Account Checkers and Fraud

Similar documents
Secure Content Delivery Network

THE AKAMAI SERVICE CONSULTING PACKAGE 10FOR10 IMPROVES YOUR WEB PERFORMANCE METRIC(S) BY AT LEAST 10%! AKAMAI 10For10 AKAMAI INDUSTRY BROCHURE

HIMSS Survey Uncovers Critical Weaknesses In Hospital Web Security

Secure Content Delivery Network

AKAMAI WHITE PAPER. Delivering Dynamic Web Content in Cloud Computing Applications: HTTP resource download performance modelling

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

Web Application Vulnerability Scanner: Skipfish

kamai Technologies Inc. Commonly Accepted Security Practices and Recommendations (CASPR)

AKAMAI WHITE PAPER. The Challenges of Connecting Globally in the Pharmaceutical Industry

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

JOOMLA REFLECTION DDOS-FOR-HIRE

Protect Your Business and Customers from Online Fraud

THE INTERNET GETS BETTER WHEN WE WORK TOGETHER

Securing Cloud-Based Workflows for Premium Content:

How to Evaluate DDoS Mitigation Providers:

Making the Internet Business-Ready

Improving Web Application Security: The Akamai Approach to WAF

DNS FLOODER V1.1. akamai s [state of the internet] / Threat Advisory

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

Protecting Online Customers from Man-inthe-Browser and Man-in-the-Middle Attacks

Gladiator NetTeller Enterprise Security Monitoring Online Fraud Detection INFORMATION SECURITY & RISK MANAGEMENT

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

PERFORMANCE MATTERS CONSUMER INSIGHTS FROM THE UNITED KINGDOM

AKAMAI WHITE PAPER. Weighing Risk Against the Total Cost of a Data Breach: Can You Afford a Web Application Layer Attack?

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

SSDP REFLECTION DDOS ATTACKS

Beyond passwords: Protect the mobile enterprise with smarter security solutions

SB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298

Avaya G700 Media Gateway Security - Issue 1.0

Intelligent Layer 7 DoS and Brute Force Protection for Web Applications

2X SecureRemoteDesktop. Version 1.1

ACCOUNT TAKEOVER TO IDENTITY TAKEOVER

Reverse Proxy Guide. Version 2.0 April 2016

Capitalize on Mobile Commerce by Optimizing the Mobile Shopping Experience

How To Prevent Hacker Attacks With Network Behavior Analysis

akamai s [state of the internet] Q executive review

Phishing Trends Report

Penetration Testing Report Client: Business Solutions June 15 th 2015

CUSTOMERS & CRIMINALS: USE WEB SESSION INTELLIGENCE TO DETECT WHO IS WHO ONLINE

NTP-AMP: AMPLIFICATION TACTICS AND ANALYSIS

Enhancing Organizational Security Through the Use of Virtual Smart Cards

The Trivial Cisco IP Phones Compromise

Application Note VAST Network settings

Rise of the Machines: An Internet-Wide Analysis of Web Bots in 2014

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

SPEAR PHISHING UNDERSTANDING THE THREAT

How To Protect Your Online Banking From Fraud

Mobile Device Management Version 8. Last updated:

Strengthen security with intelligent identity and access management

Dynamic Site Accelerator

Basics of Internet Security

Creating a generic user-password application profile

ecommerce Stages of Authentication Dynamic Factor Authentication

Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?

Doyourwebsitebot defensesaddressthe changingthreat landscape?

COORDINATED THREAT CONTROL

Protecting Against Online Fraud with F5

Innovations in Network Security

OVERVIEW. 1. Cyber Crime Unit organization. 2. Legal framework. 3. Identity theft modus operandi. 4. How to avoid online identity theft

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Fighting Online Fraud

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3 April 8, Integration Guide IBM

Getting a Secure Intranet

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Copyright 2013, 3CX Ltd.

M 3 AAWG Compromised User ID Best Practices

Client Security Guide

Where every interaction matters.

HOW IS WEB APPLICATION DEVELOPMENT AND DELIVERY CHANGING?

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.

