
Fighting Fraud in the Trenches

BSides Las Vegas · 2018 · 40:18 · 383 views · Published 2018-09

About this talk
Amir Shaked examines the economics and mechanics of online fraud targeting e-commerce and marketplace platforms. The talk walks through account takeover techniques, including credential stuffing, certificate pinning bypass, and automated attack infrastructure, while discussing practical defensive strategies such as endpoint separation, install ID tracking, and behavioral monitoring.
Original YouTube description: Fighting Fraud in the Trenches - Amir Shaked Ground1234! BSidesLV 2018 - Tuscany Hotel - Aug 07, 2018

Transcript [en]

Good afternoon everyone. We're gonna talk about fighting fraud in the trenches, and I'll explain the metaphor of why it's trenches very quickly. My name is Amir Shaked, I'm the VP R&D at PerimeterX, where we do web security. Personally I like to think like the bad guy, that's what I do best, and this talk is also about giving you some ideas about how to do it yourself in your own organization in order to improve your own security. That's the idea behind it, and we will start. So let's start with the incentive: why we are talking about fraud, and fraud in the trenches. We are talking about the fact that websites are in fact the new bank, if you would like. They hold all kinds of virtual currencies, from actually real funds, like marketplaces where we do buy and sell, to coupons, loyalty programs and all of those things. Now the thing to remember: unlike banks, which are heavily regulated, where we have a lot of policies around them on how you can use them as a bank, most of the retail websites are not regulated in that way in any sense, and in a minute I'll also explain why, even if they were, it wouldn't be helpful for the business. And this makes them the relevant target, or the most sought-after target today in the fraud ecosystem. And by the way, if you do have any questions in the middle, feel very free to raise your hand and stop me and ask, don't wait to the end, I'd like to be interactive.

So the problem with this is the consumers, or consumer demand. You have a lot of these websites competing on the consumers. They all want the same items, they want minimum friction in their experience when they're working with a website. They're lazy in terms of reusing passwords and credentials between websites, and that's a given fact. You can say let's change it, you can say let's educate them, but that will not work with your business-driven metrics, where customers will just leave your website and go to a different system. So anything from two-factor authentication to even putting reCAPTCHA on your website, you have retailers saying it drives down their ROI, they don't want it, they're looking for different solutions. But that's what the consumer wants, and for us as security researchers we need to understand that we cannot look the other way from what the business needs. We need to take it into account and then work with it. We cannot ignore it and just say, well, we have solutions: better passwords, two-factor authentication, no-password login, etc. It's cute, but it will not work with most of the users that are actually paying for the service that you're offering.

So with that in mind, let's go briefly and talk about the underlying economy that drives this fraud ecosystem. I'm sure most of you know parts of this, so I'll go over it briefly, but it's a broken-down system of people buying and selling merchandise on, you would say, the dark web, but not everything here is dark web, some of it is playing out in the field. We start with some groups that are very sophisticated, doing APTs, stealing databases, or username and password databases, from websites. Last week I think something was published, like 200,000 from some fan websites, just as an example, where they didn't even differentiate: they stored on the same table the passwords and the hash, so no security there. But you have a bunch of examples going up all the time, and these are relatively sold at around $10 per 100,000 accounts. I've heard some interesting things, that some of these are fake, some of these are already sold. I cannot prove it myself, I have no interest in buying and selling those lists to prove it, I don't want to contribute funds to those groups, but the prices they talk about, even if it's between fraudsters, are around these sums. And well, the LinkedIn one is a very famous one, like I think it was for bitcoins at the time, for the 167 million accounts.

And this brings us to the next stage. These guys are doing the APT, they're buying and selling those lists, some of them are using them themselves to conduct the attacks, but now comes the part where us, working with retail or marketplaces, suffer: somebody else was hacked and now we have a problem. And this part is mostly automated, and this is why I'm also talking about automatic fraud as an issue, because we build our websites or mobile apps to be easily tested and completely automatic, in all the world and in the entire CI process, and we simply make it easy to be automated for anybody else. So what they do is they sell to a different vendor, that vendor then reuses those and runs an automatic attack, which we will see an example of, how simple it is to make. We've seen all kinds of success rates: anywhere between half a percent or a quarter of a percent success rate in the ATO usually makes them a positive ROI as an attacking group, but we've seen all the way up to 8 percent success rate, which is an enormous amount of accounts being breached. Everybody knows what's an ATO? Do I need to explain this? Great. And then those accounts are actually used for the fraud. Now this is the important aspect of it: the trenches is here, it's on the first step, where they're trying to gain accounts to do any kind of fraud within the system. Now if it's a marketplace, the fraud would be to siphon funds. Most retail websites have like virtual currency or cashback; they can use that to buy things for free, and many users won't even notice, because the cashback is like for 72 hours, you have 72 hours to use somebody else's cashback, and that's the fraud. And the fraud part is usually conducted very slowly and very meticulously, because there are a lot of fraud detection systems and you want to bypass those as well, but that's usually the second step in the process. And let's talk about what we can do with the first step.

So what are they impersonating, those guys running those attacks? We see them impersonating both the website and the mobile app. They will take a mobile app or the website. It's pretty simple to do: open the inspection on Chrome, see the POST request, see the initial request before to see the CSRF token, and you can pretty much copy-paste and iterate the entire process, not running anything for real. And if there is some complication in the site itself that tries to defend, you can run like a full-blown browser with Puppeteer or something like that and have everything mimicked. But what is interesting to see is a lot of shift to target mobile apps, because even though they are native code, they are a lot more strict in the way they are constructed and what they're doing when they're interacting with the back end, and it's a lot easier to mimic what they're doing and impersonate the API. So if you can see the colors (I'm colorblind, I have no idea what color I chose), but this one I think it's blue, that's the browser being mimicked in the attacks over time, and the other one, orange, no, green, okay, so the other one it's the mobile app. And you can see it's actually interesting that there are a lot more mobile apps being impersonated in attacks than the website, and something you need to remember when we talk about how to defend or detect those kinds of attacks is the fact that they are using different methods and impersonating different things. We can use that when we're trying to at least identify them or block them as researchers.

Another one, which doesn't show very nicely here, so I'll have to point at what we see here, gives a bit more perspective into these kinds of attacks. The height of the circles is how distributed the attack is: the lower it is, the more distributed it is, meaning the average number of attempts per single IP address. So attackers will get a large amount of IP addresses when they're conducting those attacks; we will see in examples how we can get those very simply. Was there a question? So what you see, if you're looking at a time series of these things: we start with a site not protecting itself from these things, and it's mostly being targeted with large-scale attacks using very few IP addresses targeting their website, because an attacker built his entire system around it and is then running a botnet against those endpoints. Once that website started protecting itself from these attacks, in a relatively simple manner like enforcing volumetric rules on how many attempts per endpoint, you see them, if you can see the other color, shifting from the website to trying the mobile endpoints of that retailer. And once that was not working for them again, for the same reason, simple volumetric rules you can put on any web, they drop down to still large-scale attacks, but a lot more distributed. I think I have it here, yeah, this is just one example to show you how distributed it is over a time period: less than 10 requests per IP over several hours. That will bypass any volumetric system that will try and look at it, because it's quite reasonable to have more than 10 different users and passwords attempted per IP over several hours. So going back to here, what we see is once the attackers were stopped on the web endpoints, they mostly targeted the mobile, and we'll see why they targeted the mobile on another example. But even though they're completely identified and blocked in these examples, you can see they keep trying. Now the reason they keep trying is the endpoints are evolving: you're adding features, you're upgrading your systems, you're adding more capabilities, they keep testing and trying the system, and if they succeed you can see a large-scale attack commencing very, very suddenly, mostly coming from like a rent-a-botnet sort of thing. Going back to the ecosystem of this economy, you have groups setting up botnets, also not a very complicated thing to do, but they're setting up a botnet and they're simply renting it out for people to use for all kinds of things. Could be DDoS, but we see a lot of them being used constantly for account takeover and such. This is just one example: we picked like a few endpoints and started pinging them to see what we have, but we see a lot of IoT devices, MikroTik routers, D-Link routers, printers, dead servers in the system that were never patched, and others. Also interesting to see is, if you get to hear about how ransomware, malware works with these endpoints, they usually, not ransomware, sorry, I mean crypto miners, they usually try to be the only one in the system because they want all the resources, so they kick everybody off. These ones don't; they don't care, they're sharing those endpoints, so we have multiple botnet groups sitting on the same endpoints, operating at the same time, using the network. And this is just to give a context of the data and of the fact that these attacks are constantly happening.

And from here, what I want to talk with you about is what I would call the weekend test. Anybody here works as a security or even just as an engineer on a retail or marketplace? A few of you, okay. Have you tried pentesting your own system to conduct such attacks? Okay, how simple was it? The smile gives it off. So the weekend test: take your system, sit on a Sunday morning, take your weekend and say, let's see if I can conduct such an attack with the tools I have, with the means that I have, and succeed. If I succeed, I'm a very possible target for these groups, because these guys are not APT groups, they're very opportunistic. They're trying to break a system; if they succeed with your website they will keep on doing it, if they fail most likely they will just move on. So in that sense you need to be good enough, or better than the next one. You don't need to have the best security and the best solution out there, you just need to be better than most, unless obviously you are Walmart or Netflix, they will target you specifically. But if you're not, you just need to be good enough and they will skip you.

So let's do the weekend test. I planned it as a real demo, and then after a bit of talks here with a few other lecturers I decided to just show you the slides of how it's conducted, without doing the live demo. I'd rather not expose myself to the rules you have here in the States. So we will go through how it is conducted with the examples, but I won't do it as a live demo; anybody who wants can come and ask me afterwards, I'll show you. So I took a weekend test, I took like five apps from the Play Store that are quite popular, both where I'm stationed in Israel and here in the States, and I said let's see how simple it is to build such an attack on all five apps. It took me less than an hour for each one. So the flow is as it says here; that's what these guys are doing. If it's a website, they're going to the website, they're finding the URL of the target login endpoint. If there is a CSRF token (and I'm saying if, because frankly I don't understand why some websites don't have it, but they're out there still, like very basic measures), they mimic that as well, it's very simple to do. And then you need to set up your proxy list; we'll see how we can set up a proxy list very simply. You need to get the passwords you want to try, and then, what we've seen almost all of them do, and this is something you can use when you're looking into your data, this is how they're operating, this is how you can try and identify them: they will rotate user agents within the botnet. Like if you look at the thousand IPs or 2,000 IPs, you would see a number of user agents being rotated between them, so instead of looking by the IP, try looking by the user agent, and it will consolidate them into different groups. They're injecting fake headers: it was very common practice in WAFs and other edge security systems to take all the headers and do a hash of the keys, so they're injecting fake headers or manipulating them slightly and breaking those kinds of signature mechanisms. And they're doing a very low volume per IP, very, very, very simple to do. If you look at the native app, and I'm focusing on native apps, this is not like a mobile browser, you need to get the app, you need to proxy it. Again, think of it as opportunistic; you don't need to work very, very hard to do it. So you proxy the app, we'll see how. If there is certificate pinning, we'll explain what it is, bypass it. If there is a CSRF token mechanism, we can fake that as well, and the rest is pretty much the same. Questions so far? Okay. So just remember this is not an APT, they're opportunistic. If they succeed, or if you succeed when doing it on your own system with these steps, then you are a target for groups that are doing it as well. So can you see the code now? Right.

So what we're doing here is quite simple. We're going to Shodan, we're searching for, let's say, products: Squid, getting a list of IPs, iterating over the pages from Shodan and the examples we get, and then what we do is test if that Squid, if that proxy, is open for use for anybody. Some of them are authenticated, some of them are more secure, but a lot of them are not, and it's good enough for our example. So we just try one by one, going through those proxies and going into our own system, and seeing if we get the response, and getting a legitimate proxy. Just to give you a sense of numbers: Squids, when you look at Shodan, you get a few hundred thousand results for Squid or proxy, a lot of available items, but not all of them are actually working. So when I ran the script last night I got, I think, a few hundred, I don't remember exactly the number, I think they disconnected me from the Wi-Fi at the hotel, but a few hundred servers were operating and relevant for use. And because these are servers, they're still out there, so I can still use the same proxy list today, and this is important because we are doing the weekend test. We don't want to break into systems to get the botnet, we don't want to rent a botnet, and if we'll use like a cloud provider to set it up, we will lie to ourselves, because a lot of systems just filter that out. But this is a good way to get such IPs and run the test on your own.

So we get the IP list, it's a long list, and now what we want to do is get the login request from the app. So we load up an AVD. Do you know what's an AVD? Do I need to explain this? No? Good, cool. So we load up an emulator. In this example I used the latest Burp, but you can also use it with Charles, mitmproxy, Fiddler, it's all the same. One thing you need to remember to do, it takes about five minutes, just do it and don't forget: you need to take the certificate of the proxy and put it on the emulator as a trusted authority, or nothing will work, no SSL connection will actually work within the proxy. So it takes a minute of work to do it, and then you just run the emulator, proxy everything through our local proxy, and we get the request and we see if the app has any kind of security mechanisms. In this specific example, none. There is a login screen in the app, we opened the app, I'm trying to do login, I open the legitimate account just to see the results, and then I'm trying to do the login and it just works. Copy as curl, run the command from a command line, and it works. Copy as curl and then run it through a proxy, works. In that sense, I've won, I'm done, because I now have 800 IPs of a botnet, a free botnet, that I can just run through, even at a low pace. I can run a few hundred thousand usernames and passwords through the system relatively easily, because nothing is actually checking any kind of mechanism that you have. If you've done the test on your own system and this step succeeded, I really suggest you put up some security measures. Okay, now something that would be very common.

Okay, so I'm going a bit back to the weekend test. Try to think of it as a black box. Don't use knowledge you have on your own system, don't make any shortcuts, because (a) they are not going to do shortcuts, (b) if you use the knowledge that you have on your own system, you will most likely make the wrong assumptions. And if you try to do it as an attacker, it will be both a good education on how to operate, but also you will do what they do and try and bypass your own system; you will not fall into the assumptions that something is actually secure, working, I can ignore it. So with these two commands we very simply bypass certificate pinning. Certificate pinning is when you do an SSL connection from a mobile app, you want to make sure that you're talking with the right server, or specifically that somebody is not doing exactly what we have now. So you're checking with a certificate authority, you're checking like the subject or something like that within the TLS and making sure that you're talking with the right endpoint. Now there are several ways to bypass that, I'm going to talk about two of them, but it's a very good simple solution. Only, today it's very common on the internet how to bypass certificate pinning, but it helps with most kinds of simple man-in-the-middle, it will secure you from like a Wi-Fi in the middle and such, which is why it's usually good to use it. So in this specific example the app had certificate pinning, it was a different app, so I didn't want to go and do the whole routine of patching the app and bypassing the pinning. I said let's just load it up. apktool: you open the app, you see all the files. With JD-GUI, if you know it, you can just go and open the Java code and see the Java of the application, and just search for login. Let's just search for login within JD-GUI. (This was presumably a secure app: there was certificate pinning, and later when I inspected it more there were long steps of checking that it's a legitimate device, the CSRF token exchange and everything, and then came the login part, but the login part was on itself.) So I didn't take any assumptions, I just looked at the code, and what I saw is a function called getLogonUrl. Okay, interesting, let's see getLogonUrl, and what we see is they have a few items that they request: encrypted user ID, username, password. So obviously we know what it is. I get the base URL and from that I constructed the login request, but I wasn't sure what's encrypted user ID, and I wanted to be greedy in my attempts, so I decided to just remove everything that I'm not sure about, let's see if it works, and sadly it does. All the security measures going up to that stage in the app are irrelevant, because eventually when I'm doing the login request it works on its own. Nothing is actually pushed to the server to test if it's a legitimate device, if there is any kind of token, if the app was real. Actually I didn't even change the user agent when I did it, it was with the curl user agent, and it still worked. So this is a very bad example of how you build an app: you think about your security, and if you go by the specs of what was done, everything is by the book, they've done everything properly, but they didn't do any kind of security on the login request itself, essentially exposing themselves completely to anyone doing it. It took me less than an hour to do it; some of you here will do it within 5 minutes.

Okay, a different approach. So I said okay, let's take it a step further, let's not assume it's so simple, let's take a different app that was more secure, they had more measures around it. And okay, I haven't done this in a while, so when I sat in the weekend to prepare the demo I said, okay, before trying to patch the binary and bypass all of it, even the certificate pinning, let's see if anything new is out there, and luckily, sadly, I found that even that thing is automated completely. You have tools like Frida and objection for Android researchers where all you need to do is one command, which is objection patchapk, and it does everything that you need: it patches the app so that you can load it in the debugger and skip the certificate pinning completely. Steps that would take a security researcher that knows what it's doing a few hours maybe took less than three minutes, because everything is completely automated, the entire process, and it worked beautifully. I loaded up the modified app into the mobile device, installed it, ran it, and got to the same step that I was before. Everything is working, everything is running, I can see the login requests, I can copy it to curl, I can run it, and no security mechanisms around it. And eventually, connecting everything together, you iterate a few user agents, you iterate the headers, you iterate IPs, which helps you skip any kind of security mechanism, and from that you have essentially owned the system in what you can do on an ATO.

Now there are several things that you can do to protect yourself, and there are more tricks on what the app can do in order to prevent it, but something that we need to remember, and this is very important: it cannot be client-side only. The client eventually is in our hands, it is untrusted, so if your entire security concept is based on client-side-only mechanisms, you will definitely succeed within a weekend test to break your own system. It has to be combined with something on the servers. So let's take measures, let's see what we can do in order to improve our own security on everything here. First thing first, we need to secure the app: certificate pinning, even though it's so simple to bypass, is still something that's worth it, it still adds some kind of layer, you don't want to make it available for everyone. Some things that are really important to do and are really not done, and the reason they're not done is because as engineers we build a system convenient to us, but when you try and break the system you see it's also convenient to everybody else: separating the endpoints. Separate them as much as you can, by the way, between the web and the mobile, separate them. If it's Android and iOS, you should separate them. If you're building an app for American customers and they will use mostly iOS and you expect very low volume of Android, that kind of separation will help you investigate better what you see on the different endpoints, who really uses your app. Because notice I breached the Android app, and there is a reason for that, because it's really, really simple to do. If I would have taken the iOS app it was a lot, a lot more work, still doable but more work, and this is also something that we can use when we're trying to secure the system: take into account who is going to use our system. Obviously CSRF, logins, install IDs and such. A few nice things that I've seen on some of the apps that were a bit more secure is that you're taking an install ID as part of the tokens that are passing around, and if I'm using the emulator I need to keep on resetting the device in order to get new install IDs, valid install IDs, if I want to be connected to the store, making my life a lot harder to do a large-scale attack; it limits the number of endpoints I can use. And something that I really recommend you do is check if credentials that are tested against your system, whether they're legitimate or not, have been either breached or reused. Troy Hunt has an API on his website you can use, I really recommend it; if you don't know the Have I Been Pwned website, I really recommend you go and read up on it, it's a great resource. Don't contribute to the problem, please. Even after everything I said about the consumers, offer those of us that want to be more secure the ways to be more secure, two-factor authentication etc. Don't be those with the bad policies, Tumblr, you should check it out, all the limits like six characters, eight characters, that are very bad security; anyone that understands cryptography will tell you that's very bad. As a whole, and for yourself, use a password manager. Anybody here reuses passwords between systems? You're ashamed to raise your hands. Good, okay.

So, to monitor correctly. I said it before, if you separate the endpoints you have a much better approach in looking into what you have and what's happening on your system. Interesting things you can look for: the versions itself. You published an Android app, it was version 1.4, and since then you understood you have a security risk, you improved your system, you upgraded the versions, you see the trend of users upgrading, and then you see a spike in version 1.4 and it's no longer in the market. Most likely the way we build our system, separate team, separate people looking at it, it will work, because you're doing backwards compatible, and when you upgrade it you wanted to make sure users can still use your system. So as an attacker I will just use version 1.4; it was simpler. I downloaded the latest app, but if it's harder for me I can just download older and older versions. If they still go to the same endpoint, if it's still supported, I will bypass the system. Okay, so this is something that's also very important to remember. Of course, monitor for logins and spikes, I think it goes without saying. One thing that was very interesting to see is, I said they're iterating user agents. These are not necessarily the smartest attackers, the most sophisticated attackers; they go online and download a list of user agents. So just look it up, look it up on GitHub, look it up on the internet, you will see all kinds of interesting things. You will find the scripts targeting your own system on Pastebin, because two people shared it between them, and it will teach you a lot about your own system. This is just one example: this microbots something that's already like I think two years old, but it originally had like one user agent, and you kept seeing it coming up, and we traced it back to the open source project that it's built on, entirely around running a botnet, very similar to Sentry MBA if you know it, only without the JavaScript, only like a simple HTTP request. And a few things you can do to detect these guys while they're doing it, not after the fact, is make sure one of two things: make sure they're running JavaScript. You've seen how I conducted the attack, the most important factor was that I was not being a real browser, or was not being a full-blown browser, I was being just like what we call a primitive bot doing an HTTP request or an HTTPS request, not doing the entire website. So same thing goes for the mobile app: use the latest version, make sure only the latest version is being used, track usage on all the versions like I said, but you can validate it, add all kinds of tricks into your system, could be any kind of hash calculation that will let you know that it really is the latest version being used on your app. A very nice open source JavaScript library you can use to do like fingerprinting; similar things for mobile. And one thing that's especially for mobile really a great, great way to protect yourself is the legitimate flow, since an app is constructed in a constant flow of paths. You can use that to understand if somebody trying to do a login is a legitimate user or not. If it didn't do the device init, for example, if you have it in your app or something like that, this is not a real app being used against your system. If it did too many requests, or any kind of deviation from your own system, and you built it, you should know what's happening, you can use it. And they are opportunistic, remember, they don't necessarily go through the entire flow, they don't understand if a token was returned that said do the init 3 times, and only if it was done 3 times you can make sure it's a real system. So these kinds of things you can do in order to understand if this is a real mobile app or not.

And the last thing, it's also the last slide before I'm wrapping up: we need to do mitigation. So two things I want you to remember from this. One: if you're blocking by the IP, remember they are using residential IPs, so if you block IPs you're eventually blocking potential consumers on your system. So if you do it, don't block indefinitely, and also, since it's residential IPs, because it's IoT devices being used, these will be replaced, so you need to have your rules with like a TTL on them and clear them and refresh them. And the second one is more of a conceptual thing, which is really important when you do security: don't give the attackers the feedback loop and help them understand that you stopped them. If for a legitimate login request with the wrong password you say incorrect password, but for something you decided, like the IP that was blocked, you decided, let's say, a 401 for example, you're giving them a feedback loop. They understand; it's very simple to improve your system when you have something to run against. So the simplest solution I would say is every time a login fails, no matter what the reason, say invalid password. They don't know, because the success rate would be a quarter of a percent, so they expect most login attempts to fail. So if they don't know if everything failed because of that, or because you identified them and blocked them, they're in the dark, they will not improve, you can have better security on your system. And it's something we need to keep reminding ourselves: not to give them a feedback loop on what's happening. True in all accounts, not only in this case, but in this case we have seen that the more feedback loop you give to the attackers, the faster they can improve what they're doing and try and look for ways to bypass a system.

Last slide for questions. Let's wrap up what I said. Some of the examples I will load on my GitHub if it interests you, you can ping me on my Twitter handle, and if there are questions, now is a good time.

Audience member: Hi, I would be curious if you have seen anyone use, or if you think there's validity to using, things like TLS fingerprinting or like tarpitting.

Amir Shaked: The answer is yes and yes. Just like with the headers, like what I said about the headers, TLS fingerprinting is valid. curl for example has a very specific TLS fingerprint, but you do need to look at the entire information being collected, not only the TLS alone, because it hides a lot of features behind it. But definitely there will be potential false positives there, so it can't be used on its own, you need to combine it with other features, but yes. Any more questions? Okay, I don't see any hands up. Please give a warm round of applause. Thank you.
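The talk's monitoring advice (look by user agent instead of by IP, because a distributed run stays under ten attempts per IP) worked through as an added example; this is not code from the talk or from PerimeterX, and the log lines, IP ranges and user-agent labels are all constructed here.

```python
"""Cluster login attempts by user agent instead of by IP (added illustration,
not code from the talk or PerimeterX). A stuffing run spread over many proxy
IPs stays under a per-IP volumetric rule, but the short user-agent list
rotated across the whole IP pool gives it away. All log lines are constructed."""
import random
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed user-agent labels (hypothetical, chosen for readability).
LEGIT_UAS = ["ShopApp/2.1 (iOS)", "Mozilla/5.0 (desktop browser)"]
ATTACK_UAS = ["Mozilla/5.0 (rotated-UA-1)", "Mozilla/5.0 (rotated-UA-2)",
              "Mozilla/5.0 (rotated-UA-3)"]

def build_sample_log(seed=1234):
    """Constructed TSV login log: ts, ip, user_agent, username, result."""
    rng = random.Random(seed)
    lines = []
    # Legitimate traffic: one account per IP, two tries each, ~8% typos.
    for i in range(40):
        ua = LEGIT_UAS[0] if i < 30 else LEGIT_UAS[1]
        ip, user = f"10.1.0.{i + 1}", f"user{i:03d}"
        for retry in range(2):
            result = "ok" if rng.random() >= 0.08 else "fail"
            lines.append(f"{i * 300 + retry * 20}\t{ip}\t{ua}\t{user}\t{result}")
    # Attack traffic: 60 proxy IPs, only 4 attempts each (under a 10-per-IP
    # rule), three user agents rotated per request, one try per leaked account.
    k = 0
    for i in range(60):
        ip = f"198.51.100.{i + 1}"
        for _ in range(4):
            ua = ATTACK_UAS[k % len(ATTACK_UAS)]
            result = "ok" if k in (37, 190) else "fail"  # ~0.8% hit rate
            lines.append(f"{k * 60}\t{ip}\t{ua}\tvictim{k:03d}\t{result}")
            k += 1
    return "\n".join(lines)

@dataclass(frozen=True)
class Attempt:
    ts: int
    ip: str
    ua: str
    user: str
    ok: bool

def parse_log(text):
    """Parse TSV lines from build_sample_log into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, ua, user, result = line.split("\t")
            attempts.append(Attempt(int(ts), ip, ua, user, result == "ok"))
    return attempts

def volumetric_offenders(attempts, max_per_ip=10):
    """Classic per-IP rule: IPs with more than max_per_ip attempts."""
    per_ip = defaultdict(int)
    for a in attempts:
        per_ip[a.ip] += 1
    return sorted(ip for ip, n in per_ip.items() if n > max_per_ip)

@dataclass
class UaStats:
    total: int = 0
    failures: int = 0
    ips: set = field(default_factory=set)
    users: set = field(default_factory=set)

    def failure_rate(self):
        return self.failures / self.total

    def distinct_user_ratio(self):
        return len(self.users) / self.total

def ua_stats(attempts):
    """Aggregate per user agent: volume, failures, IP spread, account spread."""
    stats = defaultdict(UaStats)
    for a in attempts:
        s = stats[a.ua]
        s.total += 1
        s.failures += 0 if a.ok else 1
        s.ips.add(a.ip)
        s.users.add(a.user)
    return dict(stats)

def suspicious_user_agents(attempts, min_ips=15, min_failure_rate=0.95,
                           min_user_ratio=0.9):
    """Flag user agents seen from many IPs whose traffic is almost all failed
    logins, each against a different account. IP spread alone is not enough:
    a popular legitimate client also comes from many IPs, but with a low
    failure rate and users retrying their own account."""
    flagged = [ua for ua, s in ua_stats(attempts).items()
               if len(s.ips) >= min_ips and s.failure_rate() >= min_failure_rate
               and s.distinct_user_ratio() >= min_user_ratio]
    return sorted(flagged)

if __name__ == "__main__":
    log = parse_log(build_sample_log())
    print("over volumetric limit:", volumetric_offenders(log))
    print("flagged user agents:", suspicious_user_agents(log))
```

On the constructed log the per-IP rule fires on nothing, while the three rotated user agents are each seen from all 60 proxy IPs with a failure rate above 97% and a different account on every attempt; the legitimate iOS client is also seen from 30 IPs but is not flagged.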