
Credentials so good you'd use them again

BSides Augusta · 2018 · 20:07 · 57 views · Published 2018-11 · Watch on YouTube
Style: Talk
About this talk
Mike Opacity After a web breach, billions of credentials are discovered in the wild. What happens to them? How are they being misused for profit and how is the actual reuse accomplished? This talk will discuss how it is done, what tools are out there and the monetization currently being seen in the wild.
Transcript [en]

So today's discussion is on credential replay attacks. It's also known as cred stuffing, and we're going to go through some technical detail. There's two perspectives to this talk. One is from the end-user perspective, where, you know, how can you understand what's going on with a credential replay attack, and the other's from a service provider perspective, which is: I'm being hit with one, how do I actually see it, what are the countermeasures I can actually deploy against it? So this is our agenda. You can tell I worked for DoD at one point in time. So this is obviously not just my presentation; I got to work with a group of fantastic professionals, and let's see, three of them are up there,

warm ones in the room. This is me. I started out in 2006 doing security as my full-time job, did it for 10 years in the DoD, another year and a half in the intelligence community, kind of intelligence community, and then the last two and a half years in a global financial, responsible for detection and response for cyber and fraud, and that's where we first observed this particular activity. So what is it? It's the exploitation of credential pairs, usernames and passwords, recovered from breaches. They're aggregated, then they're fired against other platforms, and they take advantage of the fact that end users, myself included, are lazy. We reuse usernames, we reuse passwords on multiple sites. Those sites

get breached, and once they're breached they're harvested, they're loaded into tools, and they're shot against any internet-facing portal to see whether or not that username and password pair was used again. So hackers account for 90% of the login attempts at online retailers. Interesting stat: 91% e-commerce, 60% airline. So most of the login traffic that is going across the internet is fraud or attempted fraud. Where's it coming from? Again, it's coming from breaches. 1.5 billion creds came out of Yahoo, Adult Friend Finder is responsible for another half billion, MySpace. Every time you see one of these breaches occur where username and password pairs are compromised, those username and password pairs are being reused for credential replay attacks. Why

does it work? Well, our account defense is primarily to stop brute force, right? I try the same username and password three times and that account locks out. With this type of attack, you use the credential one time; it either works or it doesn't, and you move on. So one IP address can test as many credentials as it likes until you either shut down that IP or do something with the traffic. And fundamentally, again, it's an attack on your authentication system, not your actual product. The credentials are tested and the response is what's being recorded. So these guys aren't rolling into the product; they are simply using your authentication system to bounce creds off of, and they're monitoring what

the response looks like. We're gonna see some examples here shortly. Okay, so this is the most common. This is a failure, and what you see here: you see a login attempt in the request URL, you see a 302 Found redirect, and then on the bottom you see it's going to a bad password. So this is the case where a credential was presented, it was not the proper match, so it sends you to "hey, did you forget your password, do you want to try the forgot flow?" So that is the most likely response. This is the other kind of response. This is: the credential was valid but the

account's not. So in here again you see the 302 redirect going back down to SiteMinder and sending him somewhere. But this is the problem. So this again goes to login, but on the bottom you'll see that they're going right to the portal. So in this case this credential is valid; it's good for an employee or for whatever the account's good for, and it's going to be recorded, and then it is going to be reused later to commit whatever kind of fraud can be done with that portal that's being tested against. So what do they get out of it? How is it done? If you are a business that's front-facing on the Internet, you're selling

something, you're giving away miles for travel, you're giving away points for hotels, you've got a game company that's got, you know, some kind of gold or whatever in the game. You've got something of value that you are selling or accessing on the Internet, and what they are doing is they're taking over the accounts of your users and then exploiting them. Basically, they're either using them to generate money, redirect money, they're using them to take points, using them to take miles, and it's very straightforward, easy. There's a couple of end-user stories here. This happened to me last year. Woke up in the morning, my phone tells me "welcome to Comcast Wireless." What the

hell happened? I didn't order Comcast Wireless. My new iPhone's on the way, though. So I called and I got it all stopped. Next day comes, wake up, "welcome to Comcast Wireless." Call the fraud department, talk to him again. This time the guy tells me they're using your Comcast email account. I never used a Comcast email account, but I got one when I signed up for Comcast Internet, and I had to log into it once and I set a password for it, and I used one that was exposed, actually, in the LinkedIn breach. So what they did is they threw creds from the LinkedIn breach against the Comcast portal, the username and password pair matched, and they

used that account to order service. They also used a stolen credit card to pay for it, so it wasn't all that bad, not for me. So okay, that's how it looks at an individual level, but how do you really do this, right? How do you really take this and take it to the next level and exploit it for a lot of money? You know, what if I go after a bank? How do I do that? Well, I do that with: if you ever go to Walmart and you see those Visa, MasterCards that are hanging on the J-hooks at the exit, you know, when you go through the register. So those things can be activated and they can be

actually accessed in the automatic transaction network of the banking system. So once I have that card, I activate it with a stolen identity, because why not. Then that card has an ABA/DDA pair to it. At any place I go to, if I take over an account, I can change any money that's being moved to go to my fraud card, and that's the way we see a lot of fraud being done in the space. It works, it works at scale. So what can you do? How do you limit the effectiveness of this particular technique? How do you stop it now as a service provider? So the first thing, you have to look at your logins,

you have to look at login failures. Cred stuffing is easy to spot if you're looking at your traffic. 99% fail. Anybody who's logging in from an IP address hundreds and thousands of times, just, I have to do it to make any kind of a gain, again, they're gonna be ninety-nine percent failure from that IP address, so they're gonna stand out if you're looking. Second thing, know where your customers are coming from. If they're coming from colos, virtual private hosting arrangements, cloud servers, that's not where most people come from. That's where service providers live, but it is where criminals and fraud networks come from, because that's a service they can easily buy, and when it gets knocked down they don't

care, they just move on to the next. Second, metrics matter. Know what right looks like in your platform, understand it, and when you start seeing changes, when you see your failed logins go from, you know, twenty thousand an hour to a hundred and fifty thousand an hour, ask questions. And baseline your transactions, look at your login services. Let me see, I think I've got a picture next. Yeah, I do. So this is kind of hard to see, it's a lot easier on the laptop, apologies, but if you look down on the right side, the failure rates: 0.998, 0.996, 0.996. This is all cred stuffing. This is all replay.

This is not real. This is somebody trying to take over accounts. They're running almost 2500 accounts for four good logins. All right, so this actually is very easy to spot if you're looking for it, and you can't hide behind IPs because the actual behavior is what you're looking at. So we're gonna talk a little bit about tools that automate a lot of this, but on the receiving side, if you're paying attention, it's still easy to spot. All right, mitigation. If I have a 99.9 percent failure rate, the only way I can accomplish something that I can generate revenue off of is automation. So the way to defeat this type of attack is to defeat automation as it presents

itself to your login portal. Okay, it's not a human behind the keyboard, it's a script. So if you can do that, then you can disconnect those sessions, not even let them start. That mitigates it. Akamai does that, Shape does that. We actually ran a homegrown solution for a while, which was a work of art. It was not my work, it was Sylvia's work, and what we did is we watched for login accepts, where somebody actually got a password into the portal, and then processed that account immediately for a password reset. The guy was doing me a favor, okay? I had breached credentials that were out there; everyone that was breached was getting a password reset

thanks to him, so you can't actually use them as a service. On the end-user side, take a look at Have I Been Pwned or any of the other sites that actually track credential exposure in the wild. If you see that you've been popped, and if you've been around this place for a little while the answer is going to be yeah, you've been popped, you know some of your account information has gotten out there, don't use that password again, ever, anywhere. And make sure that if you're tying a username and password to something that has financial information behind it, it's different from any of the other passwords you use. So that's the easiest way to avoid it. It's the easiest

way from an end-user perspective to not expose yourself to that problem. One of the easiest tools on the Internet to do this type of attack is something called Sentry MBA, and if you can't configure it yourself, don't worry, the dark web will help you. This is what it looks like. So what it basically will do is it will go out, it will go to the website you want to cred stuff, and then it will set up the pro-, it'll read it, and it will set up some options for you. Then you can take a look at what the request header looks like, and you can select your user agents. This is an

attempt to make it hard to see, because the user agents are gonna vary, but because it's only the same four user agents it works, you can still see them very easily. This is a for-sale. This came off the dark web: credentials with a credential configuration preset to go at an institution. All you do is pay your money and they send it to you. Use your own creds, lather, rinse, repeat, you're in business. So my takeaways for you: look at your logins. If you have less than 1% success from an IP address, it's a replay attack. To stop it, defeat automation. There are

commercial products, you can do it inside, but this is actually a big deal. Account takeover is a significant problem anywhere that you're relying on a username and password to defend somebody's account. For your users, obviously, don't reuse, especially when you have money at risk, and if a password is discovered in a breach, please don't use it again. And now comes the fun part of the briefing: your questions. Ma'am? Yes. So when this attack works, they log in as you, so the question really is what can you do on this portal. So let's say they got my Amazon account, and my Amazon account has a Visa card that's already associated with it. Well, they can go

shopping and ship, you know, whatever they want to do. If they get into my bank, they're in there as me. They can change where my direct deposit information goes. So anything that you can do on that internet-facing portal, they can do, because they actually appear as you in the portal. Sure. Yes, sir?

So all those methods work, sir, and the problem that you run into is, as you put in mitigations, the better actors are going to retool and they're gonna come at you with something else. So it's not something that you solve and it goes away. They retool, they come back at you, you change your strategy. Sometimes the CAPTCHA works just well, sometimes putting Akamai in front works just fine, sometimes you go with Shape, sometimes a homegrown solution. But until you see that failure rate, that bulk failure rate, go down... that means you've now made your portal more difficult to use than the guy down the street, and at the

end of the day that's all we can do: we can move them down the street to try to go after somebody else.

So I didn't talk about that, but there's an entire fraud network that's dedicated to moving product, moving technology and moving money. So once you have access to somebody's account, you need to monetize that access. So how you take product out, how you take money out, where you send it to, and then how you get it to the second, third destination so that recovery is difficult or impossible, is all part of the fraud you have. From their side you will see everything from idiots to sophisticated nation-state criminals, you know, organized crime. The more dedicated people will be at it for months if not years. So I can tell you that we use Shape. It works very well. It's a

JavaScript injection. The idea is simply to make sure that it's a human behind the keyboard, but even that is something that's not a one-time fix. It's something that we work with continuously, because there's money at stake, there's money at risk, and the actor, if they've been successful at some point in time, they know if they adjust a little bit they can make it successful again. So they're constantly coming at you. Yes, sir?

I'm sorry, I am not, off the top of my head, I apologize. I have some giveaways up here too, so whoever asked the... we got questions, so if anybody has any other questions we'll combine it with a giveaway, that way we get rid of books and stuff. Sir?

So that's a really interesting point, it's a great question. So if you know where your customers are, you can understand where geographically you would expect to see them and where you would not expect to see them. That being said, there's a lot of VPN services out there, so you could easily be in Elbonia or some other location on the globe and appear to be coming from New Jersey. Sir?

They are unique to a cred stuffing tool. They can be legitimate. When you see Sentry MBA, you'll see the same four, six browser user agents repeated over and over again, but if it's, you know, a smart actor, it'll be legit. So you, sir, have your choice of: I got the Blue Team Incident Response, SOC and SIEM, I've got a lockpick set, and then, looks like a nice wide-range wireless adapter. Wireless adapter for the win. Yes, sir, your choice of the Blue Team, which one? I got Incident Response and SIEM. There we go. Yes, sir? Yes, sir, there's no visibility of this at all. In fact, they find out when they get the

bill, they find out when their money is missing, they find out when they get upset. Six months, 30 days, depends on the nature of the breach. The problem is that the crime sometimes is too small in scope to get many people involved. It's like, if I can steal $20 from a hundred thousand people I'm happy, but how hard is that to build a case against? And that we see a lot of. Your choice of lockpicks or... absolutely, good for you. Yes, ma'am?

Right.

Mm-hm. Windows is actually doing that now, there, if it's made its credential, you know, bad credential list, it does more. Could you pass the... please, thank you. But it's hard to work from that end of the business. The best answer is to factor, the best answer is some other way to break that communication for the actor. And we are at time, so if you have to leave or want to leave, that's absolutely fine. If you want to hang out, that's fine as well. [Applause]
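Added example, not part of the talk and not the speaker's or his team's tooling: the Python below applies the detection rules the talk gives for the service-provider side (a source IP with many attempts and under 1% success is replay; sources in colo or hosting ranges deserve suspicion; a fixed handful of rotated user agents is a tool signature; a jump in hourly failures against the baseline is the cue to ask questions) to constructed login log lines. The log line format, the field names, the thresholds, and the hosting range (the 203.0.113.0/24 documentation prefix standing in for a hosting provider's address space) are all assumptions made for this demonstration.

```python
"""Credential-stuffing triage over web login logs (added example, not from the talk).

Assumed log line format, one line per login attempt:
    <timestamp> src=<ip> user=<account> result=<success|fail> ua="<user agent>"
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) '
                     r'result=(?P<result>\w+) ua="(?P<ua>[^"]*)"$')

# Hypothetical colo/hosting ranges.  203.0.113.0/24 is a documentation prefix,
# not any real provider's space; a deployment would load an ASN/hosting feed.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class IpStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)
    agents: set = field(default_factory=set)

    @property
    def success_rate(self):
        return self.successes / self.attempts if self.attempts else 0.0


def parse_line(line):
    """Return the fields of one log line, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Aggregate attempts, successes, distinct accounts and UAs per source IP."""
    stats = defaultdict(IpStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip junk rather than abort the whole batch
        s = stats[rec["ip"]]
        s.attempts += 1
        if rec["result"] == "success":
            s.successes += 1
        s.users.add(rec["user"])
        s.agents.add(rec["ua"])
    return dict(stats)


def is_hosting(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def flag_stuffing(stats, min_attempts=100, max_success_rate=0.01):
    """Return {ip: [reasons]} for sources that look like credential replay.

    The gating test is the talk's rule: many attempts with under 1% success.
    The other checks only add corroborating reasons to the verdict."""
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts or s.success_rate >= max_success_rate:
            continue
        reasons = [f"{s.attempts} attempts, {s.success_rate:.2%} success"]
        if len(s.users) > 0.9 * s.attempts:
            # one try per account: replay of breached pairs, not brute force
            reasons.append("one attempt per account")
        if is_hosting(ip):
            reasons.append("source in hosting/colo range")
        if len(s.agents) <= 6:
            reasons.append(f"only {len(s.agents)} user agents rotated")
        flagged[ip] = reasons
    return flagged


def failure_spike(failures_now, baseline_failures, factor=3.0):
    """Baseline check: hourly failures far above the norm (e.g. 20k -> 150k)."""
    return failures_now >= factor * baseline_failures


def constructed_log():
    """Constructed sample traffic, not real logs.

    203.0.113.10 replays 2,500 credentials and gets 4 valid logins (the ratio
    shown in the talk) while rotating four user agents; the 198.51.100.x
    addresses are ordinary users, one of whom mistypes a password once."""
    agents = ["Mozilla/5.0 (Windows NT 6.1) Chrome/60",
              "Mozilla/5.0 (Macintosh) Safari/604",
              "Mozilla/5.0 (X11; Linux) Firefox/57",
              "Mozilla/5.0 (Windows NT 10.0) Edge/16"]
    lines = []
    for i in range(2500):
        result = "success" if i % 625 == 0 else "fail"
        lines.append(f'2018-11-01T10:{i // 60:02d}:{i % 60:02d} src=203.0.113.10 '
                     f'user=acct{i:05d}@example.net result={result} ua="{agents[i % 4]}"')
    lines += [
        '2018-11-01T10:05:00 src=198.51.100.7 user=alice@example.net result=fail ua="Mozilla/5.0 (iPhone) Safari/604"',
        '2018-11-01T10:05:09 src=198.51.100.7 user=alice@example.net result=success ua="Mozilla/5.0 (iPhone) Safari/604"',
        '2018-11-01T10:07:41 src=198.51.100.8 user=bob@example.net result=success ua="Mozilla/5.0 (Windows NT 10.0) Chrome/70"',
        'garbage line that does not parse',
    ]
    return lines


if __name__ == "__main__":
    for ip, reasons in flag_stuffing(summarize(constructed_log())).items():
        print(ip, "->", "; ".join(reasons))
```

The gating rule is deliberately the only one that can flag a source on its own; hosting ranges and small user-agent sets are signals a careful actor can remove (VPN egress, legitimate-looking agents, as the speaker notes in the Q&A), whereas a sub-1% success rate across thousands of distinct accounts is the economics of the attack itself and is what the talk says to watch. In production the per-IP counters would be computed over a sliding window rather than a whole file, and a spike from `failure_spike` would trigger a look at the per-IP breakdown rather than a block by itself.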