As bots become more sophisticated, detection and blocking need to stay one step ahead of them. In this conversation with Itay Binder, Cyber Security Research Manager at HUMAN, we discuss one method used to attract and trap bad bots. He explains how HUMAN uses the honeypot method to achieve better decision making about “bot or not” and how that disrupts the cost model for attackers.
What is the honeypot method? How is this method used to fight bad bots?
When talking about honeypots in cybersecurity, we’re referring to a method used to attract attackers by simulating how vulnerabilities behave in a system or by luring an attacker to a specific endpoint. Since there is no reason for a legitimate user to access this type of endpoint, honeypots are an effective way of differentiating between legitimate human users and bots. Any attempt to communicate with the endpoint is considered suspicious and is easily flagged.
One example of a honeypot is adding an HTML input element on the page, but hiding it with CSS. Legitimate human users will not be able to see the input element and so will never access it. Another example of a honeypot is to place two clickable elements, one on top of the other, in exactly the same position on the page. A legitimate user will only be able to click on the upper element, whereas a bot scanning the page will click on both elements.
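The two page-level honeypots just described, as an added example that is not HUMAN's code: a form input pushed off-screen with CSS, two stacked buttons at the same position, and the server-side check that flags any interaction with either trap. Field and element names are invented for illustration.

```javascript
const HONEYPOT_FIELD = "website_url"; // invented name; looks like a normal field to a form filler

// Server-rendered form. The honeypot input is moved off-screen with CSS rather
// than marked type="hidden", so a bot parsing the DOM still sees a text field
// to fill, while a human never sees it. Two "Sign up" buttons sit at the same
// position; only the one with the higher z-index is reachable by a real click.
function renderSignupForm() {
  return [
    '<form method="post" action="/signup">',
    '  <input name="email" type="email">',
    '  <div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden">',
    `    <input name="${HONEYPOT_FIELD}" type="text" tabindex="-1" autocomplete="off">`,
    "  </div>",
    '  <div style="position:relative">',
    '    <button id="submit-trap" style="position:absolute;top:0;left:0;z-index:1">Sign up</button>',
    '    <button id="submit-real" style="position:absolute;top:0;left:0;z-index:2">Sign up</button>',
    "  </div>",
    "</form>",
  ].join("\n");
}

// Server-side check on one submission. `fields` is the parsed POST body;
// `clicks` is the list of element ids the page script reported as clicked
// (how that list reaches the server is assumed, not shown here).
function classifySubmission(fields, clicks) {
  const reasons = [];
  const trapValue = fields[HONEYPOT_FIELD];
  if (trapValue !== undefined && trapValue !== "") {
    reasons.push("hidden honeypot field was filled");
  }
  if (clicks.includes("submit-trap")) {
    reasons.push("covered element was clicked");
  }
  return { verdict: reasons.length > 0 ? "bot" : "human", reasons };
}

// Constructed sample submissions: a browser sends the untouched honeypot as an
// empty string; a DOM-scanning bot fills every field and clicks every button.
const humanSubmission = { email: "a@example.com", [HONEYPOT_FIELD]: "" };
const botSubmission = { email: "b@example.com", [HONEYPOT_FIELD]: "http://spam.example" };
console.log(classifySubmission(humanSubmission, ["submit-real"]).verdict); // "human"
console.log(classifySubmission(botSubmission, ["submit-trap", "submit-real"]).verdict); // "bot"
```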
Would a human user ever be exposed to a honeypot?
No. Honeypots are hidden code on a webpage with no visibility to the user when the HTML or JavaScript is rendered in their browser. When a legitimate user browses the webpage they will see the regular webpage. Bots, on the other hand, scan the code and interact with it. For example, a bot might click a link that the hidden code refers to or attempt to scrape a photo that wouldn’t be visible to a legitimate user.
Can you give an example of how HUMAN uses honeypots?
One specific example can be seen in how we are using honeypots in Human Challenge. When we were developing Human Challenge, we started to see a trend of increased CAPTCHA solvers, an extremely cost-effective method attackers use to quickly bypass CAPTCHA challenges. Human Challenge is the first user-friendly verification that protects web and mobile applications from CAPTCHA-solving bots and CAPTCHA farms while also improving the customer’s experience in the application. Without going into too much detail, one way we accomplished this was by focusing on building honeypots to make Human Challenge much more difficult and much more expensive for bots to solve.
How does using honeypots break down the cost model for attackers?
We can arm our honeypots with techniques taken from the cryptographic field, which cause bots that reach the honeypots to have to put effort and computing risk into passing the challenge that is served - like a kind of computing challenge in order to get the page to render.
This will affect performance, especially for large-scale attacks with millions of requests per minute. If the attacker is running a machine on the cloud in order to reach a lot of webpages, they will eventually have to pay for larger CPU and memory usage, making the attack less and less profitable. The attacker will experience a slowdown in their performance and higher resource usage, reducing the likelihood of repeated attacks.
HUMAN Bot Defender protects your web and mobile applications from bots. It provides the highest level of bot detection accuracy, identifying even the most sophisticated bot attacks. Blocking alone is not enough; different modes of attack response, such as honeypots, misdirection or serving deceptive content, are required for optimal bot management.
Schedule a free demo of Bot Defender to learn more.