Expert Q&A: How to use honeypots to lure and trap bots

As bots become more sophisticated, detection and blocking need to stay one step ahead of them. In this conversation with Itay Binder, Cyber Security Research Manager at HUMAN, we discuss one method used to attract and trap bad bots. He explains how HUMAN uses the honeypot method to achieve better decision making about “bot or not” and how that disrupts the cost model for attackers.

What is the honeypot method? How is this method used to fight bad bots?

When talking about honeypots in cybersecurity, we’re referring to a method used to attract attackers by simulating how vulnerabilities behave in a system or by luring an attacker to a specific endpoint. Since there is no reason for a legitimate user to access this type of endpoint, honeypots are an effective way of differentiating between legitimate human users and bots. Any attempt to communicate with the endpoint is considered suspicious and is easily flagged.

One example of a honeypot is adding an HTML input element on the page, but hiding it using the CSS. Legitimate human users will not be able to see the input element and so will never access it. Another example of a honeypot is to place two clickable elements, one on top of the other, in the same exact position on the page. A legitimate user will only be able to click on the upper element, whereas a bot scanning the page will click on both elements.

Would a human user ever be exposed to a honeypot?

No. Honeypots are hidden code on a webpage with no visibility to the user when the HTML or JavaScript is rendered in their browser. When a legitimate user browses the webpage they will see the regular webpage. Bots, on the other hand, scan the code and interact with it. For example, a bot might click a link that the hidden code refers to or attempt to scrape a photo that wouldn’t be visible to a legitimate user.

Can you give an example of how HUMAN uses honeypots?

One specific example can be seen in how we are using honeypots in  Human Challenge. When we were developing Human Challenge, we started to see a trend of increased CAPTCHA solvers; an extremely cost-effective method attackers use to quickly bypass CAPTCHA challenges. Human Challenge is the first user-friendly verification that protects web and mobile applications from CAPTCHA-solving bots and CAPTCHA farms while also improving the customer’s experience in the application. Without going into too much detail, one way we accomplished this was by focusing on building honeypots to make Human Challenge much more difficult and much more expensive for bots to solve.

How does using honeypots break down the cost model for attackers?

We can arm our honeypots with techniques taken from the cryptographic fields which cause bots that reach the honeypots to have to put effort and computing risk into passing the challenge that is served - like a kind of computing challenge in order to get the page render.

This will affect performance, especially for large-scale attacks with millions of requests per minute. If the attacker is running a machine on the cloud in order to reach a lot of webpages, they will eventually have to pay for larger CPU usage and memory usage, making the attack less and less profitable. The attacker will experience a slow down in their performance and a higher resource usage, reducing the likelihood of repeated attacks.

HUMAN Bot Defender protects your web and mobile applications from bots. It provides the highest level of bot detection accuracy, identifying even the most sophisticated bot attacks with exceptional accuracy. Blocking alone is not enough; different modes of attack responses like honeypots, misdirection or serving deceptive content is required for optimal bot management.

Schedule a free demo of Bot Defender to learn more.