How Credential Stuffing is Evolving - PasswordsCon 2019
0 likes309 views
Jarrod Overson discusses the evolution of credential stuffing, highlighting that it thrives on a combination of low costs and the increasing value of successful attacks. The document outlines how defenses are also evolving in response, becoming more sophisticated while attackers utilize advanced techniques like automation and human behavior emulation. Finally, Overson warns that without addressing the economic incentives behind these attacks, defenses are likely to fail regardless of advancement.
How Credential Stuffing is Evolving - PasswordsCon 2019
- 1. Jarrod Overson Director of Engineering at Shape Security HOW CREDENTIAL STUFFING IS EVOLVING And where do we go from here?
- 2. cre·den·'al stuff·ing /krəˈden(t)SHəl ˈstəfiNG/ The tes'ng of previously breached username and password pairs across sites to find accounts where passwords have been reused. CREDENTIAL STUFFING Photo by Nine Köpfer on Unsplash
- 3. Who am I? And should you trust me? • Director of Engineering at Shape Security • Google Developer Expert. • Old school video game hacker. • @jsoverson everywhere
- 4. Why credential stuffing is evolving How credential stuffing has evolved Where do we go from here? 1 2 3
- 5. Jarrod Overson Why credential stuffing is evolving1 The same reason anything evolves. Incentive + adversity.
- 6. If there are no defenses in place, the cost is nearly zero. valuecost Jarrod Overson
- 7. Any defense increases the cost by forcing a generational shift. valuecost Generation 1 Jarrod Overson
- 8. Enough defenses will tip cost/value in your favor valuecost Generation 1 Generation 2 Generation 3 Jarrod Overson
- 9. The cost of entry for all technology decreases over time. valuecost All technology gets cheaper as it becomes better understood and more generalized. Jarrod Overson
- 10. While the value of successful attacks only goes up. valuecost Jarrod Overson
- 11. MANUAL WORK AUTOMATION Sufficient when value is high Can’t scale when value is reduced Can’t scale when cost is increased Sufficient when value is low
- 12. CREDENTIAL STUFFING: A HOW-TO GUIDE 1 Get Credentials 2 Automate Login 3 4 Defeat Existing Defenses Distribute Globally
- 14. 1. Get Credentials 2. Automate Login CREDENTIAL STUFFING
- 15. 1. Get Credentials 2. Automate Login CREDENTIAL STUFFING
- 16. 1. Get Credentials 2. Automate Login 3. Defeat Defenses CREDENTIAL STUFFING
- 17. 1. Get Credentials 2. Automate Login 3. Defeat Defenses CREDENTIAL STUFFING
- 18. 1. Get Credentials 2. Automate Login 3. Defeat Defenses 4. Distribute CREDENTIAL STUFFING
- 19. $0 2.3 billion credentials $0-50 For tool configuration $0-139 For 100,000 solved CAPTCHAs $0-10 For 1,000 global IPs 100,000 ATO attempts can be tried for less than $200 USD <$0.002 per ATO attempt. Jarrod Overson
- 20. $2 - $150+ Typical range of account values. The rate of return is between 100% and 150,000%+ 0.2% - 2% Success rate of a typical credential stuffing attack. $0.002 Cost per individual attempt. Value * Success Rate Cost – 100% = Rate of Return
- 21. 1 2 3 Why credential stuffing is evolving How credential stuffing has evolved Where do we go from here?
- 23. Generation 0: Basic HTTP requests with common tools
- 24. SentryMBA • Performs basic HTTP requests. • Extensible and highly configurable. • Tailored towards specific attack use cases.
- 25. Early defense: IP Rate limiting. 0k 50k 100k Iteration 1 : Rotate through proxies
- 28. Defense: Text-based CAPTCHAs Iteration 2: Use CAPTCHA Solvers.
