In my last article about Bots and Scrapers for abuse, we explored some of the issues surrounding scripts and bots used to abuse retailers. Recently, more light has been shed on further abuse coming to the Web in the form of aggressive APIs and bots that automate Web processes. Beyond competitors and price index advantages, people are using bots for profits and personal advantages.
Game-playing robots are plentiful these days. Sites like game-automation.software.informer.com offer software to users to help them progress their game characters while they are away from the computer.
Blizzard Entertainment sued Ceiling Fan Software to stop the sale of software bots to automate World of Warcraft characters. Ceiling Fan Software faces a judgment of $7 million and must disable any active licenses for the software. Blizzard won a similar judgment a few years ago against another bot company called MDY Industries, which created the popular Glider bot. Honor Buddy and other bots continue to sell their tools for gamers to use and more will come to the surface.
Additionally, California Governor Jerry Brown recently passed a law making bot use for ticket purchases illegal. However, that doesn’t stop sites from selling ticket-purchasing software. Ticketbots.net lists many software packages for scalpers to take advantage of their sites. Ticketmaster has traditionally used CAPTCHA to attempt to foil bots. However, we know companies like Vicarious have published that they can break CAPTCHA with greater than 99% accuracy.
Let’s look at a couple more examples of automation and abuse.
We’ve noticed that companies are subverting search engine ratings by selling “Wikipedia services,” and Wikipedia has been shown to get higher search engine rankings. The king of these Wikipedia reputation managers is a company called Wiki-PR, which specializes in editing Wikipedia on behalf of its paying clients. The promise on its Twitter profile couldn’t be clearer: “We write it. We manage it. You never worry about Wikipedia again.”
The services that Wiki-PR advertises on its website are a catalog of behaviors that run completely counter to the principles, rules and etiquette of the Wikipedia community. Under "Page Management" they promise:
“You’ll have a dedicated Wikipedia Project Manager that understands your brand as well as you do. That means you need not worry about anyone tarnishing your image—be it personal, political, or corporate.”
Another section focuses on "Crisis Editing":
“Are you being unfairly treated on Wikipedia? Our Crisis Editing team helps you navigate contentious situations. We’ll both directly edit your page using our network of established Wikipedia editors and admins. And we’ll engage on Wikipedia’s back end, so you never have to worry about being libeled on Wikipedia.”
We’ve also seen Yelp work with the Attorney General of New York to perform a sting operation against companies posting fake reviews and conducting their own PR and crisis editing on Yelp. Of course, Yelp is no stranger to being accused of being its own “PR and crisis editing” firm.
Many of these “PR firms” have learned to use “article spinners” and aggressive APIs to automate the writing of fake reviews and positive “spin” on these review sites. The challenge that many sites subject to this abuse face is: How do you distinguish a real user from an artificial one?
As Director of Security Solutions, David Hobbs is responsible for developing, managing, and increasing the company’s security practice in APAC. Before joining Radware, David was at one of the leading Breach Investigation Firms in the US. David has worked in the Security and Engineering arena for over 20 years and during this time has helped various government agencies and world governments with various cyber security issues across all sectors.