
BSidesSF 2026 - The Phantoms of the Fraudpera: An Overview of Anti-Detection Tooling (Bobbie Chen)

BSidesSF · 32:34 · Published 2026-05
About this talk
The Phantoms of the Fraudpera: An Overview of Anti-Detection Tooling
Speaker: Bobbie Chen

If you're seeing bad actors slip through your defenses, they might be using advanced proxies, CAPTCHA-solvers, anti-detect browsers, or device farms. This talk covers the hidden ecosystem of attackers' tools and how they factor into attacker ROI.

https://bsidessf2026.sched.com/event/16aab7db69327808d8ef8ebf80c06bbd
Transcript [en]

Good morning, ladies and gentlemen. We're going to start. Hope you guys are caffeinated well enough. Awesome. And thank you to my amazing team speaker. So, I will not take much of the time. Over to you. So, all right, folks, kicking things off strong with a title that already sounds like a cybersecurity opera. We've got Bobbie Chen speaking on the Phantoms of the Fraudpera. Just an announcement: drop your questions into slido.do. Make sure you're into Twitter for... That's how we're going to take Q&A. Over to you, Chen. Thank you. Hey everyone. I'm Bobbie. This is Phantoms of the Fraudpera. It's an overview of anti-detection tooling. And I do want to say thank you to the

program team for slotting me into the first slot, so you can hear Phantom of the Opera for the first time, because there are like 10 different talks themed around Phantom of the Opera. So, who am I? What are we going to talk about today? My name's Bobbie. I'm a product manager at Stytch by Twilio. I work on bot detection and fraud prevention. And today we're going to learn about anti-detection tooling: what it is, why it exists, who's using it, but also why it's important. As far as what that means for the agenda, we're going to talk about this in four big pieces. That fraud is a business. We're going to talk through a

motivating scenario, which will help anchor together the examples that I'll be talking through. I'll talk specifically about what those four categories of evasion and anti-detect tooling are. And then the conclusion: breaking the attacker's ROI, or return on investment. So, this is a 30-minute session. I hope I've planned this well enough that we'll have time for questions, but if not, you can always find me afterwards. So, let's get into it. Fraud is a business. And I think it is easy, as defenders, for us to think that fraud is something that is shady, that it's underworld dealings that are happening. And I think a lot of that comes from the

popular portrayals of both fraud and hacking as being these shady activities. You know, every hacking scene looks like there's a guy in a hoodie in a dark room typing on a laptop, right? Or there's some kind of shady back-alley dealing. But actually, a lot of fraud operates as a business. It's a money-making enterprise that people do. They do it because they like to, because it makes them money. And that leads to patterns that we would more often associate with our day-to-day lives, our day jobs working for businesses. And so, a lot of fraud is like our day jobs.

These are photos that come from Wired and Andy Greenberg's reporting on fraud centers in Southeast Asia. And here we see, okay, here's the office whiteboard. This is where we write everyone's names and their recent successful fraud attempts. You can see on the right side there is literally a gong in their office. When they close a great deal, or defraud someone of a very large amount of money, they get the honor of being able to hit the gong, so everyone in the office knows that they have successfully committed fraud. And so, when we talk about fraud, I think it's important to remember that this is not some individual person who's doing this for fun. It's not

someone who is doing this because they are uniquely situated and have all the skills and are putting together all the pieces in order to steal money from your organization, but rather these are dedicated organizations. They have SOPs, they have runbooks, they have standard ways of doing things, and they iterate on those over time in order to be better at what they do. And so today, we are here in San Francisco. In San Francisco, every single billboard looks like this. It is a B2B SaaS advertisement. It's about compliance that doesn't suck too much, or it's about feature flags for your business, or it's about some niche provider of some niche service that your business needs in order to go make

money off of what your main business is. And so, just by a quick show of hands, how many of you in this room use some kind of B2B SaaS vendor as part of your day job? That is just about everyone. And that's because there are too many things to be done, and most of those things don't have anything to do with your actual business. The value that you deliver to customers doesn't require you to be an expert on everything, all the way down to things like the electricity that you use to run your servers, or operating the data centers that run your services, or charging payments. All of those things are usually handled by B2B

SaaS providers. And so, with that in mind, I'm going to take you through a quick show of landing pages of tools that are commonly used by fraudsters and other attackers. Here's one. And I want to call your attention to a couple of things. We've got the huge banner with the tagline: manage unlimited social accounts without device limits. You can see, right in the center, you've got a great big call-to-action button, Get Started. In the upper right, you've got a trial for some very cheap trial price. You've even got, in the middle, ratings from different sources that rate different vendors. And what that means is that this looks exactly like any B2B

SaaS that you might be using today. You've even got this blue and purple vibe-coded color scheme that is super common. Let's take a look at this one. Here is a two-sided marketplace in which you can pay to have people solve CAPTCHAs for you, or you can be on the flip side and enter CAPTCHAs in order to make money on the side. This is not some kind of demonstrative thing that I hacked together. This is a real site. I know that people use this site, and it is used to bypass CAPTCHAs every single day. So, these are industrialized tools that are used at scale. Here's another one. Another great dark blue. You've got the

big tagline. You've got a couple of calls to action, whether you want the self-serve option or the talk-to-an-expert option. You have a bunch of your values that come across the bottom here. This looks like a B2B SaaS. And finally, here's one more. We've even got different pricing tiers. You've got the cheap tier, you've got the middle tier, you've got the professional, you've got the popular option, as well as the enterprise contact-us-for-sales. These are real operations, and I'm going to beat this into you a little more. Last one on this topic. Here, they have great documentation. They have documentation at the reference level, they have tutorials, they've got them

internationalized into every single language. You know, these are things that I would want for my own documentation site. And oftentimes, these vendors who are providing this kind of tooling have really good setups, because they're good at what they do, and they want to help other people do that in order to make money. And that is really the center of this entire economy. I've been saying B2B SaaS; what I mean is oftentimes bad actor to bad actor. So, the reason why I'm giving this talk is that I've had a lot of conversations in the last year or two that involve one of these or other

anti-detection tools. And it's surprising to me how many people on the defending side, on fraud teams or on security teams, don't really know about the extent of what tools are available to the other side. And I think in cybersecurity we hear about things like, "Oh, here's Mimikatz," or here's some other open-source tooling that is commonly available. But this goes beyond open source, and this goes beyond vibe coding: there are just straight-up commercial B2B vendors out there who are being used for this purpose. And so, I think if you're a defender and you're not even aware of this kind of tooling, that puts you at a big

disadvantage. It's like you're playing chess blindfolded. And yes, there are grandmasters who can play chess blindfolded, and they do very well. But I don't think any of us want to make our own lives more difficult. I would rather take off the blindfold. And that takes us into our motivating scenario. So, this is a scenario that I've seen a lot. It might apply to you or someone that you know. You've got a SaaS company. You've got some kind of free trial offering. And in this environment, with the rise of AI coding and, generally, I think a worship of entrepreneurship, we're seeing more of these spin up

every single day. And what that means is that it's very difficult for new businesses like this to get started. So, they want to grow faster. They want to give people the chance to try for free. And so, one day they see the chart that they've always been hoping for. It's a chart that looks something like this: the beloved hockey stick of growth. And this is where the hunt begins. Because when you're giving away something that's valuable, when you're giving it away for free, there's always an incentive for someone to take that. And to take it not only once for themselves, but to take it over and over and over again, in order to make money from it directly,

to resell to other people, or to use it as a building block of another thing that they're doing. And so, let's go into the categories. The first category of tooling I'm going to be talking about today is proxy providers. So, proxies are a way for people to send their traffic through different sources. Ultimately, from the defender side, it looks like the IP address of the originating traffic is coming from somewhere it isn't. And so, I'll be clear right now: banning IPs does work. And it works a good amount of the time. A lot of the time, when attackers are trying to hit your infrastructure, either to break in or to abuse it, they're only using a single IP address.

That means it's easy for you to ban the IP. And then they just go away. That, unfortunately, is not very effective, especially in a free trial scenario. Because you're giving away something of value, there is a very large incentive for attackers to go figure out cheap ways around what you're doing. And so, I think we're all aware that there are a number of commercial, typical VPN or proxy providers. It's not very difficult to go to some hosting provider and spin up your own VPN host that's running on someone else's server. But I think the most interesting type of proxy tooling is actually residential proxies. And so, with a residential proxy, you have the ability to send traffic

through a residential IP. And that means that this IP has been assigned to some carrier, some internet service provider that is actually selling internet access to people like you and me. So, these are IP addresses like the ones that you'd get if you're using the internet from home. And that's important because these IPs are different, right? They are not flagged as being part of data center hosting or as part of a commercial VPN service. And oftentimes, in our detection systems, that means they're considered to be more trustworthy. But here, and I'm going to look at pricing again because I think pricing is super important here, this is a company that advertises, and I'll read it from the top,

150 million plus rotating residential IPs in 195 countries. And you have the ability to even geo-target what IPs you're buying at the country, state, city, or zip code level. And you can do this for prices as low as $2.50 per gigabyte of traffic that you're sending through. Now, this is a problem. And it's a problem not only because these IPs may have better reputations than other IPs that are easier to get. It's also a problem because residential proxies are pretty much by definition shared with other residents. So, what happens when you buy access to a residential proxy here is that you are gaining access to someone else's machine or router, essentially. This is sometimes done consensually. You

can today, if you wanted to, install an app that will pay you something like $5 or $10 a month for the right to route some traffic through your home internet connection. And that's where a lot of these services come from. Sometimes they also come from malware networks or botnets. And that's something that is a little more in the cybersecurity realm. Either way, this is important because in carrier-grade NAT, and this is an image from Cloudflare, carrier-grade NAT, or network address traversal, is a system in which ultimately you could have thousands of users that are sharing the same IP address. And so, when we go back to

our original system, when we see bad activity on a single IP address, let's ban that IP address and make sure they go away. This suddenly becomes something which is very, very imprecise. And that means the blast radius of banning a single IP, if it's a residential IP, has the potential to ban thousands of your real users at the same time. And when you do an IP ban, oftentimes it's very hard for people to respond or even realize that they're being blocked. So, you may not even know the impact of what happens here. So, there are residential proxies. That is something that is very common today and is used in bot attacks as well as scraping infrastructure.

But that is just one of the four tools that we're going to talk about. The next one, well, I'm going to talk about CAPTCHAs, and then we'll talk about CAPTCHA solvers. So, by an estimate here, and I don't actually have the video here, but by an estimate, how many traffic lights have you clicked on in your life? How many cars have you clicked on in your life that have just been wasting your time? CAPTCHA is one of the rare words that is actually a backronym. It comes from the Completely Automated Public Turing test to tell Computers and Humans Apart. And you can tell it's one of

these backronym things because they've also dropped a bunch of the words in the middle to make the word CAPTCHA. So, CAPTCHAs were originally designed to present a task that is difficult for a computer to do, but easy for a human. And so, a lot of what we talk about in terms of CAPTCHA is saying, "If I put this CAPTCHA on my site, I know I'm going to annoy some real humans, but the good news is it's going to make it a lot harder for bots to get through." And that is the common way that people think about CAPTCHAs. And that's why so many businesses are surprised when they start to offer a free trial or something

and find, actually, I'm getting blasted by bots. These bots are making it through my CAPTCHAs. How does that happen? One of the ways that it happens is through CAPTCHA solving services. And so, this is again a pricing chart of one of the common, popular anti-CAPTCHA solving services. So, I'll talk about CAPTCHA solving services. Traditionally, especially at the beginning, they were kind of two-sided marketplace, Mechanical Turk things, in which you as a human could sign up and make small amounts of money by solving CAPTCHAs, and on the other end there is someone who is paying in order to exchange CAPTCHA challenges for valid solved CAPTCHAs and then continue on with their

automation task. And I think it's really important to look at the prices for these, because these are prices not per CAPTCHA. I know the text is small here, but these are prices per 1,000 CAPTCHA solves. So, for $1 you can solve 1,000 CAPTCHAs. For $3 you can solve 1,000 CAPTCHAs of certain kinds. And these prices vary depending on the provider. I think increasingly these are no longer two-sided marketplaces where there are humans on the other end, but are actually just dedicated custom tooling which is targeted towards defeating CAPTCHAs. But the fact is the capability is out there: for just a couple of dollars, it is possible for me to buy thousands and thousands of CAPTCHA solves. And that

has significant impact on the way that you think as a defender. This is one provider. Here's a different provider's CAPTCHA fees. Again, this is a competitive market. So, you see that there are multiple anti-CAPTCHA providers out there, and their prices are converging towards the same one to two dollars per thousand CAPTCHA solves. That means that this is really a commoditized offering that anyone can buy into. This isn't something that requires skill or special ability or coding ability, or even the ability to vibe code the right things. This is just straight up a thing where you can go whip out your wallet and have it solved for you today. And just one more pricing here.

So, a lot of these things around CAPTCHAs, as well as more advanced techniques, get into the realm of device fingerprinting. I know later in this conference there is going to be a workshop on building out TLS fingerprinting. I think these are all really interesting topics. So, once we move beyond CAPTCHA, or actually being able to solve a challenge that's supposed to be hard for a computer but easy for a human, then we start getting into more interesting indicators. A lot of these CAPTCHA solvers are actually detectable by basically comparing attributes of the device that you solve the CAPTCHA on versus attributes of the device that submits the CAPTCHA. So, this is all

information that can be collected at the browser level. And that means that if you can detect this discrepancy, then you can detect the CAPTCHA solver and you can block things. And that's great for us as defenders. But there exists another category of tooling, and these ones we call anti-detect browsers. An anti-detect browser is a special browser, so this isn't like the Chrome or the Safari or the Firefox that you might use today. It's a custom browser. It's oftentimes a fork of the open-source Chromium browser that has been modified in ways intended to make sure that all of its fingerprints, the different attributes that you could collect out of

the browser, look exactly like a regular browser. But it has new capabilities. And so, here is one example of an anti-detect browser's capabilities and their pricing. So, here we see that, okay, let's say you want to have a browser, but you want to actually fake that you're using some kind of mobile device consistently for certain kinds of accounts, but maybe you want to switch profiles for other kinds of accounts. This enables you to evade ways of correlating your traffic between different accounts, which is often used to prevent multi-accounting or to prevent free trial abuse. And for just the price of 5.85 euros per month, you can buy access to 10, 50, 100

different profiles that all look like reasonable browsers that people might actually really be using. These vendors put in a lot of effort to make sure that their browser looks a lot like a real browser. But now it comes with different features. And here, I know the text might be a little small to see, you have the ability to do quick cloning or bulk operations. There's often automation software that's built directly into the browser in order to scale up, in a robotic-process-automation way. Attackers can scale up their fraud behavior. And finally, this is another one. Something that's really interesting to talk about in the anti-detect browser space is that

here's a LinkedIn post from someone who does research on these. What really shocks him is that some of the most well-known and highest-priced solutions performed among the worst. Price has almost no correlation with stealth quality. And so, you know, those are just like the vendors that we use every single day. Some of those vendors are really pricey and actually perform worse in these kinds of adversarial scenarios. And finally, I don't have a lot to say about this, but just to let you know, device farms are a real thing that exists. And this is one of the hardest things to deal with. These are racks of real devices. In this case,

these are mobile phones. And this one actually comes from an a16z-backed startup. No comment about their ethics here, but they're building phone farms in order to help marketers advertise and create fake content on TikTok. And they do this for the price of a few thousand dollars per month; you can rent access to real phones that are running on their devices and be able to create all this different content in order to ship to their site. And so that is a problem. There are also different levels of this: just as you could buy the full end-to-end SaaS, you can buy different components of these kits. And all of this makes it so

difficult for us as defenders to detect these attackers when they're coming. And so now, I'm going to take a little aside here. Why am I so focused on bots? I think I've been talking about bots a lot. Don't real humans commit fraud, too? I think bots are really important because the impact of an attack is really about how much you lose in any particular instance of attack times the scale. And so in a free trial scenario, maybe you're only losing $2 per free trial that gets used. And that's like a marketing expense. That's a cost of doing business. But if an attacker is able to use bots to scale up

their attack, now you are scaling to do that 10,000 times per day. And this starts to add up to real money. This becomes something that you care about and you start spending all your time thinking about. And so it's important to think: what does the attacker really want here? And I think it's important to remember here, I've been talking B2B. Fraud is a business. And that means that businesses have ROI. I think in any kind of defense, the thing you're trying to do actually is to break the attacker's ROI, or return on investment. And this is, you know, a simplified MBA-school type of calculation, but one way to look at ROI is that it's about

how much the attacker is getting paid out, divided by how much time they spend to do that, multiplied by the cost. And so if we want to decrease the ROI, we need to do one of these three things: we need to decrease their payout, we need to increase their time, or we need to increase their cost. And so all of these tools I was talking about, they do exist. They are really cheap: $1, $2 per thousand requests, $5 per month. Those are not a lot of money. But at the same time, every layer that we add forces them to use this. So let's say, you know, you didn't have a CAPTCHA

before. Now you add a CAPTCHA. You've just added, you know, 1/10 of a cent in marginal cost for every time the attacker does that. And you've also added the effort that it takes for them to get through. And so, you know, in the Swiss cheese model, we think we don't need to have perfect layers of defense, but we need layers of defense that overlap each other, that aren't bypassed in the same way, and that add costs at each layer to bypass. The other ways that we do this are to reduce the value of a successful attack. You can do this by decreasing payout values. I've often seen teams that are under attack

just slash the value of their free trial. They're going to significantly limit things, and that will free up the attacker's attention while they fix up other areas of their defense. So, let's say, you know, you're an attacker, you have only so much time and attention per day. If you are going to make $10,000 a day by attacking one company versus only $1,000 a day attacking another one, you are just going to switch your attack. You're going to switch your attention, and you're going to do something that maximizes your ROI. In the same way, we can slow their time to value. And I think the most common way this plays out, oftentimes in fintech companies, is to

delay payouts. And that means that there's some kind of mandatory waiting period before you can pull money out. Instead of having instant payments, now you have to go through some kind of additional KYC or waiting period. And all of these things also delay the attackers' ROI. Just because they can bypass it doesn't mean that they will. It's super important for us to say that we are going to make the attackers' ROI worse. That is going to demotivate them, and it's going to push them to go find a better use for their ROI. And so that means that simply by adding these things, even though attackers can and do buy off-the-shelf

evasion tooling, that still adds to their cost. And that's something that they think about when they're deciding whether to double down on attacking you versus move on and try different things. So, yeah, in conclusion, as we wrap up here, I talked today about four different types of evasion tooling. There are residential proxies, CAPTCHA solvers, anti-detect browsers, and device farms. And that means that attackers can easily buy off-the-shelf tooling to evade common defenses. Even so, you can decrease their ROI by adding these defenses; it's cheap to bypass, but it's not free. And that really does make a difference in terms of the time and the effort that someone puts in to try and beat you. So,

if you can beat the attacker's ROI, you are going to win in an attack. And that's super great. Fraud is a business, and that means that we can treat beating them from a business perspective as well. So, that is my talk. We've got a couple of minutes here for questions. Awesome. Thank you. Let's have some Q&A, if some brave person wants to ask something. If you have questions, I have a mic for you. Sorry, I should mention that. Thank you, Henry. >> reCAPTCHA farms: how does the CAPTCHA get passed on? Like, if I have a SaaS app that has a CAPTCHA, how does it get routed over to the CAPTCHA

solver person if they're trying to attack my SaaS app? Yeah, so usually you'll capture the HTML or JavaScript environment of the page, and you'll send that over to wherever the CAPTCHA solver is. So, that's one way. The other way is that sometimes those checks are not as robust as you want, and on your back end, all you're doing is checking that the token you're passed from the reCAPTCHA token service actually verifies in that verify call. And so, that means that there are times when attackers don't need to use your website at all. They can actually just generate reCAPTCHA tokens of any kind,

and then send them over to your service to be solved in the back end. So, it kind of depends on the implementation. More questions? Yes.

If these fraudulent B2B SaaS apps are taking money, how come nobody goes after the financial infrastructure? Like, who's processing payments for fraudsters? Yeah. I think it's a good question. Sometimes these services are what some people might call dual use. And so that means there are legitimate use cases for them, for which you might want to operate infrastructure. They have strong legal teams who are arguing that these are the things that should happen, and although fraud sometimes occurs, you know, fraud hits hosting providers like AWS all the time as well. So there are providers who claim to do a certain level of KYC in order to do legal amounts of work. And, you know,

it varies based on the vendor how hard they actually look in order to collect your money. One more question on the right-hand side?

Thank you for the presentation. My question is around how you see agents evolving account takeovers, and particularly making it easier for, you know, solving these CAPTCHAs or taking other automated steps. Yeah. AI agents, super interesting. As far as evading CAPTCHAs, I think it's very possible, and there are academic examples, which means there are certainly commercial examples, of visual language models solving CAPTCHAs. So that's one piece. I'll say, from an ROI perspective, these are really expensive. If you're paying pennies in order to have a VLM solve a reCAPTCHA, that's actually like 100 times the cost of paying a CAPTCHA solving service to do it for you.

So, on one hand it makes it easier; on the other hand, for now tokens are still expensive enough that I think, as parts of realistic long-term attacks, that is not as big of a deal. And then on the other hand, AI coding agents make it a lot easier to write deterministic code that can do these kinds of bypasses as well. I think that's a much bigger threat, and that's why traditional bot detection and traditional anti-bot stuff is still super important. Okay. And then the other bit, and I have lots of opinions on this, as you can tell. We should talk afterwards, but I think there's a lot of agentic work

that actually looks like ATO as a service. And that means that if you're using something like OpenClaw today, and you want to give it access to your Google account or something like that, a lot of the time the easiest way to give access to an account is actually to just straight-up give it your credentials. And from the service provider side, that just looks like a bot attack. And so now service providers have to look at this and say, "Okay, do I want to allow agentic traffic that looks exactly like a bot that's trying to do an account takeover?" And what can I do in order to make sure my customers are giving the

right consent, or giving the right scoped-down permissions, in order to invest in things like OAuth consent scopes that they might not have done before. Awesome. Thank you so much. If you guys have any more questions, feel free to email Bobbie or DM him on LinkedIn. I hope he will reply. I will reply. Yeah, thank you so much. I'm Bobbie. This is how to reach me. Find me afterwards if you want to chat. Okay. One more round of applause for Bobbie.
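Added example (editor's note, not part of the talk or the speaker's slides). Two points from the talk are worth seeing in code together: the first Q&A answer's warning that many back ends only check that a reCAPTCHA-style token "verifies in that verify call", and the earlier observation that solver services can be caught by comparing attributes of the device that solved the challenge with attributes of the device that submits it. The routine below validates a parsed siteverify response the way a defender should: it checks the documented "success", "hostname", "action", "challenge_ts" and "score" fields against what the server expected, rejects replayed tokens, and rejects a submission whose browser-attribute hash differs from the one recorded when the challenge was rendered. The hostname, action, thresholds, fingerprint hashes and the sample responses are all assumptions constructed for this example; no network call is made, so it runs offline.

```python
"""Hardened server-side CAPTCHA verification (editor's example, not the talk's code).

Assumed inputs:
  verify_json  - the parsed JSON a reCAPTCHA-style siteverify endpoint returned
                 (fields "success", "challenge_ts", "hostname", "action",
                 "score", "error-codes"); sample values below are constructed.
  challenge_fp - hash of browser attributes recorded when the challenge was rendered.
  submit_fp    - hash of browser attributes sent with the form submission.
A solver service solves the challenge on its own machine and hands the token
back, so challenge_fp and submit_fp disagree even though the token "verifies".
"""
from datetime import datetime

EXPECTED_HOSTNAME = "app.example.com"   # assumed: host that rendered the widget
EXPECTED_ACTION = "signup"              # assumed: action name bound to this form
MAX_TOKEN_AGE_SECONDS = 120             # assumed: older tokens were farmed ahead of time
MIN_SCORE = 0.5                         # assumed: threshold for providers that return a score


def iso_to_epoch(ts: str) -> float:
    """Parse an ISO 8601 UTC timestamp such as 2026-05-01T10:00:00Z into epoch seconds."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def validate_captcha(verify_json: dict, token: str, challenge_fp: str,
                     submit_fp: str, now: float, seen_tokens: set) -> tuple[bool, list[str]]:
    """Return (accepted, reasons). Accept only when every check passes.

    Checks beyond "siteverify said success":
      replay     - the same token must not be accepted twice
      hostname   - token must have been minted for our site, not another page
      action     - token must be bound to the form it is being used for
      freshness  - challenge must have been solved recently
      score      - provider score (if any) must clear our threshold
      device     - the device that solved the challenge must be the one submitting it
    """
    reasons = []
    if token in seen_tokens:
        reasons.append("token_replayed")
    if not verify_json.get("success"):
        reasons.append("verify_failed:" + ",".join(verify_json.get("error-codes", [])))
    if verify_json.get("hostname") != EXPECTED_HOSTNAME:
        reasons.append("hostname_mismatch")
    if verify_json.get("action") != EXPECTED_ACTION:
        reasons.append("action_mismatch")
    try:
        age = now - iso_to_epoch(verify_json["challenge_ts"])
    except (KeyError, ValueError, TypeError):
        age = float("inf")                      # missing or malformed timestamp is stale
    if age > MAX_TOKEN_AGE_SECONDS:
        reasons.append("token_stale")
    if verify_json.get("score", 1.0) < MIN_SCORE:
        reasons.append("low_score")
    if challenge_fp != submit_fp:
        reasons.append("solver_device_mismatch")
    accepted = not reasons
    if accepted:
        seen_tokens.add(token)                  # burn the token only once it is used
    return accepted, reasons


# Constructed sample siteverify response (not captured from a real service).
GOOD_RESPONSE = {
    "success": True,
    "challenge_ts": "2026-05-01T10:00:00Z",
    "hostname": "app.example.com",
    "action": "signup",
    "score": 0.9,
}


def demo() -> dict:
    """Run the interesting cases and return the reason lists by scenario name."""
    now = iso_to_epoch("2026-05-01T10:00:30Z")
    seen = set()
    real = "fp-real-browser"
    results = {}
    results["genuine"] = validate_captcha(GOOD_RESPONSE, "tok-1", real, real, now, seen)[1]
    results["replay"] = validate_captcha(GOOD_RESPONSE, "tok-1", real, real, now, seen)[1]
    results["solver_farm"] = validate_captcha(GOOD_RESPONSE, "tok-2", "fp-solver-box", real, now, seen)[1]
    results["other_site"] = validate_captcha(
        dict(GOOD_RESPONSE, hostname="attacker.example.net"), "tok-3", real, real, now, seen)[1]
    return results


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:12s} -> {'accepted' if not reasons else ', '.join(reasons)}")
```

The point of the device check is the one the talk makes: a solver marketplace returns a token that is perfectly valid as far as the provider is concerned, so the only evidence of substitution is that the environment which solved the puzzle is not the environment now presenting the token. Keep the fingerprint hash bound server-side to the challenge (a session entry or a signed cookie), not in a form field the client can overwrite, and use a TTL store rather than an in-memory set for the replay cache in production.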
