Fighting Fraud in the Trenches

Amir Shaked
PerimeterX
3 min read · Jul 30, 2018

The famed bank robber Willie Sutton once said “I rob banks because that’s where the money is.” These days, botnet operators would say the same thing about retail sites and marketplaces. The nexus of fraud activity has shifted away from financial services targets to focus heavily on the retail ecosystem. That’s because retail and marketplace sites are far more like banks than they used to be, with multiple ways for criminals to cash out.

These attacks are very common. According to PerimeterX’s own analysis, on average 40 percent of all login attempts are malicious in nature. That can go up to 80 percent of all login attempts during significant account takeover (ATO) attacks. Increasingly, this mix includes mobile apps and mobile APIs as a key target. Out of the 3 billion malicious login attempts PerimeterX blocked in the last few months during ATOs, 40 percent of the bots tried to disguise themselves as mobile apps.

From simply hijacking a stolen account to making fraudulent purchases to siphoning off loyalty points, ATO attacks against retailers offer many ways to extract cash quickly and easily. Not surprisingly, the scale of attacks has massively grown to meet the target environment.

So, what’s changed to make this possible? The first question might actually be: what has not changed?

People still tend to heavily reuse passwords across multiple sites. This is despite years of calls for people to use password wallet software or password management systems in browsers.

Many financial institutions have mandated two-factor authentication. But retail operators are afraid to take this step out of fear of chasing off valid users and real customers through introduction of unnecessary steps in the purchasing and login process. Banks can demand 2FA because financial accounts are inherently sticky. But retailers must fight to convince even repeat customers not to abandon shopping carts.

As a result, retail has become a comparatively “softer” target, one that has drawn more and more attention from attackers and encouraged improvements in their data and tooling.

The improvements in data quality have arisen as the marketplace for stolen credentials has grown more sophisticated and the people operating it more professional. We are now seeing massive online databases with billions of username/password pairs running online reliably with very low latencies for large queries.

This is a fundamentally different animal than dumping a few hundred accounts on Pastebin and offering to sell the rest for $20 on some obscure Dark Web site.

Improvements in QA tooling for browsers and apps have also helped botnet operators who mimic many aspects of a QA process during their attacks. This has had the perverse impact of providing ready-made open-source tools to deliver botnet attacks.

The shift to mobile apps has arguably made retail an even softer target because botnet operators are attacking an API rather than a website. This provides less information to security teams for detection and filtering as attackers are not trying to move about a website but are only querying an API.

Then there is the explosion of connected devices. Gartner has predicted that there will be 20 billion connected devices by 2020, as we move to a world where nearly everything is Internet enabled. The malware targeting poorly secured IoT systems has become far more sophisticated; the Mirai botnet software, for example, continues to evolve and improve.

This gives botnet operators a fast-growing body of easy yet sufficiently useful delivery agents for attacks or malware payloads.

The reality is, if you are not seeing these attacks, you are not looking hard enough. They are certainly happening on your website. Some basic steps to identify these attacks include:

  • Look for old versions of your mobile app spiking in traffic
  • Look for user agent clusters that are only doing login attempts
  • Look for conspicuously outdated user agents
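The three checks above, sketched over request logs as an added example (not code from the original article or from PerimeterX). The `ShopApp/x.y` user-agent format, the `/api/login` path, the version floors, the thresholds and the sample traffic are all assumptions constructed for illustration.

```python
import re
from collections import Counter

LOGIN_PATH = "/api/login"                      # assumed login endpoint
APP_UA = re.compile(r"^ShopApp/(\d+)\.(\d+)")  # hypothetical mobile app UA format
BROWSER_UA = re.compile(r"(Chrome|Firefox)/(\d+)")
MIN_MAJOR = {"Chrome": 60, "Firefox": 55}      # assumed floor; tune to your own traffic

def app_version(ua):
    m = APP_UA.match(ua)
    return (int(m.group(1)), int(m.group(2))) if m else None

def spiking_old_versions(baseline, current, latest, factor=5, min_requests=20):
    """Old app versions whose volume grew at least `factor` times over baseline."""
    base = Counter(app_version(ua) for ua, _ in baseline)
    cur = Counter(app_version(ua) for ua, _ in current)
    return sorted(v for v, n in cur.items()
                  if v and v < latest and n >= min_requests
                  and n >= factor * max(base[v], 1))

def login_only_agents(records, min_requests=20, ratio=0.95):
    """User agents whose traffic is almost entirely login attempts."""
    total, logins = Counter(), Counter()
    for ua, path in records:
        total[ua] += 1
        logins[ua] += path == LOGIN_PATH
    return sorted(ua for ua, n in total.items()
                  if n >= min_requests and logins[ua] / n >= ratio)

def outdated_agents(records):
    """User agents reporting a browser major version below the configured floor."""
    found = ((ua, BROWSER_UA.search(ua)) for ua in {ua for ua, _ in records})
    return sorted(ua for ua, m in found if m and int(m.group(2)) < MIN_MAJOR[m.group(1)])

# Constructed sample traffic as (user_agent, path) pairs; not real logs.
OLD_APP, NEW_APP = "ShopApp/2.3 (Android 6.0)", "ShopApp/4.1 (Android 8.1)"
OLD_CHROME = "Mozilla/5.0 (Windows NT 6.1) Chrome/41.0.2272.89 Safari/537.36"
NEW_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/67.0.3396.99 Safari/537.36"
BROWSE = [(NEW_APP, p) for p in ("/api/login", "/api/cart", "/api/items")] * 30
BASELINE = BROWSE + [(OLD_APP, "/api/items")] * 3
CURRENT = (BROWSE + [(OLD_APP, LOGIN_PATH)] * 400 + [(OLD_CHROME, LOGIN_PATH)] * 50
           + [(NEW_CHROME, "/checkout")] * 25)

if __name__ == "__main__":
    print("old app versions spiking:", spiking_old_versions(BASELINE, CURRENT, latest=(4, 1)))
    print("login-only user agents:  ", login_only_agents(CURRENT))
    print("outdated user agents:    ", outdated_agents(CURRENT))
```

The `min_requests` floor keeps low-volume legitimate clients from being flagged; compare each window against a baseline from a period you trust.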

Retail websites and secondary marketplace operators victimized by these attacks will generally learn what’s happening only when customer complaints start to roll in. By then, it’s too late, and the damage has been done, financially and to the brand’s reputation.

I’ll be presenting a talk on this topic at BSidesLV and walking through a technical demo of how to build an ATO attack from scratch targeting a real mobile application. We will also cover some approaches to protect both the business and the consumer from such attacks.

The talk I gave at BSidesLV August 2018

Originally published at https://www.tripwire.com on July 30, 2018.
