AppSecCali - How Credential Stuffing is Evolving
Report
Jarrod OversonFollow
Jan. 23, 2020•0 likes•593 views
1 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
AppSecCali - How Credential Stuffing is Evolving
Jan. 23, 2020•0 likes•593 views
1 likes
Be the first to like this
Show More
views
Total views
0
On Slideshare
0
From embeds
0
Number of embeds
0
Download to read offline
Report
Internet
This talk was given at AppSec California, January 2020. Credential stuffing and other automated attacks are evolving passed every defense thrown in their way. CAPTCHAs don't work, Fingerprints don't work, Magical AI-whatevers don't work. The value is just too great.
Jarrod OversonFollow
Recommended
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
Web Application SecuritySiarhei Barysiuk
Pentester's Mindset! - Ravikumar PaghdalNSConclave
Identity theft: Developers are key - JFokus 2017Brian Vermeer
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...HackerOne
Mobile binary code - Attack Tree and MitigationSunil Paudel
AppSecCali - How Credential Stuffing is Evolving
- Jarrod Overson Director of Engineering at Shape Security HOW CREDENTIAL STUFFING IS EVOLVING And where do we go from here?
- Who am I? And should you trust me? • Director of Engineering at Shape Security • Google Developer Expert. • Old school video game hacker. • @jsoverson everywhere
- Why credential stuffing is evolving How credential stuffing has evolved Where do we go from here? 1 2 3
- Jarrod Overson Why credential stuffing is evolving1 The same reason anything evolves. Incentive + adversity.
- If there are no defenses in place, the cost is nearly zero. valuecost Jarrod Overson
- Any defense increases the cost by forcing a generational shift. valuecost Generation 1 Jarrod Overson
- Enough defenses will tip cost/value in your favor valuecost Generation 1 Generation 2 Generation 3 Jarrod Overson
- The cost of entry for all technology decreases over time. valuecost All technology gets cheaper as it becomes better understood and more generalized. Jarrod Overson
- While the value of successful attacks only goes up. valuecost Jarrod Overson
- CREDENTIAL STUFFING: A HOW-TO GUIDE 1 Get Credentials 2 Automate Login 3 4 Defeat Existing Defenses Distribute Globally
- 1. Get Credentials CREDENTIAL STUFFING
- 1. Get Credentials 2. Automate Login CREDENTIAL STUFFING
- 1. Get Credentials 2. Automate Login CREDENTIAL STUFFING
- 1. Get Credentials 2. Automate Login 3. Defeat Defenses CREDENTIAL STUFFING
- 1. Get Credentials 2. Automate Login 3. Defeat Defenses CREDENTIAL STUFFING
- 1. Get Credentials 2. Automate Login 3. Defeat Defenses 4. Distribute CREDENTIAL STUFFING
- $0 2.3 billion credentials $0-50 For tool configuration $0-139 For 100,000 solved CAPTCHAs $0-10 For 1,000 global IPs 100,000 ATO attempts can be tried for less than $200 USD <$0.002 per ATO attempt. Jarrod Overson
- $2 - $150+ Typical range of account values. The rate of return is between 100% and 150,000%+ 0.2% - 2% Success rate of a typical credential stuffing attack. $0.002 Cost per individual attempt. Value * Success Rate Cost – 100% = Rate of Return
- 1 2 3 Why credential stuffing is evolving How credential stuffing has evolved Where do we go from here?
- Before Modern Era
- Generation 0: Basic HTTP requests with common tools
- SentryMBA • Performs basic HTTP requests. • Extensible and highly configurable. • Tailored towards specific attack use cases.
- Early defense: IP Rate limiting. 0k 50k 100k 150k Iteration 1 : Rotate through proxies
- Defense: Text-based CAPTCHAs Iteration 2: Use CAPTCHA Solvers.
- Defense: Dynamic sites and JavaScript heavy defenses. Iteration 3: Scriptable WebViews
- Defense: Header Fingerprinting & Environment Checks
- Modern Era
- Iteration 4: Scriptable Consumer Browsers Started with developer libraries like Puppeteer and Selenium. Now attack tools drive the browsers directly.
- Browser Fingerprinting Data like screen size, fonts, plugins, & hardware combine to produce a unique value. Defense: Browser Fingerprinting
- Iteration 5: Randomizing Fingerprint Data Sources
- Defense: Behavior Analysis for Negative Traits
- Iteration 6: Human Behavior Emulation
- Defense: Browser Consistency Checks
- Iteration 7: Use real device data
- This keeps going but the direction is clear. We're calling these Imitation Attacks Imitation attacks indicate sophisticated fraud from dedicated adversaries. The aim is to blend in and bypass risk & automation defenses. Not all automation is an imitation attack, not all imitation attacks are automated. The end goal is perfect emulation of humans and their environments.
- 1 2 3 Why credential stuffing is evolving How credential stuffing has evolved Where do we go from here?
- Valid Accounts The value in our accounts is not going away. As we raise the cost of credential stuffing there is greater incentive to diversify attacks. Credential Stuffing ???
- Genesis is an early example of what's next. Malware that resides on the victim to scrape account and environment details.
- Photo Bot detail page
- Genesis can generate the fingerprints of your exact target. This bypasses many risk-scoring mechanisms that look for activity from new devices.
- Select the fingerprint you are looking for
- And load it into the Genesis Security Plugin Voila! You are now your target. 93970994-EC4E-447B-B2BD-DE2F4215A44E
- This is a human problem, not a technical problem. Advanced credential stuffing is sophisticated fraud. It is more than simple automation. Fraud teams aren't staffed for this, they need help. Imitation attacks are designed to blend in. Look deeply even if you think you don't have a problem. Attackers are economically driven. We need to attack the economics. Every defense will fail if the value is still there.
- THANK YOU Jarrod Overson @jsoverson on twitter, medium, and github.