- 29. Defense: Dynamic sites and JavaScript heavy defenses. Iteration 3: Scriptable WebViews
- 30. GET / HTTP/1.1 Host: localhost:1337 Connection: keep-alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/ *;q=0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537. (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Accept-Encoding: gzip, deflate, sdch GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/534.34 (KHT like Gecko) PhantomJS/1.9.8 Safari/534.34 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Connection: Keep-Alive Accept-Encoding: gzip Accept-Language: en-US,* Host: localhost:1337 Defense: Header Fingerprinting & Environment Checks
- 31. Modern Era
- 32. Iteration 4: Scriptable Consumer Browsers Selenium & Puppeteer Selenium is a free, open source testing tool that scripts popular browsers. Puppeteer is a Google project that automates Firefox and Chromium based browsers.
- 33. Browser Fingerprinting High-entropy data points are collected to produce an acceptably unique fingerprint. Data points like screen size, fonts, plugins, hardware profiles, et al. This identifies the source of traffic even when tunneling through proxies. Defense: Browser Fingerprinting
- 34. Iteration 5: Randomizing Fingerprint Data Sources FraudFox & AntiDetect FraudFox is a VM-Based anti-fingerprinting solution. AntiDetect randomizes the data sources that are commonly used to fingerprint modern browsers.
- 35. Behavior Analysis Naive bots give themselves away by ignoring normal human behavior. Humans don't always click in the upper left hand corner and don't type out words all at once. Capturing basic behavior can make naive automation easy to knock down. Defense: Behavior Analysis for Negative Traits
- 36. Iteration 6: Human Behavior Emulation Browser Automation Studio BAS is an automation tool that combines CAPTCHA solving, proxy rotation, and emulated human behavior.
- 37. Validating Fingerprint Data Good Users don't lie much. Attackers lie a lot. They use a handful of clients but need to look like they are coming from thousands. Those lies add up. Defense: Browser Consistency Checks
- 38. Iteration 7: Use real device data Using Real Values Bablosoft's Fingerprint Switcher allows a user to cycle through a real browser's fingerprintable data points, reducing the number of lies present in the data.
- 39. This keeps going but the direction is clear. We're calling these Imitation Attacks Imitation attacks indicate sophisticated fraud from dedicated adversaries. The aim is to blend in and bypass risk & automation defenses. Not all automation is an imitation attack, not all imitation attacks are automated. The end goal is perfect emulation of humans and their environments.
- 40. 1 2 3 Why credential stuffing is evolving How credential stuffing has evolved Where do we go from here?
- 41. The value in our accounts is not going away. As we raise the cost of credential stuffing there is greater incentive to diversify attacks. Valid Accounts Credential Stuffing ???
- 42. Genesis is an early example of what's next. Malware that resides on the victim to scrape account and environment details.
- 43. Thousands of infections and growing.
- 44. Advertises the high profile accounts the bot has already scraped.
- 45. Regularly updates its records with newly acquired accounts.
- 46. Each bot and its data is sold as one unit $
- 48. Bots have hundreds of scraped resources and accounts.
- 49. Genesis can generate the fingerprints of your exact target. This bypasses many risk-scoring mechanisms that look for activity from new devices.
- 50. Select the fingerprint you are looking for
- 51. And load it into the Genesis Security Plugin Voila! You are now your target. 93970994-EC4E-447B-B2BD-DE2F4215A44E
- 52. Malware that scrapes, learns, imitates, and proxies through its victim is next We've started seeing the signs in ad fraud.
- 53. This is a human problem, not a technical problem. Advanced credential stuffing is sophisticated fraud. It is more than simple automation. Fraud teams aren't staffed for this, they need help. Imitation attacks are designed to blend in. Look deeply even if you think you don't have a problem. Attackers are economically driven. We need to attack the economics. Every defense will fail if the value is still there. There are no silver bullet solutions against humans. (Except literal silver bullets, but...)
- 54. THANK YOU Jarrod Overson @jsoverson on twitter, medium, and github.