Ho ho ho, No! Identifying the Signals of a Festive Fraud Attack

Having a good Christmas is critical for many businesses. Transactions and revenue spike skyward, as do customer expectations and emotions, while there’s a lot of ‘end-of-a-long-year’ distractions internally too.

This is the first of four festive posts to help your business and keep Christmas merry. Over the next 2 weeks we’ll also cover customer experience, competitor scraping and how to deal with the issues today, not in 2020.

But let’s start at the beginning; how will you know if your website is being targeted by fraudsters?

Whilst the signals of a traditional attack are usually obvious (large spikes in request volumes or malicious payloads), fraud attacks are significantly harder to detect.

Unfortunately, many web security and analytics tools provide limited visibility of fraudulent activity. These attacks fall into a ‘grey area’ and too often businesses rely on backend retrospective metrics to report on attempted fraudulent activity.

During November’s Click Frenzy sales event, Kasada detected an advanced fraud-bot targeting one of the large e-commerce platforms. We detected a covert operation in which the bot combined normal human activity with malicious payment/card fraud requests. This bot is targeting a range of customers on the same platform with a similar modus operandi.

Fraudsters need to buy their loved ones Christmas presents as well and the online sales events, such as Click Frenzy or Black Friday, provide the perfect cover for them to generate extra income. These sales events radically change the traffic profile of your website. All the established baseline metrics can no longer be used to detect anomalies. This creates a low risk opportunity for the fraudsters to increase their activity without being detected.

Monitoring request volumes for customer X during Click-Frenzy:

It also changes the request patterns across the site, making it significantly harder to detect malicious activity.

Detecting fraudsters using traditional web security tooling

In the absence of an anti-fraud product, your best chance of detecting fraudsters lies in the analysis of signals within the logs.  This strategy will not allow you to be on the front foot, but it will at least allow you identify the activity.

Basic signals and analytics blind spots

Most attackers leave signals of their activity. Like a trail of breadcrumbs, these clues can allow you to detect malicious activity.

Your ability to detect signals depends on your overall visibility of the application traffic.  This is not as easy as it sounds as each layer of visibility has its own limitations:

• WAFs – typically only report on the requests they block so will not be very useful in this scenario
• Analytics (eg: Google Analytics) – these platforms only report on requests that execute JS, so they may not report on bot activity if it’s scripted, or if it blocks the analytics scripts from executing
• SIEM / Splunk – has the greatest visibility but can be expensive for large web apps and only allows for retrospective analysis

Basic signals to monitor

The following is a list of potential signals of an attack:

1. Sudden spikes in total request volume
2. Spikes in request volumes to specific URL paths (eg: payment, login, checkout)
3. Unusual activity associated from a single IP address
4. Suspiciously old user-agents
5. IP addresses that are rotating user-agents
6. User-agents associated with automation / script based tools
7. IP addresses from cloud provider ASNs
8. Requests that lack the required request headers

Whilst all of these signals can point to malicious activity, they are also prone to false positives which are costly for security analysts to investigate.

Increased traffic levels during the Christmas season makes log analysis and interpretation more challenging, especially during the main online sales events. This is a particularly challenging period for any retail business; the need to maximise revenue during peak season needs to be balanced with a platform that is capable of preventing fraud.

Hiding in plain sight

Bot operators use a variety of techniques to hide their actions. The level of complexity  differs significantly depending on the attackers sophistication, motivation and the resistance that you provide.

Unsophisticated bot operators will only make limited attempts to blend in with normal customer activity.  For example,  a low skilled credential abuse bot will simply repetitively replay the credential POST. This is very easy to spot as the attacker is not adhering to the normal request flow patterns.

Fraudsters tend to be significantly better at hiding their activity. The presence of a direct monetary reward provides the motivation to invest additional effort, time or money.  These bots will:

• Use advanced automation toolsets (fraud tools, headless browsers, etc)
• Use premium residential proxy networks
• Replicate request headers from the latest browser versions
• Generate request flows that mimic human behaviour. They will browse the product catalogue and add products to the cart before repetitively submitting payment requests (washing credit card numbers)
• Rapidly rotate IP and target host – generating small spikes of activity per IP/UA combo – mimicking human activity

The fraud bot maintains a list of hundreds of websites that use a common e-commerce platform. This allows them to standardise the attack flow and rapidly iterate across different websites. This also ensures that each website only sees a small % of the total attack.

Am I likely to be attacked?

Attack campaigns are clearly targeting the large e-commerce platforms such as Magento and Salesforce. This significantly increases the likelihood of a lesser known brand being attacked.

The commonality between websites allows fraudsters to increase the efficiency of their efforts:

• Reconnaissance phase: simple Google dorking the common URL paths to generate a list of targets
• Attack phase: a single configuration can be used to attack multiple targets

Distributing an attack across many customers allows the fraudster to significantly reduce the signals of the attack. Each individual customer only sees a small component of the attack and each component is designed to look similar to a typical customer engagement.

Attack Analysis

In the analysis below we assess the traffic of a single website to the ‘submit payment’ endpoint.

You can clearly see the attack rotation repeating against this website within a 48 hour period. The malicious requests constitute <5% of all payment submissions for this customer.

We saw this pattern of attack against a large number of websites. Each ‘attack session’ mimicked the human request pattern and then launched a short burst of malicious requests. In this attack, the malicious requests were stolen credit card numbers.

Without Kasada, this attack would result in requests reaching the payment gateway. The cost and inconvenience associated with this activity is significant for the website owner, the owner of the stolen credit card and their bank.

Using Kasada’s advanced cryptographic challenge in the mitigation of this attack has a secondary impact on the attacker – not only are the requests blocked, we are neutralising their attack toolset, consuming their compute resources and preventing additional attacks.

Getting ahead of the game

A modern, dynamic anti-fraud platform is the only way to confidently prevent such attacks.

The combination of Kasada’s advanced signal detection platform, our cryptographic challenge and our pattern analysis techniques allows us to detect, respond and neutralise these bots.

Our platform simultaneously increases the economics required to attack our customers whilst devastating the ROI.

A TODAY issue, not 2020

No business has time for weeks of integration anymore.

Kasada can onboard you in hours and stop the bots today.

Keep your shopping season on track and contact us here. To learn more about advanced bot detection, read our blog post covering the most important components of non-static bot protection. Read full post here.