Our standard customer engagement process is to deploy Bot Defense into a customer environment to prove our value. We are often deployed alongside an existing general-purpose bot mitigation solution, with the customer not expecting us to find an attack of any significance. Once deployed, our CQ Prime threat research team works with the customer to tease out the details behind the attacks the customer believes they have (but cannot prove) and then show them how we can stop that activity, eliminating the disturbance to their business.
We first applied our ML models to common attack targets such as login or checkout for this retail customer. Upon adding the Gift Card Balance Check flow, our team noticed an abnormally high volume of traffic, leading the team to believe there was an active gift card fraud campaign.
Further inspection showed that the volume of traffic hitting the Balance Check was higher than their checkout endpoint. Our ML-based behavioral models indicated that the traffic hitting the flow didn’t “clash” with normal traffic. In other words, the Balance Check traffic was not normal traffic. The next step was to look more deeply into the usual threads that make traffic interesting. Where is it coming from? Does the request have any standard hints of normal traffic? Is the behavior sequential, erratic, anything standing out?
Our CQ Prime threat research team found that the traffic was coming from all over the planet, but the customer has only a small geographic region so we blocked traffic originating from outside that region. In a classic example of rapid attack re-tooling, the threat actor quickly reconfigured their BulletProof Proxy Network requests to come from within the geography of the client. The attack retooling effort allowed us to more easily identify the proxy infrastructure being used, thereby further validating that the threat actors were after only high-value targets.
Additional missing traffic elements confirmed that these were not normal Gift Card transactions: No referrer, very old user agents (browsers) and the traffic was “bursty,” meaning that the threat actor was creating a list of gift cards and then checking them all in a short amount of time. Traffic spikes are a basic attack pattern our ML-models have been trained to quickly uncover.
The initial attack characteristics pointed to this being an enumeration attack where automation is used to cycle through numeric identifiers like gift cards, shipping tracking numbers and video conference IDs, as shown in the PryingEye vulnerability. To gain additional details behind the end goal of the attack, the team drilled into the card value on the return traffic to discover that the majority of the balance checks were targeted at gift cards that had a value greater than zero. Over the course of a 30-day period, the CQ Prime threat research team determined that roughly $200,000+ in value had been requested by the threat actor, presumably with the intent of defrauding the company and its customers. Based on these results, the attack was quickly blocked using the behavioral policy that had discovered the malicious activity.
As shown in this example, gift card fraud can have significant direct and indirect financial impacts. The financial loss of each card is the obvious, direct impact. The indirect impacts are the fees the bank charges for each card balance check, the human resources spent by the fraud team performing investigations and the potential loss of a dissatisfied customer. In some cases, the sum of the impacts has been significant enough for the retailer to temporarily halt their gift card programs. Fortunately for this customer, the program continued successfully.
Over the next few weeks, the value of our patented Behavioral Fingerprint created by CQAI came into play as the threat actor continually retooled, but the high-efficacy rule that had been deployed continued to block the attack. Retooling efforts continued to play out of the next few days, and each time the mitigation policies blocked the activity. For now, the Gift Card fraud has been reigned in, but threat actors are persistent and the expectation is that they will return. When they do, the customer will be ready.