Creating an ESS instance on the Amazon Cloud

Avaya TM G700 Media Gateway Security. White Paper

Client logo placeholder XXX REPORT. Page 1 of 37

Using SUSE Studio to Build and Deploy Applications on Amazon EC2. Guide. Solution Guide Cloud Computing.

Folder Proxy + OWA + ECP/EAC Guide. Version 2.0 April 2016

Guide to Evaluating Multi-Factor Authentication Solutions

WatchDox for Windows User Guide. Version 3.9.0

Configuration Guide. How to Configure SSL VPN Features in DSR Series. Overview

The Key to Secure Online Financial Transactions

Kaseya Server Instal ation User Guide June 6, 2008

Active Directory Provider User s Guide

Top 5 Essential Log Reports

Sync Security and Privacy Brief

WEB ATTACKS AND COUNTERMEASURES

3rd Party VoIP Phone Setup Guide (Panasonic b)

User Manual. 3CX VOIP client / Soft phone Version 6.0

IBM Campaign and IBM Silverpop Engage Version 1 Release 2 August 31, Integration Guide IBM

Quarterly Report: Symantec Intelligence Quarterly

What Is Ad-Aware Update Server?

AKAMAI WHITE PAPER. Accelerate and Protect your E-learning Initiatives using Akamai s Cloud Based Intelligent Platform TM

WestermoConnect User Guide. VPNeFree Service

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Xerox Mobile Print Cloud

Protecting Your Network Against Risky SSL Traffic ABSTRACT

Proxy Blocking: Preventing Tunnels Around Your Web Filter. Information Paper August 2009

VOIP SECURITY: BEST PRACTICES TO SAFEGUARD YOUR NETWORK ======

FKCC AUP/LOCAL AUTHORITY

Transcription:

kamai Technologies Inc. Account Checkers and Fraud Carders in Action VERSION: 2013-0005-G

Table of Contents Executive Summary... 2 Observed Behavior... 2 Attacker Tactics, Techniques and Procedures... 2 Build Tools Server... 2 Cultivate List of Open Proxies... 2 Acquire Compromised Logins... 3 Check/Alter Compromised Accounts... 3 Make Fraudulent Purchases... 3 Indicators, Detection and Defense... 3 Altered Account Data... 3 Failed Login Attempts... 3 IP Network Characteristics... 4 Defenses... 4 Akamai Defenses... 4 Research Data... 5 Mechanisms of Attack... 5 Multiple Site Account Checkers... 6 Credit Card Number Checker... 7 1

Executive Summary Akamai has observed attempted account takeover behavior for a customer resulting from reuse of credentials obtained from other sites. Attackers are using automated tools ( account checkers ) to quickly determine valid userid/password combinations across a large number of ecommerce sites. Attackers using these tools can identify valid accounts rapidly, gain access and acquire names, addresses and credit card data from user profiles, as well as fraudulently acquire merchandise. Observed Behavior The following are indications that an account checker has been used against an ecommerce site: User complains that their account mailing address has been altered. Multiple other users altered in a similar time frame. Many failed logins detected in a short period of time from a small number of IP addresses. Locked accounts. Higher than normal rate of fraud activity. Attacker Tactics, Techniques and Procedures Build Tools Server Attackers will usually compromise a hosted webserver and upload the script. Several known groups also have semi-permanent or permanent domain names where they host their tools (tools.nbteam.us, tool.kid1232.com,ugchecker.cc ). Since these scripts make use of proxy sites for the actual attack, however, it is not helpful to block these sites. However, we have seen instances of attackers using Amazon Web Services (AWS) to host their attack tools. Once appropriate web space has been acquired, the attackers will upload their scripts. Cultivate List of Open Proxies Integral to the success of the attack is the use of web proxies. By routing traffic through open proxies, the attackers hope to bypass IP blocks. The tools we have observed allow the attackers to use a list of proxy side and cycle through them with after a fixed number of attempts. The 2

