How to create your own Russian bot army
Today, everywhere we look we hear talk about Russian bots taking over the internet.
From tampering with the US election to spreading fake news and pro-Russian views on Facebook and Twitter.
I even found out they have their own Wikipedia page!
This got me really interested in the subject of bots, and after many fun experiments I can finally share with you how, with little effort, you too can have your own bot army!
What I will go over in this post:
How to create a bot that performs actions on a given website
Detecting if a website is vulnerable to bot actions
Bypassing Captchas and login security measures
- Basic understanding of HTTP
- Basic development in python
I condemn the use of any information in this article for malicious bot activity.
The information in this article is to be used for learning purposes only.
The good old bot days
In the good old bot-creating days, it was enough to write a simple script that sends HTTP POST and GET requests to a website in order to imitate the behavior of a standard user on the website.
The easy way to counter this problem is to switch from automating HTTP GET and POST requests to automating the browser itself.
Selenium: your partner in crime
What is Selenium?
Selenium is a framework for testing web applications.
Selenium allows us to automate actions on browsers with a feature called Selenium WebDriver.
This driver accepts commands from the user and sends them to the browser to be executed.
These commands include:
- Typing keys in text boxes
- Clicking objects and buttons on a webpage
- Surfing to a webpage
- Simulating mouse cursor movement and dragging objects
- Many more…
Selenium WebDriver currently supports automation with the following web browsers:
Chrome, Firefox, Safari, Edge, Internet Explorer
Selenium is very fun and easy to use; it has a well-documented user guide that explains how to perform many automation actions using any of its supported browsers.
I will show an example of using Selenium in Python:
The code above will open a Chrome browser and navigate to the link.
We will reach the following webpage:
This website can be used to test mouse actions that are performed by the user.
Interacting with website elements:
Let’s make our bot click the left click button in the mouse testing website.
To perform clicks and keyboard typing on website elements, we must find the element we wish to interact with and then perform our action.
One of the easiest ways to find the element is to right-click on it and click on inspect.
This action will open the HTML element’s code.
We will then select copy->copy xpath to copy the XPath of the element.
XPath is an XML expression that we can use to navigate through different elements on a given webpage.
We can then search for this element with Selenium and click it:
It’s possible to chain together many actions on different website elements and create fully automated bot activities.
An example of the behaviour of a comment-leaving bot on an E-Commerce website that only allows members to leave comments:
1. Surf to E-Commerce registration page
2. Click on the registration text boxes to type a fake generated username and password
3. Click on the register button
4. Surf to a product webpage
5. Click on the comment text box and write a comment
Bypassing simple bot detection techniques
Many websites have an array of techniques that can be used to counter bot activity.
One of the easiest ways they can detect bots using Selenium is by looking for fingerprints left by the software.
One example of such fingerprint:
When a web browser is run by Selenium, a property named webdriver is added to the browser’s navigator variable and is set to true.
If we press F12 and write this property in a Selenium controlled browser we will see the following result:
If we perform the same action on a normal user-controlled browser, the result will look like this:
An easy fix to counter this problem is to execute the following command, which will set this webdriver property to undefined each time a new webpage is loaded.
This will cause the Selenium-controlled browser to appear like any normal user-controlled browser:
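From the website's side, the same fingerprint can be checked for tampering as well as for its value. The block below is an added example, not code from the original post; it assumes that an untampered browser exposes `webdriver` as a getter on the navigator's prototype rather than as an own property, and the `fakeNavigator` stand-ins are constructed so it runs outside a browser.

```javascript
// Added example (not from the original post): classify the
// navigator.webdriver signal and notice when it has been redefined.
// Assumption: in an untampered browser `webdriver` is an accessor (getter)
// on the navigator's prototype and NOT an own property of navigator itself.
function inspectWebdriver(nav) {
  const findings = [];
  if (nav.webdriver === true) findings.push('webdriver-true');

  // An own property shadows the prototype getter; browsers do not ship one.
  if (Object.getOwnPropertyDescriptor(nav, 'webdriver')) {
    findings.push('own-property-shadow');
  }

  const proto = Object.getPrototypeOf(nav);
  const inherited = proto && Object.getOwnPropertyDescriptor(proto, 'webdriver');
  if (!inherited) {
    findings.push('missing-from-prototype');
  } else if (typeof inherited.get !== 'function') {
    findings.push('prototype-not-accessor');
  }
  return findings;
}

function classify(nav) {
  const findings = inspectWebdriver(nav);
  if (findings.length === 0) return { verdict: 'clean', findings };
  const declared = findings.length === 1 && findings[0] === 'webdriver-true';
  return { verdict: declared ? 'automation-declared' : 'tampered', findings };
}

// Constructed navigator stand-ins (hypothetical helper, for testing only).
function fakeNavigator(value) {
  const proto = {};
  Object.defineProperty(proto, 'webdriver', { get: () => value, configurable: true });
  return Object.create(proto);
}
const plain = fakeNavigator(false);
const automated = fakeNavigator(true);
// Stand-in for a navigator whose property was redefined to hide the flag.
const shadowed = fakeNavigator(true);
Object.defineProperty(shadowed, 'webdriver', { get: () => undefined });

console.log(classify(plain).verdict, classify(automated).verdict, classify(shadowed).verdict);
```

In a page script the call is `classify(navigator)`; the verdict is best reported to the server as one signal among several rather than acted on alone.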
Websites might use additional techniques to detect bots:
- Tracking Mouse cursor movements - not moving the cursor on the website might be a red flag for the website
- Comparing Activity - comparing the bot’s activity to that of an average user
- Keystroke Speed - comparing keystroke speed to that of an average user
All of these techniques can be bypassed by programming our bot to act in certain ways that simulate real human behaviour.
We can make the keystrokes slower, add mistakes to our clicks and even just move the mouse around to click different tabs on the website to make it seem like a normal curious user.
With a bit of coding, your bot can become a real boy
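A sketch of how a site could score the signals listed above (keystroke timing and pointer movement) on the server, as an added example that is not from the original post. The thresholds and the session field names (`keyTimesMs`, `pointerMoves`) are assumptions to be tuned on real traffic, and the three sessions are constructed.

```javascript
// Added example, not from the original post. Thresholds are assumptions;
// field names are hypothetical.
const LIMITS = { minMeanMs: 40, minCv: 0.15, minPointerMoves: 1 };

function intervalStats(keyTimesMs) {
  const gaps = [];
  for (let i = 1; i < keyTimesMs.length; i++) gaps.push(keyTimesMs[i] - keyTimesMs[i - 1]);
  if (gaps.length < 3) return null; // too little typing to judge
  const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
  const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
  // Coefficient of variation: spread of the gaps relative to their mean.
  const cv = mean > 0 ? Math.sqrt(variance) / mean : 0;
  return { mean, cv };
}

function scoreSession(session) {
  const flags = [];
  const stats = intervalStats(session.keyTimesMs);
  if (stats) {
    if (stats.mean < LIMITS.minMeanMs) flags.push('keystrokes-too-fast');
    if (stats.cv < LIMITS.minCv) flags.push('keystrokes-too-uniform');
  }
  if (session.pointerMoves < LIMITS.minPointerMoves) flags.push('no-pointer-movement');
  return flags;
}

// Constructed sessions: key-down timestamps in ms and a count of pointer events.
const typedByHand = { keyTimesMs: [0, 180, 310, 560, 640, 910, 1050], pointerMoves: 42 };
const scripted = { keyTimesMs: [0, 10, 20, 30, 40, 50], pointerMoves: 0 };
const metronome = { keyTimesMs: [0, 150, 300, 450, 600], pointerMoves: 5 };

console.log(scoreSession(typedByHand), scoreSession(scripted), scoreSession(metronome));
```

Each flag is weak evidence on its own, so the flags are better fed into a per-session risk score than used as a hard block.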
Spotting ideal websites for bots
If you’re struggling to decide which website your bot army should invade next, it’s important to look out for these points in order to find the website that will allow you the most control over your bot users.
Normally, we will want our bots to be registered to our target website.
Registered users have additional features, and each bot that successfully registers to the website equals more power in your hands over the website.
Secured websites usually have one or more of the following methods to eliminate/mitigate multiple user registrations from the same person. We will go over each method and discuss if and how we can overcome it.
Method 1: Verifying Emails
Websites will often require you to enter an email address when registering a new account. They will then send a verification mail to that email address and activate your account only if you press the verification link.
This can be bypassed very easily by using one of the following temporary mail websites:
Each bot that wishes to register can go to one of the temporary mail websites, extract its own temporary mail address and register with it on the target website.
The bot can then go back to the mail website and click the verification link that was sent to the mail address; by doing so, the account will be registered and activated successfully.
Method 2: Phone numbers
Website registration sometimes requires a phone number to be entered.
Sometimes this field is only used by the website for ad purposes and entering a fake Mongolian number in the phone number field is enough to bypass this.
Other times, the website will require you to verify your account by entering a code that will be sent to that number.
This is a harder method to bypass as you will need to match a phone number for each bot you wish to register on the website.
It’s possible to use online websites that receive SMS codes and display them in order to automate the process of registering, reading the SMS code that was sent to the number and entering it on the website for verification.
The following websites are recommended for this purpose:
In the next section, we will go over a more advanced method that websites use as a direct countermeasure against bot activity and we will show different methods to combat it.
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.
Captchas are used by various websites to prevent bots from simply logging in or registering to a website easily. They require the user to perform a test whose answer is difficult to predict; the reasoning is that humans will pass this test and bots won’t, and that will allow the website to protect itself from any bot activity.
Not all Captchas are created equal
Let’s take a look at Geetest’s slider captcha,
a popular captcha used by many websites to prevent bots from taking over.
Using Selenium and python image processing, I was able to create a program that can correctly answer the slider captcha about 30% of the time.
30% isn’t perfect, but considering that the page can be refreshed and the captcha can be retaken several times, it results in the bot eventually answering the captcha correctly, normally in under a minute.
Imagine tens of thousands of bots bypassing the slider captcha after 3-4 attempts and registering to a website successfully, this scenario shows how this captcha is not effective against a massive bot activity and can be easily bypassed by any bot master who wishes to flood a website with his bots.
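The retry arithmetic above only works when failed attempts are free. The block below is an added example, not from the original post: a per-client limiter on failed captcha answers with a doubling lockout, plus the pass probability for a solver with a given per-attempt success rate. The thresholds are assumptions, and `clientKey` is a hypothetical identifier that must survive a page refresh (for example account, IP range or device token).

```javascript
// Added example, not from the original post. Thresholds are assumptions.
class CaptchaAttemptLimiter {
  constructor({ maxFailures = 3, windowMs = 600000, baseLockMs = 60000 } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.baseLockMs = baseLockMs;
    this.clients = new Map(); // clientKey -> { failures, lockedUntil, lockCount }
  }

  state(clientKey) {
    if (!this.clients.has(clientKey)) {
      this.clients.set(clientKey, { failures: [], lockedUntil: 0, lockCount: 0 });
    }
    return this.clients.get(clientKey);
  }

  // Call before serving or verifying a challenge.
  check(clientKey, now) {
    const s = this.state(clientKey);
    const retryAfterMs = Math.max(0, s.lockedUntil - now);
    return { allowed: retryAfterMs === 0, retryAfterMs };
  }

  // Call when a submitted answer is wrong.
  recordFailure(clientKey, now) {
    const s = this.state(clientKey);
    s.failures = s.failures.filter((t) => now - t < this.windowMs);
    s.failures.push(now);
    if (s.failures.length >= this.maxFailures) {
      // Each new lockout lasts twice as long as the previous one.
      s.lockedUntil = now + this.baseLockMs * 2 ** s.lockCount;
      s.lockCount += 1;
      s.failures = [];
    }
    return this.check(clientKey, now);
  }
}

// Chance that a solver with per-attempt success rate p passes within n tries.
function passProbability(p, n) {
  return 1 - (1 - p) ** n;
}

// With the 30% figure from the text: about 76% within 4 unlimited retries.
console.log(passProbability(0.3, 4).toFixed(4));
```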
What about ReCaptcha?
Google’s ReCaptcha is the most popular and well-known captcha software.
It’s present on most websites today, and it’s extremely difficult to solve; even humans have a hard time answering it sometimes.
A cheap and easy way of bypassing Google’s ReCaptcha can be found not by attempting more complicated image processing but by harnessing the smartest thing we have besides that - the human brain.
There are multiple services which offer captcha solving solutions for very cheap prices,
Services like AntiCaptcha and 2Captcha have workers who are trained at solving the most difficult captchas in minimal time; the pricing is between $1 and $3 for 1000 ReCaptchas.
And it can be used by any bot master to enable his bot army to take over the most Captcha-secured websites for a cheap amount…
Today we went over the basics of creating your first bot army.
We examined how old bot armies operated and we talked about the differences in how to operate bots today on modern websites.
We then reviewed and discussed different security measures websites might use upon registration to the website and how some can still be bypassed automatically by bots.
Finally, we talked about the most advanced countermeasure against bots - Captchas.
We went over different techniques to overcome Captchas and learned along the way that not all captchas are created equal.
I hope you all enjoyed this article. I’d like to end with a quote from our friendly internet
quote-generating bot.
“If you try, you can be the first to prove something that the rest of the world refuses to prove”