms that this trend is gaining popularity, as Mobile Safari now accounts for 20 percent of bad bot traffic. This raises the question: why Mobile Safari? Could the improved user privacy settings provided by this browser be the reason for such a notable increase in popularity? Are these settings, meant to protect users, being exploited by bad actors to mask their behavior and evade detection? And most importantly, does this technique actually work?
Bots appreciate the privacy, too
In the current bad bot threat landscape, we are observing several sophisticated actors that are consistently improving their methods of spoofing requests to appear as human as possible. Generally speaking, most bad bots will try to rotate or cycle through certain browser parameters to simulate a unique request each time, but more sophisticated actors regard that as a laborious approach. These actors strive to optimize their strategies; they know from experience to lean on devices that report fewer attributes to the origin. For example, iOS-based devices appear to be a favorable choice. The reason for this appears to be Apple’s user privacy settings, which limit the number of attributes that the browser reports to the origin, thus making bots harder to distinguish from human clients. Put simply, these bot operators are abusing features that were designed to benefit legitimate users in order to hide their true identities.
During the early reconnaissance phase of an attack, bot operators simulate each step of a human user’s request. The simulation lets them observe the major differences between browsers. From this they surmise that an iOS request carries fewer attributes than requests from other web clients, and they build that rotation into their scripts. Some browser automation tools, Puppeteer for example, go a long way toward supporting these attacks by offering scriptable browser overrides that further help attackers mimic iOS as closely as possible.
Let’s talk about effectiveness
The bottom line is that, yes, emulating browsers that report fewer attributes to the origin can help bad actors more effectively evade detection. To what extent? That ultimately depends on your bot management solution. The fight against bad bots is a never-ending cat and mouse game that happens around the clock, requiring a solution that can adapt quickly to the latest threat. Imperva’s Advanced Bot Protection team is continuously making changes and improvements to detection mechanisms and machine learning models. The team has been closely monitoring this trend as well, which led to the implementation of new detection ML models specifically targeting this kind of behavior.
A bot management solution must be capable of continuously adapting to threats. In addition, it must offer best-in-class detection that does not rely solely on the number of device and/or user attributes to classify a request. Instead, it should provide a multi-layered detection approach that incorporates machine learning, capable of identifying bad bot behavior in real time and adapting to it. It also helps establish a baseline for normal behavior and enables automated detection and response. Learn more about what you should look for when considering a solution in our Buyer’s Guide: Ten Essential Capabilities of a Bot Management Solution.
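To make the two points above concrete (a lean iOS request looks like a lean iOS request whether it is real or spoofed, so the count of reported attributes is a weak signal, and a detector should instead cross-check the attributes that are present against each other), here is a small header-consistency scorer. It is an added example, not Imperva's detection logic or any product's code. It assumes, as is the case at the time of writing, that WebKit/Safari does not emit User-Agent Client Hint headers (Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform) while Chromium-based browsers do, so a Safari user agent accompanied by those headers is internally inconsistent. The request samples, header values and score weights are all constructed for the example.

```python
"""Header-consistency scoring for requests claiming to be Mobile Safari.

Added example, not Imperva's code. Assumption: WebKit/Safari does not send
User-Agent Client Hints, Chromium does, so a Safari UA plus Sec-CH-UA headers
indicates a Chromium client wearing a Safari disguise. Weights are illustrative.
"""
import re
from typing import Dict, List, Tuple

# Chromium-only request headers (assumption documented above).
CHROMIUM_CLIENT_HINTS = {"sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"}

# Genuine Mobile Safari: iPhone/iPad token, "Version/x.y", "Mobile/<build>",
# and no third-party iOS browser token such as CriOS (which lacks "Version/").
MOBILE_SAFARI_UA = re.compile(
    r"\((?:iPhone|iPad)[^)]*\) AppleWebKit/[\d.]+ .*Version/[\d.]+ Mobile/\S+ Safari/"
)

BOT_THRESHOLD = 50  # illustrative cut-off, not a tuned value


def attribute_count(headers: Dict[str, str]) -> int:
    """How many attributes the client reported to the origin.

    Reported for context only: a real Safari request is lean too, so a low
    count is exactly what the disguise relies on and is never scored by itself.
    """
    return len(headers)


def score_request(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (0-100 score, reasons); higher means more likely automation."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "")
    score, reasons = 0, []

    if not ua:
        return 100, ["no User-Agent header"]

    hints_present = sorted(CHROMIUM_CLIENT_HINTS.intersection(h))

    if MOBILE_SAFARI_UA.search(ua):
        # What the UA claims versus what the underlying engine actually emits.
        if hints_present:
            score += 60
            reasons.append(f"Safari UA but Chromium client hints sent: {hints_present}")
    elif "chrome/" in ua.lower():
        # For a Chromium UA, check the hints against the UA's own mobile token.
        mobile_hint = h.get("sec-ch-ua-mobile")
        ua_is_mobile = "mobile" in ua.lower()
        if mobile_hint is not None and (mobile_hint == "?1") != ua_is_mobile:
            score += 40
            reasons.append(f"Sec-CH-UA-Mobile={mobile_hint} contradicts UA mobile token")

    # Every mainstream browser sends these on a page navigation; scripts often forget them.
    for required in ("accept", "accept-language"):
        if required not in h:
            score += 20
            reasons.append(f"missing {required} header")

    return min(score, 100), reasons


def classify(headers: Dict[str, str]) -> Tuple[str, int, List[str]]:
    score, reasons = score_request(headers)
    verdict = "bot-likely" if score >= BOT_THRESHOLD else "human-likely"
    return verdict, score, reasons


# Constructed sample requests (not captured traffic).
GENUINE_SAFARI = {
    "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.6 Mobile/15E148 Safari/604.1",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.9",
    "Accept-Encoding": "gzip, deflate, br",
}

# Same UA string, but the client underneath is Chromium with a UA override,
# so it still emits client hints and has dropped Accept-Language.
DISGUISED_CHROMIUM = {
    "User-Agent": GENUINE_SAFARI["User-Agent"],
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Encoding": "gzip, deflate, br",
    "Sec-CH-UA": '"Chromium";v="104", "Not A;Brand";v="99"',
    "Sec-CH-UA-Mobile": "?0",
    "Sec-CH-UA-Platform": '"Linux"',
}

GENUINE_CHROME_ANDROID = {
    "User-Agent": "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/104.0.0.0 Mobile Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-GB,en;q=0.9",
    "Sec-CH-UA": '"Chromium";v="104", "Google Chrome";v="104"',
    "Sec-CH-UA-Mobile": "?1",
    "Sec-CH-UA-Platform": '"Android"',
}

if __name__ == "__main__":
    samples = [("genuine Safari", GENUINE_SAFARI),
               ("disguised Chromium", DISGUISED_CHROMIUM),
               ("Chrome on Android", GENUINE_CHROME_ANDROID)]
    for name, req in samples:
        verdict, score, reasons = classify(req)
        print(f"{name:20s} attrs={attribute_count(req)} score={score:3d} {verdict} {reasons}")
```

Note that the disguised request reports more attributes (six headers) than the genuine Safari one (four), so counting attributes would rank them the wrong way round; the inconsistency between the claimed engine and the headers it emits is what separates them. In a real deployment this check is one layer among many and its weights would be learned from traffic rather than hand-picked.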
Protect your business from malicious automation with Imperva
Imperva’s market-leading Advanced Bot Protection prevents bot operators, attackers, unsavory competitors, and fraudsters from abusing, misusing, and attacking your applications. It safeguards businesses from today’s most sophisticated bot attacks by protecting websites, mobile apps, and APIs against every OWASP automated threat. Advanced Bot Protection embraces a holistic approach, combining the vigilant service, superior technology, and industry expertise needed to enable customers with full visibility and control over human, good bot, and bad bot traffic, offering multiple response options for each. And most importantly, it does so without imposing unnecessary friction on legitimate users, maintaining the flow of business-critical traffic to your applications.
Advanced Bot Protection is part of the market-leading Imperva Web Application & API Protection (WAAP) solution. Start your Application Security Free Trial today to protect your assets from automated threats.