Tales from the Front Lines: A Long Weekend Ruined for Whom?

November 5, 2019 | by CQ Prime Threat Research Team

protecting from automated attack

Automated bot attacks differ from other types of cyber-attacks in several ways. First, these attacks are difficult to defend against because they appear to be legitimate uses of the public-facing application business logic (e.g., login, account sign-up, browse, shop, check out), and blocking seemingly real traffic without due cause can result in lost business or customer dissatisfaction.

Another key, yet subtle, difference is the bad actor’s persistence. Whereas a bad actor who looks for, but does not find, a specific application vulnerability may move on to a new target, those executing automated attacks are persistent, continually changing tools and tactics to achieve their end goal of committing loyalty points fraud. These characteristics are exemplified in a summary of attack activity targeting a large retail customer over the long Labor Day weekend and into the early part of September.

The weekend began with a massive, sustained, multi-application attack campaign of more than 23 million requests. For perspective, these attacks were 3X the total amount of traffic – both good and bad – observed in an entire normal week. The attacks observed and repelled can be broken down into five distinct campaigns summarized below:

  • Campaign #1: This first attack of the weekend was relatively small, sending roughly 1.5M requests distributed across 3,800 unique IP addresses owned by a known Bulletproof Proxy service documented by the CQ Prime Research team. The attack lasted more than 5 hours, targeted a legacy, deprecated mobile login API endpoint, and all of its requests were successfully blocked. This campaign is a good example of garden-variety ATO behavior that exhibits obvious characteristics that make it easy to block. However, in the context of the rest of the holiday weekend, this campaign functioned almost as a diversion, drawing attention away from other endpoints open (and targeted) for abuse.
  • Campaigns #2 and #3: These two distinct attack campaigns targeted the current, active Mobile Login API endpoint. Campaign #2 lasted only two hours and was seen attempting to emulate the Android version of the mobile application. This attack campaign was more of a recon attempt, peaking at about 40k requests per 5-minute period, and was more widely distributed than most ATO campaigns. Each transaction request used at least one unique IP address sourced from organizations in Taiwan, China and Vietnam, specifically HiNet, TE Data, and Vietnam Posts & Telecommunications (VNPT). In many cases, for some US-based companies, appropriate geo-fencing can help provide zero-day mitigation of such recon attempts. Campaign #3 was a multi-phased effort that also attempted to spoof the Android application. The first phase was a series of reconnaissance probes, followed three days later by the attack itself. Peaking at roughly 73k requests per minute, the attack lasted a mere two hours and was unique in that the traffic originated primarily from cloud provider organizations such as Digital Ocean and resources within AWS. This retooling was likely a response to the lack of success with foreign residential proxy IPs: the attackers attempted to evade geo-fencing by using cloud providers in the United States. One of the common threads between campaigns #2 and #3 is the focus on the mobile login endpoint while spoofing the Android application. We find that Android emulators are among the most frequently used attack tools against retailers, as reverse-engineering the Android application is less difficult than for other platforms.
  • Campaign #4: This effort featured the reappearance of an attack tool that had not been seen at scale in many weeks – SNIPR. The attack targeted a deprecated version of the mobile login API that has been unsupported for more than three years. This campaign was widely distributed across organizations in the US, Russia, Indonesia and India. What was notable about this campaign was the persistence of the tool in sending bursts of attack traffic throughout the weekend. This is likely due to the ease of use of SNIPR and how easy it is for many disparate attackers to get their hands on a copy and launch an attack campaign during a weekend they know will be popular for shopping.
  • Campaign #5: This effort was the largest campaign of the weekend, hammering the current, active web login service with more than 20 million requests distributed across roughly 33,400 IPs, with approximately 55k requests per IP. The vast majority of the requests came from the Performance Systems International (PSI) organization, known to be part of a US-based Bulletproof Proxy service comprised of hijacked IP space from defunct companies (PSI was a large ISP during the first dot-com boom that was later acquired by Cogent).

Analysis of timing and traffic sources indicates that campaign #5 was a diversionary tactic to draw attention away from another part of the attack campaign – low & slow attack requests against the deprecated legacy Web Login flow. This campaign was persistent, lasting more than 24 hours despite complete blocking on both application endpoints. Furthermore, this attack campaign attempted to fool many common browser fingerprinting techniques by reverse engineering them and rotating through unique combinations of fingerprint attributes. That explosion in unique fingerprints, distributed across a day-long campaign, can be difficult to detect without proper behavioral analysis that connects the dots, linking the campaigns and focusing on blocking the account takeover behavior rather than attack tool signatures.

Observations

Based on the CQ Prime Four Pillars of Detection framework, the attack activity exhibits some of the following characteristics:

Tools observed: Off-the-shelf tools like SNIPR, Android emulators targeting the customer’s mobile app and custom attack toolkits designed to rotate and fool browser fingerprinting techniques.

Infrastructure used: Attackers used more than 38,000 high-fidelity residential proxies (IP addresses) distributed globally to make the activity appear legitimate while masking their identity and location.

Behaviors observed: The volume and variations observed in these campaigns highlight how persistent the bad actors are in achieving their end goal. Additional behaviors observed include:

  • Several of the attack campaigns appeared to be diversionary in nature, drawing resources away from the ultimate target.
  • Significant background work was done to find and target legacy, deprecated login endpoints in an attempt to avoid detection.
  • Using a browser rotation toolkit, the campaigns spoofed thousands of browser fingerprints to avoid detection.
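
The behavioral analysis described in the traffic analysis above and in the behaviors list can be made concrete with a small aggregation. The following is an added example, not Cequence's or CQ Prime's code: it summarizes constructed login records per endpoint (volume, distinct IPs, requests per IP, distinct fingerprints, failure rate) and flags the low-and-slow, fingerprint-rotating pattern regardless of request volume. Endpoint paths, IP addresses, fingerprint labels and the thresholds are assumptions.

```python
"""Per-endpoint behavioral summary of login traffic (added illustration,
not Cequence/CQ Prime code). Low-volume traffic whose fingerprint never
repeats and that almost always fails to authenticate is the 'low & slow'
pattern that hides behind a volumetric diversion."""
from collections import defaultdict

# Constructed sample records: (endpoint, source_ip, fingerprint, http_status).
LOG = [
    # Normal users on the active web login: fingerprints repeat, mostly success.
    ("/login", "198.51.100.7", "fp-chrome77-win10", 200),
    ("/login", "198.51.100.7", "fp-chrome77-win10", 200),
    ("/login", "198.51.100.8", "fp-safari13-mac", 401),
    ("/login", "198.51.100.8", "fp-safari13-mac", 200),
] + [
    # Low & slow probing of a deprecated endpoint: each request comes from a
    # fresh proxy IP with a freshly rotated fingerprint, and every attempt fails.
    ("/legacy/login", f"203.0.113.{i}", f"fp-rotated-{i}", 401) for i in range(1, 6)
]

def summarize(records):
    """Aggregate raw records into the per-endpoint metrics the post relies on."""
    acc = defaultdict(lambda: {"requests": 0, "ips": set(), "fps": set(), "failures": 0})
    for endpoint, ip, fingerprint, status in records:
        s = acc[endpoint]
        s["requests"] += 1
        s["ips"].add(ip)
        s["fps"].add(fingerprint)
        if status == 401:
            s["failures"] += 1
    return {
        ep: {
            "requests": s["requests"],
            "unique_ips": len(s["ips"]),
            "requests_per_ip": s["requests"] / len(s["ips"]),
            "unique_fingerprints": len(s["fps"]),
            "fingerprints_per_request": len(s["fps"]) / s["requests"],
            "failure_rate": s["failures"] / s["requests"],
        }
        for ep, s in acc.items()
    }

def flag_low_and_slow(summary, min_fp_ratio=0.8, min_failure_rate=0.9):
    """Endpoints where nearly every request carries a new fingerprint and
    nearly every attempt fails: credential stuffing, regardless of volume."""
    return sorted(ep for ep, s in summary.items()
                  if s["fingerprints_per_request"] >= min_fp_ratio
                  and s["failure_rate"] >= min_failure_rate)
```

In practice the same aggregation is run per time window so that a diversionary spike on one endpoint and a trickle on a deprecated one can be correlated rather than reviewed in isolation.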

Credentials: The credentials used in these attacks were likely sourced from the billions of compromised records readily available on the dark web. As valid credentials were discovered within the campaigns, they were sent to the fraud department for additional analysis and follow-up actions.

The customer’s security team successfully blocked a massive attack over a long weekend, ruining the efforts that the bad actors had put forth. The effort put forth by the security team was significant and took away from any Labor Day activities. However, this inconvenience was offset by the tremendous satisfaction derived in the successful defense of the customer’s loyalty points program.

Learn more: Watch a 5-minute video of API Spartan.
