When we talk about abusing business logic, we usually mean bot attacks impersonating approved users and devices so the business inadvertently executes fraudulent transactions. The bots take advantage of website processes and account assumptions to use rules for promotions, purchases, gift cards and the like to their benefit. Traditional web security technologies are helpless against these attacks.

IP addresses in the dark web come and go too frequently for IP reputation functionality to be very effective; use of mobile devices precludes endpoint security software; sophisticated bot tools are easily purchased and easy to use, allowing attacks to target business after business.

Web behavior analytics (WBA) is the key ingredient in a fraud prevention strategy where everything – user accounts, devices, network, and transaction details – is likely to be hijacked by professional fraudsters. The ability to expose when approved users and devices are acting as if they've been hijacked is the driving motivation behind machine learning.
There are no limits to fraudster creativity when it comes to making relatively risk-free money from websites. It is simply too easy to abuse business logic by impersonating users and devices. Enterprises are embracing WBA to catch the new bot-driven attacks. If you have recently been on a website that asks you to re-authenticate because it believes you are using a device you've never used before or are on a new network, then you are probably experiencing WBA in action.

We are seeing a trend of WBA vendors integrating intelligent machine-learning techniques across at least four main layers:

  • User authentication, for cases where a username and password can be stolen and multifactor authenticators are simply not pragmatic. Fraud prevention vendors are including mobile device-friendly biometrics such as keystroke analysis and even how a person holds his or her device to help identify users.
  • Device authentication layers analysis of the browser, operating system and hardware platform as well as geo-location to help identify poorly disguised bots. That is, you may have issues if your North American-based user looks like he or she is connecting with a Microsoft browser running on a Linux server hosted in Eastern Europe.
  • Endpoint inspection reveals man-in-the-browser threats, other forms of malware and non-compliant configurations. While some transactions can be completed even in the presence of malware, the risk threshold is something that is better determined by the business. The ability to continuously authenticate the transaction session is an important WBA feature.
  • Validation of the transaction details involves correlating field-level information to ensure compliance with business logic. WBA products working at this layer usually include customer-defined rules with machine learning to align with unique business requirements.
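
To make the layered scoring concrete, here is a small added example (not from this report or from any vendor it profiles) that combines the device-authentication and transaction-validation layers into one risk decision, using the report's own mismatch case of a North American user whose browser claims Windows while the platform fingerprint says Linux on a hosted network. The signal weights, thresholds, rule values and the `Session` fields are assumed placeholders, not any product's actual model.

```python
from dataclasses import dataclass

@dataclass
class Session:
    user_id: str
    home_region: str      # region the account has historically connected from
    conn_region: str      # region geolocated from the connecting IP address
    ua_os: str            # operating system the User-Agent header claims
    platform_os: str      # operating system inferred from the device fingerprint
    hosted_network: bool  # IP belongs to a hosting provider rather than a consumer ISP
    known_device: bool    # device fingerprint previously seen for this account
    promo_codes: int      # promotion codes applied to this order
    gift_card_value: float
    fraud_history: int    # prior fraud reports for this identity (rating-service input)

# Hypothetical customer-defined business rules for the transaction-validation layer
RULES = {"max_promos": 1, "gift_card_limit": 500.0}

def device_signals(s: Session) -> list:
    """Device-authentication layer: each (reason, weight) is an observed inconsistency."""
    out = []
    if s.ua_os != s.platform_os:
        out.append(("ua_platform_mismatch", 40))  # e.g. 'Windows' browser on a Linux server
    if s.hosted_network:
        out.append(("hosting_provider_ip", 25))
    if s.conn_region != s.home_region:
        out.append(("new_network_region", 20))
    if not s.known_device:
        out.append(("unknown_device", 20))
    return out

def transaction_signals(s: Session, rules: dict) -> list:
    """Transaction-validation layer: field-level checks against business logic."""
    out = []
    # Identities with a fraud history get a reduced gift-card limit (rating-service idea)
    limit = rules["gift_card_limit"] / (1 + s.fraud_history)
    if s.promo_codes > rules["max_promos"]:
        out.append(("promo_abuse", 30))
    if s.gift_card_value > limit:
        out.append(("gift_card_over_limit", 30))
    return out

def decide(s: Session, rules: dict = RULES) -> tuple:
    """Combine the layers into one score: allow, step_up (re-authenticate) or block."""
    reasons = device_signals(s) + transaction_signals(s, rules)
    score = sum(w for _, w in reasons) + 10 * s.fraud_history
    action = "allow" if score < 20 else "step_up" if score < 60 else "block"
    return action, score, [r for r, _ in reasons]
```

A session with only a new network region lands in the step-up band, which is the re-authentication prompt the text describes; the mismatched browser/platform on a hosted IP is blocked outright.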
Most of the WBA vendors now deliver their products as a service, where multiple layers can execute without inconveniencing users or disrupting business flows. Operating website security as a service allows vendors to react quickly to innovations in bot development and fraudster activity without having to distribute updates to customers.

We also see an increase in rating services for applying intelligence derived from the history of users and devices when it comes to fraud reports. One thing that online businesses lack is knowledge of fraud unleashed against other businesses. Services that compute risk scores of digital identities and devices help businesses make decisions before committing to transactions. Thus, a user who has a long history of online fraud may get lower transaction limits or a user with a pristine history may be given special 'preferred customer' promotions.

Let's use Scalper and Adware bots as a primer

Bots are the enemy of anti-fraud departments. In our research we have talked with many security executives that know what bots can do, but don't necessarily appreciate how good the tools are, how easy they are to use and how easy they are to acquire.

Security teams can quickly visualize the power of the bot economy and the skill involved in using business logic to harm the business, via legal scalper bots. Scalper bots take advantage of people's willingness to pay more than retail prices for products where demand exceeds supply. Scalper bots allow fraudsters to be first in line to buy goods that can be resold in online auction sites at a high markup. Simple arbitrage inserts the fraudster between the business and its customers.

  • TicketBots.net offers a product line of more than 100 bots designed to purchase tickets as soon as they become publicly available. As of this writing, the site offers a TicketMaster.com bot for $990 that allows customers to use automation to purchase tickets before major games and events are sold out. Fraudsters then often resell those tickets at a profit. Bots such as this are a major reason why casual consumers are locked out of buying tickets at list prices. This practice motivated the federal government to pass S.3183, the Better Online Ticket Sales, or BOTS, Act of 2016 and the state of New York to make the use of ticket bots a class A misdemeanor starting in February 2017.
  • AIObot.com markets a sneaker bot for $325 that promises to purchase the latest craze in sneakers from major online retailers as soon as they become available to the public. The sneakers can then be offered for online resale at a profit that will eventually pay for the cost of the bot.
  • Methbot is a classic advertising fraud engine designed to generate false compensation claims from web advertisers that define performance as the number of clicks received for an ad. Methbot has an impressive infrastructure to confuse anti-fraud rules, but at the end of the day, its purpose is to have bots simulate clicks on ads and to be rewarded by ad sources for the impressions generated.
Scalper bots provide clear examples of abusing standard business practices. Organizations need to preload pages in anticipation of product launch and quality assurance needs to run through automated test suites (also known as QAbots) to ensure that consumers can find and purchase the soon-to-be-released products. The scalper bot services find the early links and searches to these products, allow bot customers to preload shopping carts complete with checkout payment details, monitor the indicated websites for when the desired products become available, and then rapidly jam through purchase orders. The fact that businesses have to be sure e-commerce sites function for new products allows scalper bots to follow the same processes to capitalize on public demand.

The sophistication shown by scalper bots – easy to order, intuitive user interfaces, social media promotion and online technical support – is mimicked in the dark web for bot networks that are clearly illegal.

Taking dark web bots to the next level

Professional fraudsters take bots to the next level in their efforts to drain money from businesses. The goal is to obfuscate what is happening as the bots impersonate approved customers. To this end, fraudsters continuously innovate and reinvent old successful ploys to stay ahead of rules-based prevention products.

Browser-based attacks let the user, browser and connecting device pass authentication checks, then use their control over what is presented to the user to transparently redirect traffic to the fraud service while injecting fraudulent transactions or collecting sensitive information. We include bots such as TrickBot or FlokiBot in this category.

Enterprises should be careful about trusting application scripts using APIs. These can be very dangerous in the wrong hands because changes in the behavior of scripted interfaces can be very subtle. The recent Electronic Arts fraud involving FIFA soccer and the accumulation of game currency reportedly featured an EA software development kit (SDK) meant for game consoles that was ported to cloud-based application servers. While all of the expected protocols and authentication checks were accepted, the fake game reports were generated from high-performance servers and not game consoles.

Selected company profiles

Fraud prevention products address the problem of bots across each of the four fraud prevention layers. Almost all have significant service elements to consolidate analytic operations and quickly deploy new anti-fraud measures to their customers. We find the following vendors to be leaders in protecting against fraudulent activity:

  • DataVisor applies its behavior analytics service to detect coordinated attacks in action and to identify accounts participating in the unauthorized synchronized activity. DataVisor analyzes uploaded log information from large cloud applications to help determine when good customer accounts have been taken over.
  • Distil Networks offers a managed service to ensure fraud prevention mechanisms keep up to date with dark web innovations as well as significant business logic changes in customer websites. Distil's technology scales up for large organizations needing protection against account takeover, credential stuffing, data scraping and application denial-of-service threats.
  • F5 offers WebSafe to combat fraudsters and MobileSafe for those organizations requiring access via a proprietary mobile app. WebSafe is easily added to websites in order to transparently inspect browser configurations for signs of malware. F5 WebSafe enhances the security of applications delivered with F5 Big-IP networking.
  • IBM Trusteer builds upon its roots as an anti-malware player to help provide institutions with an end-to-end fraud prevention product family. Trusteer Rapport and Mobile SDK are endpoint software products to protect the integrity of the transaction session at the user end, while Pinpoint Detect leverages behavioral methods to catch illicit account activity. IBM Trusteer's base is strongest in the financial vertical.
  • iovation owes its heritage to fingerprinting devices based on a large number of sampled characteristics, with the idea of tracking devices with a history of participating in fraudulent transactions. Organizations subscribing to services such as iovationScore gain insight into the trustworthiness of an online consumer without violating privacy regulations.
  • Kaspersky Lab's fraud prevention starts at the endpoint and carries on with elements throughout the transaction path. Kaspersky, one of the leading endpoint security anti-malware vendors, has an extensive customer base clamoring for help in preventing fraudulent transactions. The vendor has recently enhanced its fraud prevention offerings with behavioral detection of anomalies in transaction details.
  • NuData Security has recently enhanced its WBA fraud prevention capabilities with a behavioral authentication product for mobile devices. As passwords become less reliable for identifying a user, NuData's behavioral approaches to continuous authentication and transaction validation are lowering fraud rates associated with automated bot networks.
  • PerimeterX Bot Defender takes a multi-faceted approach in protecting against next-generation bots and man-in-the-browser threats that may redirect authenticated traffic. PerimeterX is specifically designed to scale to the high-performance requirements of CDNs, bolstered by its API set allowing customers a high level of agility in responding to fraud activity.
  • RSA Security, now merged into Dell Technologies, finds fraud prevention market traction with its Web Threat Detection product. RSA Security WTD straddles the clickstream, evaluating each user action against a set of anti-fraud rules. A strength of the product is its rules engine, which allows a high level of customization with flexibility for customers to quickly put an end to new fraud attempts.
  • Shape Security deploys its Shape Shifter fraud prevention techniques as a service to protect websites against attacks from bots and reverse-engineered mobile apps. Shape Security has accumulated the most investment capital of the WBA vendors, accumulating roughly $105m, including a $40m round in the second half of 2016.
  • ThreatMetrix analyzes billions of transactions and more than 200 user/device attributes in maintaining its Digital Identity Network service. The ThreatMetrix Dynamic Decision Platform allows subscribers to customize detection rules to fit their environment. Its architecture occludes user names, allowing the vendor to deliver risk information before committing to transactions while abiding by privacy guidelines.
Eric Ogren
Senior Analyst, Security

Eric Ogren is a Senior Analyst with the Information Security team. Eric has extensive experience in software development, technology marketing, and as a security industry analyst. Prior to joining 451 Research, Eric held marketing leadership positions with security vendors such as RSA Security and OKENA, and technology vendors such as Digital Equipment, where his experience contributed to pragmatic perspectives for security clients on emerging market trends, company and product strategies, differentiated vendor messaging and positioning, and meeting enterprise solution purchase criteria.

Carl Brooks
Analyst, Service Providers

Carl Brooks is an Analyst for 451 Research's Service Providers Channel, covering cloud computing and the next generation of IT infrastructure. Previously, he spent several years researching and reporting on the emerging cloud market for TechTarget. Carl has also spent more than 10 years supporting small and medium-sized businesses as an IT consultant, network and systems integrator, and IT outsourcer.

Keith Dawson
Principal Analyst

Keith Dawson is a principal analyst in 451 Research's Customer Experience & Commerce practice, primarily covering marketing technology. Keith has been covering the intersection of communications and enterprise software for 25 years, mainly looking at how to influence and optimize the customer experience.
