Bumb Bots madness

Really?

         

blend27

12:24 am on Nov 29, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Digging into headers here..

Arrival comes to MyAccount page >> GET,..OK. >> Then Post 3 times.

All of that would be OK till I looked at wah-wah-wah what they are trying to do...

Page has 3 forms: Search Site, Log in and a form that has 62 fields to fill (bot trap), and all that within 2 seconds.

Single POST request in "http_content" header contains variables for all 3 forms at once.

Here is the kicker: THIS particular site is coded to with IF statements that take each site if it is just happened.

IF form submitted for Login >> do this >> End.

IF form submitted for Change Currency >> do that >> End

IF form submitted for EMail Updates >> do that >> End


The POST request sent contains data for all 3 scenarios.

Nice to have right?

NickMNS

12:44 am on Nov 29, 2020 (gmt 0)


The bot reads the page, extracts all the form fields it finds, and then sends a request to your end point with the values paired with the form fields. It doesn't actually fill in the fields and press submit. It doesn't see or care about the if statements. It simply parses the html for form tags and then grabs "name" attributes for each input.

blend27

1:30 pm on Nov 29, 2020 (gmt 0)


-- The bot reads the page --

Oh, I know that much,.... I think.!

I've looked up the logs/headers for the past 3+ months and it looks like it is not an isolated incident. To be exact the URI path the bot takes is exactly the same, before it gets into a bot trap of course.

It looks more of an attempt to poison data than a scrape or spam attempt.

Site searches are logged, subscriptions/preferences are logged, bots from MX, LT and TW changing currency to CAD$ is also logged.

Giggly to look at it at most, when Headers I see.

Bot does take the unique Cookie though which allows it to proceed to a post action, could also be headless - no screen resolution is reported by JS, but at the same time JS is executed to draw submit button on 2 forms.

Fun + Turkey leftovers!

tangor

8:14 am on Nov 30, 2020 (gmt 0)


Here the Turkey has flown its last flight ... big appetites. :)

Hackers and bad actors, however, keep flying the same lame attempts decade on decade... I suppose that could be considered some kind of "permanence" in the real world.

blend27

10:00 pm on Nov 30, 2020 (gmt 0)


Hint: Edg/8n.n.6nn.nn UA

As well just throw in there: Missing the e at the end.

Throw back at @Lucy

blend27

5:49 pm on Dec 22, 2020 (gmt 0)


They stopped for a couple of weeks..... gave me time to think this thru!

I digested the logs and it was all clear: now the first hit is free (and it matches all the headers that needed to process GET request, picks up a session cookie). Then POST comes in 30+ seconds later (slow scraper/spammer). 'Cause they are submitting multiple forms in the same POST everything gets blocked.

Oppa!
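
The check discussed in this thread, as an added example that is not code from any poster or from the site: a browser sends only the fields of the one form that was submitted, so a POST body carrying fields from several forms, or any bot-trap field, can be rejected whatever the GET-to-POST delay. The form names, field names, `csrf_token` and the 2-second threshold are assumptions for illustration.

```python
from urllib.parse import parse_qsl

# Hypothetical field names for the forms on one page (assumptions, not the site's own).
FORMS = {
    "search": {"q"},
    "login": {"username", "password"},
    "trap": {"trap_%d" % i for i in range(62)},  # hidden 62-field bot-trap form
}
SHARED = {"csrf_token"}   # assumed field that every form legitimately carries
MIN_FILL_SECONDS = 2.0    # assumed threshold for "filled in too fast to be a person"


def classify_post(body, seconds_since_get):
    """Return (verdict, reasons) for a urlencoded POST body."""
    # keep_blank_values: harvesting bots often send every field name, some empty
    fields = {k for k, _ in parse_qsl(body, keep_blank_values=True)} - SHARED
    touched = sorted(name for name, names in FORMS.items() if fields & names)
    unknown = sorted(fields - set().union(*FORMS.values()))
    reasons = []
    if "trap" in touched:
        reasons.append("bot-trap field present")
    if len(touched) > 1:
        reasons.append("fields from multiple forms: " + ",".join(touched))
    if not touched:
        reasons.append("no known form submitted")
    if unknown:
        reasons.append("unknown fields: " + ",".join(unknown))
    if seconds_since_get < MIN_FILL_SECONDS:
        reasons.append("submitted too fast")
    return ("block" if reasons else "allow"), reasons


if __name__ == "__main__":
    # Constructed sample requests: (POST body, seconds between GET and POST)
    samples = [
        ("username=alice&password=s3cret&csrf_token=t", 14.0),       # one form
        ("q=shoes&username=a&password=b&trap_0=x&trap_61=y", 1.2),   # fast, all forms
        ("q=shoes&username=a&password=b", 35.0),                     # slow, still mixed
    ]
    for body, delay in samples:
        print(classify_post(body, delay))
```

The third sample shows why the timing check alone is not enough: a POST arriving 30+ seconds after the GET still fails the one-form rule.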