attackers need to ensure their list of proxies is both of sufficient length to disguise the attack and contains valid proxies, or they risk compromising their attack. Acquire Compromised Logins Once the tools are in place, the attackers need to acquire a list of account names and passwords that may be valid on a given domain. These kinds of lists are readily available on sites like pastebin and frequently passed around carder chat forums or offered for sale. Check/Alter Compromised Accounts Once the attackers have a list of potential accounts, they user their tools to rapidly check the validity of the accounts. Accounts that work are marked, and the attackers log in using the credentials. Once logged in, the attackers can collect the user s personal data and credit card information to use for further fraud Make Fraudulent Purchases Attackers can also modify the shipping address of the victim and make purchases with their stored information. The merchandise is sent to an address near the attacker and picked up. Recently gift cards, both physical and electronic have been key items for purchase as they are easily available, difficult to trace and easy to transport. Indicators, Detection and Defense Altered Account Data Users complain that the mailing address on their account has been changed. Sites that send emails when account details change report an increase in calls from customers reporting unauthorized changes. Attackers will often set multiple compromised accounts to have the shipping address, and use that as a canary. If the name or address is later changed, they know that their compromise has been discovered. A sudden spike in gift card purchases is often an indicator that a company is being attacked. Attackers will use stolen cards to make gift card purchase as an easy way of preserving stolen funds. If there is a sudden increase in fraudulent gift card purchases it may also be a sign of an attack underway. Failed Login Attempts Large number of failed account logins in a short period of time 3

A large number of login attempts that are out of expected customer demographics. For example, users with.uk,.fr, or.de email addresses when 99% of the site s customer base resides in North America. IP Network Characteristics When an attacker is using one of these checker tools, targets should expect to see a sudden increase in the number of failed account logins. Specifically, multiple hits to the login and checkout pages from a single IP address. Further investigation will show that these hits originate from web hosting providers or Amazon Web Services instances, not residential routers. If desired, these IP can be blocklisted, although the sheer number of locations an attacker can launch an attack from makes this tactic only minimally effective. Defenses The use of a CAPTCHA or other validation step requiring user intervention will defeat the tools described in this advisory. The use of Akamai s User Validation Module (UVM) will also confirm that the login is coming from a browser and will defeat these tools. If the customer base is primarily from a known country or region, geoblocking may be an option to minimize the locations an attack can originate from. Careful review of authentication logs can identify likely proxy servers being used by the attackers. Sequences of different logins from the same IP may be an indication. Akamai Defenses Organizations that are on the Akamai platform and are using Kona Site Defender can readily block these kinds of attacks by using a combination of rate controls and IP blocklists. Akamai recommends that ecommerce customers configure a bucket for the path to their login page. Customers should then configure a rate control set to 5 requests/sec average and 2 requests/sec burst for that path only. This will ensure that excessive numbers of requests are only blocked to the login page. When the rate control fires, customers can use the Luna portal to determine the IP addresses that are triggering the rule by attempting an excessive number of logins in a short amount of time. These IP addresses can then be added to a blocklist. Since the rate controls are set in excess of what a human would do, and since the attack tools route through open proxies, businesses do not need to worry about blocklisting a customer 4

trying to authenticate to their site. Furthermore, since rate controls only prevent access for 10 minutes, in the unlikely event of a false positive, say a large number of logins from a corporate NAT, legitimate users are not permanently blocked from accessing the site. Customers should review the list of rate limited IP address during and after the attack. If the IP addresses can be confirmed to be open web proxies, those IPs can be placed onto a permanent IP blocklist to proactively prevent these kinds of account checkers from operating in the future. Research Data Mechanisms of Attack The attackers use lists of previously compromised accounts. These are harvested via phishing and readily available on sites like pastebin or underground forums. The attacker calls the appropriate page on the site with a web browser that returns a web form. The attacker pastes pipedelimited email addresses and passwords into a text box on the form and submits the data. The script pieces together a login request, then connects to a listed proxy, if any. The request is transmitted to the ecommerce site and the script monitors the response codes to determine if the account is valid or not. 5

Multiple Site Account Checkers 6

Credit Card Number Checker 7

As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company's advanced web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter. Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 57 offices around the world. Our services and renowned customer care are designed to enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on www.akamai.com/locations. 2015 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice. Published 06/15.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information