In Attack Vectors Part One we looked at the ‘happy go lucky’ bot attacks that come in various shapes and sizes to target any and all websites lacking adequate bot protection, often at significant cost to the victim.
In Part Two we look at the evolving attack patterns observed across our customers’ websites: patterns that the attacker deliberately conceals and that are therefore difficult to identify.
What is business logic & why are attackers exploiting it?
Business logic is the set of rules a business builds into its website to let customers interact with it: log in, add to basket, check out. Sites with perfectly sensible and widely implemented business logic around user authentication, checkout and credit card validation can be (and frequently are) abused by automated traffic to carry out a range of attacks, including:
- Credential stuffing
- Account takeover (ATO)
- Validation of stolen credit cards
- Inventory hoarding/exhaustion
- Sneaker bots
- Price scraping
Attackers are looking for a return on the time and money they invest in maintaining a volumetric bot attack. Where an attacker is confident the attack will stay profitable, they will refresh, or re-tool, the scripting and delivery of the attack to mask their traffic in the background noise of a busy website.
The example below is a follow-up to the ‘Happy-Go-Lucky Chancer’ attack discussed in Part One; in it we saw the following behaviours:
Hiding in the noise – attacks during peak trading
If an attacker wants to sneak in under the radar, what better opportunity than a sales event?
Sales events are typically busy times for operations, security and marketing teams, particularly in global organisations that plan campaigns to ‘follow the sun’ from the Far East through the Gulf and into Europe and the US, maximising conversion rates and squeezing every penny out of the marketing spend.
Follow the sun attack patterns
In our customer’s case, we identified and mitigated a rolling credential-stuffing and card-stuffing attack that shifted with the marketing activity, as illustrated in fig. 1.
Starting at midnight UK time (early morning in China) and using data centres in China, the attacker timed the attack to coincide with the emails and push notifications telling customers in China about the sale. As the day progressed the attack moved to data centres in whichever countries customers were then receiving the marketing emails.
The attacker clearly wanted to hide amongst the expected uplift in traffic on the site. They presumed this technique would bypass traditional mitigations such as WAF rules and IP blocking at country or data-centre level, leaving them plenty of opportunity to validate millions of credentials and tens of thousands of credit cards against the target site.
Instead, Netacea’s behavioural approach to bot management meant that the attacks were identified and blocked immediately.
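The reason a traffic uplift does not hide this kind of attack is that credential stuffing has a behavioural signature that genuine peak traffic lacks: many distinct usernames from one source with almost no successful logins. The following is an added example, not Netacea's code or the customer's data; it scores per-source, per-hour login behaviour over constructed events in which a legitimate sale-day peak and a rolling two-region attack have comparable volume. The IP ranges are RFC 5737 documentation blocks standing in for hosting-provider ranges, and the thresholds are illustrative.

```python
"""Behavioural credential-stuffing detector over constructed login events.

Added example: events are synthetic; 192.0.2.0/24 stands in for the customer
population and 203.0.113.0/24 / 198.51.100.0/24 for two data-centre ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
import random


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def source_key(ip: str) -> str:
    """Aggregate by /24; in production key on ASN or hosting-provider tags."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def hour_bucket(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def detect_stuffing(events, min_attempts=50, min_distinct_users=40,
                    max_success_ratio=0.2):
    """Flag (hour, source) pairs whose login behaviour looks like stuffing.

    The signal is behavioural, not volumetric: many distinct usernames from one
    source with a low success ratio. A marketing-driven spike raises attempts
    for every source but does not produce this signature, so the attacker
    cannot hide in the uplift. Thresholds are illustrative.
    """
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for e in events:
        s = stats[(hour_bucket(e.ts), source_key(e.src_ip))]
        s["attempts"] += 1
        s["successes"] += e.success
        s["users"].add(e.username)

    flagged = []
    for (hour, src), s in sorted(stats.items()):
        ratio = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and ratio <= max_success_ratio):
            flagged.append({"hour": hour.isoformat(), "source": src,
                            "attempts": s["attempts"],
                            "distinct_users": len(s["users"]),
                            "success_ratio": round(ratio, 3)})
    return flagged


def build_sample_events():
    """Constructed sale-day traffic: genuine peak logins plus a rolling attack."""
    rng = random.Random(7)
    day = datetime(2024, 11, 29, tzinfo=timezone.utc)
    events = []

    # Genuine shoppers responding to the sale: 300 logins an hour, mostly
    # successful. Putting them all in one /24 is the hardest case for the
    # detector, because their volume then matches the attacker's.
    for hour in range(24):
        for _ in range(300):
            events.append(LoginEvent(
                ts=day + timedelta(hours=hour, seconds=rng.randrange(3600)),
                src_ip=f"192.0.2.{rng.randrange(256)}",
                username=f"customer{rng.randrange(5000)}",
                success=rng.random() < 0.9))

    # Rolling attack timed to the campaign: 00:00 UTC from one hosting range,
    # 08:00 UTC from another, each replaying a list of leaked credentials.
    for hour, prefix in ((0, "203.0.113"), (8, "198.51.100")):
        for i in range(250):
            events.append(LoginEvent(
                ts=day + timedelta(hours=hour, seconds=rng.randrange(3600)),
                src_ip=f"{prefix}.{rng.randrange(256)}",
                username=f"leaked{hour}_{i}",
                success=rng.random() < 0.02))
    return events


if __name__ == "__main__":
    for hit in detect_stuffing(build_sample_events()):
        print(hit)
```

Only the two attacker ranges are returned, in the hours they were active; the customer range carries more requests per hour but is never flagged, because its success ratio stays near 90%. Keying on the success ratio and username spread rather than on request count is what lets the detection follow the attack as it moves from region to region.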
Tooling and re-tooling
So how are these attacks carried out? Well, it’s all quite easy when the tools of the bot attacker’s trade are readily available on the open internet.
Tools such as Snipr and STORM, readily available online, let attackers download pre-configured script packs that can be run against a target site through pre-defined proxies, often compromised machines forming part of a botnet.
Over time these tools and scripts begin to display ‘tells’ that make the traffic they generate stand out from the background noise of a busy website.
In fig. 2 the attacker is using a very old version of Firefox as the User-Agent (UA). That is an immediate trigger for a WAF rule, or similar blocking, at the UA level, although a UA string costs the attacker nothing to change, as the next example shows.
In the subsequent example (fig. 3) the attacker has re-tooled the scripted attack and is rotating UAs across requests, using more common and up-to-date UAs. The aim is to disrupt investigation and mitigation by making the requests appear to come from many real-world clients.
We saw this behaviour during the ‘follow the sun’ attack described above.
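Both tells, the stale UA of fig. 2 and the UA rotation of fig. 3, can be picked out of request logs without trusting the UA string itself. The following is an added example, not Netacea's code or the figures' data: it runs a version-floor check and a per-client UA-rotation check over constructed request records. The version floors, the client key (source IP; a session or TLS fingerprint is better, so a NAT gateway is not mistaken for a bot) and the window size are all assumptions to tune against your own traffic.

```python
"""Two User-Agent 'tells' over constructed request records (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Illustrative version floors, not authoritative: derive them from the versions
# your genuine traffic actually presents and refresh them regularly.
MIN_MAJOR = {"Firefox": 100, "Chrome": 110}
UA_RE = re.compile(r"\b(Firefox|Chrome)/(\d+)")


def ua_is_outdated(ua: str):
    """True if the UA claims a browser major version below the floor.

    Returns None for families we do not track (no verdict, never a block).
    Chrome-derived browsers such as Edge also carry a Chrome/ token, which
    is fine for a version floor.
    """
    m = UA_RE.search(ua)
    if not m:
        return None
    family, major = m.group(1), int(m.group(2))
    return major < MIN_MAJOR[family]


def ua_rotation(requests, window=timedelta(minutes=10), max_distinct=3):
    """Clients presenting more than max_distinct UAs inside any sliding window.

    A real browser presents one UA for the life of a session and a shared
    gateway presents a handful; a different UA on nearly every request is a
    re-tooled script rotating UAs to look like many clients.
    """
    by_client = defaultdict(list)
    for r in requests:
        by_client[r["client"]].append((r["ts"], r["ua"]))
    flagged = {}
    for client, reqs in by_client.items():
        reqs.sort()
        lo = 0
        for hi in range(len(reqs)):
            while reqs[hi][0] - reqs[lo][0] > window:
                lo += 1
            distinct = len({ua for _, ua in reqs[lo:hi + 1]})
            if distinct > max_distinct:
                flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged


def analyse(requests):
    outdated = sorted({r["client"] for r in requests if ua_is_outdated(r["ua"])})
    return {"outdated_ua": outdated, "rotating_ua": ua_rotation(requests)}


# Constructed UA strings: current-looking desktop browsers plus a stale one.
MODERN_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36",
]
OLD_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"


def build_sample_requests():
    """Four constructed clients; IPs are RFC 5737 documentation addresses."""
    t0 = datetime(2024, 11, 29, 0, 0, tzinfo=timezone.utc)
    reqs = []

    def add(client, n, gap_s, ua_for):
        for i in range(n):
            reqs.append({"ts": t0 + timedelta(seconds=i * gap_s),
                         "client": client, "ua": ua_for(i)})

    add("198.51.100.10", 20, 30, lambda i: MODERN_UAS[0])        # genuine shopper
    add("198.51.100.20", 20, 30, lambda i: MODERN_UAS[i % 3])    # office NAT, three users
    add("203.0.113.5", 60, 1, lambda i: OLD_FIREFOX)             # fig. 2: stale UA
    add("203.0.113.6", 60, 1, lambda i: MODERN_UAS[i % len(MODERN_UAS)])  # fig. 3: rotating
    return reqs


if __name__ == "__main__":
    print(analyse(build_sample_requests()))
```

The stale-UA client is caught by the version floor alone, while the re-tooled client passes that check on every request and is only caught by the rotation count: six distinct UAs from one client inside a minute. The office NAT, with three users behind one address, stays under the threshold, which is why the rotation check needs a client key finer than the source IP before it is used to block rather than to investigate.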
Netacea’s behavioural approach lets us look at the intent behind all web traffic and group attacks into actionable collections that can be mitigated en masse and in real time.
In part three of this series, we’ll look at what happens when the attack vector switches from website to API.
Detect and prevent hidden attacks in their tracks
Netacea takes a smarter approach to bot management. Intent Analytics powered by machine learning quickly and accurately distinguishes bots from humans to protect websites, mobile apps and APIs from automated threats while prioritising genuine users. Actionable intelligence with data-rich visualisations empowers you to make informed decisions about your traffic. Talk to our team today or discover more about the Attack Vector threats of account takeover to your business.