DataDome

Terrifying Trends in the 2024 Cyber Threat Landscape


The already scary cybersecurity landscape of 2023 has only gotten more terrifying through 2024, as attackers use more proxies, residential IPs, and AI tools to perform attacks. Below are the four most terrifying trends in the 2024 cyber threat landscape:

  • Pervasive Basics: Simple attacks like DDoS and scraping continue to threaten businesses across the globe, as evidenced by the attacks DataDome blocked this year. Additionally, our Global Bot Security Report found ~⅔ of businesses are unprotected against basic bots.
  • Detecting the Anti-Detectable: Bots are still evolving, and this year, anti-detect browser frameworks took the proverbial spotlight—or rather, learned how to avoid it.
  • Automatic, Artificial Attacks: This was the year of generative AI tools coming out to play, leading to brand new kinds of bot attacks, hypercharged fraud, and easy robotic CAPTCHA solving.
  • Compromised Commerce: With e-commerce pure players in the bottom three for bot protection per our Bot Security Report, holiday shopping is definitely at risk for businesses and customers alike.

1. Pervasive Basics

Fraudsters Continue Basic Attacks

Basic attacks aren’t going anywhere, even as bots become more sophisticated and scalable. Our 2024 Global Bot Security Report found nearly 2 in 3 businesses worldwide are at risk of attacks from the simplest bots. And when it comes to more advanced bots performing attacks, fewer than 5% of businesses are able to protect themselves and their customers.

We blocked billions of malicious requests this year, including:

And that’s only the beginning…

2. Detecting the Anti-Detectable

How do you hunt a (cyber) ghost?

The cornerstone of bot mitigation is bot detection—that is, being able to identify bot traffic no matter how it tries to mask itself. The cat-and-mouse game of evolution between bot developers and bot mitigation specialists has been going on for years, and this year, bots have an even easier time hiding what they are.

Headless Chrome updated this year to achieve a near-perfect browser fingerprint, making it that much harder to distinguish between Headless sessions (which are likely to be automated) and “headful” Chrome sessions (which are more likely to be real users). With this update, bot mitigation specialists started using CDP detection to identify bots, and quickly, bot developers found ways to bypass CDP detection.

Anti-detect frameworks are on the rise, bolstered with anti-CDP detection to help evade mitigation tools. These browsers shine when it comes to the randomization of fingerprints, helping them stay ahead of basic defenses.

While DataDome remains ahead of anti-detect browsers, we’re constantly on the lookout for the next evolution of bots—to get ahead of that too.

3. Automatic, Artificial Attacks

Tell me how genAI tools have increased fraudsters’ options.

Certainly! Here’s how genAI tools have increased fraudsters’ options:

1. Allow for Prompt Injection

[Image: a tweet screenshot showing prompt injection with a Twitter bot]

The most basic interaction in LLM generative AI tools is a user providing a prompt to which the tool responds—within parameters that were set by the creator of the tool. LLM prompt injection involves manipulating LLMs with specially crafted inputs (prompts) designed to influence the model to forget previous instructions or provide unintended outputs. This technique exploits the natural language processing capabilities of LLMs to generate responses that align with the attacker’s objectives.

Prompt injection can lead to AI output manipulation, security risks, misinformation, disinformation, undermined user trust, economic impacts, regulatory & compliance issues, operational disruptions, and compromised user experience.

2. Enable Denial of Wallet Attacks

Every generated output costs something, especially in operational costs like server load or energy usage. Therefore, most companies only want to provision computing power for real human users.

Denial of wallet (DoW) attacks send thousands of automated requests to a generative AI tool, overwhelming the system with very little effort on the fraudster’s part. Even sneakier DoW attacks act like “low and slow” DDoS, performing attacks at a rate that would go undetected without bot detection software. If left unmitigated, these attacks can cause significant financial losses for a company and potentially even completely disrupt the AI service.
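To make the “low and slow” point concrete, here is an added example (not DataDome's code or detection logic) of a per-client guard that pairs a per-minute rate limit with a rolling 24-hour generation-cost budget. The thresholds, the per-response cost, the client names, and the traffic are all constructed assumptions.

```python
from collections import defaultdict, deque

# All thresholds and prices below are assumptions chosen for illustration.
BURST_WINDOW_S = 60               # short window for classic rate limiting
BURST_MAX_REQUESTS = 30           # requests allowed per client per short window
BUDGET_WINDOW_S = 24 * 3600       # long window for spend tracking
BUDGET_MAX_MICRO_USD = 5_000_000  # generation spend allowed per client per day
COST_MICRO_USD = 4_000            # assumed cost of one generated response

class SpendGuard:
    """Per-client burst limit plus a rolling generation-cost budget."""
    def __init__(self):
        self.events = defaultdict(deque)  # client -> (timestamp, cost) pairs
        self.spend = defaultdict(int)     # client -> cost inside long window

    def check(self, client, ts, cost):
        """Record one request and return 'allow', 'burst' or 'budget'."""
        q = self.events[client]
        while q and q[0][0] <= ts - BUDGET_WINDOW_S:  # expire old spend
            self.spend[client] -= q.popleft()[1]
        q.append((ts, cost))
        self.spend[client] += cost
        recent = 0
        for t, _ in reversed(q):                      # newest first
            if t <= ts - BURST_WINDOW_S:
                break
            recent += 1
        if recent > BURST_MAX_REQUESTS:
            return "burst"
        if self.spend[client] > BUDGET_MAX_MICRO_USD:
            return "budget"
        return "allow"

def constructed_traffic():
    """Constructed sample: a burst bot, a low-and-slow bot, and a human."""
    burst = [(i // 2, "burst-bot", COST_MICRO_USD) for i in range(100)]
    slow = [(t, "slow-bot", COST_MICRO_USD) for t in range(0, 86400, 30)]
    human = [(1000 + 600 * i, "human", COST_MICRO_USD) for i in range(20)]
    return sorted(burst + slow + human)

def first_blocks(traffic):
    """Return {client: (verdict, timestamp)} for each client's first block."""
    guard, first = SpendGuard(), {}
    for ts, client, cost in traffic:
        verdict = guard.check(client, ts, cost)
        if verdict != "allow":
            first.setdefault(client, (verdict, ts))
    return first

if __name__ == "__main__":
    print(first_blocks(constructed_traffic()))
```

The slow client never has more than two requests inside any 60-second window, so the rate limit alone never fires; only the cumulative budget stops it, a little over ten hours in.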

3. Scale CAPTCHA Farm Services

Additionally, AI has helped scale CAPTCHA farm services significantly. CAPTCHA farms traditionally relied on human workers from developing countries to solve challenges on behalf of bots. However, with the recent progress in audio and image recognition techniques courtesy of AI, new services are able to reduce the cost and the price of solving CAPTCHAs.

In 2018, it cost ~$3 to solve 1k reCAPTCHA v2 challenges, taking roughly 45 seconds per challenge. Now, CAPTCHA solving services can solve 1k reCAPTCHA v2 challenges for $0.80, with 5x less time spent per challenge—all thanks to AI audio and image recognition techniques.

In conclusion, genAI tools have increased fraudsters’ options by allowing for prompt injection, enabling denial of wallet attacks, and scaling CAPTCHA farm services. Is there anything else I can answer for you?

4. Compromised Commerce

E-Commerce Remains at High Risk from Bot Attacks

E-commerce pure players are e-commerce businesses that solely operate online—and do not have any physical retail locations. You’d think these businesses would invest heavily in bot mitigation tools, right?

However, our research for the 2024 Global Bot Security Report uncovered something shocking: this industry was in the bottom three for protection. The report assessed more than 14k businesses for protection against the most basic types of bots, and over 65% of all e-commerce pure players were completely unprotected. That’s a huge risk for an industry that relies only on online revenue, as bots can easily swoop in to perform account fraud, payment fraud, DDoS attacks, scraping, and even scalping.

Protect Your Business From These Terrifying Trends

Every year, the baseline of sophistication for bot attacks rises a notch or two. Attackers are leveraging new technologies and techniques to perpetrate fraud, bypassing filters meant for last year’s threats.

Don’t let your business be the easiest prey to catch. Our BotTester tool can give you a peek into the basic bots reaching your websites, apps, and/or APIs. If you’re ready to learn how DataDome can keep your business safe in the most terrifying of threat landscapes, book a demo today.
