
The State of Credential Stuffing and the Future of Account Takeovers.


This talk was given on September 27th, 2019 at OWASP's Global AppSec conference in Amsterdam.


  1. 1. THE STATE OF CREDENTIAL STUFFING: Where do account takeovers go from here? Jarrod Overson @ Shape Security
  2. 2. CREDENTIAL STUFFING STEP BY STEP GUIDE: 1. Get Credentials 2. Automate Login 3. Defeat Automation Defenses 4. Distribute Globally. cre·den·tial stuff·ing /krəˈden(t)SHəl ˈstəfiNG/: The replay of breached username/password pairs across sites to find accounts where passwords have been reused.
  3. 3. Credential Stuffing by the numbers: A problem that has exploded. 2 Billion: The record number of attacks Shape has blocked in one day. 3 Billion: The largest recorded attack campaign against one URL for one company in one week. 1 Billion: New credentials spilled in 2018.
  4. 4. Agenda: 1. Attack Detail and Cost 2. How credential stuffing has evolved 3. Where ATOs go from here
  7. 7. MANUAL WORK: Sufficient when value is high. Can’t scale when value is reduced. AUTOMATION: Sufficient when value is low. Can’t scale when cost is increased.
  8. 8. If there are no defenses in place, the cost is nearly zero. Any attacker can use existing attack tools, strategies, and exploits. [Chart: value vs. cost]
  9. 9. Any defense increases the cost by forcing a generational shift. The cost of entry to each new generation is high at the start. [Chart: value vs. cost, Generation 1]
  10. 10. Enough defenses tip cost vs value in your favor. This is where you want to be. [Chart: value vs. cost, Generation 1, Generation 2, Generation 3]
  11. 11. The cost of entry for each generation decreases over time. All technology gets cheaper as it becomes better understood. [Chart: value vs. cost]
  12. 12. While the value of successful attacks only goes up. [Chart: value vs. cost]
  13. 13. 1. Get Credentials CREDENTIAL STUFFING
  14. 14. 1. Get Credentials 2. Automate Login CREDENTIAL STUFFING
  16. 16. 1. Get Credentials 2. Automate Login 3. Defeat Defenses CREDENTIAL STUFFING
  19. 19. 1. Get Credentials 2. Automate Login 3. Defeat Defenses 4. Distribute CREDENTIAL STUFFING
  20. 20. $0: 2.3 billion credentials. $0-50: For tool configuration. $0-139: For 100,000 solved CAPTCHAs. $0-10: For 1,000 global IPs. 100,000 ATO attempts can be tried for less than $200 USD: <$0.002 per ATO attempt.
  21. 21. Identifying our rate of return. $2 - $150+: Typical range of account values. 0.2% - 2%: Success rate of a typical credential stuffing attack. $0.002: Cost per individual attempt. The rate of return on a credential stuffing attack is 100% on the low end and 150,000%+ on the high end.
  22. 22. Agenda: 1. Attack Detail and Cost 2. How credential stuffing has evolved 3. Where ATOs go from here
  23. 23. Generation 0: Basic HTTP requests with common tools
  24. 24. SentryMBA The classic. • Performs basic HTTP requests. • Extensible and highly configurable. • Tailored towards specific attack use cases.
  25. 25. Early defense: IP Rate limiting. Iteration 1: Rotate through proxies
  26. 26. Defense: Text-based CAPTCHAs Iteration 2: Attacks using CAPTCHA Solvers.
  27. 27. Defense: Dynamic sites and JavaScript heavy defenses. Iteration 3: Scriptable WebViews
  28. 28. Defense: Header Fingerprinting & Environment Checks

          GET / HTTP/1.1
          Host: localhost:1337
          Connection: keep-alive
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537. (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
          Accept-Encoding: gzip, deflate, sdch

          GET / HTTP/1.1
          User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/534.34 (KHT like Gecko) PhantomJS/1.9.8 Safari/534.34
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          Connection: Keep-Alive
          Accept-Encoding: gzip
          Accept-Language: en-US,*
          Host: localhost:1337

  29. 29. Iteration 4: Scriptable Consumer Browsers, like Selenium and Puppeteer. Defense: Browser Fingerprinting
  30. 30. Iteration 5: Randomizing Fingerprint Data Sources. FraudFox & AntiDetect: FraudFox is a VM-based anti-fingerprinting solution. AntiDetect randomizes the data sources that are commonly used to fingerprint modern browsers.
  31. 31. Defense: Behavior Analysis for Negative Traits. Behavior Analysis: Naive bots give themselves away by ignoring normal human behavior. Humans don't always click in the upper left hand corner and don't type out words all at once. Capturing basic behavior can make naive automation easy to knock down.
  32. 32. Iteration 6: Behavior Emulation. Browser Automation Studio: BAS is an automation tool that combines CAPTCHA solving, proxy rotation, and loads of other features with emulated human behavior, all driving a real Chrome browser.
  33. 33. Defense: Browser Consistency Checks. Validating Fingerprint Data: Good users don't lie much. Attackers lie a lot. They use a handful of clients but need to look like they are coming from thousands. Those lies add up.
  34. 34. Iteration 7: Use real device fingerprints. Using Real Fingerprints: Fingerprint Switcher allows a user to cycle through real browsers' fingerprints, reducing the number of lies present in the data.
  35. 35. The direction these attacks are moving in is clear. The end game is flawless emulation of human behavior and real devices on home networks. We call these "Imitation Attacks". Imitation attacks indicate sophisticated fraud from persistent attackers. Imitation attacks go back and forth between attacker and defender, trying to drive the attack traffic to be indistinguishable from legitimate user traffic. Not all automation is an imitation attack; not all imitation attacks are automated.
  36. 36. Agenda: 1. Attack Detail and Cost 2. How credential stuffing has evolved 3. Where ATOs go from here
  37. 37. First, let's clear something up. 2FA does not stop credential stuffing. The point of credential stuffing is to find valid accounts. Credential stuffing, even with 2FA, still results in valid accounts. 2FA stops automated account takeovers.
  38. 38. How can an attacker bypass 2FA? Don't overthink it. Easy attacks are cheap and get good results. [Screen: login form with Username, Password, Submit]
  39. 39. Barry, an everyday user, logs in as normal. [Screen: login form with Username, Password, Submit]
  40. 40. Barry experiences a login delay but he is used to that. [Screen: Logging in]
  41. 41. This time an injected script or malicious extension kicks in. [Screen: Logging in, Add Payee]
  42. 42. The script tries to add a new payee... [Screen: Logging in, Add Payee]
  43. 43. ...which is successful because why wouldn't it be? [Screen: Logging in]
  44. 44. The script then attempts to transfer funds. [Screen: Logging in, Send Funds]
  45. 45. Usually a flat number or percentage, whichever is lower. [Screen: Logging in, Send Funds, 2500]
  46. 46. This time the risk score is too high. Time for additional auth. [Screen: Logging in, Enter 2FA Token]
  47. 47. But Barry's used to this flow and doesn't see a problem. [Screen: Enter 2FA Token, 072344]
  48. 48. The script grabs the token and funds are transferred. [Screen: Enter 2FA Token, 072344]
  49. 49. Extensions looking for new owners are easy to come by. It started with ad fraud, moved to cryptomining, and now includes ATOs.
  50. 50. Not good enough? Build your malware directly into the target app. Popular open source package exploited to inject malicious code into mobile app directly.
  51. 51. What's beyond credential stuffing?
  52. 52. The value in our accounts is not going away. As we raise the cost of credential stuffing there is greater incentive to diversify attacks. [Diagram: Valid Accounts, Credential Stuffing, ???]
  53. 53. Genesis is an early example of the next generation. Malware that resides at the host to scrape account and environment details.
  54. 54. Thousands of infections and growing.
  55. 55. Advertises the high profile accounts the bot has already scraped.
  56. 56. Regularly updates its records with newly acquired accounts.
  57. 57. Each infected computer and its data is sold as one unit.
  58. 58. Each bot gives the purchaser exclusive access to its data. One buyer per bot.
  59. 59. Bots can have hundreds of scraped resources and accounts. Each bot will collect everything it can, even if it isn't sure what it is yet.
  60. 60. Genesis can generate the fingerprints of your exact target. This bypasses many risk-scoring mechanisms that look for activity from new devices.
  61. 61. Select the fingerprint you are looking for. Configure which parts you want to emulate.
  62. 62. And load it into your current session via the Genesis Security Plugin. Voila! Now you are your target.
  63. 63. It follows the rules of shady actors in the CIS.
  64. 64. Malware that scrapes, learns, and imitates its host users is what's next. We've started seeing the signs in ad fraud.
  65. 65. Fraud is a human problem, not a technical problem. Advanced credential stuffing is sophisticated fraud: treat it as more than simple automation. Talk to your fraud teams and work from the scams backward. Imitation attacks are designed to blend in: if you don't think you have a problem, look deeper until you know you don't have a problem. Attackers are economically driven; we need to attack the economics. Simple solutions are only temporary. Every defense will fail if the value is still there. There are no silver bullet solutions against humans.
  66. 66. THANK YOU - Jarrod Overson @jsoverson on twitter, medium, and github.
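
The header fingerprinting defense on slide 28, worked through as an added example that is not part of the talk: it parses the slide's two requests and flags a client whose claimed browser does not match the header layout it sends. The User-Agent strings are abridged, the baseline is learned only from the slide's Chrome request, and `parse_request`, `claimed_family` and `check` are hypothetical names.

```python
# Constructed inputs: the two requests from slide 28, User-Agent strings abridged.
CHROME_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) Chrome/39.0.2171.95 Safari/537.36"
PHANTOM_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X) PhantomJS/1.9.8 Safari/534.34"
CHROME_REQ = (
    "GET / HTTP/1.1\r\nHost: localhost:1337\r\nConnection: keep-alive\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
    f"User-Agent: {CHROME_UA}\r\nAccept-Encoding: gzip, deflate, sdch\r\n\r\n")
PHANTOM_REQ = (
    f"GET / HTTP/1.1\r\nUser-Agent: {PHANTOM_UA}\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Connection: Keep-Alive\r\nAccept-Encoding: gzip\r\nAccept-Language: en-US,*\r\n"
    "Host: localhost:1337\r\n\r\n")
# Constructed case: same header layout as the PhantomJS request, Chrome User-Agent.
SPOOFED_REQ = PHANTOM_REQ.replace(PHANTOM_UA, CHROME_UA)

def parse_request(raw):
    """Return (header names in wire order, {name: value}); names are lower-cased."""
    names, values = [], {}
    for line in raw.strip().splitlines()[1:]:   # skip the request line
        if not line.strip():
            break                                # blank line ends the header block
        name, _, value = line.partition(":")
        names.append(name.strip().lower())
        values[names[-1]] = value.strip()
    return names, values

def claimed_family(user_agent):
    # PhantomJS is tested first because its UA string also contains "Safari".
    for token in ("PhantomJS", "Chrome"):
        if token in user_agent:
            return token.lower()
    return "unknown"

# Assumption: a real deployment learns baselines from its own observed traffic.
_order, _vals = parse_request(CHROME_REQ)
BASELINE = {"chrome": {"order": _order, "connection": _vals["connection"]}}

def check(raw):
    """List the inconsistencies between the claimed browser and the headers sent."""
    names, values = parse_request(raw)
    family = claimed_family(values.get("user-agent", ""))
    findings = ["headless-user-agent"] if family == "phantomjs" else []
    base = BASELINE.get(family)
    if base:
        seen = [n for n in names if n in base["order"]]
        want = [n for n in base["order"] if n in names]
        if seen != want:
            findings.append("header-order-mismatch")
        if values.get("connection") != base["connection"]:
            findings.append("connection-value-mismatch")
    return findings
```

Changing only the User-Agent leaves the header order and the `Connection` casing of the original client in place, which is the kind of inconsistency slide 33 describes as lies that add up.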