Five ways to stop automated website attacks with reCAPTCHA Enterprise
John Chirhart
Customer Engineer, Google Cloud
Brian Sreniawski
Cloud Partner Engineer, Google Cloud
Automated website attacks have become a staple of cybercrime, with bots serving as one of the easiest ways a bad actor can threaten websites. Bots can be used to steal sensitive information and money, or they can shut a website down entirely. Bots are being used to threaten all types of online activity each day for government agencies, costing billions of dollars each year and going beyond the simple, distributed denial-of-service (DDoS) attacks.
It’s possible to reduce or eliminate the risk of automated website attacks before they cause damage with reCAPTCHA Enterprise. Google Cloud’s reCAPTCHA can differentiate between automated biomimicry and actual human behavior to stop attacks.
There are over 21 different types of automated attacks – documented in the OWASP Automated Threat Handbook – that reCAPTCHA Enterprise is regularly used to defend against.
Let's look at the top five types of automated website attacks and how reCAPTCHA Enterprise can help public sector organizations defend against each of them.
1. Account Creation
Using reCAPTCHA Enterprise as part of Account Creation is one of the most effective steps organizations can take to stop automated attacks. If your website uses accounts to give users a voice or give them access to services, you can deny bots that access by stopping them from signing up. This powerful option is often overlooked. One less bot-driven account means one less bot available for attack. We recommend agencies focus on Account Creation as a way to concentrate defenses upfront.
2. Cashing Out
Bots can use stolen or previously validated payment methods and account login credentials to buy high-value merchandise or to fraudulently send money. This is called cashing out. For government agencies, this financial hijacking can affect tax refunds and claims payments. Refund requests are common targets. reCAPTCHA Enterprise can prevent this. It returns a score based on user interactions with the website to evaluate if users are legitimate human users or if they are likely bots. ReCAPTCHA scores web interactions from 1.0 (likely a good interaction) to 0.0 (likely an abusive action). This robust risk analysis can prevent fraudulent activities without affecting valid ones.
3. Credential Stuffing
Credential stuffing consists of bots trying thousands of username and password combinations until they find one that works. Many constituents use the same credentials across multiple websites. This means that public sector sites can potentially be accessed when any other website has a leak. reCAPTCHA Enterprise stops outside leaks of this nature from damaging other websites. The state of Wisconsin’s Workforce Development used reCAPTCHA Enterprise to help reduce false claims by recognizing bot behavior and taking further measures to seek to validate them as legitimate.
4. Denial of Inventory
There are major supply chain disruptions as a result of the ongoing pandemic. With factories and ports shut down, key goods are often hard to find. Bad actors use the resulting hoarding of goods to their advantage through “denial of inventory” attacks. Bots buy up enormous quantities of in-demand goods and resell them for sizable profits. Public sector organizations cannot escape this either: these attacks have inhibited the distribution of Personal Protection Equipment (PPE), vaccines, and financial assistance. reCAPTCHA Enterprise can alert and stop market manipulation as it is happening, saving dollars and, potentially, lives.
5. Skewing
With analytics data driving so many decisions today, it should be no surprise that automated website attacks are being used to manipulate these metrics. Skewing comprises repeated link clicks, page requests, or form submissions with the intent to alter metrics and analytics data. In the public sector, these attacks are being used to manipulate everything from news article popularity to public support for legislation. Often politically motivated, the intention behind Skewing is to give one organization an edge over another or to alter public sector decision-making. reCAPTCHA Enterprise distinguishes between legitimate and illegitimate usage to help defend against these attacks.
Automated website attacks are a serious concern for all websites. For public sector websites that rely on the trust of users and constituents, maintaining this trust is often critical to their missions. When a website goes down or leaks information, that trust suffers. Plus, the financial loss that often comes with these attacks cannot be overlooked. reCAPTCHA Enterprise can stop attacks in their tracks.
For more information about the 20+ different types of automated attacks, view the OWASP Automated Threat Handbook