
BSidesMCR 2019: I Like Big Bots - James Maude

BSides Manchester, 52:34, published 2019-09

Transcript [en]:

Hello, how are we doing? I'm already ready for the after party. Yeah, we've survived nearly a full day of BSides, well done. So my talk today is I Like Big Bots. We're going to talk about automated threats against web applications, specifically those looking for attacks against business logic. What interested me when I was looking at what to present at BSides was: I did a webinar with Scott Helme, who, thank you for not going to see his talk, by the way, it's very kind of you, his ego is big enough already. But I did a joint webinar with him and we got talking about the bot threats, and he was saying, oh yeah, but you know, we solve this with CAPTCHA, or we do this with

rate limiting. As we went through this conversation I actually realized that there are a lot of people who make assumptions about the way these automated threats attack websites, and they build web applications a certain way and don't always think about it in terms of the risks to the business that these different types of attack pose. So, as full disclosure, I work for a company called Netacea, based here in Manchester, and we use a combination of web log analysis and machine learning to look for automated behavior and help retailers, gambling sites, gaming companies and travel agencies prevent these automated attacks, things like credential stuffing, against their websites. So this is a bit of a tour of some of

the weird and wonderful things that I've come across in my research over the past few months, and really a bit of a thought piece around how you can think about these types of attacks if you are building web applications, if you have a business that runs online and you've maybe seen some fraud or weird behavior going on and are trying to work out what's happening: some of the things you can look for, and some of the common stumbling blocks where people will try and put in some sort of mitigation to stop an attack, and actually, depending on what information the attacker is after and how valuable the information within your site is to

them, they might just work around that in a novel way. So we'll start off with: what is a bot? What do people think about? There is a definition there: it's an automated, autonomous program on a network. Some people think about chatbots, about gaming bots and all that kind of thing, but this is specifically just some sort of automated interaction with a website, usually simulating the behavior of a real user. So, my research findings, which are obviously skewed because I work for a bot management company, so the people we talk to generally have some form of bot problem, so your mileage may vary, but on the websites that I've been looking at, around 53 percent of the

traffic hitting that website, that API, that mobile API, whatever it is, is a bot: good, bad, gray, indifferent, doesn't matter, it is automated. And when we start to work with those clients, around 61% of that 53%, if you can do the maths, feel free, are unwanted. They don't want them on there; they're just using resource, they're trying to break into things, they're trying to view systems, they're trying to conduct nefarious activities. And it's not always just some evil cyber criminal. If we think about the world of retail, it could be a competitor trying to get pricing. There are all sorts of different weird and wonderful things that go on with bots, and what's really quite frightening is

when we look at retail and travel specifically, when we look at the attempts to log into their sites, 9 out of 10 login attempts on the sites that I've been looking at from March to July have been from automated credential stuffing or account takeover systems. So a huge amount of traffic, a huge amount of requests going in there to feed things, to give information back that potentially you don't want: that's not a real customer, that's someone else trying to trick a system. So in simple terms, what do we have? We have a normal user, they have a browser, they make a request to a website. Fairly simple. But what we can do, of course, is add some script to

that, we add some automation. There are various frameworks for doing this; you can use the tools that many of you may have come across to do testing on websites. If you do QA internally, in house, if you build web apps, you probably automate a lot of your testing: tools like Selenium, all these kinds of different things that are out there. So you add a bit of script and suddenly you can make lots of requests very fast. That's the basic bot that's out there. Has anyone had any issues with bots? Has anyone come across them? So what kind of bots do you see? Anyone? Ticketing, yeah. So that's a great example: the ticketing industry

gets a lot of flak for bots, and it's interesting for them because, you know, people want to buy tickets to see the new act, but then ticket touts want to be able to buy these very quickly; there are often secondary sites where you can resell those. And the ticketing market is interesting because even with the online tickets, the QR code things that you try and do, the people who sell tools for trying to snipe those tickets and buy them up very quickly also often sell tools for amending the QR codes so that the detail looks different. So, you know, these things say you've got to bring ID, this is your name and address; people will sell you, for a few

hundred quid, a tool that can repurpose those and print out an exactly legitimate-looking one for, say, the O2 in London: here is your ticket, and we've put on it whatever name and address you want, whatever ID, and tampered with the QR code to make it look real. So there are some interesting ones with that. Any good bots that people have on their websites? No? Google, price scrapers, aggregators. You had one? Was that a bad one, in your pay-per-click? Yeah, so yeah, absolutely. So, you know, you get all sorts of bad fraud things; I'm going to start going through a few of these. Yeah, so you get search engines, you get things like uptime checkers, so you

know, these services you subscribe to to say: is my website up, is it performing? You might have some security scanning tools that fire off at your website and scan it and check if there are any known vulnerabilities, SQL injection, on your web systems. You might have partner services; you might work with third parties or business partners who need to get information from your site to resell your goods or services, so they might be using automated tools to go and query an API, or even just scrape your web pages. Website aggregators, price comparison: you know, a lot of these things, when we go on and we want to see what's the cheapest price we can get for something, they're

constantly scraping sites looking for this information. So as a retailer you might want to be on these, you might not. So this is the interesting thing with bots: you can't always just say this is a list of the ones I want, this is a list of the ones that are good and bad, because what's good to one business might be bad to another. And then on the bad bot side of things, things like spinner bots, and these are kind of interesting. This is the idea of inventory hoarding, and if you're interested in this there's a link and some things around these attacks and the interesting things that can happen. But things like spinner

bots are interesting because an attacker builds a bot, well, I say an attacker, a lot of this stuff is a gray area, a lot of this stuff is legal, because on these websites you can do things. But if you've registered for this event today, it went through Eventbrite, you put a ticket in a basket and you have to check it out within about 20 minutes. The reason you have to put 20-minute wait times on is that someone will see an event, or they will see a product, or they will see a ticket for a flight, they will put it in a basket, hold it there, keep it in the basket

whilst they're trying to resell it on another site. They'll only go through the checkout process once they've resold it on the other site for a profit. That could be quite a small margin, they could be making a pound per transaction, but this causes you a problem, because you're trying to sell an airline ticket and it looks like all your inventory is exhausted because it's in people's baskets. You can't have 10 people check out the same seat on a flight at the same time, so you have to hold it for a period of time, but these bots are constantly trying to recycle this. Same with ticketing: you might add a ticket for an event, you know there's a flash

sale, you manage to get 100 of them in the queue with different IP addresses or something, you hold them there, you sell them on a third-party site, and once you've sold them you check them out. So from your point of view there's no risk, because you're only buying it once you've sold it for a profit. And of course you can scale that, you know, with the cloud, with all these different resources that are out there, very quickly. But as the person trying to sell tickets, or trying to sell airline tickets or whatever it is, your inventory can become exhausted. So with shopping and retailing, you know, there have been cases where retailers have actually used this against the competition to make it look

like the competition is out of certain hot items, because they're sticking them all in baskets, making them very hard for you as a customer to go and buy legitimately. So bots make the internet really unfair for real people a lot of the time, and of course, you stick up a website, you start seeing bots whether you want them or not; they're just constantly scraping the internet a lot of the time. Content harvesting: I don't know if anyone's come across this, but this is a big one. If you write quality content, a blog or a newspaper or something like that, quite often people will come along, there's a big setup in China for this, where they will scrape

sites, put them up on a very similar-looking news site, and they'll just have adverts on the sides, and they're making money off presenting your content, perhaps gated content: they might buy one account and stick it up there. So if you're a newspaper with premium content, they steal your articles, stick them up, and as soon as someone's searching for a hot topic it comes up, you've gone there, they're getting the advertising revenue. So it's your intellectual property, your stuff, that's been scraped and put somewhere else. Account takeover bots, which we just can't not talk about: account takeover is probably the one that most people have seen in the news

of late. This idea of credentials online: people constantly reuse usernames and passwords, so we'll take those, we'll stick them against different sites and use them to access goods, services, personal information. I'll go into this a little bit more in a second, but there are so many different variants of account takeover bots, it's just crazy. Some are broad-brush, targeting lots of different sites; some are built specifically for high-value goods and services. Scraping: just getting pricing information. Sneaker bots: so until I started at Netacea I'd never come across these, but now I have come across sneaker bots. Yeah, you see here a stylish kind of guy, you've got the hat, you've got the glasses. This is the thing with

sneaker bots: people have these high-value trainers that they go after, these limited releases or these kinds of different things that go on. This is a world that I'd never come across before, but there are huge amounts of money to be made and people trade them like commodities on the stock exchange. So there's a huge amount of tools, all of which seem to be developed in C# for some reason; I have no idea why, I don't know what it is about .NET developers and trainers, but you see all these things and that's what they're going after. So if you're a website selling some trainers and you're going to, you know, make a few quid on selling them, that's great, you obviously want them to be sold out. The problem is

a few teenagers in their bedrooms are basically firing a bot at you to try and buy them before anyone else. So instead of a few customers refreshing a page, you have one fifteen-year-old in a bedroom with a tool firing thousands and thousands of requests; you're under DDoS attack. If you're on some sort of shared hosting or platform, which a lot of retailers are, you know, Shopify and things like that, you can cause a major problem to them and to other retailers. So although it's great that they sell out of things quickly, just because a teenager wants a pair of trainers, and I'm saying teenagers, it could be anyone to be fair, but they are phenomenally ugly trainers, some of these

things they're going after at such a great rate, there's a volume of traffic hitting your site, and how do you tell what's real and what's not? There are various checks people try and put in place, but especially in retail you don't want to do anything that slows down that user journey, that makes it harder for someone to check out, because they'll just go somewhere else a lot of the time. Account creators: so again this is often related to sneaker bots, but a lot of websites offer limited releases, or they'll offer raffles, or they'll offer something like that where by creating more accounts you have an advantage. So again people automate this, and if you look there are lots of things

online, like Better Nightbot and all these other services and software that's out there that is designed for automating this process of creating lots of fake accounts to maximize your chance of "copping" some new kicks. I use the air quotes because I don't feel comfortable saying that. Carding is another interesting one: stolen credit card details. You have a small website and you're selling some legitimate small goods, you're crafting some things, nice paintings or something like that, but you have that page where someone can enter card details. Attackers search the internet for these. So as a retailer, if you have a way that people can get to an "add a new card to your account" page very easily, people use this to verify

dumps of stolen credit card data. Or, even worse for you, is when they don't know the full credit card details: they know the number, they know the expiry date, but they don't know the CV2 code on the back. Well, it's three digits, let's have a bot crack that for us, fire it, and when it comes up with valid card details, great, that one works. So that's a huge problem for you, because not only is your website being DDoSed, but your card payment provider might get very annoyed that you're being used as part of fraudulent transactions that they can link to you. Or maybe you're a retailer, and once they validate that the card is real, they then use that to buy gift

cards or something else, and then you get charged back. So fraud: your card payment provider gets very annoyed, they fine you, and when you come to renew, suddenly your cost of processing card transactions skyrockets. So just because you've added the basic functionality, in the modern age, of being able to buy something online using a credit card, you're being attacked. And if we look at the businesses out there that have hit the news in the past year or so around this, there's a real weird mix of companies out here. This isn't just banks, which people often assume; this isn't just high-value assets. Dunkin' Donuts has been hit twice in the past year, ready for it,

even as a donut company. Oh, clapping? Oh. [Music] Swing and a miss. OkCupid, TurboTax, Deliveroo, all sorts of weird and wonderful companies out there. If you've seen Deliveroo, Just Eat, there have been a lot of things where people have been using credentials to log into someone's account, then saying this food was terrible, I want a refund, getting the refund, then using that to order, or if they've got credit card details stored, maybe ordering food. There have been all these things where someone was buying; there's a great one where someone was complaining that someone had broken into their account and all they could do was buy cigarettes and beer from the store, and they were on one of

these delivery services, and they were complaining the attacker had no taste whatsoever. But it's weird and wonderful things like this, and again, you know, as security professionals we might just be sat here screaming "two-factor authentication" or something like that, or CAPTCHA or things like that, but again, these people operate in a very competitive marketplace, and if they do that and disrupt the user journey it means people will go to someone else's apps, so it becomes quite difficult. HSBC obviously; Nest was a funny one. You see these companies have hit the news saying they've been hacked, and you often see this: carding, "hack", all these things, account takeover, there's often the word "hack" involved, and "breach", and

these companies, who effectively have suffered the wrath of a user using "password123" and the same email they've used for everything, are suddenly being introduced into the news, into the media, as being breached and attacked. And you kind of think, well, maybe that's a bit unfair, but it's huge PR damage. Nest was an interesting one: there was a case where someone claimed that Nest had clearly been hacked and breached, and actually this lady had just used her normal username and password that she used for everything else, and some person had thought it was very funny to log into her account and start yelling at her through the cameras that there was a missile strike coming into San Francisco,

and she panicked and threatened to sue Nest, and all this kind of wonderful stuff happens: reputational damage just because they've used a rubbish password. Spotify is a really cool example; streaming services, all these kinds of things, they're an interesting one, because they're kind of a two-pronged problem. One part of the problem is that these accounts hold value. Has anyone got a Spotify family account? Yeah, one person, a few people. I bet you don't use all of the allotted slots, is it six, I think, on a Spotify family account? So usually people have empty slots. If you've used the same password for anything else, have a look when you get home, log in and see if

those have been sold. Usually we can find at least one person who's had that happen to them, sometimes several times. True story: a friend of mine had it happen. They got the other accounts in their Spotify family thing sold on; some attacker then got greedy and actually sold on their master account that the main account was associated with. Smart speakers play music, and even if you're on a remote device you can take over control of playlists, so they're sat at home listening to music and suddenly Cradle of Filth comes on. If you've not heard of the band Cradle of Filth, do not Google it. But then you end up in this weird DJ battle with someone trying to

listen to things. Someone I work with currently, she found out her account for a streaming service had been hacked because every time she logged in the language had been changed to Spanish and someone was watching streaming videos using her account. So, you know, weird and wonderful things like that. The second problem, and this was covered at DEF CON this year and it's really interesting, is what happens when you ring up the bank and start doing the security verification: one of the questions they tend to ask you is what's a recent charge that's gone out of your account. So if you can take someone's username and password that they use for everything, find a few accounts that they use, get

access to them, you don't need to do anything with them other than say: I know 9.99 goes out on the 26th of the month, so when I ring up the bank and pretend to be them I can give you this list of all these services, all these payments that are going out. You know, you can see the last four digits of the account it was associated with; you can start to use these as basically a free intelligence source. So you can build up a picture of someone, starting just with a compromised username and password, through a lot of online services; something's bound to stick, and then you can start to get their home address, their date of birth, recent financial

transactions, all this kind of thing. Some of the examples up there: Transport for London took down their services earlier on, I think it was very recently, yeah, dated the 8th of August, because they were suffering a credential stuffing attack, and they got a lot of grief for this, people saying, well, if you can't handle this, and all this kind of thing. But these attacks can be massively volumetric; you know, they're just throwing data at you, so every time there's a new source, a new dump of credentials out there, it can become a problem for you. And things like software licences: you know, if you've ever been on these websites, or you go on

eBay and someone's selling a cheap Office licence, sometimes these things can come about because an attacker has bought some that they can cash out very quickly. You know, they'll break into gaming accounts to get, you know, the loot boxes or whatever it is you've built up in your collection. You know, online gaming is a very popular, competitive thing, and I'm not going to blame teenagers again because that's just mean, but there are a lot of teenagers who are just going online and they want to steal things from other people's accounts. A lot of the time you can't trace where these things have gone to in games, so you steal all their swords and possessions and magic

wands, transfer them to your account, job's a good 'un. And cheese: this is one of the weirdest fraud stories I've ever heard, where someone found there's a cheese wholesaler who was having fake card details processed through their card system, so basically people were using it to validate stolen card details. Then when they found that one was valid, they tried to order cheese for same-day collection. And if you think about a lot of those things that are out there where you can order something and go collect it from a physical store: if you can use a stolen credit card or account, go and pick up a TV or a large lump of cheese, we're talking like a round for restaurants here, walk out, sell it for

cash value, and then you've made a profit from a username and password you found on the internet. So, you know, there are all these weird things that happen by people trying to cash out. And initially, when I started noticing this, when I started looking into this, I thought, we've all heard of this, you know, it's all on the dark web and these secret marketplaces, I'll infiltrate them, I'll do all this cool research. And then I found, just by Googling, you can find shops like this one; this isn't on the dark web, this is a normal website where you can buy and sell stolen accounts. Technically they'll say it's accounts you don't really need to use, or accounts you don't have a use for, where, you know,

you want to just sell on. But if we start to dig into this and look at what they're selling: oh look, Dunkin' Donuts, I wonder why they've had two credential stuffing attacks that resulted in account breaches. And again you can go and buy loyalty point scheme accounts for Starbucks, Subway, UK and Ireland Subway, so you know this isn't necessarily just an American problem, for a fraction of the retail value. So you go on, you can buy some stolen accounts, or some points can be transferred to you, you can go in and buy physical goods in the store for a fraction of the price, because they give you a login username and password that's valid. The other thing is, these aren't just

like fly-by-nights; these are people who've built a business model around this. They offer support; they will say if it doesn't work for you we'll give you a replacement within so many days, you know, you've got 24 hours to use it, if it's not valid we'll get you sorted out. And has anyone been on holiday this year? Anyone? Yeah, where was it, sorry? Florida, lovely. So you could have gone there at a fraction of the price, thirty percent of retail. And again this is breaking into point schemes using combinations of usernames and passwords and then reselling those on, and what they do is they hoard points from hundreds of thousands of accounts, so

they have a bank of them. And this has really taken an uptick since all the Bitcoin instability: where people used to hold things like Bitcoin, quite often now they're holding loyalty points, because they can do this. So they can buy a flight at the very last minute for you, or a hotel, or a travel package; by the time you've got on the flight and gone off, or you've stayed in the hotel that night, by the time the fraud team picks it up two or three weeks later and they realize something's gone on, I'm being told I'm off camera, sorry, by the time they realize something's gone on, you've disappeared. So what happens? Well, someone has to pay for it, so the loyalty point

scheme has to pay off the hotel and then they have to refund the customer whose account has been stolen, and they get hit twice with it. So it's a really expensive thing to happen if you're running one of these schemes, and there are actually huge amounts now of dark web travel agents. So when we start looking into it, they have fantastic branding. So this is one of my favorites; I always liked finding weird art on websites. There used to be one for a ransomware strain that we tracked in our malware labs for a long time, and they had a pumpkin with a Ferrari logo on it, like a pumpkin carriage with a Ferrari

logo. Wonderful. Anyway, so Patriarchy Travel here, who obviously, you know, with the Russian Orthodox Church and Mercedes and luxury jets, visit all parts of the world. But you start to dig into these things and they're offering all these things: it's 30% off. You see people talking about, you know, the reputation within this scene, and here we have someone selling multiple point schemes, and actually what we've noticed is there are more and more entrants to this market, which is actually driving the price down. So these people are selling accounts at 5% of the retail value of the points, so they're just, you know, just giving them away basically, so you can get access to these loyalty point schemes that you can then use to do all sorts of

other things. They'll tell you they have five thousand, you know, feedback reputations; they will give you the credentials, and if they don't work they'll sort you some others out; they will guarantee things for you; they are certified, you know, these are people with good reputations on these online services. So it's really quite interesting when you start to dig into this, and they specifically call out that, you know, they're worried about the fluctuations and volatility of Bitcoin when you're paying for these. And it can drive something: sneaker bots, which we talked about briefly. So sites like StockX: now, StockX is interesting, a legitimate site selling goods and services, but you can see they're tracking people's different

users' market volumes, so that you have trainers and watches and designer things. There's a company called Supreme who, in my research, I discovered sell a brick, a household brick with the word Supreme on it, and it sells for a hundred pounds. So maybe it's nonsense, who knows, maybe I just don't understand these things, but you can go on these and they have like stock market checkers, so the price of a rare brand of trainers goes up and down and, you know, there's advice on what you should buy. But then there's the software that you can actually buy, for a few hundred pounds usually; it's kind of interesting that you can use this to automate attacks

against, as I say, "attacks", automating buying against different shops. You put in the size, the trainer you want, that sort of thing, and it sits there constantly polling the site; as soon as they're available it tries to buy them, and you can give it card details so it will go through the full checkout process automatically for you. Again, these are built in .NET, and what's interesting is these people who build their software for doing the bots, in the higher end of the sneaker bot market, do the same tricks that the sneaker retailers do: they try and drive scarcity. So they do limited releases of their software and say this software is sold out. Now, you

know, as someone who's worked in the software industry, I've never come across software selling out before, but they will tell you on their site: this particular one is one of the more popular ones, Cyber AIO, it is sold out. This particular software we're looking at sells for nearly $3,000; I've seen people advertising that, because they're that desperate to be able to automate these processes. And interestingly enough, there are also cloud services designed to support these, so they're doing the same tricks that people doing real-time trading are doing: they're talking about millisecond advantages, they will tell you their data centers are closest to the data centers of the retailers that you're looking to buy from. So they're talking up a

millisecond advantage, and then they're running on a Windows OS, but again, because .NET and Windows, it guarantees that all sneaker bots are supported, because for some reason they're all built for Windows. But then what happens is the retailers fight back, and they try and do weird things to throw the bots off. So they will put up fake listings that say: hey, real human, whatever you do, don't buy these trainers, this isn't real, this is just the left shoe we're selling. Now, the bots don't know this, so they will buy just the left shoe. There's a great thing on Twitter where there's one retailer who got fed up of these bots just buying up and all the customers complaining

they could never buy these limited releases of trainers, so he put up a pair of trainers at 9,999 dollars, and guess what, a bot checked it out straight away. He actually just put this up as a ploy and said don't buy this, this is the real link here. Interestingly as well, if you look at some of the ways that the sneaker retailers have tried to get around this, obviously they want to sell sneakers, but they want to kind of make it fair for people, and they'll put in things like queueing systems, so you are held in a position, and some of the bot tools will offer to bypass that queue: they know how to put in basically the right PHP or whatever

web code to add it straight to a basket and check it straight out. So there are all sorts of clever bypasses that they've started building in, and there's one interview with someone who is in the sneaker bot industry, and, you know, these are large organizations now, these are groups of people, and they basically do group buys and club together to cop things at retail and all this sort of stuff, and they said: we're at war with Akamai. That was his view; he saw it as a war with the vendor who was trying to do the CDN and the WAF solution to stop them buying trainers as easily. So let's do a little

bit of an exercise here. And how am I doing for time? We're doing okay. So when I talk to people about how would you become one of these bot herders, effectively, how would you start to do this, and, you know, when I talk to people in infosec it's often like, well, I'd start by, you know, building my own Mirai botnet, and then I'd write this code here, and then I'd be doing this phishing campaign to gather emails. It gets very complicated very quickly, so a lot of the time people think there's a really huge barrier to entry, that it couldn't just be anyone launching this attack, this is sophisticated attackers. So let's have a look at that. So we'll

start off by trying to find ourselves some credentials to use online. We're going to very carefully make sure we haven't selected Google Image Search, and we're going to Google it, and we're going to find this nice little Twitter bot here which just trawls Pastebin looking for dumps of credentials. So often attackers will put on samples of larger sets to prove they have good, valid details that you can use online. So we're just clicking through here and we're seeing huge amounts of accounts, hundreds and thousands of accounts, just being kicked out there online. So we now have a list of credentials that we could start to use, and of course the big retailers, the

banks people will always be testing that but if you can think of a niche service or something that's a little bit off the beaten track you could try them against that and maybe that's your sweet spot for account takers and if we google combo lists the first thing that comes up is a YouTube tutorial on how to get great combo lists how to sort them out how to do these things so you know just with a little bit of googling we're suddenly getting taught how to start in the world of cyber and account takeovers now of course we don't want to do this from our own IP address we need some sort of proxy to

traffic out through. So if we were on, for instance, Sentry MBA, which is one of the common account takeover tools, we'd maybe go on their forums, and there's people there again offering free proxies, just to try out their proxy network. Sometimes these are built from malware-infected devices, Internet of Things devices, MikroTik routers (if I come across another MikroTik router I might cry, because they all seem to be infected with something), or we just find these proxy lists that are online. So there's plenty of ways for us to very cheaply, in this case freely, become anonymous and have a list of credentials. Now how do we automate this, how do we put this

together? Well, I mentioned Sentry MBA, that's one of the tools that was very popular. One I'm finding more interesting at the moment is SNIPR. Again, we're not on the dark web or anything so far, we're just on the plain internet, we go here and we find that there's this "account recovery made simple" toolkit that specifically says it's for using a technique known as credential stuffing. It has a modern UI, it has Joe's favourite AngularJS, it has all this instant customer service, they're always online, and it costs $20 in Amazon gift vouchers. So for $20 of Amazon gift vouchers you get this tool, or you go on The Pirate Bay and find a cracked

version for free (if you're doing that, use a VM: loads of them are loaded with ransomware and all sorts of nasty stuff). But what's really interesting with these tools is they come pre-configured with templates for popular websites. They also have a community program where, if you want to upload your own template for a particular website you've found, you can put that on there, and what that does is it basically maps out the input fields and the output, so it works out where it needs to stuff the credentials in and then, if they can validate, what information it needs to pull back out of there. So we see a lot of prominent retailers, a lot of prominent

websites on there that we could go after. We won't go through them all, but it's interesting, because some of them you see marked up with things like "silent fail" or "silent ban", so these are retailers who are trying to stop you being able to see whether you've been successful with your credential stuffing; they're kind of wise to this already and using different techniques. What you'll notice, if you look through the different configs, is that instead of the main website, increasingly they'll reverse-engineer mobile apps and APIs and go after those. So people have put in all these CAPTCHAs and user behaviour stuff on their websites, forgetting that they've got a mobile app that talks to an API, and the attackers are just

spoofing that user agent and pulling the data out there, validating credentials over there while no one's looking. And if you look at the trends that are out there, PSD2, open banking, we're seeing more and more APIs being opened up, where we see our perimeter extend out to third parties who'll be taking those credentials and validating them, and it's really interesting. So if you take this up (we did a video recording of this), you basically put in your proxy network, you put in your list of usernames and passwords, tick the services you want to try and attack (a lot of those were UK sites, UK retailers; in this case it's

a video streaming service), and it's checked 168 credentials per minute using a thousand out of 1,400 proxies, it's had two hits, and where it says "capture" at the top, it's telling you what those accounts have access to. So it'll tell you the points balance if it's a loyalty point scheme, or a bank balance, or if it's a streaming service it'll tell you do they have access to the 4K streams or the regular streams, all this kind of thing. So very quickly you have a list of all the accounts that are compromised, that you can then go on and sell, and there's this kind of evolution. You know, this is the stuff that you can find freely and

easily on the normal internet from basic services that you can just buy, but as we go through it attackers get more and more sophisticated, so that's kind of the lower tier of the market that's out there. And like I said, there's the attack surface that you've got. When we think about risk, and this is what I'd encourage people to think about, we too often focus on the website, you know, what can we do around our website, and then we've got a mobile app, or a third-party-built mobile app, that talks to an API of ours, and we forget that suddenly we can't put our own user behavioural SDK on

there, or something else complicated, and then we have an API that some other service talks to, or then we have some business partners or third parties who talk to our API. So suddenly you've got a loyalty points API that supplies out to lots of different businesses, they're all subscribing to the same thing, you're kind of the central point, but any one of those can be used to conduct stuff against you. What are they doing to protect the data that you're supposed to be keeping? You know, I don't need to tell you this, but there's a phenomenal uptick in API usage out there. So when we look at defences: blocking, limiting. This is what a lot of people think about

doing: they think about rate limiting or blocking bad user agents. The problem with this is that most of the information people rely on is client-side information, such as the user agent, you know, what capabilities it has; it can be spoofed, it can be faked. If you rate limit, I can distribute through a proxy network, so I can start to slide under your rate limiting if I want to. CAPTCHAs are good in specific scenarios where you're protecting something like a login or some piece of information like that, but there are CAPTCHA farms out there, like 2Captcha, where fifty cents gets you a thousand CAPTCHAs solved by a real human being. It takes about twenty to thirty

seconds for them to see it: you send them the image and they send you the text back, and in the tools this is built in and automated, so you're automatically cracking CAPTCHAs there. You know, there's the joke that someone's put up about "congratulations, you've got your page load time down to 100 milliseconds", that's 100 milliseconds and then you've stuck a CAPTCHA challenge on there, or something like that, which takes even 30 seconds to solve, so it becomes a problem for you. And then there's the clever stuff, the user behaviour, the JavaScript in the browser, so it's checking your mouse trails, it's checking whether it's a real browser, is it a headless system, all this kind of

thing. The problem is, again, you kind of have to send that to the attacker, and they're processing it, reverse engineering it, and spoofing the response back to you, or they're doing a Mechanical Turk, getting real people to move the mouse around, so you get a real user with a valid cookie set for the session, and then they will just automate the rest. So there's lots of ways around this. And when we've worked with organisations, one of the things that we've come up against is "we've done all these things and we're still seeing huge volumes of traffic that we don't understand". Well, let's have a look at your system. "Well, we've got this list of stuff that we definitely want whitelisted."

So we whitelisted Googlebot, you know, "we were advised to do this by this analytics package that said we want to maintain our search engine ranking". They look alright. If you're looking at the logs you can see that it's a valid user agent; if you Google those, that is a valid Googlebot user agent. If you do a WHOIS lookup on the organisations behind those, it's not Google. So this was a particular website I was looking at recently, and they had a huge amount of traffic coming from competitors who were all pretending to be Googlebot, because everything coming from Googlebot was whitelisted. They didn't want to stop Google crawling their site, so they did it by

user agent, which can be spoofed. Verifying Googlebot, if you want to do that, you have to do a reverse DNS lookup and see whether that's actually coming from googlebot.com or google.com, because the really clever attackers will actually try and use Google data centres to send spoofed things out, so when you do that WHOIS lookup it says this is definitely still Google, but it's not actually Googlebot, it's something using a Googlebot user agent from the Google cloud data centre to appear like Googlebot. So it becomes very, very strange very quickly, and a lot of the tools we have in place, when we're thinking about this in terms of IP and user agent, that's not a very good way for us to think about it when we're looking at business logic attacks like this.
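The Googlebot verification just described, written out as an added example (this is editor-supplied code, not something shown in the talk or published by Netacea). The check is the standard two-step one: reverse-resolve the client IP, require the PTR name to sit under googlebot.com or google.com, then forward-resolve that name and require the original IP to come back, because whoever owns an IP block also controls its PTR records and can point them at any name they like. The DNS table, the log lines and the IP addresses are all constructed for the example; the two `live_*` resolvers show how the same functions would be wired to real DNS on a real log.

```python
import re
import socket
from typing import Callable, Dict, List, Tuple

# Hostname suffixes Google publishes for its crawlers. Anything else, including
# *.googleusercontent.com (what Google Cloud VMs resolve to), is not Googlebot
# even though a WHOIS on the IP says "Google".
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

ReverseLookup = Callable[[str], str]        # ip -> PTR hostname
ForwardLookup = Callable[[str], List[str]]  # hostname -> list of IPs


def verify_googlebot(ip: str, reverse_lookup: ReverseLookup,
                     forward_lookup: ForwardLookup) -> Tuple[bool, str]:
    """Reverse-then-forward DNS check. Returns (is_genuine, reason)."""
    try:
        host = reverse_lookup(ip).rstrip(".").lower()
    except OSError:
        return False, "no PTR record"
    if not host.endswith(GOOGLE_CRAWLER_SUFFIXES):
        return False, f"PTR {host} is not a Google crawler hostname"
    # A forged PTR can name any host; the forward lookup must return the same IP.
    try:
        forward_ips = forward_lookup(host)
    except OSError:
        return False, f"forward lookup of {host} failed"
    if ip not in forward_ips:
        return False, f"forward lookup of {host} does not return {ip}"
    return True, host


def live_reverse_lookup(ip: str) -> str:
    """Real resolver for use on a live log (not used by the offline sample below)."""
    return socket.gethostbyaddr(ip)[0]


def live_forward_lookup(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Combined-log-format line: client IP is the first field, user agent the last quoted one.
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')


def audit_log(lines: List[str], reverse_lookup: ReverseLookup,
              forward_lookup: ForwardLookup) -> List[Tuple[str, bool, str]]:
    """For every request whose user agent claims to be Googlebot, run the DNS check."""
    results = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "googlebot" not in m.group("ua").lower():
            continue
        ok, reason = verify_googlebot(m.group("ip"), reverse_lookup, forward_lookup)
        results.append((m.group("ip"), ok, reason))
    return results


# ---- Constructed sample data: not real DNS answers and not a real access log ----
SAMPLE_PTR: Dict[str, str] = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",     # genuine crawler
    "35.190.0.9": "9.0.190.35.bc.googleusercontent.com",  # Google Cloud VM, WHOIS says Google
    "203.0.113.10": "scraper.competitor.example",         # competitor spoofing the UA
    "192.0.2.5": "crawl-66-249-66-1.googlebot.com",       # forged PTR pointing at Google's name
}
SAMPLE_A: Dict[str, List[str]] = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "9.0.190.35.bc.googleusercontent.com": ["35.190.0.9"],
    "scraper.competitor.example": ["203.0.113.10"],
}


def sample_reverse_lookup(ip: str) -> str:
    if ip not in SAMPLE_PTR:
        raise OSError("NXDOMAIN")
    return SAMPLE_PTR[ip]


def sample_forward_lookup(host: str) -> List[str]:
    if host not in SAMPLE_A:
        raise OSError("NXDOMAIN")
    return SAMPLE_A[host]


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/76.0 Safari/537.36"
SAMPLE_LOG = [
    f'66.249.66.1 - - [10/Sep/2019:10:00:01 +0100] "GET /trainers/limited HTTP/1.1" 200 5120 "-" "{GOOGLEBOT_UA}"',
    f'35.190.0.9 - - [10/Sep/2019:10:00:02 +0100] "GET /trainers/limited HTTP/1.1" 200 5120 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.10 - - [10/Sep/2019:10:00:03 +0100] "GET /trainers/limited HTTP/1.1" 200 5120 "-" "{GOOGLEBOT_UA}"',
    f'192.0.2.5 - - [10/Sep/2019:10:00:04 +0100] "GET /trainers/limited HTTP/1.1" 200 5120 "-" "{GOOGLEBOT_UA}"',
    f'203.0.113.10 - - [10/Sep/2019:10:00:05 +0100] "GET /basket HTTP/1.1" 200 812 "-" "{CHROME_UA}"',
]

if __name__ == "__main__":
    for ip, ok, reason in audit_log(SAMPLE_LOG, sample_reverse_lookup, sample_forward_lookup):
        print(f"{ip:15} {'GENUINE' if ok else 'SPOOFED'}  {reason}")
```

Only the first sample line survives: the Google Cloud VM fails on the PTR suffix even though WHOIS would say Google, the competitor fails on the suffix, and the forged PTR passes the suffix test but fails when the name is resolved forward. On a real log, cache the verdict per IP; the check costs two DNS round-trips and the genuine crawler ranges change rarely.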

Here's a nice example of someone who thought they'd stopped an attack from Russia. They basically hit a rate limit and they started blocking these Russian data centres. So this spike on the left, this big green one, this was some data centres in Russia, this was a few different IPs, and they basically hit a ceiling and they started blocking off this Russian data centre and thought the attack was over. But look what happened after they thought they'd blocked the attack: the attacker had basically worked out where the ceiling of their rate limiting was for single IPs, and then just distributed the attack from multiple

geos, all sliding behind an invisible line just to stay under that rate limiting. So they were missing a big chunk of the attack because it suddenly went distributed on them. How do they do tricks like this? Well, one of the cool things that probably not a lot of people have come across is these residential proxy networks. So this one here: one hour free test, whitelisted proxies, they guarantee not to be on any threat intelligence reputation feeds, they're guaranteed to be mobile operators' and domestic IPs, for some mysterious reason they are anonymous without usage logs (wonder why), and guaranteed to be a hundred percent whitelisted. So you think, where are they gathering all these things from?

Well, if we start to look at mobile app stores, you can monetise apps: you can stick adverts on them, you can charge people for them, or we can add an SDK like Monkey Socks, noted here, which allows you to monetise your app by sharing a small amount of the user's bandwidth when their battery is above 70%, they are not using their device and they have a decent, stable connection. So you have to warn users with a little bit in that long terms and conditions, which we all read in great detail, and put a little notice on the Play Store, but then suddenly your friends and relatives who downloaded a free app thinking this is a cool game,

this is whatever, are part of a botnet that allows an attacker to come out from their home connection. So if that IP gets blocked that's going to be a problem, because if you're trying to shop and attackers are using that same connection to attack the site you shop on, how do you tell who's good and who's bad? It becomes really tricky. And then we come across Hola VPN, a peer-to-peer free VPN service; I think they claimed 191 million people worldwide. And there's an interesting case with Hola VPN: obviously people think, well, what's the problem, the VPN's only going to get one exit at a time, but it's free for a reason. They have a

sister company called Luminati who then use those and sell those for legitimate, legal scraping services, so you can choose a city, you can choose a mobile network, you can choose a great level of detail, and you can use that as your proxy network. So suddenly the things hitting your website aren't coming from some evil Russian data centre or, if you've ever dealt with this before, things like DigitalOcean and the common offenders; you've got residential domestic connections, mobile networks, that people can use, and it becomes very hard to stop those attacks. Again, I must stress, Luminati do say in the terms and conditions it's for legal purposes, for scraping, for competitive intelligence, things like that, so I'm not saying that they're doing

bad things, but it's interesting that these networks exist and people often aren't aware of them. The JavaScript: so again, this is someone who said "oh, we've got this behavioural fingerprinting but we're still seeing bots come through", and that's some obfuscated JavaScript code on their system, but it's kind of trivial to start putting that into something and reverse engineering it. So we start looking at the code going, okay, it's checking whether I have real fonts available, what fonts do I have available, is this a real browser, is this a real user, and of course once you've worked out what the tells are you spoof those and send a response back, or you actually just automate with a real

browser. So this is another one, a Nike account generator tool. This is part of the sneaker bot thing, for generating accounts, and if you look in the description of it they're talking about the ways that they're using to bypass different systems. So they're doing things like, they've discovered that by changing the TLS version to 1.1 it bypasses the thing that was blocking them before, and they'll reverse engineer things and they'll do all sorts of different bits and pieces. If you actually look at the changelog, they had a takedown request, in this case from Akamai, on the grounds that they'd reverse-engineered the JavaScript, so you could see it in the source code. So it wasn't a technical thing, it was

done on the fact that they'd infringed Akamai's copyright by reverse engineering this JavaScript that validated whether you're a real user or not, and they'd put that in their tool, so you can see Akamai's script in their source code. You know, this is all online, available for people to see. And it's not just Akamai, of course; things like Cloudflare, there's a library here, and there's a few scraping services out there that recommend you use this if you're going after a site protected by Cloudflare, and they do various different techniques to bypass Cloudflare's anti-bot pages. So it's this constant cat-and-mouse game: every time someone brings out a new thing, a new way to detect

whether it's a bot or a human, these people are constantly looking to reverse-engineer it. I'll just wrap up with a couple of other examples that are interesting. So when people think about these kind of account takeovers, these kind of attacks that are out there, they often think about just the web logs and what's going on there, but actually there are signals you can pull in from your back-end systems, your account systems. This was an interesting one where a website had a system where, if you had five invalid login attempts, they booted you for five minutes based on your IP; another five, and they booted you for 24 hours. And then they found the attackers, you know, for a brief period of

time, kind of backing off, but then they came back, and they were trying to work out what was going on. And then they looked at the number of new accounts being created, because it's free to create a new account, and what the attackers had done (you can almost work out what time zone they're in by the hours that they're doing this) is they're running scripts to create new accounts. So they were trying to credential stuff four different combinations of username and password and then use one that they've created, so they know it's valid; that gets you past the hurdle, so you're not going to be blocked. Another four, then one that you know is valid, so you're never going to hit that

five limit, because you're always sticking in, every fifth one, a valid user account. So again this is exploiting business logic: this isn't some clever remote code exploit thing, this isn't some unpatched vulnerable system, this is "you've got a business logic process that goes like this" and they've worked around it. Another one: you can look for tells from unusual geolocations and things as well. This was kind of an interesting one, this is a quite a large carding attack, so they were testing stolen card details. The big light blue line is the American data centres the attack was being launched out of. What was interesting with this one was this particular attacker, who we got to kind of know quite well.
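The lockout evasion described a moment ago (four stuffed credentials, then one self-registered account that is known to be valid, so the consecutive-failure counter never reaches five), as an added example that is not code from the talk. The first policy is the one the speaker describes: five invalid attempts per IP and a successful login resets the count. The second counts failures over a sliding window and ignores interleaved successes, so the throwaway account buys the attacker nothing; the 300-second window, the account database and the stuffing list are all assumed, constructed values. The last function shows the kind of back-end signal the per-attempt counter never sees: one IP attempting many different usernames.

```python
from collections import defaultdict, deque
from typing import Dict, List, Tuple

LOCKOUT_THRESHOLD = 5   # invalid attempts before an IP is booted (the figure from the talk)
WINDOW_SECONDS = 300    # look-back window for the hardened counter (assumed value)

# Constructed account database: two real customers plus one throwaway account the
# attacker registered for free, so they always hold one username/password they know works.
ACCOUNTS: Dict[str, str] = {"alice": "Summer2019!", "bob": "hunter2",
                            "bot-acct-01": "attacker-chosen-pw"}
THROWAWAY = ("bot-acct-01", "attacker-chosen-pw")

# Constructed stuffing list; only ("bob", "hunter2") is a genuinely reused password.
STUFFED: List[Tuple[str, str]] = [
    ("alice", "password1"), ("bob", "letmein"), ("carol", "qwerty"), ("dave", "123456"),
    ("erin", "iloveyou"), ("frank", "welcome1"), ("grace", "monkey"), ("heidi", "dragon"),
    ("ivan", "football"), ("judy", "abc123"), ("bob", "hunter2"), ("mallory", "sunshine"),
    ("oscar", "princess"), ("peggy", "baseball"), ("trent", "shadow"), ("victor", "master"),
]
ATTACKER_IP = "203.0.113.7"

Attempt = Tuple[int, str, str, bool]   # (timestamp, ip, username, login succeeded)


def build_attack_stream() -> List[Attempt]:
    """20 attempts from one IP, ten seconds apart: four stuffed pairs, then the throwaway."""
    stream, stuffed = [], iter(STUFFED)
    for pos in range(20):
        user, pw = THROWAWAY if pos % 5 == 4 else next(stuffed)
        stream.append((pos * 10, ATTACKER_IP, user, ACCOUNTS.get(user) == pw))
    return stream


class ConsecutiveFailureLockout:
    """The policy in the talk: five invalid attempts in a row block the IP, and a
    successful login resets the count, which is exactly what the attacker exploits."""
    def __init__(self) -> None:
        self.failures: Dict[str, int] = defaultdict(int)
        self.blocked: set = set()

    def attempt(self, ip: str, ok: bool, now: int) -> str:
        if ip in self.blocked:
            return "blocked"
        if ok:
            self.failures[ip] = 0
            return "success"
        self.failures[ip] += 1
        if self.failures[ip] >= LOCKOUT_THRESHOLD:
            self.blocked.add(ip)
            return "blocked"
        return "failure"


class WindowedFailureLockout:
    """Hardened: count failures per IP over a sliding window; a success in between
    does not wipe the history, so the interleaved throwaway login changes nothing."""
    def __init__(self) -> None:
        self.failures: Dict[str, deque] = defaultdict(deque)
        self.blocked: set = set()

    def attempt(self, ip: str, ok: bool, now: int) -> str:
        if ip in self.blocked:
            return "blocked"
        window = self.failures[ip]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                      # drop failures older than the window
        if ok:
            return "success"
        window.append(now)
        if len(window) >= LOCKOUT_THRESHOLD:
            self.blocked.add(ip)
            return "blocked"
        return "failure"


def simulate(policy, stream: List[Attempt]) -> List[str]:
    return [policy.attempt(ip, ok, t) for t, ip, _user, ok in stream]


def attempts_let_through(statuses: List[str]) -> int:
    """How many attempts reached the credential check before the IP was blocked."""
    return sum(s != "blocked" for s in statuses)


def distinct_users_per_ip(stream: List[Attempt]) -> Dict[str, int]:
    """Back-end signal: number of different usernames each IP has tried."""
    seen: Dict[str, set] = defaultdict(set)
    for _t, ip, user, _ok in stream:
        seen[ip].add(user)
    return {ip: len(users) for ip, users in seen.items()}


if __name__ == "__main__":
    stream = build_attack_stream()
    print("consecutive policy let through:", attempts_let_through(simulate(ConsecutiveFailureLockout(), stream)))
    print("windowed policy let through:   ", attempts_let_through(simulate(WindowedFailureLockout(), stream)))
    print("distinct usernames per IP:     ", distinct_users_per_ip(stream))
```

Under the consecutive policy all twenty attempts reach the credential check and the one reused password is found; under the windowed policy the IP is blocked on the sixth attempt. The username count (sixteen different names from one address in three minutes) is the sort of thing the speaker means by pulling signals from the account system rather than the web logs alone.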

They always used their home connection in Turkey to test the attack, and you can see the little spots here. So at the top they're basically working out the configuration for their attack, what they need to do: what the valid login page looks like, what the card-successful page looks like, what the card-failed page looks like, configuring it. The main traffic is going from the large American data centre, and every so often you can see the little blip when they log in to check whether, you know, the configuration is still valid, whether they need to tweak anything. But again, it's little things like that we can start to build a

picture of certain attackers with, and look for other signals in there. So it's not always about looking at the big body of traffic; it's "did we have a sudden spike in an unusual geo, was there something else that we've never seen before appear?" And this is why the company I work for tends to use a lot of machine learning techniques, because you can start to tease out some of these patterns relatively easily. So, am I still alright for time? Cool. So, summary at the end: bots require a bit of a different mindset. We often think of security in terms of remote code execution, have we patched this, have we got these ports open, you know, are we vulnerable to

SQL injection, but actually these kind of attacks require a bit of a different mindset: you need to be thinking in terms of your business logic processes and actually working out your risk. You know, I've talked about some quite scary tactics; a lot of these are against retailers or things with high value behind them, loyalty point schemes, streaming services, things like that. So if your company has a web app or service, think about it: you might not be as at risk, it might be perfectly reasonable for you to do some rate limiting and CAPTCHAs, some filtering of user agents, but just be aware of it. If you suddenly have some other value there

that the attacker might want to get to, that might evolve very quickly, and building defences in tiers is actually better. So you see some of the things that people fighting sneaker bots are doing: it's actually better to make an attacker think they've logged in successfully when they haven't, because the problem is, if you start playing block-by-IP or block-by-user-agent with these guys or girls, then you end up in a game of whack-a-mole, and what you can end up doing is almost DDoSing yourself, because they can just keep scaling. Whereas if you feed them false information, if you redirect them to a page with some junk information, if you build it in like a honeypot system, if you automatically

just trigger a password reset if you think an account is being compromised, then the attacker is in trouble, because when they try and resell that account it's their reputation that's damaged, and they'll just go after someone else; there's plenty of low-hanging fruit out there for them. So it's not always about just playing block at the IP level, block at the user-agent level, block at the data centre level; it's about building these processes into your account management systems. Client signals can and will always be spoofed, so you can't rely on them. They can still be useful for the less sophisticated attacks; you wouldn't believe the number of things where you look at the user agent

and it just says "python-requests". You know, that's probably not a real user with a real browser, is it? That kind of level of detail. And the other thing is, often these risks fall between the cracks in organisations: the marketing team sees that their marketing budget, that they've spent on that new email blast that's gone out to launch this new product, isn't doing quite the things they want, their analytics are skewed; the ops team are complaining that you've got all these hosting costs, that you're having to scale up all the time; there's all these different things; security is seeing accounts being breached; a fraud team somewhere is complaining that customers' accounts have been hacked.

It can spread across an organisation and there's no one clear, defined owner, and actually stopping automated threats is a benefit to the whole business. So if you look at the things by Forrester or other people recently, it's really important to start thinking about who owns this problem in your organisation and doing that threat modelling. If you haven't ever had a look at it, the OWASP Automated Threat Handbook has some really good starting points on how you can start to look at these threats, validate whether you have them, and build mitigation into your design process. So that's everything from me, thank you for your

time. Has anyone got any questions? Yes, so the question is, can you do something like encryption, or something like that, to make them receive a nice mathematical puzzle that they effectively have to solve. Yes, some vendors do do that, and we actually do something like that at our company occasionally: we do a proof-of-work to check whether they have valid JavaScript, get it to do a calculation and come up with a number, and again it's part of that technique of not necessarily blocking the attacker but consuming their resources. The problem is you tend to consume real users' resources

as well, a little bit, and attackers, if they're determined enough, can just run those things and do them, but yes, it's not a bad deterrent, and it sort of pre-filters out the low-level stuff, the headless stuff, the curl and no-JavaScript stuff, the things that can just do some basic simulation. So you can do that. If you look at some of the techniques that people have also used, people will look at the cipher suites that are presented and see if they match up with the user agent, things like that, so since you mention encryption, you can do things like that; some of the bigger CDN vendors often do that. So when you do

that initial handshake, do the details match up? You know, this user is saying that they're on Internet Explorer or above, they're on an iPhone, things like that. We come across that occasionally, where people really don't understand user agent strings. So yeah, you can do things like that; it's generally about what you can do to consume the attacker's resources and kind of make them go away a little bit. So the question is, when we're talking about the money coming back, is it cryptocurrencies most of the time? The answer is, it's a mix: yes, gift cards, loyalty points, it depends on who's doing it. There's

also different weird and wonderful payment schemes that they take. You even see some that will basically do this for you and take a percentage; with the sneaker bots especially, they'll operate everything for you, it's a managed service effectively, you get the sneakers but you pay them some commission, and that's real money and all that kind of thing. And in the past year or so there seems to have been a transition to things like loyalty point schemes and gift vouchers and things like that that they can store, and they hold value a little bit more stably than cryptocurrencies. You know, there's some really weird and wonderful things out there, and you do

see, actually, if you start getting into the gaming sector and gambling, people trying to do things with arb betting. If you're interested, have a look at Netacea's website and blogs on arb betting (one of our data scientists did it), and people will use this to basically try and launder money, make it look like gambling winnings, because they're trying to place bets they know they can win, or "this bookie has a free bet of this much, how can I offset that so I can't lose", and all sorts of weird and wonderful things like that, with people doing strange stuff to generate revenue or hide illegal gains. Yeah, multi-factor authentication: it slows them down. There have

been a few highly sophisticated attacks where people have used things to try and crack phone systems to get codes, and also to get one-time passwords, but it's very, very rare. The main problem is that it's this security-versus-usability thing, which I'm sure people are sick of talking about, but it'd be great if everyone could just jump on board and do multi-factor authentication. But in the world of retail and gaming and things, you don't want to make users think before they buy the expensive thing they probably don't need, so it's very hard to implement on some of those systems. Yeah, yeah, but the thing I always come back to is what

would my parents do if I presented them with one of those, and I know it would be sat under a coffee cup somewhere. So there is change, I agree that it is getting better, it's not as bad as it used to be, there are a lot less intrusive ways to do these, you know, biometrics, you can authorise payments with a fingerprint, and these are the wonderful things, they're trying to build fingerprint readers into cards and stuff like that, but it's going to be a long-tail problem, there's always going to be people for whom that kind of thing... So yeah, I'd love to see more of that, and then it becomes the challenge of, sometimes with,

you know, if it's an API and it's a mobile operator's or a third-party mobile app, where is the boundary, who is responsible for that, and it becomes a little more convoluted sometimes with those supply chain issues. But yeah, multi-factor authentication actually kills a lot of them, for the account takeover; for the scraping and, you know, other things, inventory holding, again it solves a specific account-based problem. Okay, I'm being given the time here so we'll wrap up, but I'll be sticking around for a little bit if anyone's got any more questions. Thank you very much for coming to see me.
