February 25, 2015

Use of Stolen Creds Is Most Dangerous Web Threat, Verizon Finds


Use of stolen credentials is the biggest web threat, says the most recent Verizon Data Breach Report. A working definition of the use of stolen credentials is available on an OWASP page. The use of stolen credentials rose from the #7 threat action in 2009 to #1 in 2013, the most recent year for which data is available. Here at Shape Security, we hear about stolen credentials, credential stuffing and account checkers every day. We've also blogged about what Gartner told us. According to Gartner's fraud expert Avivah Litan, "clients have reported a significant rise over the last two months in the use of stolen credentials to access accounts".

Contact Shape if you would like our help protecting your site from the use of stolen credentials. Our technology blocks account checkers, credential stuffing and other automated attacks.

February 19, 2015

Hijacking 1 million accounts for $3

Credential stuffing is a dangerous threat. Using simple mathematics and publicly available data we've been able to show how attackers are using botnets to try to hijack 1 million online accounts for just $3. Assuming a 1% success rate, attackers are still netting 10,000 accounts for $3.

The economics of botnet technology makes credential stuffing a growing threat for consumers and enterprises.

To highlight the economics of credential stuffing, let’s compare labor costs between a single human, a bot, and a botnet to test 1 million credentials. According to WSJ, a botnet costs $2 to rent.




Figure 1. Economics of Credential Stuffing


Using a botnet, an attacker can test 1 million accounts in a matter of hours (100 minutes to be exact). Credential stuffing is a web threat enabled by the rise of cheap botnets. In years past, testing 10 million passwords against a given website was both expensive to do, and easy to detect. Today, cheap botnets consisting of end-user machines have turbocharged credential stuffing. Now, the attack is cheap to perform and very hard to detect. Attackers regularly cycle through 10,000 to 100,000 IP addresses a day, making detection challenging.

Prior to the development of these technologies, the cost and time commitment required to launch this kind of brute force attack was prohibitive to attackers. The advent of botnets allowed credential stuffing attacks to be done in as little as a few days, while avoiding the IP reputation and throttling controls that prevent repeated login attempts. Cheap, easy-to-use botnets are plentiful on the black market, and potential attackers are more comfortable with using technology than ever before.


Market-Driven Attackers


The attackers who control these botnets are still held to the same economics as white-market products and services. Criminal entrepreneurs need to weigh the costs of infrastructure, labor, and profits to justify testing millions of credentials. And as they race against the clock for consumers to change their passwords, criminals become desperate for tools that make account takeover easier, faster, and more profitable for their enterprise.

In the last 5 years, bot technology has innovated the black market economy. As a result, we have seen a dramatic increase in automated, scripted attacks amongst our customers. If you would like to read more about the lifecycle of an automated attack, you can read our previous blog here.


Contact us to learn how Shape Security can protect your site.


[update] In this updated version of this blog post we refer to a single node bot. In a previous version of the same blog post we referred to a click-farm.



February 18, 2015

Rising Attack Vector: Credential Stuffing

Credential stuffing is taking lists of breached credentials from one website and testing them against another. According to the most recent Verizon Data Breach report, it's one of the fastest rising attack vectors.

The list of major companies that have fallen to this attack is impressive: Sony ‘11, Yahoo ‘12, Dropbox ‘12, and JPMC ‘14.

Credential stuffing is a general concept, but successfully taking over user accounts leads to more specific attacks in various industries: stealing hotel reward points, pilfering airline frequent flier miles, and committing gift card fraud, to name just a few.

The Definition of Credential Stuffing


Credential stuffing is the automated testing of breached username/password pairs in order to fraudulently gain access to user accounts. This attack involves checking large numbers of spilled credentials against various websites to uncover credentials that are valid on a target website. Attackers then hijack those accounts and commit various types of fraud.

The Anatomy of a Credential Stuffing Attack

  1. The attacker acquires spilled usernames and passwords from a website breach or password dump site.
  2. The attacker uses an account checker to test the stolen credentials against many websites (for instance, social media sites or online marketplaces).
  3. Successful logins (usually 0.1-1% of the total login attempts) allow the attacker to take over the account matching the stolen credentials.
  4. The attacker drains stolen accounts of stored value, credit card numbers, and other personally identifiable information.
  5. The attacker may also use account information going forward for other nefarious purposes (for example, to send spam or create further transactions).

How is Credential Stuffing Different from Existing Threats? 


We’ve classified credential stuffing as a renewed form of attack because the primary vector for account takeover has changed from the breaching of databases to automated web injection.

According to our analysis, credential stuffing is now the most popular method used by attackers to achieve account takeover. This is particularly dangerous to both consumers and enterprises because of the ripple effects of these breaches.

Credential Stuffing was the Attack Vector Used in the Sony, Yahoo, Dropbox and JPMC Breaches 


Below are excerpts taken from publications analyzing these large-scale breaches. There is evidence to support that these breaches were connected by credential stuffing.

  • Sony, 2011 breach: “I wish to highlight that two-thirds of users whose data were in both the Sony data set and the Gawker breach earlier this year used the same password for each system.” Source: Agile Bits
  • Yahoo, 2012 breach: “What do Sony and Yahoo! have in common? Passwords!”. Source: Troy Hunt
  • Dropbox, 2012 breach: “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log into sites across the internet, including Dropbox”. Source: Dropbox
  • JPMC, 2014 breach: “[The breached data] contained some of the combinations of passwords and email addresses used by race participants who had registered on the Corporate Challenge website, an online platform for a series of annual charitable races that JPMorgan sponsors in major cities and that is run by an outside vendor. The races are open to bank employees and employees of other corporations”. Source: NY Times
Figure 1: Anatomy of the 2011 credential stuffing attack on Sony. From left to right, credentials from smaller sites are leaked and injected into Sony’s login pages to test for credential reuse. The attacker gained access to any Sony accounts which used the same credentials as were leaked from the smaller sites.

Using botnets, credentials leaked from the smaller sites were tested on Sony’s login page. According to Wired, this resulted in 93,000 breached accounts. In other words, the credential stuffing attack that led to the Sony breach was made possible by prior breaches of smaller sites.

This connected chain of events from Sony to Yahoo to Dropbox excludes JPMC. The JPMC breach came from a separate and unrelated source. We know that the JPMC breach was caused by attackers targeting an unrelated third-party athletic race/run site for credentials to use against JPMC.

What Can SysAdmins Do to Prevent Attackers from Hijacking User Accounts by Credential Stuffing? 


The answer requires an understanding of the technical mechanism by which credential stuffing works.

Like account checkers, credential stuffing works by using the static form elements of the login page as an implicit API. The attacker references the form element names (email and password) in order to interact with the target webpage. Since most websites accept such traffic as normal (having no means to distinguish between intended and malicious use), the attacker can automate the attack by using scripts and account checkers to easily run through millions of tests per unit time. Using a large-scale distributed botnet and a huge number of IP addresses allows the attacker to avoid rate and volume limits which might otherwise prevent such a large number of login attempts. Thus, it is trivial even for unsophisticated attackers to launch attacks of this nature and scale against some of the largest websites in the world.

To defend websites against such activity, which we call “unwanted automation,” Shape Security uses an approach that is familiar to attackers: we dynamically change the underlying code of the site each time a page is viewed to defeat the types of scripts used in credential stuffing attacks. Just as malware authors have long used polymorphic code to evade antivirus products by constantly presenting different signatures, Shape’s solution creates a moving target which frustrates attackers attempting to automate credential testing on the website using scripts. This raises the effort an attacker must invest to successfully automate login attempts on a given website, without changing the front-end user experience.

Of course, savvy readers will point out numerous ways these measures can be circumvented. While it is beyond the scope of this article (but perhaps the subject of future pieces) to consider such attacks (DOM, GUI, and others), Shape is keenly focused on comprehensively defeating them and has solutions at each of those levels.

Contact us to learn how Shape Security can protect your site.

February 2, 2015

3 Steps for CISOs to Protect Login Accounts



Tweets like the one below are becoming more and more common. This frustrated consumer lost $100 from a gift card account he had with his favorite retailer. Besides the direct financial loss in replacing these stolen funds, the retailer also incurred call center costs and brand damage (this tweet represents just one of many related to hijacked accounts).



If 2014 was the year of the breach, then 2015 will be the year of account hijacking at a scale we’ve never seen before. The huge sets of credentials stolen in the past will be tested on just about every major website (and lots of minor ones), and roughly 0.1% to 20% of them will be valid. A Microsoft study found the typical consumer has terrible password hygiene and re-uses the same username / password combination across sites. Specifically, the study found the typical user has 6.5 passwords per 25 accounts, meaning that each user password is shared across 3.9 different sites. Due to frequent password reuse, credentials stolen during the breach of one site are also likely to be valid on 3.9 other unrelated sites. Each breach is also a breach of other sites on which the same credentials are valid.

Why is this so important? According to the 2014 Verizon Data Breach Investigations Report, compromised credentials are now the most commonly-used threat action. Almost every major website, including those with fully-patched, up-to-date security, is susceptible to account takeover and the use of account checker scripts to hijack accounts. Attackers use scripts to take over an account, drain its funds or other assets, and resell the drained account so it can be used for spam, money or reputation ‘laundering’. On our customers’ sites, an average of 60% of login page traffic is caused by malicious bots testing stolen credentials, up 10% from the same time last year.

Here’s a 3-step approach which SysAdmins can implement to help mitigate this vulnerability and protect user accounts.

Step 1. Diagnose if the site already has account hijackers


The first step is to measure whether criminals are actively testing stolen credentials against your website. The easiest metric to deploy is a comparison of failed logins versus successful logins over a typical one-week window. For most enterprises, the graph should have the following characteristics:
  • Failed logins should be a small percent of successful logins, typically under 10% (this varies widely, but if failed logins are over 100% of successful logins there is a very strong probability of a serious problem).
  • Failed logins should follow roughly the same pattern as successful logins.
  • Failed logins should not have large bursts of activity. 
Look out for hijackers guessing at your usage bursts and trying to hide within them. Also, look for DDoSing attackers who hide within a large amount of fake web traffic that they create. There are many patterns and signs to evaluate. The techniques above can help you determine whether you have a problem.
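The failed-versus-successful comparison from Step 1, worked through on constructed login logs (an added illustration, not code from Shape Security; the log line format and the thresholds, 10% overall and 100% per hour, are assumptions drawn from the text):

```python
"""Hourly failed-vs-successful login check for the Step 1 diagnosis.
Assumed log format (constructed for this example):
    <ISO-8601 timestamp> <username> <LOGIN_OK|LOGIN_FAIL> <client ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

SUCCESS, FAIL = "LOGIN_OK", "LOGIN_FAIL"


def build_sample_log():
    """Constructed sample: five quiet hours of normal traffic, then one hour in
    which a credential testing run adds 400 failures on top of the baseline."""
    base = datetime(2015, 2, 2, 0, 0, 0)
    lines = []
    for hour in range(6):
        ok, fail = 100, 5
        if hour == 5:
            fail += 400  # the burst the post tells you to look for
        for i in range(ok):
            ts = base + timedelta(hours=hour, seconds=i * 30)
            lines.append(f"{ts.isoformat()} user{i} {SUCCESS} 203.0.113.{i % 254 + 1}")
        for i in range(fail):
            ts = base + timedelta(hours=hour, seconds=i * 7)
            lines.append(f"{ts.isoformat()} victim{i} {FAIL} 198.51.100.{i % 254 + 1}")
    return lines


def hourly_counts(lines):
    """Bucket successes and failures per clock hour; skip malformed lines."""
    counts = defaultdict(lambda: {SUCCESS: 0, FAIL: 0})
    for line in lines:
        try:
            ts, _user, outcome, _ip = line.split()
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        except ValueError:
            continue
        if outcome in (SUCCESS, FAIL):
            counts[hour][outcome] += 1
    return dict(counts)


def assess(counts, ratio_warn=0.10, ratio_alarm=1.0, burst_factor=3.0):
    """Apply the three characteristics from the post:
    - overall failures should stay under ~10% of successes (ratio_warn);
    - an hour where failures exceed successes (ratio_alarm) is a strong signal;
    - an hour whose failures jump well above the median hour is a burst."""
    total_ok = sum(c[SUCCESS] for c in counts.values())
    total_fail = sum(c[FAIL] for c in counts.values())
    overall = total_fail / total_ok if total_ok else float("inf")
    baseline = median(c[FAIL] for c in counts.values()) if counts else 0
    findings = []
    for hour in sorted(counts):
        ok, fail = counts[hour][SUCCESS], counts[hour][FAIL]
        ratio = fail / ok if ok else float("inf")
        if ratio > ratio_alarm:
            findings.append((hour, "failed logins exceed successful logins", ratio))
        elif fail > burst_factor * baseline:
            findings.append((hour, "failed-login burst", ratio))
    return {
        "overall_fail_ratio": overall,
        "overall_warning": overall > ratio_warn,
        "flagged_hours": findings,
    }


if __name__ == "__main__":
    report = assess(hourly_counts(build_sample_log()))
    print(f"overall failed/successful: {report['overall_fail_ratio']:.2f}")
    for hour, reason, ratio in report["flagged_hours"]:
        print(f"{hour:%Y-%m-%d %H:00}: {reason} (ratio {ratio:.2f})")
```

Run it against a week of real login logs in the same shape and compare the flagged hours with your normal usage pattern before concluding anything.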

Step 2. Recognize that old traps don’t stop new login attackers

The traditional approaches to stopping account takeover (throttling, reputation, and CAPTCHA) are not current. They are outdated and ineffective. Don’t get caught deploying a solution easily defeated by criminals.

  1. Throttling solutions: Throttles won’t help, but they can hurt.
    Brute force throttling solutions will not reliably protect your website because determined adversaries will reduce the speed of their attack to fall below the threshold for detection, or source the attack from a diverse set of source IPs to spread out their traffic. Even unsophisticated crooks will quickly realize that web security throttles initially let the attack go unabated, typically for the first 60-90 seconds. Typical customers using rate-limiting heuristics find that 5,000 login attempts can occur in the first 90 seconds. If we assume a 1% success rate, which is conservative, each IP address used for the 90 second window will give the attacker access to 50 accounts. If we assume an average loss of $200 per account, the crook will net an estimated $10,000 per incident, with no real limit on the number of incidents beyond the availability of credentials to test.
  2. Reputation solutions: Reputation isn’t what it used to be.
    Reputation solutions, especially IP-based products, are increasingly easy to circumvent given rentable legal (like Rackspace and Amazon) and illegal infrastructure (from crimeware-as-a-service botnet creators who, according to Gartner, rent 10,000 clean IP nodes for $1.50 per hour). Botnets are especially damaging to the efficacy of IP reputation services, since botnets are comprised of zombified computers and therefore appear to be valid residential IPs. We can expect the botnet problem to get worse with the end of support for Windows XP.
  3. CAPTCHA solutions: This antiquated method disrupts customers, not fraudsters.
    CAPTCHA is disintermediated by commercial bypass services. Search for “CAPTCHA bypass service” to find a list of services that provide 1000 solved CAPTCHAs for as little as $1.39, with 95% accuracy. As the average user is only 71% accurate when solving CAPTCHAs, bypass services are 25% more accurate than legitimate users. This is equally true for niche CAPTCHAs like Confident Technologies’ implementation, mainstream CAPTCHAs like Google’s reCAPTCHA, and even reCAPTCHA v2.

Step 3. Implement user interface security on the login page

To protect user login accounts from being hijacked, we propose a solution that has been long-theorized but undeployable till now. We suggest that sites make critical elements of the underlying code dynamic, rendering machine automated attacks impractical to implement. We call this “user interface security” because it protects the user interface’s HTML, DOM, CSS and JavaScript from attack. This new method of defense defeats script attacks on web applications, and can be home-grown or purchased from Shape Security as a network appliance.

Malware has long used polymorphic code to hide itself from antivirus products by looking unique every time it infects a new machine. SysAdmins can invert this concept and use polymorphism to disable an attacker’s capability to script commands against targeted sites.

This technique is both cutting-edge and effective. Our chief scientist, Xinran Wang, Bob Blakley of Citibank, and Professor Tadayoshi Kohno of the University of Washington authored an academic paper on making web elements dynamic to defeat web automation. The paper was presented at the 2014 International Conference on Applied Cryptography and Network Security.

You can read it here.

Keep an eye out for forthcoming articles where we will categorize threats that rely on automation and the appropriate anti-automation control.

Contact Shape to protect your web application's user interface.

January 26, 2015

Gartner Identifies Shape Security as New Deflection Technique

Avivah Litan

Gartner Research VP and Distinguished Analyst, Avivah Litan, mentioned Shape Security on her blog discussing the growing threat of automated attacks on websites. Shape Security has been mentioned in multiple other reports. The difference here is this blog that is publicly available for everyone (including those without a Gartner subscription).

According to Avivah:

[Shape Security is a] new web application security technique that scrambles website code using a process called polymorphism. This precludes the hackers’ ability to decipher how a web site can be attacked since the logic of the web application is no longer transparent (e.g. no more ‘in the clear’ HTML code). 

In her blog, Avivah features Shape Security as a solution to these automated attacks. Specifically, she states that Shape's polymorphic technology deflects malicious automation, preventing the attacks from executing at the point of entry. Deflection is better than detection: preventing the attack is better than finding the attacker ex post facto.

Interested to learn more? Learn more here.

January 21, 2015

Attack Tool on the Rise: Account Checker


Today we introduce and explain an attack tool that is becoming more prevalent among our customers: the Account Checker.

This credential stuffing tool isn't new, but usage is rising sharply for reasons we'll discuss below. Although very conceptually simple and easy-to-use, account checkers are extremely powerful.

Description of Account Checkers

An account checker is an attack tool that takes lists of spilled username/password pairs (i.e. “credentials”) and tests them against a target website.

Powerful account checker packages cost as little as $100, and adversaries can also create their own account checkers from off-the-shelf web automation toolkits like Mechanize, PhantomJS, IEC.py, Sikuli, Selenium or iMacros. These toolkits reduce the technical burden to write account checkers and conduct credential stuffing attacks.

Anatomy of Account Checker Usage

  1. Attacker acquires spilled passwords from a website breach or from password dump site
  2. Attacker uses account checker to test stolen credentials at many websites
  3. Successful logins (usually 0.1-2% of total) result in account takeover
  4. Attacker drains stolen accounts of stored value, credit card numbers, and other PII
  5. Attacker may also use this account for other nefarious purposes (spam, further transactions, etc)

Example of Benign Account Checker 

Below is a ‘benign’ account checker called namechk.com that illustrates how account checkers work. This tool checks if a given username is available on various social networks. In the image below, we checked the username “shapesecurity” and this tool correctly identified all the sites on which that username was taken.




This service uses a script that automatically tests a given username against all the websites visible in the image (e.g. Blogger, Facebook, Youtube, Twitter, etc.).

A criminal account checker functions in the same fashion as the above tool, and adds additional capabilities like checking whether various passwords (based on guessing algorithms, or one of the top 25 passwords) work on that site. The full process of checking usernames and passwords, along with malicious intent, leads to the widespread attack of credential stuffing.

A Microsoft study found that the average user has just over six passwords, that each password is shared across four different sites, and that each user has about 25 accounts that require passwords. This means a breach anywhere results in a password for 3.9 other sites becoming public.

Example of an Attack-Ready Account Checker

Brian Krebs wrote about the off-the-shelf account checker below. This is the same type of tool used to hack Hilton.



In the above screenshot, row seven shows an account checker for expedia.com. This checker is able to ascertain whether credentials are valid, and scrape the point balance, last four digits of the credit card number, and billing address of the card.

Below is a sample of the underlying code of an account checker. This account checker tests large numbers of credentials. When it finds a valid pair of credentials, it scrapes PII and steals stored value and credit card details from the account.




Where do attackers get lists of credentials?

The fuel for any account checker is a list of credentials. Fortunately for attackers, there are a huge number of credentials that are public.
  • 38,000,000 Adobe accounts 
  • 318,000 Facebook accounts 
  • 70,000 Google accounts 
  • 60,000 Yahoo accounts 
  • 22,000 Twitter accounts 
  • 8,000 ADP accounts 
  • 8,000 LinkedIn accounts 
Hundreds more credentials are leaked each day on this twitter handle: twitter.com/dumpmon. Many security professionals use this list to identify which user accounts on their respective sites have been compromised, and to lock out compromised accounts. Obviously, attackers also use this list, in conjunction with account checkers, to find vulnerable accounts which they then use for various fraudulent activities. 



What can security professionals do to curb account checkers and prevent attackers from hijacking user accounts? 

The answer requires an understanding of the mechanism by which account checkers work.

Account checkers work by using the static form elements of the login page as an implicit API. In the code sample above, the attacker references the form element names in order to interact with the target webpage. Most websites cannot distinguish such interactions from normal human interactions and thus gladly accept the attacking traffic. This allows the attacker to automate the website using account checkers and easily run through millions of tests over the course of a few days or weeks (often using a large distributed botnet and a huge number of IP addresses in order to avoid rate and volume limits). Thus, even very unsophisticated attackers can trivially launch potent attacks against many of the largest websites in the world.

To defend websites against such activity, which we call “unwanted automation”, we use an approach that is familiar to attackers - we change the underlying code of the site on every pageview. Just as malware authors have long used polymorphic code to evade antivirus products by constantly presenting different signatures, so Shape’s solution creates a moving target which frustrates scripts that seek to automate a website. This allows sysadmins to increase the effort an attacker must invest to successfully script or automate a given website.
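A minimal version of the moving-target idea described here and in the February 18 and February 2 posts, as an added illustration (not Shape Security's product code, which works on the whole page rather than just field names): each render of the login form gets fresh, unguessable field names derived from a server key and a per-pageview nonce, the nonce is consumed on submission so it cannot be replayed, and submissions that use the fixed names are rejected and counted. The class and field names are assumptions.

```python
"""Per-pageview renaming of login form fields (constructed example)."""
import hashlib
import hmac
import secrets

LOGICAL_FIELDS = ("email", "password")
NONCE_FIELD = "_pv"  # hidden field carrying the per-pageview nonce


def field_alias(key, nonce, logical):
    """Opaque name for a logical field on one page view. Without the server
    key a script cannot predict it, and it changes on every render."""
    mac = hmac.new(key, nonce + b"\x00" + logical.encode(), hashlib.sha256)
    return "f" + mac.hexdigest()[:20]


class PolymorphicLoginForm:
    def __init__(self, key):
        self.key = key
        self.issued = set()        # nonces rendered and not yet consumed
        self.static_name_hits = 0  # submissions that used the fixed names

    def render(self, nonce=None):
        """Return the HTML for one page view plus the mapping used to build it."""
        nonce = nonce if nonce is not None else secrets.token_bytes(16)
        self.issued.add(nonce)
        aliases = {f: field_alias(self.key, nonce, f) for f in LOGICAL_FIELDS}
        html = (
            '<form method="post" action="/login">\n'
            f'  <input type="hidden" name="{NONCE_FIELD}" value="{nonce.hex()}">\n'
            f'  <input type="text" name="{aliases["email"]}">\n'
            f'  <input type="password" name="{aliases["password"]}">\n'
            "</form>"
        )
        return {"html": html, "aliases": aliases, "nonce": nonce.hex()}

    def decode(self, posted):
        """Map a submitted form back to logical names; raise ValueError on
        anything that does not come from a single, unconsumed render."""
        if any(f in posted for f in LOGICAL_FIELDS):
            # A script replaying the fixed names never used a render.
            self.static_name_hits += 1
            raise ValueError("static field names submitted")
        try:
            nonce = bytes.fromhex(posted.get(NONCE_FIELD, ""))
        except ValueError:
            raise ValueError("malformed nonce")
        if nonce not in self.issued:
            raise ValueError("unknown or replayed nonce")
        self.issued.discard(nonce)  # one submission per page view
        decoded = {}
        for logical in LOGICAL_FIELDS:
            alias = field_alias(self.key, nonce, logical)
            if alias not in posted:
                raise ValueError(f"field for {logical} missing")
            decoded[logical] = posted[alias]
        return decoded

    def check(self, posted):
        """Non-raising wrapper: returns (decoded_fields, error_message)."""
        try:
            return self.decode(posted), None
        except ValueError as e:
            return None, str(e)


if __name__ == "__main__":
    form = PolymorphicLoginForm(secrets.token_bytes(32))
    view = form.render()
    print(view["html"])
    print(form.check({"email": "a@example.com", "password": "x"}))  # rejected
```

In a real deployment the issued-nonce set needs an expiry and must be shared across web nodes, and the same treatment has to extend beyond field names to the DOM and script the page relies on.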

Of course, savvy readers will point out numerous other ways in which such attacks could be conducted. It is beyond the scope of this article (but perhaps the subject of future pieces) to consider such attacks (DOM, GUI, and others). Shape is of course keenly focused on comprehensively defeating all such attacks and has solutions at each of those levels.

Click here to learn more about the ShapeShifter Botwall security solution, which is available in hardware and software packaging.

April 8, 2014

Windows XP End-of-Support Will Result In More Powerful Botnets

Today marks the official end-of-support for Windows XP, which means no more security updates for Windows XP installations. Non-supported Windows XP installations will not get updates and will over time become less secure and easier to hijack.

As millions of XP machines become less secure, we will see more Windows XP machines usurped and zombified for malicious web attacks. Now that Windows XP machines will be easier to hijack, more nodes will be available to botnets to make attacks on web servers. This will impact the day-to-day of CISOs and security professionals whose job it is to protect web infrastructure from attacks.

While many organizations are focused on upgrading to more modern operating systems, it's the devices that they have no control over that may end up doing the most damage. It boils down to this: while an enterprise may do everything right to upgrade and protect its own computers, they don't control the millions of devices still running XP in the wild.

Vulnerable devices get compromised, and compromised devices become parts of a botnet. Botnets provide cybercriminals with a platform for everything from DDoS against websites to sophisticated account takeover and fraud. As official support for XP runs out, attackers will naturally rush in to take advantage of those left behind.

Here is a quick breakdown of the numbers to help quantify the significance.


Windows XP Usage Remains High


Industry statistics of operating system usage can vary wildly, and current estimates of XP usage range from 10% to 28% of the total operating systems used worldwide. With an estimated 2 billion PCs in the world, that means that somewhere between 200 million and 580 million devices will be vulnerable by definition.

Source: NetMarketShare 2014

Windows XP Vulnerabilities Remain High 


2013 was a busy year for new Windows XP vulnerabilities, with a total of 88 new vulnerabilities reported. For comparison, this is twice as many vulnerabilities as were observed in 2012. The comparative view of Microsoft CVEs shows that while XP is not the leading source of vulnerabilities, it remains a very significant source of new vulnerabilities.

Source: CVEDetails.com

Windows XP Infection Rates Remain High


Microsoft’s latest Security Intelligence Report shows that while the popularity of XP is on par with other Windows operating systems, the infection rate is almost double that of more modern operating systems.

Source: Microsoft Security Intelligence Report Volume 15

These statistics certainly favor the attackers. Even if enterprises manage the Windows XP end-of-life perfectly, all of the unprotected XP devices in the wild remain. This is why deflecting bots and automated threats has become so important for virtually any organization with an Internet-facing site or application.

Clarification: Wade Williamson wrote this article.