"I'm in this guy's browser, I can just wait until he completes all authentication, and then I'm going to be on the inside," says Williamson. "Eventually, he's going to send money to someone else. If you can automate that transaction, it makes it impossible to discern what's real and what's the bot."
"From the bank's perspective, I can't just tell my customer to go away," he says. "Being able to selectively break an automation is the key for disrupting these attacks. It's true of anything that uses automation, like DDoS."
What the good guys can do is affect change at the website level, and change what the underlying markup code of the website is each time it loads without changing the user interface. This way the website always looks the same to the user and their experience isn't disrupted, but the code supporting it looks different, thus stumping the botnet on the infected machine. After all, automation needs the page to be predictable to automate against it; if it can't figure out how to put in a username and password and hit the submit button, automation doesn't work anymore.
"So now your botnet that knows what to do when it gets to, say, Bank of America, sees this and says, 'This is gobbledygook' and doesn't know what to do," says Williamson.
The economy of cybercrime
Like the malware itself, what the economy of cybercrime comes down to is automation: attackers can make money quickly and easily because with botnets, they don't have to do the heavy lifting. And the bad news for the good guys is that defending networks from such attacks is an arduous process.
"If you can automate one of these attacks, it's the reason 10 guys can make millions a month because scripts are doing work in the background," says Williamson. "And for someone defending networking, every small change from an attacker makes you go back to square one, write a signature for it, etc. Every time a web server burps with a new piece of malware, you have to go reanalyze it."
The trick then is to turn the tables and put all of the hard work on the side of the attacker. By crippling automated — by constantly changing website code, for example — the attackers are now the ones being forced to constantly do the hard cerebral work as they go back to square one and manually adjust their game plans. Suddenly, cybercriminals are raking in less money over time and their economy begins to crumble.
Sign up for CIO Asia eNewsletters.