CyberWire Daily - Gift card bots evolve and adapt. [Research Saturday]
Episode Date: August 24, 2019
Researchers at Distil Networks have been tracking online bots targeting ecommerce gift card systems of major online retailers. The threat actors show remarkable resourcefulness and adaptability. Jonathan Butler is technical account team manager at Distil Networks, part of Imperva, and he joins to share their findings. The research can be found here: https://resources.distilnetworks.com/all-blog-posts/giftghostbot-attacks-ecommerce-gift-card-systems
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life private. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs,
yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your
security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making
apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps,
not the entire network, continuously verifying every request based on identity and context.
Simplifying security management with AI-powered automation.
And detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Typically, when you get a gift card, there's usually, it depends on the vendor, but sometimes
there will be like a registration process. That's Jonathan Butler. He's the technical account team manager at Distil Networks,
part of Imperva. The research we're discussing today is titled,
GiftGhostBot Attacks E-commerce Gift Card Systems Across Major Online Retailers.
But at that point, once it's registered or if it's already pre-registered,
once you've purchased that and the cashier has approved and all of that,
I mean, it's more or less money in the pocket for you to then go and buy products or services
from that particular retailer. And that's tied to the number on the gift card.
Exactly. So just like a credit card, these gift cards will have an integer, you know, a number on the back, like 16 digits,
that more or less identifies that card to the actual money sitting behind it. And then there will usually be like a pin associated to it to additionally validate those funds.
Okay. I was going to ask you about the PIN because unlike a credit card, for example,
there's no expiration date or there's... I was
thinking about numbers that have to match up for it to be able to work.
Yeah, exactly. So when you go to, you know, validate the funds on this card, the systems are going to be able to read those
digits and then validate against that with the PIN that you can feed in on that thing,
like a CID PIN or something like that.
So that's how it's doing the validation to access the funds.
I see.
So the folks who are trying to hack this system, how are they going about that?
So it's interesting because, you know, as a hacker who, you know, me with the gift card in hand,
I'm non-malicious, I'm going to use that gift card
and buy products and services with it at the retailer,
but for an attacker, an adversary who sees me as a target with the gift card,
he or she won't necessarily know the number that associates those funds off top of head, right?
So it ends up forcing this play by the adversary to effectively have to come up with guesses of those numbers.
And so what ends up happening and where bots come into this whole space is that that adversary will go and write a bot or effectively a script that can go and target
these, you know, check balance services on a retailer site and just start guessing, you know,
hundreds, thousands, you know, upwards of millions if it's long enough and they've got the scale and
support to do that. They can just start brute force guessing with no real rhyme or
reason, but eventually, if they get enough guesses, the probability starts to
increase drastically that they'll be able to more or less guess my card, and
once they access it, they'll have full access to those funds.
And so if they're guessing that number, are they also guessing the PIN as well?
Yeah, exactly.
So they're going to do the same enumeration process over both the card and the PIN as well.
So they'll have the card number, and then they can just randomize and just start guessing at scale the PIN number as well and eventually crack that. Now, from the retailer point of view, I mean, I put this functionality on my website
as a good gesture of customer service to the folks who are buying these gift cards.
What am I going to see on my end?
On your end, you would just see, you know, assuming you have the proper monitoring in place of your systems,
you wouldn't necessarily know if it's a malicious request or not.
Short of that, you'd probably start seeing a bunch of validation requests coming in, right?
So if you're looking at your traffic logs, you're going to see a huge spike on the particular
application call that goes and does that gift card balance lookup, right?
And so when we see these attacks, that's typically what's happening or what cues it and gives
it away is that the chart or the
traffic logs will see a large surge particular to those calls. And so for retailers it's really
important to have, in general, just heightened visibility into some of the critical application
functionality that, you know, will be a high-value target for bot writers.
So in this case, it'd be that, hey, I go to the site, I have my gift card,
I do a quick search, hey, how can I check my gift card balance? Go to the page,
you'll put your numbers in, and when you click submit or check my balance, that's sending a call to the application behind the scenes where it's delivering the number and the PIN to the
application. The application gets that, feeds it back to the
client and says, hey, here's your balance.
And so what you're really looking for is that surge in traffic on those particular validation
requests or the balance check requests.
And that would be pretty clear.
If the bot started targeting you and you were looking at these logs, chances are you would know it.
I would say so. Obviously it's all situational, but typically you're
not seeing a ton of traffic on those types of pages
relative to what a bot writer is going to be doing to that thing.
So you expect relatively
low and stable volume, and usually the traffic patterns of these things are very predictable, right?
Like it's going up and down with the peaks, the on and off peaks of the website.
Whereas when a bot writer comes in and runs their script against the site, you're going to see that thing just go up very drastically and anomalously.
