Bots – How To Counter Account Take Over – (Second in a series)
Last week’s blog briefly touched upon malicious bots and their ever-evolving nature. Here we will focus on one of the primary activities bots engage in – Credential Stuffing and the ensuing Account Takeover. “50% of the web attacks are using stolen credentials” – Verizon 2015 DBIR Report. Credential stuffing is the process of using bots to perform automated, large-scale replay of stolen username/password pairs against the login pages of web applications. Unlike a classic brute-force attack, which hammers one account with many password guesses, credential stuffing typically tries each leaked pair only once against many accounts and relies on password reuse across sites; because each account sees only one or two attempts, per-account lockout rules rarely trigger. Malicious bots, at the core of this emerging threat, are what make the attack cheap and viable at scale. Account Takeover (ATO), simply put, is when cyber criminals use stolen credentials (usually validated first by credential stuffing) to log in as genuine users and perform unauthorized transactions without the victim’s knowledge.
Financial, E-commerce and Healthcare verticals are the high-value targets for ATO attacks, given the sensitive data they handle coupled with a 24×7 online presence. SaaS applications are also very susceptible to automated attacks for the same reasons. Anthem, Sony, eBay, Adobe, and Ashley Madison have all dealt with data breaches in the recent past; certainly the trend points to more data breaches in the making. Here we will focus on a B2B SaaS application hosted by a large healthcare provider where the customers’ PHI/PII data is at risk from account takeover fraud. Needless to say, suffering a data breach would have a devastating impact on the business.
Digging deeper into their use case, you can see that protection against credential stuffing attacks, especially on their login/registration pages, is of utmost importance. They already see a high number of failed login attempts (>20% of the total), so the solution has to distinguish legitimate users from malicious users/bots with very high accuracy and a near-zero false-positive rate, because blocking or challenging genuine customers is itself a business impact. The healthcare provider had already ruled out endpoint protection mechanisms, since that approach has several flaws, as evidenced by the variants of Man-in-the-Middle attacks – MITM, Man-in-the-Browser (MITB), and Man-in-the-Cloud (MITC). Obfuscation-based solutions could only inspect headers and cookies and interfered with the existing upstream and downstream application optimization and security solutions.
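To make the detection problem concrete, here is an added example (not code from the original post or from Imperva) showing why a plain failure count is not enough. It runs a simple credential-stuffing heuristic over a constructed login log: a source is flagged only when it has enough attempts, a high failure ratio, and spreads those attempts over many distinct accounts (the signature of stuffing, as opposed to a genuine user retyping one password). The log lines, IP addresses, usernames and thresholds are all invented for illustration.

```python
"""Credential-stuffing detection over a constructed login log (example only)."""
from collections import defaultdict

# Constructed sample, not real traffic. Format: timestamp src_ip username result
SAMPLE_LOG = """\
2023-01-01T10:00:01Z 203.0.113.7 alice FAIL
2023-01-01T10:00:02Z 203.0.113.7 bob FAIL
2023-01-01T10:00:02Z 203.0.113.7 carol OK
2023-01-01T10:00:03Z 203.0.113.7 dave FAIL
2023-01-01T10:00:03Z 203.0.113.7 erin FAIL
2023-01-01T10:00:04Z 203.0.113.7 frank FAIL
2023-01-01T10:00:04Z 203.0.113.7 grace FAIL
2023-01-01T10:00:05Z 203.0.113.7 heidi FAIL
2023-01-01T10:00:10Z 198.51.100.5 alice FAIL
2023-01-01T10:00:20Z 198.51.100.5 alice FAIL
2023-01-01T10:00:30Z 198.51.100.5 alice OK
2023-01-01T10:01:00Z 198.51.100.9 bob OK
"""


def parse_events(text):
    """Parse whitespace-separated log lines into (src_ip, username, ok) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        _ts, src, user, result = line.split()
        events.append((src, user, result == "OK"))
    return events


def score_sources(events, min_attempts=5, fail_ratio=0.5, user_spread=0.8):
    """Aggregate per source IP and flag sources that look like credential stuffing.

    A source is flagged when it has at least ``min_attempts`` attempts, at least
    ``fail_ratio`` of them failed, and the number of distinct usernames divided
    by the number of attempts is at least ``user_spread``. A genuine user who
    mistypes a password fails repeatedly on ONE account, so the spread stays low.
    The thresholds are illustrative assumptions, not tuned production values.
    """
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "ok_users": set()})
    for src, user, ok in events:
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["ok_users"].add(user)
        else:
            s["failures"] += 1

    result = {}
    for src, s in stats.items():
        attempts = s["attempts"]
        flagged = (
            attempts >= min_attempts
            and s["failures"] / attempts >= fail_ratio
            and len(s["users"]) / attempts >= user_spread
        )
        result[src] = {
            "attempts": attempts,
            "failures": s["failures"],
            "distinct_users": len(s["users"]),
            "flagged": flagged,
            # Successful logins from a flagged source are the accounts to treat as compromised.
            "compromised": sorted(s["ok_users"]) if flagged else [],
        }
    return result


def flagged_sources(scores):
    """Return the set of source IPs the heuristic flagged."""
    return {src for src, s in scores.items() if s["flagged"]}


def compromised_accounts(scores):
    """Return every username that logged in successfully from a flagged source."""
    return {u for s in scores.values() for u in s["compromised"]}


if __name__ == "__main__":
    scores = score_sources(parse_events(SAMPLE_LOG))
    for src, s in sorted(scores.items()):
        print(src, s)
    print("flagged:", flagged_sources(scores))
    print("compromised accounts to lock/notify:", compromised_accounts(scores))
```

Two caveats a practitioner would add. First, the overall failure rate in this sample (9 of 12 attempts) says nothing by itself; it is the per-source account spread that separates the bot at 203.0.113.7 from the customer at 198.51.100.5 who simply mistyped twice. Second, keying on source IP alone is weak in practice because stuffing bots rotate through proxy pools, so each IP may only ever send a handful of attempts; that is why the text above emphasizes device profiling, which lets the same aggregation be done per device fingerprint rather than per address.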
Leave it to Imperva, “The Knight in Shining Armor”, with ThreatRadar Bot Protection and Account Takeover services to come and save the day. Account Takeover protection is one of the many applications of the Imperva SecureSphere ThreatRadar solution. Imperva uses a combination of device profiling, device risk evaluation, and Web Application Firewall mitigation rules to detect and block Account Takeover. The Imperva solution has several benefits:
- Proactive detection of account takeover before fraud happens
- Actionable device intelligence usable for Fraud IR
- Frictionless user experience
- Reduced workload for Security Ops
The Imperva SecureSphere ThreatRadar Bot Protection solution has similarly powerful applications in the Financial and E-commerce verticals as well. In the next blog of this series, we will delve into the details (the secret sauce) of how Imperva SecureSphere ThreatRadar Bot Protection works and the different inputs that drive the correlation engine.