APWG Meeting – Tacoma, October, 2009
To continue the trend of posting about upcoming events, the APWG is having their e-Crime Summit in Tacoma, WA. The Member’s-only meeting will be October 19. October 20-21 is the research portion of the meeting.
Silver Tail’s Founder and CTO, Mike Eynon, will be speaking with David Gottlieb from eBay about Business Logic Abuse: Menacing the Electronic Storefront: Business Logic Attacks Against the Online Enterprise.
I’d highly recommend attending this event if you have the chance. Not only will the content of the meeting be super interesting, but the attendees are the decision makers and go-to-people for fighting online crime. In addition, travel to Tacoma is not too outrageous for most people.
If you are planning to attend, let me know, as it would be great to set up in-person meetings with those of you who will be there.
Jeremiah Grossman’s View on Security Religions
As mentioned in a previous post, Jeremiah Grossman (pictured) and Trey Ford gave a presentation at BlackHat about business logic abuse. I understand the talk was very popular.
Jeremiah has a post on his blog that goes into a little more depth on how websites look at security in two different ways: in depth or in breadth.
Each organization must decide for themselves the level of risk they are willing to accept. Security managers are asked to provide budgetary guidance by articulating that spending “$X on Y will reduce the risk of loss of $A by B%.” These decisions have given rise to two prevailing, but opposing security religions — Depth and Breadth. Graciously referred to as religions, for how their value is typically justified resembles more of a belief system rather than being rooted in science or metrics.
This is a very interesting post with lots of commentary on the different types of bad guys and the different ways to look at defense. As an added advantage, there is a link at the bottom to an upcoming encore of the BlackHat presentation!
Gaming Incentive Programs on P2P Lending
Lending Club is offering a $50 incentive to refer new lenders to its program. The catch: the $50 can only be used by the new lender to loan out through the program – essentially creating a “free” loan.
At first glance this might seem to get around the usual risk of bad guys signing up a bunch of accounts so that they can earn money since the referring account doesn’t benefit. But, I think this can (and will) still be gamed. If I were a bad actor, I would register as a lender and then refer all of my “friends” (stolen identities of which I have control) and then use the $50 in each account to lend money to other accounts I signed up with stolen identities. This is a form of business logic abuse: using the pages of a website in the way they were intended to perpetrate bad behavior.
I’ll admit, I haven’t looked at the terms of this and there may be terms in place that would make it difficult to game. Since these types of programs are often launched by marketers, they don’t think about how bad actors could make money by gaming the system.
It sounds like Lending Club also has a traditional incentive program - $25 to refer an approved buyer – I wonder if they’ve seen any bad behavior on this campaign yet.
Man in the Browser via Dynamic CSRF?
Brian Krebs’s article today is entitled “Weaponizing Web 2.0”. The article talks about one of the presentations given at Black Hat this year, where the researchers show that there are ways to beat the typical defenses against cross-site request forgery (CSRF) using off-domain images that grab referring URLs.
While it is fascinating that people are already figuring out how to beat the defenses against CSRF, I was struck by the explanation of simple CSRF. Here’s how Brian explains it:
A relatively benign CSRF attack takes place on a Web forum, wherein Alice browses a posting left by Bob. Unbeknownst to Alice, Bob has included in his message a booby-trapped image that takes advantage of the fact that she is logged in to that forum in an active session. Inside that image is a link tag that includes the URL needed to post messages on that forum. Once that image loads on Alice’s machine, the embedded link posts a message in her name to the forum, via her browser, without her permission.
In this case, the forum’s webserver sees the transaction as coming from Alice. But page flow analysis would show that Alice was interacting on two distinct page flows: reading Bob’s post and, without ever visiting the compose page, posting a message. This is analogous to a Man in the Browser attack where the bad actor does not have malware on Alice’s machine, but instead uses the malicious link to perpetrate the bad activity.
Page flow analysis of the web server traffic would still identify this as malicious. You might even be able to figure out that it wasn’t malware and was, instead, CSRF, if you notice that the bad behavior tends to always come when the victim gets to a particular page.
If any of you have seen CSRF used in this way, it would be great to talk to you about analyzing your data to see what our page flow analysis flags.
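To make the page flow idea concrete, here is a small added example (my own illustration, not Silver Tail’s product code or anything from Brian’s article). It assumes a constructed, simplified access log with a session id per line, and flags a message post that was not preceded in the same session by the compose page; it then reports which page the victims were on just before the out-of-flow post, since one dominating page points at a booby-trapped post (CSRF) rather than malware.

```python
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): time, session id, method, path.
# Alice and Dave post "out of nowhere" right after viewing thread 42;
# Carol and Erin follow the legitimate compose -> post flow.
SAMPLE_LOG = """\
10:00:01 sess-alice GET /forum/thread/42
10:00:02 sess-alice POST /forum/post
10:05:00 sess-carol GET /forum/compose
10:05:09 sess-carol POST /forum/post
10:07:10 sess-dave GET /forum/thread/42
10:07:11 sess-dave POST /forum/post
10:09:00 sess-erin GET /forum/thread/7
10:09:20 sess-erin GET /forum/compose
10:09:45 sess-erin POST /forum/post
"""

# Expected page flow (assumed for this toy forum): a message post must be
# preceded, within the same session, by a visit to the compose page.
EXPECTED_PREDECESSOR = {"POST /forum/post": "GET /forum/compose"}


def parse_log(text):
    """Group requests by session, preserving the order they arrived in."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, sid, method, path = line.split()
        sessions[sid].append((ts, f"{method} {path}"))
    return sessions


def find_flow_violations(text):
    """Return (session, time, request, previous_request) for every request
    whose expected predecessor page was not the one seen just before it."""
    violations = []
    for sid, reqs in parse_log(text).items():
        for i, (ts, req) in enumerate(reqs):
            expected = EXPECTED_PREDECESSOR.get(req)
            if expected is None:
                continue
            prev = reqs[i - 1][1] if i > 0 else None
            if prev != expected:
                violations.append((sid, ts, req, prev))
    return violations


def suspected_trigger_page(violations):
    """Most common page seen right before an out-of-flow request, with its count.
    If one page dominates, the victims share a trigger page: the CSRF signature."""
    counts = Counter(v[3] for v in violations)
    return counts.most_common(1)[0] if counts else None
```

Running `find_flow_violations(SAMPLE_LOG)` flags only Alice’s and Dave’s posts, and `suspected_trigger_page` points at thread 42 as the page both were viewing when the post fired.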
Business Logic Abuse at BlackHat 2009
Good news! This year’s BlackHat USA will feature Jeremiah Grossman and Trey Ford presenting the sequel to last year’s smash hit “Get Rich or Die Trying”. The new presentation, entitled “Making Money on the Web, the Black Hat Way” will include even more ways bad guys are abusing the legitimate page flows of websites to reap huge profits.
Some of the exploits included in the presentation have been discussed by yours truly – for example the iPod warranty exploit and scamming Amazon and iTunes.
For those of you who are interested in learning more about business logic abuse, I encourage you to attend Jeremiah’s and Trey’s presentation. Silver Tail’s own Mike Eynon will be in attendance at BlackHat so if you are interested in other exciting exploits we are seeing, be sure to track him down.
Scamming iTunes and Amazon for $300k through Business Logic Abuse
This article talks about how arrests were made of bad guys who stole $300k from iTunes and Amazon through business logic abuse. The simplicity of this scam is impressive.
…the group created several songs, had the songs uploaded to iTunes and Amazon, then used thousands of stolen credit cards to repeatedly purchase the songs from these services.
One might think it is difficult to steal money from a place that only sells digital goods that can only be used by the purchaser, but here’s an example of a relatively straightforward case of using exactly the functionality of the sites – selling and buying digital goods – to launder money out of stolen credit cards.
Fascinating!
Silver Tail “Best of Show” Video Available
The video demonstration from our Best of Show win at FinovateStartup09 is now available through the silvertailsystems.com website and the FinovateStartup09 video website. Leading anti-fraud expert and company co-founder Laura Mather presented the Silver Tail Forensics product on stage at the conference. She highlighted a Man-in-the-Browser example, showcasing Silver Tail’s unique capability as the only commercial technology for online sites to detect this emerging threat and protect against business logic abuse.
Silver Tail was awarded Best of Show, voted on by the 300+ attendees at the conference, made up mostly of financial services firms. The selection was made based on the audience interest in the solution, the compelling need in the financial services market and the presentation given at the conference. Silver Tail was selected as the winner over 57 companies participating in the conference.
The 7 minute video is available here: http://www.finovate.com/startup09vid/silvertailsystems.html
Silver Tail Selected #2 on Top Tech Companies to Watch – Bank Technology News!
Silver Tail was selected as #2 in the “Top 10 Companies to Watch” by American Banker / Bank Technology News!! The Editor-in-Chief and author, Rebecca Sausner, did a fantastic job of describing what Silver Tail does in an easy to understand and accurate article. Rebecca further mentioned, “Silver Tail plans to federate its findings about attacks, allowing each of its customers to benefit from the experience of others.” From the feedback we get from customers, it sounds like the industry should band together to combat the criminals in the same way the criminals band together to combat the industry.
It’s fantastic to see more awareness generated for the detection and disruption of online fraud, especially around business logic abuse. Also, we appreciate the support from Bill Bradway at Bradway Research. We agree that the pain our founders, Laura Mather and Mike Eynon, experienced at eBay and PayPal fighting online fraud gives them some street cred! No better way to build the right solution than to have that direct experience.
The Top 10 article is here. What great companies to be associated with in the Top 10 (Fidelity, Mastercard, Oracle…)!
The Silver Tail article is here.
BTW: This follows our recent Best of Show win at FinovateStartup09 in San Francisco, voted on by financial services firms. The financial services firms appear to be taking notice!
Business logic flaws on the rise, according to new report by WhiteHat
WhiteHat Systems released its seventh installment of the WhiteHat Website Security Statistics Report today, with a webinar tomorrow by Jeremiah Grossman going through the top ten most prevalent website security issues.
According to WhiteHat, the top ten vulnerabilities remain largely unchanged, with Cross-Site Scripting continuing to top the list. However, “business logic flaws, an often-overlooked issue that enables hackers to take advantage of the functionality of a site, occupied more than half of the top spots.”
This should be great awareness for business logic flaws and the impact they can have on websites. At Silver Tail, we are always looking to raise the mind share on business logic abuse and business logic flaws because these rising threats are causing companies a tremendous amount of pain today. Bad guys now target the legitimate business logic of websites to perpetrate their fraud, and it’s extremely difficult to detect and disrupt.
The webinar should be very interesting – check it out: Tuesday, May 19, 2009 at 11:00 a.m. PT / 2:00 p.m. ET.
Precision hacking – a new term for business logic abuse?
We’ve been having a lot of discussions lately about one term that describes when people use the legitimate function of websites to perpetrate bad behavior. Sometimes the bad behavior can be fraud and sometimes it is just a nuisance.
An example of the nuisance type of bad behavior is the Time “Most Influential People” poll being hacked. Paul Lamere called this exploit “precision hacking”. But I’m worried that using the word “hack” is too technical for the business folks to take seriously. It also puts these types of flaws squarely in the security space when often these are more risk management issues.
Jeremiah Grossman has called this business logic abuse - the abuse of the legitimate business logic of a website. I like the term since it makes sense logically, but I worry that you have to think about it for a while before you understand what it is implying. This can also be called business logic flaws.
What would be really great is to come up with a term like “Phishing” – something that has no real meaning, but that everyone will come to associate with these types of attacks.
Here are some suggestions for possible terms to represent when someone uses the legitimate pages of a website to perpetrate bad behavior. Let me know if you have opinions or if you have other suggestions.
- business logic abuse
- business logic flaws
- business logic exploits
- precision hacking
- swizzling
- e-cheating
- cheeting
- others?