Botnets are the engine of cybercrime. And persons with malicious intent have recently begun to deploy botnets in novel ways that should scare the pants off ordinary citizens.

First, some context. A " bot'" is a computer that stands ready to receive instructions remotely and surreptitiously from a controller. Gather together 10,000 or 100,000 bots and you have a botnet, a network of computers awaiting commands.

A classic bot is simply an infected computer. It could be your PC or mine. And then there is a newer type of bot that exists as an instance of a virtual machine. This type of virtual bot can be created easily and cheaply in the Internet cloud, via services from Google, Amazon and Microsoft. In the past couple of years, cyber criminals have begun to spin up these cloud-based virtual bots by the millions.

The larger point is this: badness on the Internet continues to escalate because persons with malicious intent have access to an endless supply of bots. Botnets do the heavy lifting of cybercrime. They distribute email spam and phishing attacks, probe websites for weaknesses and carry out denial of service attacks.

But now botnets are being put to work in some profoundly disturbing ways that threaten the fabric of society. They include:

Poll hoaxes.

It's a simple matter directing bots to vote in online polls. In 2009, bots skewed the online voting in Time magazine's Time 100 poll. The No.1 vote getter turned out to be Christopher Poole, aka moot, a 21-year-old founder of a bulletin board for hackers.

Fast forward to 2016 and the polling frenzy surrounding the U.S. presidential race. Several media outlets reported how botnet activity factored into wildly conflicting polling results, including some polls incredulously showing Trump soundly beating Clinton in their two televised debates.

"The 2016 election marked a surge in the use of bots," says Rami Essaid, founder and CEO of Distil Networks, a website security vendor that monitors botnet traffic. "The fact is, it's surprisingly easy to create scripts to manipulate online polls and sway public opinion."

Social media trickery.

Bots are perfect for clicking on social media buttons. They can even be programmed to assume a persona and behave as a "follower." Bots can be configured to comprehend tweets and respond with contextual rejoinders. Such ruses are useful in conducting a variety of scams, not the least of which relates back to the grab for political power.

Oxford University researchers, for instance, studied how bots played a "small but strategic role" in the social media discussion leading up to the Brexit vote last summer. Closer to home, bots were the source of much of the combative tweeting seen during the U.S. presidential race.

As measured by Twitter Audit last August, some 39 percent of then-presidential candidate Donald Trump's Twitter followers were faked. The most recent Twitter Audit, conducted in late January, showed President Trump with 22.7 million Twitter followers - 16.6 million real, and 6.1 million fabricated.

Faked Twitter followers, of course, is a well-known flaw, acknowledged by Twitter. Even so, I agree with Essaid when he says that "political bots shouldn't be taken lightly; they can be used to exaggerate a candidate's popularity and manipulate the public conversation."

Account takeovers.

Distil Networks has a bird's eye view of bad bot activity. Last year, the web application security company identified over 567 billion bot requests supporting malicious tasks. Most disturbingly, the company saw a notable spike in botnets being directed to make systematic attempts to break into online accounts.

Bots are perfectly suited to the "brute force" hacking routine of testing millions of stolen user name and password combinations on multiple websites.

"The bad guys are not going through these logons one by one," says Essaid. "They're loading them up in the bots and testing them out, at scale, to see what they can access for social media accounts, banking accounts, on e-commerce sites and at all kinds of different institutions. Account fraud is going through the roof."

This is not good, folks. You may have thought you were in the clear because no one appears to have acted upon your stolen information, whether it was taken from Yahoo, LinkedIn, Ashley Madison or the U.S. Office of Personnel Management.

But if your stolen logon credentials remain valid somewhere, a bot will eventually find it, and criminals will take full advantage. Do the basics. Refresh all of your passwords. Use strong passwords. Opt for two-factor authentication. And stay alert.

Published on: Feb 28, 2017