Well, let's dig into the research that you all did here,
specifically with GiftGhostBot. Describe to us, how are they going at these things?
How they're going about them is, in the GiftGhostBot scenario, what we found is that this
was a very coordinated attack that targeted more than one retailer.
So that alone implies that there was research and coordinated effort behind this thing.
And so we had a particular customer call us and actually say,
hey, thanks, you guys are more or less keeping this functionality alive on our site. And when we dug into that more and more, we had realized that, hey, vendors,
those particularly not being protected by Distil, were actually having to shut down
that particular functionality on the application because it was becoming such a costly affair for
them. It was such a high value target. Now, are they effectively being DDoSed by the number of requests that they're getting,
or is it that so many gift cards are being compromised, or a little of both?
I think it's a little bit of both. So in the bot world, when you're talking about
defending an application against it, it's very much human in nature the way they respond. If they're having success and you put defense in front of them, it's very likely that they're
going to, it's like poking the bee's nest of sorts, it's going to almost stir that bot
net to spin up even more traffic.
And so that's what we saw throughout the course of the GiftGhostBot attack is that as
we started putting, you know, more and more and incremental defenses in front of this thing
across all the different properties, it actually was evolving throughout the course of the attack.
So very early on in, you know, these observations, it was very primitive, right? It wasn't doing a
lot of things to necessarily obfuscate itself. And as it started to have, you know, marginal success, we ended up having to
throttle our defenses and put more and more advanced and sophisticated signatures in front
of it. And as a result, we saw this thing evolve where it's distributing itself over more and more
IPs. It started spoofing the browsers that it said that it was.
It even went from going to desktop browsers over to mobile.
And really interestingly, what we saw is that there were actually channels within the broader attack
that was suggestive that there was more than one kind of player involved here, right?
So over the evolution of the attack, we saw simplistic efforts kind of come and go,
both early in the phases of it and then coming back on the back end of it.
And then the sophistication levels were kind of throttling
and kind of grouped into a few different core
behaviors over the course of this thing. So it was just really interesting to see how not only was it
a researched and coordinated attack from the fact that it was just targeting many retailers,
and particularly what we saw was in the clothing and fashion space, but that there might have even
been multiple players involved where,
you know, everyone's kind of bringing their own tactics to the table.
Interesting. And explain to me the significance of them switching to iPhone and Android user
agents. What's the background on that? Why does that matter?
Yeah. So it matters because the most important and fundamental concept, when you get into like organized bots, right? Like we're not talking about the person who goes and writes a bot to
pull down the weather for the day or some like recreational, uh, hobby. When you get into people
who are writing bots for professional reasons, whether malicious
or non-malicious, it's all incentivized by money, right? It becomes an actual operation that
involves investment, both in time, effort, and research. And what happens is, in the defense
against really advanced and sophisticated actors, it's not always about
stopping every single request, but it becomes more about how do you thwart their ability to
operationalize and make a business off of this. And so what we saw is that as the defenses were
put in place of them, they actually had to invest more time, more effort, and
more research into detecting these, figuring out these detection tactics on our side.
But more importantly, it forced them to have to evolve and move from desktop to mobile,
and that actually increases the cost of operations for them, just because those are more expensive devices to
get a hold of. And so what ends up happening is as they evolve, you're actually forcing the cost
of their operations to go up. And again, for very advanced and persistent actors, if you can force
that bottom line to a point where it almost makes the whole effort or operation
pointless, you almost discourage the motivation to a point where they're
gonna go away. So it's a pretty interesting phenomenon that we see
oftentimes in the bot space is that if there is enough of a financial incentive
behind these things, they're never, never going to go away.
And there's correlations to why that could happen.
If you're the only person who has that particular data set,
or you're just a high-value target that particularly happens to hold very valuable data sets,
you start to correlate the persistence and advanced natures of these attacks to that type of thing.
In this case, with GiftGhostBot, I mean, this was a direct pipeline into being able to validate very real money
that can be in turn either resold or leveraged in financial transactions as a real medium to get very real goods and services in the world.
I suppose from the retailer's point of view, obviously it would be great to
shut down these bots altogether, but selfishly if I just make it
harder for them to come at me than the store down the street, that's a good
outcome for me as well.
Yeah. So the security world is a really interesting one in that defense can be relative,
especially in the bot space, right? If you build your defenses just slightly better than,
you know, the competitor down the street, you've more or less made it extra difficult to go after you.
And so we do see this behavior where bots tend to go towards the path of least resistance that
still allows them to accomplish their goal. So you putting up even, you know, medium,
medium effort, medium level defenses, and if your competitor or competitors don't have those,
you've really secured yourself from being less of a target for those bot writers.
