April 12, 2018
Fraud and account takeover threats continue to be a significant challenge for security and fraud teams. As security improvements are made at the point of sale, including EMV chip adoption, increased online sales are driving increases in fraud targeting online applications. With access to the security data exhaust of delivering 15-30 percent of the world’s web traffic, Akamai has confirmed this pattern, observing increases in credential stuffing and account takeover attacks. Because these complex attacks have a repeatable series of steps taken by the attacker, however, there are opportunities for fraud and security teams to disrupt these attacks at every phase.
Credential stuffing, a critical element in account takeover attacks, continues to be observed taking place on a massive scale. In November 2017, Akamai observed more than one trillion requests from bots—a figure that includes all manner of automation, including “good” bots like search engine crawlers and performance analytics tools. The company determined that more than one billion requests from bots during that month were part of credential stuffing attacks targeting retail, with nearly as many targeting the hospitality industry. This is one of the highest volumes of attacks on the Internet.
The Cyber Kill Chain:
Lockheed Martin famously defined the Cyber Kill Chain for intrusions in 2011. Derived from military models, it breaks an intrusion into seven steps. The model has helped defenders break down the common steps used by attackers and deploy specialized tools and personnel to each stage. In general, most defenders realize that the earlier in the kill chain an attacker is stopped, the less damage they can inflict and the less effort the defenders need.
Image Source: www.eventtracker.com
OWASP (the Open Web Application Security Project) has labeled the 20 most common forms of automation in its OWASP Automated Threat (OAT) assessment. The OAT list is a broad set of automated threats that have been observed against targeted web applications. Many can be applied to a chain that ends in account takeover fraud.
A kill chain for account takeover would likely start in the same manner as the majority of attacks—with reconnaissance. Attackers will map out endpoints that provide access to login, including web forms, mobile APIs used by native apps, or other exposed APIs. An attacker could leverage automation to help with this task by spidering the site for login endpoints to supplement manual discovery. It is important that defenders also conduct recon of their own assets to ensure that all entry points are enumerated and protected. In our experience, organizations often believe they have protected all login entry points, only for an attacker to find an overlooked, less commonly used API or web entry point.
Armed with the list of target entry points to the application, a list of credentials to be tested, and some automated tools to conduct the attacks, the attacker is ready to begin the credential stuffing phase of the attack (labeled by OWASP as OAT-008). In this phase, the attacker will use an automated attack framework, either self-developed or an available tool such as Sentry-MBA. The attacker may break down this phase by first attempting to enumerate valid usernames if the application leaks any signal about the validity of submitted usernames.
Ultimately, the credential stuffing phase of the attack is all about attempting to find valid login credentials so the attacker can move on to the monetization phase. The defender’s focus for this phase of the attack is detecting automation and providing an appropriate response to the attacker. Defenders should consider the use of deception in creating responses to avoid or delay a realization on the part of the attacker that their attack has been detected.
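As an added example (not code from the original post), the defender side of the recon, credential stuffing and detection steps above: a small Python detector that scores constructed auth log lines per source by attempt count, distinct-username spread and success ratio across every login endpoint seen, plus a login reply that gives no username-validity signal to the enumeration step. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the original post); assumed line format:
#   <timestamp> src=<ip> user=<username> result=<ok|fail> endpoint=<path>
SAMPLE_LOG = """\
2018-04-12T10:00:01Z src=203.0.113.7 user=alice result=fail endpoint=/login
2018-04-12T10:00:01Z src=203.0.113.7 user=bob result=fail endpoint=/login
2018-04-12T10:00:02Z src=203.0.113.7 user=carol result=fail endpoint=/api/v1/auth
2018-04-12T10:00:02Z src=203.0.113.7 user=dave result=ok endpoint=/login
2018-04-12T10:00:03Z src=203.0.113.7 user=erin result=fail endpoint=/login
2018-04-12T10:00:09Z src=198.51.100.4 user=alice result=fail endpoint=/login
2018-04-12T10:00:15Z src=198.51.100.4 user=alice result=ok endpoint=/login
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(ok|fail) endpoint=(\S+)")

def parse_log(text):
    """Parse log lines into (src, user, succeeded, endpoint) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, user, result, endpoint = m.groups()
            events.append((src, user, result == "ok", endpoint))
    return events

def find_stuffing_sources(events, min_attempts=5, min_distinct_users=5, max_success_ratio=0.5):
    """Flag sources whose logins look like credential stuffing rather than a mistyped password:
    many attempts spread over many distinct usernames, mostly failing, across every endpoint."""
    per_src = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set(), "endpoints": set()})
    for src, user, ok, endpoint in events:
        s = per_src[src]
        s["attempts"] += 1
        s["successes"] += int(ok)
        s["users"].add(user)
        s["endpoints"].add(endpoint)
    flagged = {}
    for src, s in per_src.items():
        ratio = s["successes"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[src] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                            "success_ratio": ratio, "endpoints": sorted(s["endpoints"])}
    return flagged

def login_response(user_exists, password_ok):
    """Hardened reply: same status and text whether or not the username exists (no enumeration signal)."""
    if user_exists and password_ok:
        return 200, "ok"
    return 401, "Invalid username or password"
```

The second source (one user, two attempts) is the ordinary mistyped-password case and is not flagged, while the first is flagged even though its requests were split across the web form and an API path.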
The monetization of successful accounts can be automated. In such cases, OWASP tracks this as OAT-012 Cashing Out. This phase of the attack may be outsourced by the attacker that conducted the credential stuffing to another member of the criminal ecosystem.
The fraud team is typically responsible for attacks that make it to this stage. It is best to disrupt these attacks earlier in the process to minimize the volume of activity that must be managed by the fraud team on the backend. An additional benefit of stopping these attacks earlier in the kill chain is the reduced impact on infrastructure: we have observed aggressive credential stuffing generating denial-of-service conditions.
Much like the cyber kill chain helped to break down attacks and allow defenders to disrupt attackers in the earliest phases of the attack, we believe defenders will find it helpful to consider the ATO kill chain as a model. Disrupting the attack at the earliest phase of the ATO kill chain is ideal, as this minimizes the impact on the victim organization and avoids loading authentication services and triggering expensive backend calls.