by Avivah Litan
“Young hackers have picked them every one.
Oh, when will they ever learn?
Oh, when will they ever learn?”
Not sure you remember this classic Peter, Paul and Mary song, but it is certainly apropos for the moment.
Last August, the New York Times reported that a Russian crime ring had amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses. The confidential data was discovered by Hold Security, and most market observers shrugged off this discovery, questioning Hold’s motives rather than confronting the gravity of this finding.
This wasn’t the only time we learned of hacked credentials and personal data. There have been numerous such reports over the past year, as hackers broke into many household ecommerce brands and made off with this loot.
We’d be naïve to think that the hackers are just sitting on this data and not using it. In fact, they are using it very aggressively. Over the past couple of months, Gartner clients have been telling us about the significant rise in automated attacks, whereby hackers use bot armies to run through user credentials at various consumer service websites, knowing that a few percent of them will probably work. A Gartner survey several years ago found that over two thirds of consumers reuse their passwords across sites whenever they can.
This automated criminal cycling through user ids (generally email addresses) and passwords at various websites, such as online banking or credit card portals, is nothing new. We’ve heard about this from our clients for at least three years now. But according to our clients, these massive automated account takeover attacks have become much more sophisticated and have escalated substantially, with big pickups in such traffic just over the past 60 days, both during and after the holiday season.
Lots of good stuff goes on limited sales for the holidays, and lots of stored value in the form of gift cards and other loyalty programs is available, courtesy of family and friends who give these as holiday gifts. In fact, fraud detection vendor NuData Security has seen such scripted attacks against their large online customers double in just the past couple of months.
So what kind of online accounts are the hackers taking over with their newly acquired credentials and stolen data? Anything and everything that has monetary or resale value – usually via resale on popular auction sites – including:
a) Credit card or other bank account information stored in digital wallets at online retailers used to make checkouts much faster (so you don’t have to reenter all of it)
b) Digital currencies used for online games that they steal or purchase anew with stolen credit cards
c) Digital content such as electronic images
d) Travel awards, such as frequent flyer miles or hotel loyalty points (See Brian Krebs’ blogs on this at krebsonsecurity.com)
e) Limited editions of high-fashion goods like purses and sneakers, and concert tickets, which fraudsters or other types of scalpers buy up in seconds or minutes, usually with stolen credit cards, depriving legitimate shoppers of these nice deals. Instead, consumers now have to buy these hot items at up to 450% markups on auction sites.
f) Stored value accounts at major brands representing favorite food and drink establishments or retailers.
These massive account takeover or account creation attacks (hackers often have to create new accounts to get their jobs done or to launder the stolen goods through) go undetected by conventional fraud detection techniques, which the hackers have learned to evade. Using large bot armies, they often throttle down the speed of their attacks while decentralizing the originating endpoints attacking the site, so that they remain under the radar of their victims.
For example, they will have one endpoint out of thousands in the bot army try one account credential once or twice in one hour, and this will be repeated by different unique bot endpoints over the course of days or weeks. In this way, traditional fraud detection measures such as device fingerprinting or velocity checks fail to detect the attacks. In other cases, the criminals go through affiliate networks using popular cloud-based infrastructure services, so that the originating IP addresses are indeed legitimate and won’t be suspected or blocked.
In one attack just this month, the bad guys spread their bot army across 68 countries and almost 1000 IP addresses. In another instance also this month, the bot army attempted 5000 logins a day through an affiliate network.
In summary here are some of the most notable trends in automated attacks:
1. Use of widely distributed scripted attacks that emulate full device characteristics, i.e. a full web session with a modern browser, making it harder to detect using traditional device identification techniques.
2. Circumvention of velocity checking by spreading account attacks over many IP addresses and accounts. The average online retail attack will only use an IP address 2.25 times now before moving on to the next IP address. Likewise with accounts, a single account is rarely used for more than two purchases.
3. Matching IP address geos to billing address geos on credit card purchases, eluding common fraud detection techniques.
4. Rising use of cloud-hosted solutions to launch account takeover attacks in order to evade the IP address checks used to detect fraud.
5. Account takeover is growing as the preferred method for taking over payment instruments, as opposed to credit card cycling for fraudulent purchases. This trend will no doubt continue as more ecommerce players offer consumers digital wallets for storing their payment instruments, making it easier and faster to check out.
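The evasion pattern described above (one bot IP trying a credential once or twice, then moving on, so that neither the IP nor the account ever trips a velocity cap) is easiest to see on a log. The script below is an added example, not code from the post or from any vendor it names; the login log is constructed to mimic that pattern, with a clean first day followed by three days in which 300 stolen credentials are tried from 200 IPs (1.5 attempts per IP on average, in the spirit of the 2.25 figure quoted in the trend list, while legitimate users keep logging in). The IP ranges, account names, thresholds and the 3% hit rate are all assumptions made for the example.

```python
"""Why per-IP and per-account velocity checks miss a distributed, low-and-slow
credential-stuffing run, and what site-wide aggregation sees instead.
All traffic below is constructed for this example (not real log data)."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2015, 1, 5)  # arbitrary start of the synthetic four-day log


def build_events():
    """Return (timestamp, source_ip, account, success) tuples, sorted by time.

    Day 0 is attack-free. On days 1-3 a bot army tries 300 stolen credentials
    from 200 IPs: each IP makes at most two attempts, each account is tried
    once, and the attempts are spread evenly over 72 hours (constructed data).
    """
    events = []
    for day in range(4):
        for u in range(40):                        # legitimate background traffic
            t = BASE + timedelta(days=day, hours=8 + u % 10, minutes=u)
            ip, acct = f"203.0.113.{u + 1}", f"user{u:02d}@example.com"
            if day == 2 and u == 7:                # one real user mistypes twice
                events.append((t, ip, acct, False))
                events.append((t + timedelta(minutes=1), ip, acct, False))
            events.append((t + timedelta(minutes=2), ip, acct, True))
    for i in range(300):                           # distributed stuffing, days 1-3
        t = BASE + timedelta(days=1, minutes=i * 72 // 5)  # one try every 14.4 min
        ip = f"198.51.100.{i * 2 // 3 + 1}"        # 200 IPs, 1-2 tries each
        acct = f"victim{i:03d}@example.com"        # 300 distinct stolen credentials
        events.append((t, ip, acct, i % 33 == 0))  # ~3% of stuffed passwords work
    events.sort()
    return events


def velocity_alerts(events, key, max_attempts=5, window=timedelta(hours=1)):
    """Conventional check: flag any single IP (key=1) or account (key=2) that
    makes more than max_attempts inside a sliding window. Returns the flagged set."""
    times = defaultdict(list)
    for ev in events:
        times[ev[key]].append(ev[0])
    flagged = set()
    for k, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 > max_attempts:
                flagged.add(k)
                break
    return flagged


def daily_metrics(events):
    """Site-wide, account-centric aggregation: per day, count attempts, failures,
    distinct IPs and 'fresh-IP failures' (failed logins to an account from an IP
    that has never successfully logged into that account before)."""
    known_pairs = set()            # (ip, account) pairs with an earlier success
    days = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                "fresh_ip_failures": 0, "ips": set()})
    for t, ip, acct, ok in events:  # chronological, so 'earlier' means seen already
        d = days[(t - BASE).days]
        d["attempts"] += 1
        d["ips"].add(ip)
        if ok:
            known_pairs.add((ip, acct))
        else:
            d["failures"] += 1
            if (ip, acct) not in known_pairs:
                d["fresh_ip_failures"] += 1
    for d in days.values():
        d["distinct_ips"] = len(d.pop("ips"))
        d["fail_rate"] = d["failures"] / d["attempts"]
    return dict(days)


def site_wide_alerts(metrics, max_fail_rate=0.25, max_fresh_ip_failures=20):
    """Flag days whose aggregate failure pattern is abnormal even though no
    individual IP or account stands out. Returns sorted day indexes."""
    return sorted(day for day, m in metrics.items()
                  if m["fail_rate"] > max_fail_rate
                  or m["fresh_ip_failures"] > max_fresh_ip_failures)


if __name__ == "__main__":
    evs = build_events()
    print("per-IP velocity alerts:", velocity_alerts(evs, key=1) or "none")
    print("per-account velocity alerts:", velocity_alerts(evs, key=2) or "none")
    metrics = daily_metrics(evs)
    for day, m in sorted(metrics.items()):
        print(f"day {day}: attempts={m['attempts']:3d} failures={m['failures']:3d} "
              f"fail_rate={m['fail_rate']:.2f} fresh_ip_failures={m['fresh_ip_failures']:3d} "
              f"distinct_ips={m['distinct_ips']}")
    print("site-wide alerts on days:", site_wide_alerts(metrics))
```

Run as-is, both velocity checks come back empty: no bot IP exceeds two attempts and no stuffed account is tried more than once, exactly the situation the post describes. The daily aggregation tells a different story: the clean day shows zero failures, while each attack day shows roughly 100 failures, almost all of them against accounts from IPs with no login history on that account, so the site-wide check flags days 1 to 3. The "fresh-IP failure" count is the user/account-centric signal; in a real deployment the baseline for the failure rate would be learned from the site's own history rather than fixed at 25%.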
What are the solutions?
Thankfully there are solutions on the market that can stop most of the automated attack activity we see today. Captchas, the traditional solution used for stopping automated attacks, aren’t effective anymore. Readily accessible Captcha bypass services will solve as many as 1000 captchas for $1.39 with 90% accuracy.
Two complementary approaches have proven effective with our clients.
1. Detection using a cloud-based fraud detection service that combines the first three layers of Gartner’s five-layer fraud detection framework – endpoint centric, navigation centric and user/account centric – with metadata on devices and IP addresses across millions or billions of transactions at various websites (the more data points the better). NuData Security is a vendor that successfully does this. See our April 2014 “Market Guide for Online Fraud Detection” that discusses other fraud detection software and services.
2. Deflection, which involves a relatively new web application security technique that scrambles website code using a process called polymorphism. This precludes the hackers’ ability to decipher how a web site can be attacked since the logic of the web application is no longer transparent (e.g. no more ‘in the clear’ HTML code). Shape Security is a vendor that successfully does this.
Until websites and service providers engage these more advanced fraud detection services, as consumers we would be better served by changing our passwords as frequently as practically possible. We just can’t count on most of our service providers using anything more than simple passwords to secure our data and accounts. If we reuse our passwords across sites, the chances of one of our account credentials getting stolen are probably around 50%, and the chances of one of our accounts getting hacked, in my estimation, are probably around 5-10%.
Password compromise is the most common way bad guys get into our accounts – whether they are Twitter, bank, credit card, frequent flyer, gaming or other ecommerce accounts. Unlike the situation with banks, there is no legal recourse or money/service back guarantee from other non-regulated providers. I’m not sure my preferred airline will give me back the hundreds of thousands of frequent flyer points I so painfully earned…
It’s amazing that most service providers still rely on password security, after all these years and after all these breaches. “When will they ever learn, when will they ever learn?”