Can you give us some insights on a high level
when you all are protecting an organization against bots?
What's going on there?
How are you blocking the bots,
but still allowing the normal legitimate users to get through?
Yeah, so for Distil, now Imperva, the way our bot detection system is built is that
when a client makes a request to an application, we're doing a series and multi-layered
interrogation against that client to ultimately make a decision around, hey, are you human or not?
And so some of those interrogation steps get down to very simplistic things like, hey, is your user agent legitimate?
Are you coming from a valid source?
Are you coming from like a hosting center?
You know, are you just doing something that you otherwise shouldn't?
All the way into more advanced stuff like,
hey, are you running a JavaScript engine?
And even as the space has evolved and progressed,
we're doing more and more algorithmic
and probabilistic decision-making via machine learning
of whether the behaviors themselves are suspect.
And so all of this decision-making is happening in real time on every request very seamlessly.
And so when our customers are leveraging our platform and technology to effectively protect
their applications and endpoints, we're more or less running those interrogations and making very real-time
programmatic decisions that ultimately know how to siphon out the bot traffic while still
allowing someone who's just going to the site non-maliciously and there to help promote
and generate revenue for that business,
those types of users won't be impacted.
So what are your recommendations for the retailers in order to best protect themselves?
What sort of steps can they put in place?
I think first things first, it just comes down to sitting down and looking at all of the functionality of the web application
and making sure that the business units are very tightly connected at the hip with the security teams of those organizations.
Even into today, I think a lot of organizations see security as kind of second to growth of the business,
you know, revenue preservation, all of these things that are very, obviously,
friendly for the business. And security is always going to take in the backseat,
short of those early adopters and kind of pioneers of the space. And more and more,
we're starting to see that organizations are realizing the severity and true damage of these
cybersecurity attacks and things like that. So I think first things first, it's just sitting down and taking a mature posture on security
practices within your web applications and mobile applications and making sure that when
you guys roll out these new functionalities that they're being really considered and understood at that cyber security
layer where, yes, it may be a good thing for the business, exactly as the example for this
GiftGhostBot attack is the people behind that functionality are probably thinking, hey,
this is a huge win for our team.
No more do people have to call in and ask a person at the support desk
what the balance is, but it's actually, hey, I can just go to the website, very seamlessly
interact with the application to get a validation of my balance and move on. But when you do that,
when you introduce that functionality on the website, you end up now allowing someone to
directly talk to your database of gift
cards and more or less get creative and come up with scripts to guess these balances and
cash out and fraudulently steal money from your customers.
So I think it just starts with having a mature cyber posture on security and making sure that the business teams are
very in lockstep with the security team.
And I think more tactically, I would just make sure that the security teams are constantly
scanning the web applications and looking for anomalous behavior in the logs that they have available
and making sure that the tooling is giving them insight into those types of attacks.
And obviously, as the security space evolves and new problem sets arise,
just doing some education around it and talking with vendors,
it's always a really healthy thing to stay on top of this stuff.
Is there anything to be gained by doing any kind of rate limiting or things like that to keep it within the range of normal requests you would expect,
but keep these high volume requests from being able to go through?
I think that that's really where it gets interesting and where the problems that
really start to get complex is that a person looking at this who may not have boots on the
ground and their nose close to the grindstone sees it as, hey, this is a huge flood of traffic.
How come we can't just rate limit this or put barriers around how many requests a client or a user can make?
The reality is that with a WAF, like a web application firewall,
it all boils down to how the system is detecting an individual user.
And if the adversary can spoof and obfuscate their identity with relative ease, the idea of rate limiting against these types of attacks gets really hard.
And that's really where a bot detection system is coming in and able to do more granular identification to truly say, hey, I know you're doing all this stuff to obfuscate your behavior, but I still know that you are you,
and the rate limiting becomes a lot more effective.
So it is good practice to have rate limiting in place,
and particularly around these types of application functionalities.
But when you get into advanced bot attacks,
these are people who have done their research and reconnaissance efforts on your applications
to more or less know how to
beat and circumvent those types of rate limit measures. It's just a constantly evolving space.
And I think in the next five years, the bot space will continue to evolve and it's going to be
a very interesting sector to be in. And it's something that a lot of companies who have serious revenue
invested in their online presence, their web applications, they should be legitimately
concerned about and making sure that they're keeping their security practices and protocols
and tools up to par with what every day is an evolving space.
Our thanks to Jonathan Butler
from Distil Networks for joining us.
The research is titled
GiftGhostBot Attacks
E-commerce Gift Card Systems
Across Major Online Retailers.
We'll have a link in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is
Elliott Peltzman, Puru Prakash,
Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick
Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter
Kilpe, and I'm Dave Bittner. Thanks for listening.