How to create your own Russian bot army


Today, everywhere we look we hear talk about Russian bots taking over the internet, from tampering with the US election to spreading fake news and pro-Russian views on Facebook and Twitter.

I even found out they have their own Wikipedia page!

This got me really interested in the subject of bots, and after many fun experiments I can finally share with you how, with little effort, you too can have your own bot army!

What I will go over in this post:

  • How to create a bot that performs actions on a given website
  • Detecting if a website is vulnerable to bot actions
  • Bypassing captchas and login security measures

Recommended Prerequisites:

  • Basic understanding of HTML and Javascript
  • Basic understanding of HTTP
  • Basic development in python

Disclaimer

I condemn the use of any information in this article for malicious bot activity.

The information in this article is to be used for learning purposes only.


The good old bot days

In the good old bot-creating days, it was enough to write a simple script that sent HTTP POST and GET requests to a website in order to imitate the behavior of a standard user on the website.

Today things are much more complicated. Websites use many JavaScript scripts on their pages; these scripts are loaded and executed in the user's browser and are needed to navigate and communicate with the website properly.

The simple HTTP GET and POST bot scripts won't work on current websites because the JavaScript code needs to run in a proper browser or else it won't be executed. This causes errors and malfunctions that cripple any bot activity that operates in the old way.

The easy way to counter this problem is to switch from automating HTTP GET and POST requests to automating the browser itself.

Selenium: your partner in crime

What is Selenium?

Selenium is a framework for testing web applications.

Selenium allows us to automate actions on browsers with a feature called Selenium WebDriver.

This driver accepts commands from the user and sends them to the browser to be executed.

These commands include:

  • Typing keys in text boxes
  • Clicking objects and buttons on a webpage
  • Surfing to a webpage
  • Simulating mouse cursor movement and dragging objects
  • Many more…

Selenium WebDriver currently supports automation with the following web browsers:

Chrome, Firefox, Safari, Edge, Internet Explorer

Using Selenium

Selenium is very fun and easy to use. It has a well-documented user guide that explains how to perform many automation actions using any of its supported browsers.

I will show an example of using Selenium in Python:

The code above will open a chrome browser and navigate to the link.

We will reach the following webpage:

This website can be used to test mouse actions that are performed by the user.

Interacting with website elements:

Let's make our bot click the left click button on the mouse testing website.

To perform clicks and keyboard typing on website elements, we must first find the element we wish to interact with and then perform our action.

One of the easiest ways to find the element is to right-click on it and click on Inspect.

This action will open the HTML element's code.

We will then select Copy -> Copy XPath to copy the XPath of the element.

XPath is an expression language for selecting nodes in an XML or HTML document, which we can use to navigate through the different elements on a given webpage.

We can then search for this element with Selenium and click it:

It's possible to chain together many actions on different website elements and create fully automated bot activities.

An example of the behaviour of a comment-leaving bot on an e-commerce website that only allows members to leave comments:

1. Surf to the e-commerce registration page

2. Click on the registration text boxes to type a fake generated username and password

3. Click on the register button

4. Surf to a product webpage

5. Click on the comment text box and write a comment

Bypassing simple bot detection techniques

Many websites have an array of techniques that can be used to counter bot activity.

One of the easiest ways they can detect bots using Selenium is by looking for fingerprints left by the software.

One example of such fingerprint:

When a web browser is run by Selenium, a property named webdriver is added to the browser's navigator variable and is set to true.

If we press F12 and write this property in a Selenium controlled browser we will see the following result:

If we perform the same action on a normal user controlled browser, the result will look like this:

Websites can easily detect this value using JavaScript code and realize that the user of the website is in fact a Selenium bot. This might cause the website to limit the user from performing certain actions, and in extreme cases it might even cause the account to be blocked entirely.

An easy fix to counter this problem is to execute the following command which will set this webdriver property to undefined each time a new webpage is loaded.
This will cause the Selenium controlled browser to appear like any normal user controlled browser:

Websites might use additional techniques to detect bots.

These include:

  • Tracking Mouse cursor movements - not moving the cursor on the website might be a red flag for the website
  • Comparing Activity - comparing the bot's activity to that of an average user
  • Keystroke Speed - comparing keystroke speed to that of an average user

All of these techniques can be bypassed by programming our bot to act in certain ways that simulate real human behaviour.

We can make the keystrokes slower, add mistakes to our clicks and even just move the mouse around to click different tabs on the website to make it seem like a normal curious user.

With a bit of coding, your bot can become a real boy 🙂
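Seen from the website's side, the signals listed above (the navigator.webdriver flag, cursor movement, keystroke speed) are stronger when scored together on the server than when checked one at a time. The following is an added example, not code from the original post; the telemetry field names and thresholds are assumptions, and the sample sessions are constructed.

```javascript
// Added example: server-side scoring of telemetry a page's script reported.
// Field names and thresholds are assumptions, not values from a real product.
const THRESHOLDS = {
  minMouseMoves: 5,   // fewer pointer-move events before submit is a red flag
  minMeanKeyMs: 40,   // mean gap between keystrokes below this is too fast
  minKeyStdDevMs: 8,  // near-constant gaps suggest scripted typing
};

function stats(values) {
  const mean = values.reduce((a, b) => a + b, 0) / values.length;
  const variance =
    values.reduce((a, b) => a + (b - mean) ** 2, 0) / values.length;
  return { mean, stdDev: Math.sqrt(variance) };
}

function scoreSession(t) {
  const reasons = [];
  // The client can overwrite this flag, so it is one signal, never the only one.
  if (t.webdriver === true) reasons.push("navigator.webdriver is true");
  if ((t.mouseMoves ?? 0) < THRESHOLDS.minMouseMoves) {
    reasons.push("little or no cursor movement");
  }
  const gaps = t.keyGapsMs ?? [];
  if (gaps.length >= 5) { // too few keystrokes give no usable timing statistics
    const { mean, stdDev } = stats(gaps);
    if (mean < THRESHOLDS.minMeanKeyMs) reasons.push("keystrokes too fast");
    if (stdDev < THRESHOLDS.minKeyStdDevMs) reasons.push("keystroke timing uniform");
  }
  const verdict =
    reasons.length >= 2 ? "challenge" : reasons.length === 1 ? "review" : "allow";
  return { verdict, reasons };
}

// Constructed telemetry samples (not captured from real traffic).
const samples = {
  scripted: { webdriver: true, mouseMoves: 0, keyGapsMs: [10, 10, 10, 10, 10, 10] },
  flagHidden: { webdriver: undefined, mouseMoves: 0, keyGapsMs: [10, 11, 10, 10, 11, 10] },
  human: { webdriver: false, mouseMoves: 42, keyGapsMs: [120, 95, 210, 80, 160, 140] },
};

for (const [name, telemetry] of Object.entries(samples)) {
  console.log(name, scoreSession(telemetry));
}
```

The `flagHidden` sample shows why the webdriver flag should not be the sole check: with the flag absent, the session is still challenged on its behavioural signals.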


Spotting ideal websites for bots

If you're struggling to decide which website your bot army should invade next, it's important to look out for these points in order to find the website that will allow you the most control over your bot users.

User Registration

Normally, we will want our bots to be registered to our target website.

Registered users have additional features, and each bot that successfully registers to the website equals more power in your hands over the website.

Secured websites usually have one or more of the following methods to eliminate or mitigate multiple user registrations from the same person. We will go over each method and discuss if and how we can overcome it.

Method 1: Verifying Emails

Websites will often require you to enter an email address when registering a new account. They will then send a verification mail to that address and activate your account only if you click the verification link.

This can be bypassed very easily by using one of the following temporary mail websites:

https://temp-mail.org/

Each bot that wishes to register can go to one of the temporary mail websites, extract its own temporary mail address and register with it on the target website.

The bot can then go back to the mail website and click the verification link that was sent to the mail address. By doing so, the account will be registered and activated successfully.

Method 2: Phone numbers

Website registration sometimes requires a phone number to be entered.

Sometimes this field is only used by the website for ad purposes and entering a fake Mongolian number in the phone number field is enough to bypass this.

Other times, the website will require you to verify your account by entering a code that will be sent to that number.

This is a harder method to bypass as you will need to match a phone number for each bot you wish to register on the website.

It's possible to use online websites that receive SMS codes and display them in order to automate the process of registering, reading the SMS code that was sent to the number and entering it on the website for verification.

The following websites are recommended for this purpose:

In the next section, we will go over a more advanced method that websites use as a direct countermeasure against bot activity and we will show different methods to combat it.


Bypassing Captchas

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart.

Captchas are used by various websites to prevent bots from simply logging in or registering to a website easily. They require the user to perform a test whose answer is difficult to predict. The reasoning is that humans will pass this test and bots won't, which allows the website to protect itself from bot activity.

Not all Captchas are created equal

Let's take a look at Geetest's slider captcha, a popular captcha used by many websites to prevent bots from taking over.

Using Selenium and python image processing, I was able to create a program that can correctly answer the slider captcha about 30% of the time.

30% isn't perfect, but considering that the page can be refreshed and the captcha can be retaken several times, it results in the bot eventually answering the captcha correctly, usually in under a minute.

Imagine tens of thousands of bots bypassing the slider captcha after 3-4 attempts and registering to a website successfully. This scenario shows how this captcha is not effective against massive bot activity and can be easily bypassed by any bot master who wishes to flood a website with his bots.
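The retry argument above can be put in numbers, together with the mitigation it points to: capping failed captcha attempts per client. This is an added example, not code from the original post; the 30% success rate is the figure quoted above, while the limiter class, its parameters and the client key (for example an IP address or device identifier) are assumptions.

```javascript
// Added example. p = 0.30 is the solver success rate quoted in the post;
// the limiter and its parameters are hypothetical.

// Probability that an automated solver passes at least once in n attempts.
function passProbability(p, attempts) {
  return 1 - Math.pow(1 - p, attempts);
}

// Locks a client key after maxFailures failed captchas within windowMs.
class CaptchaAttemptLimiter {
  constructor({ maxFailures = 3, windowMs = 10 * 60 * 1000 } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // clientKey -> timestamps (ms) of recent failures
  }

  // Drop failures that have aged out of the window and return the rest.
  recent(clientKey, now) {
    const kept = (this.failures.get(clientKey) ?? [])
      .filter((t) => now - t < this.windowMs);
    this.failures.set(clientKey, kept);
    return kept;
  }

  isLocked(clientKey, now = Date.now()) {
    return this.recent(clientKey, now).length >= this.maxFailures;
  }

  // Record a failed captcha; returns true if the client is now locked out.
  recordFailure(clientKey, now = Date.now()) {
    this.recent(clientKey, now).push(now);
    return this.isLocked(clientKey, now);
  }
}

// With unlimited retakes the captcha only slows the solver down.
for (const n of [1, 2, 3, 4, 10]) {
  console.log(`${n} attempt(s): ${(passProbability(0.3, n) * 100).toFixed(1)}% pass`);
}
```

A cap of three failures per window still lets about 66% of such solvers through per client key, so the limit works as a cost multiplier alongside other signals rather than as a barrier on its own.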

What about ReCaptcha?

Google's ReCaptcha is the most popular and well-known captcha software.

It's present on most websites today, it's extremely difficult to solve, and even humans have a hard time answering it sometimes.

A cheap and easy way of bypassing Google's ReCaptcha can be found not by attempting more complicated image processing, but by harnessing the smartest thing we have - the human brain.

There are multiple services which offer captcha solving solutions for very cheap prices.

Services like AntiCaptcha and 2Captcha have workers who are trained at solving the most difficult captchas in minimal time. The pricing is between $1 and $3 per 1000 ReCaptchas.

It can be used by any bot master to enable his bot army to take over the most captcha-secured websites for a cheap amount…


Conclusions

Today we went over the basics of creating your first bot army.

We examined how old bot armies operated and we talked about the differences in how to operate bots today on modern websites.

We then reviewed and discussed different security measures websites might use upon registration and how some can still be bypassed automatically by bots.

Finally, we talked about the most advanced countermeasure against bots - captchas.

We went over different techniques to overcome captchas and learned along the way that not all captchas are created equal.

I hope you all enjoyed this article. I'd like to end with a quote from our friendly internet quote generating bot.

"If you try, you can be the first to prove something that the rest of the world refuses to prove"


14 Likes

I've always loved the idea of automating web processing technologies like ReCaptcha, login portals, and other similar things. I remember when trollforge was the bleeding edge in open research, among other things. Anyway great post.

*trollforge: it's an archive because the original url gnaa.fr doesn't exist anymore. The president weev was found to be a white supremacist. I only am mentioning them here for the research value. They pioneered captcha research.

1 Like

Damn, I do like bots something, they did help me a lot until now and now I'm looking forward to make a relation between bots and machine learning that would be great and also great share mate.

Great article, thank you 🙂

this is my first robot