Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

AppSecCali - How Credential Stuffing is Evolving

234 views

Published on

This talk was given at AppSec California, January 2020.

Credential stuffing and other automated attacks are evolving passed every defense thrown in their way. CAPTCHAs don't work, Fingerprints don't work, Magical AI-whatevers don't work. The value is just too great.

Published in: Internet
  • Be the first to comment

AppSecCali - How Credential Stuffing is Evolving

  1. 1. Jarrod Overson Director of Engineering at Shape Security HOW CREDENTIAL STUFFING IS EVOLVING And where do we go from here?
  2. 2. Who am I? And should you trust me? • Director of Engineering at Shape Security • Google Developer Expert. • Old school video game hacker. • @jsoverson everywhere
  3. 3. Why credential stuffing is evolving How credential stuffing has evolved Where do we go from here? 1 2 3
  4. 4. Jarrod Overson Why credential stuffing is evolving1 The same reason anything evolves. Incentive + adversity.
  5. 5. If there are no defenses in place, the cost is nearly zero. valuecost Jarrod Overson
  6. 6. Any defense increases the cost by forcing a generational shift. valuecost Generation 1 Jarrod Overson
  7. 7. Enough defenses will tip cost/value in your favor valuecost Generation 1 Generation 2 Generation 3 Jarrod Overson
  8. 8. The cost of entry for all technology decreases over time. valuecost All technology gets cheaper as it becomes better understood and more generalized. Jarrod Overson
  9. 9. While the value of successful attacks only goes up. valuecost Jarrod Overson
  10. 10. CREDENTIAL STUFFING: A HOW-TO GUIDE 1 Get Credentials 2 Automate Login 3 4 Defeat Existing Defenses Distribute Globally
  11. 11. 1. Get Credentials CREDENTIAL STUFFING
  12. 12. 1. Get Credentials 2. Automate Login CREDENTIAL STUFFING
  13. 13. 1. Get Credentials 2. Automate Login CREDENTIAL STUFFING
  14. 14. 1. Get Credentials 2. Automate Login 3. Defeat Defenses CREDENTIAL STUFFING
  15. 15. 1. Get Credentials 2. Automate Login 3. Defeat Defenses CREDENTIAL STUFFING
  16. 16. 1. Get Credentials 2. Automate Login 3. Defeat Defenses 4. Distribute CREDENTIAL STUFFING
  17. 17. $0 2.3 billion credentials $0-50 For tool configuration $0-139 For 100,000 solved CAPTCHAs $0-10 For 1,000 global IPs 100,000 ATO attempts can be tried for less than $200 USD <$0.002 per ATO attempt. Jarrod Overson
  18. 18. $2 - $150+ Typical range of account values. The rate of return is between 100% and 150,000%+ 0.2% - 2% Success rate of a typical credential stuffing attack. $0.002 Cost per individual attempt. Value * Success Rate Cost – 100% = Rate of Return
  19. 19. 1 2 3 Why credential stuffing is evolving How credential stuffing has evolved Where do we go from here?
  20. 20. Before Modern Era
  21. 21. Generation 0: Basic HTTP requests with common tools
  22. 22. SentryMBA • Performs basic HTTP requests. • Extensible and highly configurable. • Tailored towards specific attack use cases.
  23. 23. Early defense: IP Rate limiting. 0k 50k 100k 150k Iteration 1 : Rotate through proxies
  24. 24. Defense: Text-based CAPTCHAs Iteration 2: Use CAPTCHA Solvers.
  25. 25. Defense: Dynamic sites and JavaScript heavy defenses. Iteration 3: Scriptable WebViews
  26. 26. Defense: Header Fingerprinting & Environment Checks
  27. 27. Modern Era
  28. 28. Iteration 4: Scriptable Consumer Browsers Started with developer libraries like Puppeteer and Selenium. Now attack tools drive the browsers directly.
  29. 29. Browser Fingerprinting Data like screen size, fonts, plugins, & hardware combine to produce a unique value. Defense: Browser Fingerprinting
  30. 30. Iteration 5: Randomizing Fingerprint Data Sources
  31. 31. Defense: Behavior Analysis for Negative Traits
  32. 32. Iteration 6: Human Behavior Emulation
  33. 33. Defense: Browser Consistency Checks
  34. 34. Iteration 7: Use real device data
  35. 35. This keeps going but the direction is clear. We're calling these Imitation Attacks Imitation attacks indicate sophisticated fraud from dedicated adversaries. The aim is to blend in and bypass risk & automation defenses. Not all automation is an imitation attack, not all imitation attacks are automated. The end goal is perfect emulation of humans and their environments.
  36. 36. 1 2 3 Why credential stuffing is evolving How credential stuffing has evolved Where do we go from here?
  37. 37. Valid Accounts The value in our accounts is not going away. As we raise the cost of credential stuffing there is greater incentive to diversify attacks. Credential Stuffing ???
  38. 38. Genesis is an early example of what's next. Malware that resides on the victim to scrape account and environment details.
  39. 39. Photo Bot detail page
  40. 40. Genesis can generate the fingerprints of your exact target. This bypasses many risk-scoring mechanisms that look for activity from new devices.
  41. 41. Select the fingerprint you are looking for
  42. 42. And load it into the Genesis Security Plugin Voila! You are now your target. 93970994-EC4E-447B-B2BD-DE2F4215A44E
  43. 43. This is a human problem, not a technical problem. Advanced credential stuffing is sophisticated fraud. It is more than simple automation. Fraud teams aren't staffed for this, they need help. Imitation attacks are designed to blend in. Look deeply even if you think you don't have a problem. Attackers are economically driven. We need to attack the economics. Every defense will fail if the value is still there.
  44. 44. THANK YOU Jarrod Overson @jsoverson on twitter, medium, and github.

×