WHAT IS MALICIOUS AUTOMATION? Definition and detection of a new pervasive online attack
INTRODUCTION

In this whitepaper, we will define the problem of malicious automation and examine some of the common tools used to exploit the vulnerability of modern web properties. Furthermore, we will examine why malicious automation is so difficult to detect and mitigate, and explore common targets of these attacks. Finally, we will highlight the significant economic benefits of reducing malicious automation on your web properties.

WHAT IS MALICIOUS AUTOMATION?

Malicious automation thrives on the foundation of recent advancements in cloud and mobile computing. Attackers can easily build campaigns that are highly scalable, extraordinarily efficient, and difficult to detect or to trace back to their origins and actors. This transition has fundamentally transformed the underlying dark economy of cyber attackers, causing malicious automated attacks to become ubiquitous across virtually any web-facing functionality in an enterprise.

Contrary to traditional viewpoints, malicious automation has morphed into a highly sophisticated and modern form of attack. Widely available attack tools and custom-formatted attacks can learn and automate the entire flow of a given application, allowing criminals to move efficiently towards their target while hiding in plain sight amongst legitimate human users. Automation occurs in many forms, such as scripts, sophisticated attack tools, or real browser automation tools. All of these are commonly used to launch malicious automation attacks.

What is Malicious Automation? Malicious automation attacks are web/API/mobile requests sent with malicious intent that evade traditional detection methods. The intent of actors using malicious automation attacks can be:
* Validate a set of leaked user credentials
* Automated password reset
* Bulk fake account creation
* Account scraping, peeking
* Site scraping
* PII theft
* Theft of money, goods and services
The web/API/mobile requests generated by these attack tools are syntactically correct, meaning they do not exploit any vulnerability in the application stack and do not trip any alerts in traditional security solutions like IDS/IPS or web application firewalls. Current solutions for APIs are ineffective; consequently, attackers exploit them. Criminals notoriously pursue the attack channel with the least friction, leaving APIs just as vulnerable to malicious automation as traditional web targets.
MALICIOUS AUTOMATION TOOLS

There are a large number of malicious automation tools available on the black market. Most of these are free, although a few are sold for relatively small sums of money, typically via bitcoin.

Sentry MBA is one of the commonly available and widely used black market tools. It is also interesting to note that while the tool itself is free, there is an active black market in the config files that are specific to a particular target site. Typically, these config files sell for 50 (give or take). These config files allow the tool to navigate the unique characteristics of the target URL. When paired with proxy list files and combo lists of stolen credentials, all widely available in underground marketplaces and public sites like Pastebin, Sentry MBA efficiently performs sophisticated malicious automation attacks while requiring little expertise on behalf of the user.

MALICIOUS AUTOMATION TOOLS INCLUDE:
* SentryMBA
* AccessDiver
* Hitman
* AIO Checker
* Vertex
* Perl scripts
* Browser automation tools like Selenium
THE PROBLEM: WHY IS MALICIOUS AUTOMATION SO HARD TO STOP?

Due to major advancements in cloud computing power and mobile computing, malicious automation is a chronic problem for most enterprises. Earlier, mostly homegrown solutions have proved ineffective in the face of well-established black market tools and advanced criminal organizations.

Examples of solutions that are incapable of effectively detecting or mitigating such attacks include:

* According to customer data, these can be defeated by OCR more than 85% of the time, and they introduce significant user friction and subsequent revenue reduction.
* Simple mitigation techniques (IP blocking and rate limiting): easily fooled by most tools and techniques, whether by rotating IPs, attacking via a low-and-slow method, or using trusted cloud sources.
* Web Application Firewalls: WAFs won't alert on syntactically correct actions. Since malicious automation is a syntactically correct attack, WAFs provide no detection ability.
* IDS and IPS: these scan a variety of protocols and need to make decisions extremely fast, inevitably missing sophisticated malicious automation attacks. Lack of historical look-back capability prohibits behavioral analysis and deep learning, which are essential for advanced detection.

All of the above techniques create significant, revenue-reducing user friction and create a false sense of security due to a lack of accurate detection of malicious automation attacks. They negatively affect user experience, introduce latency, and are generally ineffective when scaling up to the enterprise web.
[Figure: Anatomy of an Account Takeover Attack. Stolen/leaked credentials are replayed against the login form (email, password) across many accounts. Evasion techniques: rotate timing; rotate users and devices; rotate user agents and IPs; use cloud providers and open proxies. Successful logins lead to value extraction.]
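The following Python is an added example, not part of the whitepaper and not Stealth Security's product: it contrasts the per-IP rate limiting the text says is fooled by rotating IPs with window-wide signals that survive the rotation of IPs, user agents and usernames shown in the figure. The log line format, the address ranges, the thresholds and the sample traffic are all constructed for this example.

```python
"""Added example: per-IP rate limiting vs. campaign-level credential-stuffing signals."""
from collections import Counter
from typing import NamedTuple

class LoginEvent(NamedTuple):
    ip: str
    user: str
    ua: str
    ok: bool  # True if the login succeeded

def parse(line: str) -> LoginEvent:
    """Constructed log format: '<ip> <username> <user-agent> <SUCCESS|FAIL>'."""
    ip, user, ua, result = line.split()
    return LoginEvent(ip, user, ua, result == "SUCCESS")

def per_ip_rate_limit(events, max_failures=5):
    """Classic mitigation: block any IP with more than max_failures failed logins."""
    fails = Counter(e.ip for e in events if not e.ok)
    return {ip for ip, n in fails.items() if n > max_failures}

def aggregate_signals(events):
    """Window-wide signals that survive IP, user-agent and timing rotation."""
    fails = [e for e in events if not e.ok]
    per_ip = Counter(e.ip for e in fails)
    return {
        # share of all login attempts in the window that failed
        "fail_ratio": len(fails) / len(events),
        # share of failing IPs that failed exactly once: rotating sources
        "single_shot_ips": sum(n == 1 for n in per_ip.values()) / max(len(per_ip), 1),
        # distinct usernames per failure; ~1.0 means one try per stolen credential
        "user_spread": len({e.user for e in fails}) / max(len(fails), 1),
    }

def is_campaign(events, fail_ratio=0.5, single_shot=0.8, user_spread=0.8):
    """Flag the window as a stuffing campaign (thresholds are illustrative)."""
    s = aggregate_signals(events)
    return (s["fail_ratio"] > fail_ratio and s["single_shot_ips"] > single_shot
            and s["user_spread"] > user_spread)

# Constructed traffic. Normal window: three users, one of them mistypes twice.
NORMAL = [parse(l) for l in ["10.0.0.5 alice Firefox SUCCESS"] * 6
          + ["10.0.0.9 bob Chrome FAIL"] * 2 + ["10.0.0.9 bob Chrome SUCCESS",
          "10.0.0.7 carol Safari SUCCESS"]]
# Stuffing window: 40 IPs, 40 usernames, rotating UAs, one try each, 2 hits (5%).
UAS = ["Chrome", "Firefox", "Safari", "Edge"]
ATTACK = [parse(f"203.0.113.{i} user{i} {UAS[i % 4]} "
                f"{'SUCCESS' if i in (7, 23) else 'FAIL'}") for i in range(40)]

if __name__ == "__main__":  # per-IP limit blocks nothing; only the aggregate view flags it
    print(per_ip_rate_limit(ATTACK), is_campaign(NORMAL), is_campaign(ATTACK))
```

The per-IP limiter still catches a single-source brute force, which is why the aggregate signals are meant to run beside it rather than replace it.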
THE PROBLEM: WHO IS A TARGET OF MALICIOUS AUTOMATION?

At Stealth Security, we believe that every major e-commerce company needs protection from malicious automation today, and every company transacting online will need it tomorrow. Let's break down a few of the key characteristics and industry verticals of the targets most vulnerable to malicious automation.

CHARACTERISTICS OF A TARGET SITE:
From the perspective of an attacker, the most common characteristics of a target site include:
* Data with intrinsic value: value stored in accounts or on the site in the form of money, reward points, miles, game character value, etc.
* Many user accounts: large populations of user accounts, accessible through the web.
* Scrapable data: valuable data for scraping like retail item prices, sensitive personal data, ticket prices, and more.
* Web, mobile and API: the same functionality exposed across web, mobile and API channels.

INDUSTRY VERTICALS:
* Retail
* Banking/Finance
* Media
* Gaming
* SaaS
* Healthcare
* Technology
* Travel
[Figure: Anatomy of PII and Data Scraping. Automation targets account info (bio, email, password, account number), registration forms and price data. Evasion techniques: rotate timing; rotate users and devices; rotate user agents and IPs; use cloud providers and open proxies. The outcome is data extraction.]
BUSINESS CASE: ECONOMIC BENEFITS OF ELIMINATING MALICIOUS AUTOMATION

The direct economic costs to large enterprises of customer data breaches and abused accounts are well documented. According to a 2015 NuData report, incidents of account takeover jumped 112% in Q1 2015 year-over-year. Additionally, that same report cited that fake account creation fraud increased by >100% in 2015. Consistent with prior reports commissioned by the Federal Reserve in 2013 and LexisNexis in 2014, the cost of account takeover attacks was over 4.7 billion in 2013, affecting >2% of global consumers, and rising rapidly with an increased volume of attacks.

Stealth Security's leadership believes there are further benefits to detecting and mitigating malicious automation. Malicious automation can wind up constituting a significant percentage of traffic in certain application server pools (up to 80% in some cases); therefore web and application infrastructure can be significantly overprovisioned. Economically, recapturing this excess capacity can be a worthwhile investment: potentially millions of dollars of infrastructure may be reclaimed for legitimate use. Furthermore, eliminating malicious automation without introducing revenue-reducing user friction points prevents damage to brand reputation, user experience, and the associated economic costs that come with a high user drop-off rate. Likewise, the damage to brand reputation that results from a data breach in the form of malicious automation is in many ways unquantifiable.
For those companies whose core business depends upon the confidentiality, integrity, and availability of customer data, leaving any channel susceptible to attacks like account takeover, fake account creation, or theft of value and PII is simply an unacceptable level of risk.
HIDDEN COSTS OF MALICIOUS AUTOMATION
Example: Account Takeover Attack

* Successful account takeover attacks: an attack campaign typically results in a success rate of 3% - 8%. These compromised accounts amplify the costs of malicious automation through fraud activities.
* Fraud: includes chargebacks, cancelled transactions, customer reconciliation efforts, and other attempts to recuperate loss.
* Remaining attack traffic: the vast majority of malicious traffic results in failed fraud attacks but carries a guaranteed indirect operational cost regardless of any possible account breaches; it often consumes 10% - 30% or more of website resources.
* Support costs: ATOs, fraud, and other account abuse greatly increase customer service contacts, security reviews, and operational changes.
* Brand damage: account abuse as well as media attention on large-scale attacks leads to low customer retention and adoption.
* Aggregate operational cost: Network + Infrastructure + Engineering = Operations Costs.

TOTAL INDIRECT COSTS OF MALICIOUS AUTOMATION: Operations Costs + Support Costs + Brand Damage + Fraud = Potential Savings
CONCLUSION

The economic argument for solving the malicious automation problem highlights the case of criminals using sophisticated and highly reproducible tools to attack the web/API/mobile properties of enterprises across all major industries. Because today's solutions are ineffective, criminals have devised many crafty exploits that go undetected by traditional security solutions. That's why Stealth Security is revolutionizing the fight against malicious automation.

Learn more about Stealth Security and our innovative solution, Velocity Manager, at: www.stealthsec.com

Stealth Security, Inc. 2016