
Okay, so nice to meet you all. Today we're going to talk about something regarding the bot communities: what they are talking about, what their struggles are, how they are trying to evade those detection techniques, and how they're trying to actually create tools for their fraudsters, like tools for fraudsters by fraudsters. And actually they're trying to utilize tools which are actually legit and make them do things that are not quite legit. So let's try the clicker. Okay, it's a bit slow, but we can do it.

So we're gonna go over, like, four things. The first thing we're gonna talk about is threat intelligence. This is actually regarding those communities: what they're talking about, what's happening behind the scenes of their communities. And then we're going to show a quick demo of a reverse engineering tool, because we know that they know we're looking at them. So it means that they have tools which they're using in order to find the things that we're trying to track; they're trying to detect even the challenges we're making on them. And eventually we're gonna have a quick, like, runner-up on some attack tool and an exploratory view of what's happening over there and what they are looking at. And, yeah. Okay, so let's just begin with the first thing. Threat intelligence is, again, what's happening in the fraud
community today. So we're gonna show what's happening in those communities regarding what they are looking at: who is the security vendor, what is the mechanism behind the target's defense, what are the SDKs which are protecting those actual targets, and again, struggles and what's going on behind the scenes in terms of chatter.

So the first thing I want to show you, which is quite interesting to understand (we can make it? Yes, we'll make it), is that the first and most important thing they're looking at is not actually the target which they're attacking. They are not attacking TikTok, they are not attacking Chase Bank, they're not attacking Wells Fargo. They're actually attacking the security vendor which is protecting those targets. That means that they're not asking "what do I need to do in order to bypass Wells Fargo's defenses?" They are asking "who is protecting Wells Fargo, and how do I overcome it?" So we have a few examples, actually, of what's happening over there. We can see an example of one big vendor, another big vendor over here. We can see that they're not just looking at the vendor which is really defending those targets; they're actually looking at the version of the SDK which is running on the back side of this vendor which is protecting those targets. It means that they are aware that if that site is running 1.6, maybe it's different than 1.75, and "I need to behave myself, I need to overcome different features in those different SDKs." So it's really important to understand that they are quite aware of what's happening behind the scenes.

And I'm going to show you another fun example of what's actually happening. If you can see over here, they're actually looking at our release cycles. They're just actually watching; they have their own mechanism to see if, you know, we're just updating our SDK over one site, and we're like 1.7, and now we want to go over to 1.8 and we skipped 1.75, then maybe they even have a laugh about that and
we'll talk about our release cycle, our production behind the scenes. So this is nice to see, that some of them are actually looking at that. And if you can see over at the bottom, you can see that some things are actually interesting to them in terms of release cycles, because: "does anybody know which one runs only 1.7? Because I can't deal with 1.75." So this is actually important from their end.

Another thing which is quite interesting to have a look at is what they're trying to look at in terms of the actual scripts running in the background of the target site. They're not just looking in terms of what things are running there and what is being collected on them and trying to have a go (maybe it works, maybe it doesn't); they're actually trying to do reverse engineering on the actual scripts. Because I don't know if you are familiar with defense scripts running in the background of a site. I don't know if any of you tried to scrape, tried to do login credential stuffing, maybe sometime in the past, I don't know. I know I tried, and it's quite hard to understand what scripts are running over there, and it's quite hard to understand what is being collected all over you. So over here you can see that they're actually giving grades to obfuscation levels of different vendors. It means that I know that I can go over to one vendor and I know it's easier than the other vendor; maybe it's as hard as this vendor, but the hardest one is this one. So maybe you need to take a look at the very easy one and maybe try to do it first, or maybe try to solve the very hard one and maybe sell it to the highest bidder. So it's really good to understand that they're not just looking at what's being collected on them; they're actually trying to de-obfuscate those scripts. They want to know what fields are being collected on them, what challenges are being made to their browsers, because it's really hard to
know what's happening behind the scenes without understanding those calls and without seeing what's actually happening in terms of the security defender. This is a quite interesting look at what's happening in those forums. Again, all those pictures are taken from quite legit places over Discord servers; I heard that you talked about list code just earlier, so this is the same thing. And as we can see here, those are three examples of scripts being de-obfuscated by those fraudsters, by those threat actors, and as you can see here, there are quite a few interesting fields which are interesting to see. As you can see, the first one is plugins and MIME types. That's maybe vague for some people, but those who try to evade those detections are really aware of them, and they know that those fields might suggest that something fishy is happening behind the scenes. In the second example we can see that they're looking specifically at phantom, webdriver, DOM automation. Those are, like, fields that flag specifically that automation is happening behind the scenes. Those are really good to know for the beginner fraudster, for the beginning bot attacker, but that's nice to see, nice to show that something is happening behind the scenes. And the last script is actually quite nice. I don't know if you can read it, but that's being taken from an SDK of a security vendor, and I don't know if you can see, it's saying "you can't hide". So it's quite funny, because "you can't hide" was supposed to be obfuscated and no one should read it, but now we can. So I don't know if "you can hide" is the right sentence for that. It's quite arrogant.

Okay, let's talk about their struggles. So I want to have a quick, like, maybe summarization: what do you think is a struggle which a bot attacker is suffering from? From you, if you have any. Okay, I'm going to give it maybe 10 more seconds. Cool. So as we mentioned earlier... what? Yeah, I can see: authentication problems. So what do you mean by authentication problems?
Yeah, so maybe the first step is actually, yeah, the authentication. They're having an account and they're trying to do those actual steps in order to see what's happening, what's the right flow of things which are happening. And this is a good point, because in order to scale up the operation, they want to do the first thing, the first try, and then take it and do it, like, multiple times. We're not talking about tens of times, we're not talking about thousands, we're talking about millions and maybe more.

So I'm going to show maybe a nice picture of struggles which are happening over there. This is a good example of someone who is trying to bypass another security vendor, and he's talking about the techniques that he used, what was working for him, what wasn't working for him, how many times he was able to bypass those security methods. And people are making conversation over this; they're talking about "maybe you tried this one, maybe you tried the other one, maybe you should think about doing that or the other way around." And this is quite interesting to see, that in those societies, in those communities, this is really a good part of sharing knowledge. They want to know, they want to teach each other. And maybe we'll mention it in the end, but they actually have a nice way of knowing that some of us, the security researchers, are actually lurking there, and sometimes they share a few snippets for us. But maybe, you know, one day they will switch sides, or the other way around, and we don't know.

So another example of something that's happening over there: someone, again, is trying to do Amazon sign-up details. They're trying to do it in a scaled way, they want to do it, like, very massive, and he's getting 404. He doesn't know why. Everybody is trying to suggest maybe the reasons, and I don't know if you mentioned the last one; that's probably it. There isn't... maybe you're just using a bright mode color of IDE, I don't know, maybe that's the reason why
you can't actually pass it. That was a joke, I know. Um, so let's just have a last talk of what's going on behind the scenes of the attack. We're trying to talk about some technical stuff just before we dig deep into the demo itself. So we're talking about detection techniques: what people are looking at, what is happening in terms of us, the security vendors, and what they are aware of, what they know is happening. So they know that people are tracking mouse speeds and key presses. They know that we have good webdriver detection, and someone even says that when you have a webdriver and you can't hide it, that's an immediate block. So in order to bypass those things you need to be aware of them. You need to know how to mimic it, you need to know what's happening, what features you need to mimic, you need to have a good understanding of what looks like a good user, what looks like a human, and what doesn't.

So up until now we had a bit of discussion of what's going on in those communities. Right now I'm going to show a quick demo of tools that were used for fraudsters by fraudsters. That's a good example of the good sharing spirit of those fraudsters, and this is quite interesting to see. I'm gonna just go to my laptop.

Okay.
Yeah, so we're going to have a quick two shows of two tools which are used by fraudsters, for fraudsters. The first one is called antibot test, and just a quick understanding of what's happening in this tool: this is an actual script that was built by fraudsters in order to get an understanding of the targets and what's happening behind the scenes of the target regarding the security vendors: who is protecting it, what tools they are using, what scripts they are using, what they are collecting. And the second one, API sniffer, I think will be much more understood after I show the first one.

So if we go to antibot test, this is again a Discord, and I don't know if you have tried it in the past and you've seen what it looked like. So as you can see over here, this is filled with commands, and we can see here that I'm writing antibots and just a normal site, it doesn't matter actually which. And if we run it right now, we see that it is trying to analyze the site itself. It's going over all the JavaScript which is running in the background, and then eventually it is putting out an output of who is protecting this site, which are the security vendors protecting this site. And not just who they are: you can actually see the addresses which are directing to the specific places where the scripts are located. It means that if you are a technical person, you can go and take those scripts and then go and de-obfuscate them, understand what type of features are being collected about you, what type of challenges are being made against the browser itself. And this is quite interesting to see, again, what's happening. Someone is writing "hi" over there, it's interesting.

Okay, the second one, which is a bit more technical, is quite different from the other one, which is very product-wise, very ready to be used, because you understand this one is being defended by this vendor or that vendor. And this is really easy to understand, because if I know how to bypass a specific vendor, I know that if this vendor is defending this target I can use it, but if I don't know, I can just go on and have my next target. So this script is a bit fluffier, in terms of it just returns the specific API calls which are getting collected from all the JavaScripts on the site. It doesn't actually do the actual classification of which script is related to which security vendor, because some scripts are not trying to detect bots; some scripts are just trying to understand the current flow of what's happening in your site; some scripts are actually being used by the site owners themselves and not related to security at all. So here you can see that this actual tool is doing... wait, this is not antibot. We need to do a different one, API sniffer, because this is the tool I just want.

What? No. So...
Okay, okay. I'm gonna show you just maybe an output of something else, because it's quite difficult to write it on the other screen. So I'm going to show you something which is interesting to see, maybe on some other target. So maybe if we go and look at Foot Locker: this one is a script I actually ran yesterday, and we're looking at the actual output of this tool and what's happening in the background. And we can see here the specific API requests that were asked by all the scripts that were running on that site itself. So if we go and have maybe a bit of wandering around, eventually we look at the scripts, where they are coming from, something that happened to be a security vendor. I will show one which is, like, CloudFront. And this is actually interesting to see what's happening behind the scenes in terms of what type of fields are being collected, what API calls are being made from the security vendor. This is interesting to understand, because you don't need to de-obfuscate the script itself in order to see what API calls are being collected by the script itself. So it's actually a work in progress, together, in order to understand better what's being collected on you, the threat actor who is trying to mimic the human interaction.

So let's do another quick demo, which is again gonna be... so the next one is about attack tools exploration, and I'm gonna call it the tactiles. I don't know if any one of you are familiar with Puppeteer as an attack tool or not, but Puppeteer in general is a good automation tool which is meant usually for developers in order to automate things, in order to understand how their site acts, sometimes headless, sometimes just use your Chrome, just for developer purposes. And this is a legit tool, but as we know, when someone makes a good legit tool which is helping you automate things, fraudsters and threat actors can utilize
this tool and try to take it and scale it up and make it an attack tool. So as we can see here, Puppeteer is actually saying, is flagging, "I'm an automation tool," and as you can see, or you can figure, if you are flagging that you're an automation tool, it's not very good for the threat actors. So you need a way to overcome this, you need a way to evade those things. So I'm going to show you just a quick wandering around this tool, again from the fraudster community. So this is puppeteer-extra. I don't know if you are aware of this repo, but it has 4,000 stars, has many, many contributors, and it's really, really being maintained almost daily; as you can see, some of the last PRs were, like, ten, eight days ago. So this is really cool to see. And if we go specifically into the tools that I was mentioning, because as I mentioned earlier, we want to make a plugin for this tool that will make it evade the bot detection, the tool that won't flag you as an automation tool. So as you can see here, this is the puppeteer-extra itself. They are bragging and going into a specific site which is supposed to recognize bots, and you're seeing "you're not Chrome headless". And if we go a little bit further, they're talking about the specific evasions they added; maybe we'll go into that a bit later. Test results without puppeteer-extra: so we're seeing red, it's very bad. And then we're going with puppeteer-extra and we're seeing they're all green. Again, this is very common knowledge for the bot detection community; maybe if you want to get into that deeper, I will gladly share a bit about this. And another thing here is reCAPTCHA v3. I don't know if any of you have tried the captcha, but the latest reCAPTCHA, which is supposed to be seamless: you have a score, and if it's usually lower than 0.5 it means that you are a bot. Without using puppeteer-extra stealth you're getting 0.1; with using all the stealth evasion techniques you are getting 0.7, which is actually kind of good, and it's usually considered a human or maybe some network fault.

So before we go and have a little look at the evasions here, we can have a clear look at what's being considered as evasions. So maybe remember earlier, when I talked about specific plugins or webdriver or other properties of the browser itself which are mentioning that you are using automation at the moment. As you can see here, we have all kinds of evasions which are meant to actually remove those features. And if we go into, for example, webdriver, we're looking here at an evasion which is actually passing the webdriver test. This will delete the navigator.webdriver property; it will take navigator.webdriver and delete it, which means eventually you will look like a human, like a normal browser.

So, to sum it all up, we're gonna go...
Okay, so we have the best practices. I'm gonna just do a quick run over all of them. So threat intelligence, as you know now: we need to have an ongoing presence in the right places. You need to understand what tools are being used in order to evade your bot detection. You need to have hands-on the tools being used; this is in order to trace them out of your traffic, in order to find them. And the latest one: you need to always try to bypass your own systems, and this is, of course, I know you are aware of: if you're trying to bypass your own systems, you will probably discover interesting findings or loopholes that were happening in the middle. This is it. Thank you.
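The webdriver evasion the talk ends on (deleting navigator.webdriver) and the plugins/MIME-type fields it mentions earlier, looked at from the defender's side, as an added example that is not from the talk, from puppeteer-extra, or from any vendor's SDK: a small Node script that scores a navigator-like object for those signals, including the trace that deleting the webdriver getter leaves behind. The makeNavigator helper and the three snapshots are constructed assumptions so it runs offline; in a real page you would pass window.navigator.

```javascript
// Added example, not from the talk: defender-side check for the automation
// signals the talk names. Runs in Node on constructed navigator objects.

// Collect the tells readable from a navigator-like object.
function automationSignals(nav) {
  const signals = [];
  const proto = Object.getPrototypeOf(nav);

  // 1. Chromedriver/Puppeteer set navigator.webdriver to true.
  if (nav.webdriver === true) signals.push('webdriver flag set');

  // 2. A real browser exposes webdriver as a getter on the Navigator
  //    prototype. The stealth evasion shown in the talk deletes it, so a
  //    missing getter on an otherwise Chrome-like navigator is itself a tell.
  const desc = proto ? Object.getOwnPropertyDescriptor(proto, 'webdriver') : undefined;
  if (!desc || typeof desc.get !== 'function') signals.push('webdriver getter removed');

  // 3. Empty plugin / MIME-type lists, the fields the de-obfuscated scripts check.
  if (!nav.plugins || nav.plugins.length === 0) signals.push('no plugins');
  if (!nav.mimeTypes || nav.mimeTypes.length === 0) signals.push('no mimeTypes');

  // 4. The user agent admits to HeadlessChrome outright.
  if (/HeadlessChrome/.test(nav.userAgent || '')) signals.push('headless UA');

  return signals;
}

// Simple verdict: two or more independent tells is treated as automation;
// a single tell would go into a risk score rather than a hard block.
function classify(nav) {
  return automationSignals(nav).length >= 2 ? 'automation' : 'human-like';
}

// Hypothetical helper (assumption): builds a navigator-like object with the
// webdriver getter on its prototype, as Chrome does, optionally deleted.
function makeNavigator({ webdriver, plugins, mimeTypes, userAgent, deleteWebdriver = false }) {
  const proto = {};
  Object.defineProperty(proto, 'webdriver', { get: () => webdriver, configurable: true, enumerable: true });
  if (deleteWebdriver) delete proto.webdriver; // what the stealth evasion does
  return Object.assign(Object.create(proto), { plugins, mimeTypes, userAgent });
}

// Constructed snapshots (assumptions, not captured data).
const UA_CHROME = 'Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0 Safari/537.36';
const humanLike = makeNavigator({ webdriver: false, plugins: ['PDF Viewer'], mimeTypes: ['application/pdf'], userAgent: UA_CHROME });
const plainPuppeteer = makeNavigator({ webdriver: true, plugins: [], mimeTypes: [], userAgent: UA_CHROME.replace('Chrome', 'HeadlessChrome') });
const stealthPatched = makeNavigator({ webdriver: true, plugins: ['PDF Viewer'], mimeTypes: ['application/pdf'], userAgent: UA_CHROME, deleteWebdriver: true });

for (const [name, nav] of [['human', humanLike], ['puppeteer', plainPuppeteer], ['stealth', stealthPatched]]) {
  console.log(name, classify(nav), automationSignals(nav));
}
```

The stealth snapshot no longer reports the flag, but the missing getter remains visible, which is why detection vendors compare property descriptors rather than only reading the value.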