The Ugly Truth of Retail Fraud and Account Takeovers

Human nature can be very ugly to witness, especially when the resulting damage is self-inflicted. The reality behind the prevalence of account takeover is simple human nature: despite the availability of password managers that can generate strong passwords, store them, and enter them at time of login, consumers continue to reuse the same password across many different websites. Therein lies the Achilles Heel for any organization that relies on a web app as the gateway to products and services they provide: no matter how well the underlying application is designed and maintained, website authentication pages are the doors beckoning to attackers with the siren call: “Go ahead. Try to break through.”

Account takeover (ATO) continues to be a business challenge our customers repeatedly tell us they must defend against-and one that cuts across nearly every vertical. The second in a series of three entries, this blog focuses on key scenarios that organizations with a public-facing e-commerce or retail presence should monitor to defend against ATO. For a refresher on how utilizing a threshold-based approach enables organizations to identify irregular request patterns to spot fraudulent authentication and account activity, check out the first entry in this series on ATO.

Account Takeover Overview

Account takeover is also referred to as “credential stuffing”- here’s a breakdown of the process of automatically testing the validity of stolen credentials against various websites:

1. A third-party breach occurs and the username and password pairs are exfiltrated
2. The exfiltrated credentials are then posted to public paste sites, sold in bulk, or traded on Dark Web marketplaces
3. A threat actor acquires the leaked usernames and credentials
4. The attacker uses automated credential stuffing tools like Sentry MBA to test the stolen credentials against sites with user bases that store high-value data and personally identifiable information (PII).

The Verizon Data Breach Investigation Report for 2019 lists web apps as the top threat vector leading to data breaches.

The above happens very quickly because attackers know they are not alone in their attempt to leverage the same dump of stolen credentials for illicit gain.

Malicious actors have three primary goals with account takeovers:

• Sell validated login credential pairs on the Dark Web
• Gain access to account information such as stored credit card data and personally identifiable information (PII) and then sell it to other threat actors, usually for the purposes of identity theft, applying for credit in the victim’s name etc.
• Leverage the account for their own gain such as transfer money, purchase goods, spread an agenda, or abuse website functions

The value of stolen accounts is readily apparent, so it’s no surprise that Verizon’s latest Data Breach Investigation Report for 2019 lists web apps as the top threat vector leading to data breaches, especially when combined with stolen credentials. It’s easy to walk through a bank vault door when you already have the keys and the proper credentials.

Know Your Sites’ Expected Traffic Thresholds

When you know the expected baseline for web request traffic, you can monitor for high volume and “low and slow” spikes and anomalies for key transactions in an authentication flow.

Identifying malicious activity requires your organization to define an expected baseline level of web request activity for each of the key authentication events over a defined time frame: any web request traffic patterns outside of what is normally expected should be flagged as abnormal. Depending on how the attacker deploys their credential testing, there are two types of ATO types: “Volumetric” and “Low and Slow”:

Volumetric credential stuffing: the login requests are attempted in high volume bursts at easily identified spikes above the expected baseline

Low and Slow: these login requests are continual and consistent and run 24/7 at a slow pace that has no easy-to-discern start or stop and do not stand out readily from overall valid login requests.

Both ATO types are typically distributed from a wide range of IP addresses. Sophisticated account takeover attacks are very highly distributed with the attacker goal being to resubmit their requests from many different locations so as to appear legitimate. Think of this as obfuscation through dispersion.

Retail ATO and App Abuse Examples

If you work in an organization with an online retail presence or allow customers to transact with stored value units for real merchandise or services (example: loyalty programs, coupon “deal” sites), there are several forms of web app abuse to monitor and take action on. Below are examples of attacks specific to retail and e-commerce that Signal Sciences can detect and block.

Fraudulent purchases result when attackers use a combination of approaches with the immediate goal of completing fraudulent purchases:

• Stolen Credentials: after acquiring stolen username-password pairs, attackers will do the following to manipulate an account for their own gain:
• Change the address so they can have merchandise delivered to a different address
• Change email address so they can lock out the valid account owner and reset the account password if necessary (this is where out-of-band authentication becomes ineffective once an account is compromised)
• Brute force of CVV many retailers require valid CVV to complete purchases
• Creation fake accounts with the primary goal to test stolen credit cards with fraudulent transactions, no matter how small the value.

Gift Card Cracking occurs when attackers attempt to brute force the API that enables users to check their gift card balances with the end goal of determining the validity of gift card numbers. A higher than normal number of requests against the Gift Card API and failures from a single IP indicates a brute force attempt.

Signal Sciences can monitor and detect spikes in key retail transactions like order failures, address changes, add to cart and email address changes.

Product and Price Scraping is executed via automated bot requests:

• Bad Bots constantly visit product pages, performing searches and scrape data. These can be identified by known signatures including known bad IP ranges from various sources like SANS. Signal Sciences customers also get the benefit of our Network Learning Exchange (NLX) that identifies malicious traffic across our customer based. This collective data provides insight that can be leveraged to stop attacks happening to all customers.
• SearchBot Imposters advertise themselves as search engine bots but are actually fake. These can be identified based on a reverse DNS lookup of the bots’ source IP addresses.

Check out flow abuse:

The above is academic, so here’s a real-world example of detecting and stopping ATO: Glossier, an e-commerce beauty brand, uses the Signal Sciences Console for visibility into the origin source of malicious traffic. They can also see and block web requests originating from an entire geographic range of IP address that target specific endpoints and attempt to cycle through username and password combinations. In sum, Signal Sciences empowers Glossier to detect and block account takeover attempts, all without a dedicated security team.

Detect and Prevent Account Takeover with Signal Sciences

Signal Sciences provides real-time, automated visibility not only into login and account creation activity, but also the web request values and context behind those requests that can reveal fraud with easy configuration and no performance impact on the apps protected. Other solutions in the market add significant latency and can adversely impact customer experience and require significant ramp up time-and that’s time you could be using to defeat the adversary. With Signal Sciences, you get visibility when it counts, not later when it’s too late. See for yourself with a live demo or download and read more about our brute force and ATO prevention capabilities.

Originally published at https://labs.signalsciences.com.