Note: This article first appeared in Dark Reading.
In December 2017, people looking through the Federal Communications Commission's net neutrality comment form witnessed a miracle — the dead returning to life.
Or that's how it looked, anyway. In reality, cybercriminals used a botnet to post what an analysis by the New York State Justice Department estimated to be over 2 million identical comments under the names and street addresses of real people. In a strange twist, frustrated users quickly took to Twitter to report that some of these names belonged to their deceased family members and friends.
Though this instance of fraud may seem like a one-off, I believe we're only seeing the beginning of this kind of threat. We're likely to see more and more efforts to obscure or influence public opinion like this in the near future, and it will become more difficult to separate the bots from real users.
A Threat to Us All
In this instance, cybercriminals are using a tactic called skewing — deploying huge botnets to flood a comments section — to, well, "skew" public opinion. The bot comments not only drowned out real users but could also have shifted the sentiment of the public conversation about net neutrality. Though the FCC says it didn't pay much attention to the comments, the implications of the attack are more pressing than the attack itself. Identity fraud was used to influence a vote in Congress that would determine the fate of one of the most important Internet laws in our society — who knows what else these botnets could be used for?
It used to be that bots were easy to detect and stop because they behaved in ways that clearly broke the rules set by websites for users. In many cases, bots would try to inject code on the website they were invading, an action that is clearly not allowed and therefore subjects the account to banning or suspension by moderators.
The tricky thing about today's bots is that, on paper, they follow all the rules. They can register a real email address to create an account, confirm a password, and even pass CAPTCHA tests at a 70% success rate to "prove" that they're human users. At White Ops, we see that 75% of malicious bots are actually operating off of real humans' machines. They hide in the background, mimic behaviors and browsing times, and use their hosts' cookies and browsing history. That makes it an awful lot harder to identify bots, block them, and prevent them from tipping the scales of public opinion.
The only reason the fraudulent FCC comments were detected in the first place was that the botnet's operators made the mistake of impersonating deceased human users. On the whole, the botnet appears to have been fairly rudimentary and not very likely the work of sophisticated cybercriminals. Otherwise, this threat might have gone completely undetected among the form letters and authentic traffic, which raises a frightening question: how many of these attacks have already happened right under our noses?
While the damage done by cybercrimes, such as breaking into and stealing from someone's online bank account, can be disastrous, the implications of this kind of "zombie" network go far deeper. Cybercriminals most likely utilized similar botnets on both sides of the 2016 presidential election, and their effect on its results is ultimately impossible to quantify.
If left unchecked, these bots will steadily erode human users' trust in anything they see on the Web. Given how easy it is to impersonate human behaviors, how popular will the most popular stories in your feed be, really? Does the song that's topping the charts of your favorite streaming service or the latest viral video really have that many plays? Is the metric that's guiding your company's decisions based on anything real, or is it the work of some unseen manipulator hiding in the shadows?
Make no mistake — the stakes here are high. In many ways, the Internet is ruled by algorithms and machine learning that curate what makes it to the top of the charts on a minute-by-minute basis. The ability to manipulate those rankings can have real value. It's gaining that kind of visibility that fuels the multibillion-dollar advertising industry that we know today.
In the near future, wars over public opinion could be determined by who has the most convincing bots, not the most convincing argument.
Stemming the Tide of Bot Traffic
The fraud campaign to take down net neutrality seems to be the work of amateurs, yet it still very well could have influenced a major congressional vote. Cybercriminals are installing malware on our computers and using them to do practically anything they want. We don't necessarily know what else hackers have accomplished using our names and addresses.
There's always a way to identify and stop new automated threats, no matter how large and untraceable they may seem. But it can't happen until cybersecurity professionals everywhere recognize the potential severity of this problem, not just for specific entities on the Internet, but for our ability to trust anything that we find online.
Some commentators have said the end of net neutrality heralds the death of the Internet — but ironically enough, it may be the wake-up call that inspires us to save it.