Top 3 attack tools to look out for during the holiday season

Part of what we do at Spec is to study attackers, their tools, and how those tools get used in the real world. AI-powered attack tools are popular, widely distributed, and effective at giving attackers the ability to automatically discover new vulnerabilities in a merchant’s customer journey. As important as Black Friday and Cyber Monday are for merchants, they’re also the debut days for new attack tools and tactics that Spec defends against. Here are a few that we’re seeing and what they’ll look like on the merchant side.

A quick note: There is a huge difference between AI-powered attack tools and bots. Bots scale attacks against known exploits or vulnerabilities. AI-powered attack tools automatically discover new exploits or vulnerabilities and then launch hard-to-detect attacks against them.

Race Condition Attacks

Attack Focus: An attack against the customer journey that enables attackers to bypass controls at the point of login or payment by tricking your systems into reusing a stale positive risk assessment for a high-risk login or payment. These are vulnerabilities thought to be so improbable to find that they’re generally unaddressed in most merchant applications – but AI attack tools inevitably find them.

Attack Affects:

• Payments
• Logins

How it works: 

1. Attackers reverse-engineer how merchant and vendor request deduplication and timeout error handling works. 
2. Request fuzzing and data leakage are the primary tools they use to achieve reverse-engineering, basically making tiny changes that are hard to detect and seeing how they can manipulate the way your website or app responds. AI attack tools make this process easy and fast.
3. Once the AI tool has mapped out your system, the attacker will then create “duplicate” requests to authenticate or make a payment, but some of them will have higher-risk data in them, such as compromised logins or stolen payment data. Because they can convince your systems these are duplicate requests, the requests containing high-risk data sail past your defenses.

In plain english: This works like two people walking through a badged access door, but the first person holds the door open for the second person despite the 2nd person having a fake badge. 

What this looks like for merchants: Successful orders made with high-risk payment instruments but with good risk ratings from your payment risk model. Dig deeper into your payments data, and you’ll see that these payments happened at virtually the same time as declined transactions from low-risk cards (often pre-paid or virtual cards with insufficient funds).  For logins, this can be logins that bypass risk-based MFA, you’ll need to look at your raw request logs to surface this.

Vendor Denial-of-Service

Attack focus: An attack against the customer journey that enables attackers to degrade the capabilities of your risk vendors, sometimes without the merchant noticing. Because these attacks don’t hit networks or infrastructure owned by the merchant, it’s often impossible to tell when this is happening, but GDPR subprocessor disclosure has made it easier for attackers to know what vendors they need to target. Attackers use AI to uncover resource vulnerabilities.

Attack affects:

• Credential stuffing
• Account compromise
• Payments
• Account creation
• Collusion

How it works: 

1. Attackers target the resources of critical risk vendors (connections, bandwidth, CPU, memory) in an attempt to knock them out or degrade their service. 
2. Once they’ve achieved this, attackers proceed through the merchant’s customer journey unfettered by risk controls. Sometimes, these attacks could last 10-30 seconds – short enough that they don’t set off any huge alarms, but long enough for an AI-powered attack to do tons of damage.

In plain english: This is like knocking out the guards and freezing the security cameras before a heist.

What this looks like for merchants: Risk vendors timing out, returning reduced data, or returning default “accept” responses – some of these may not be obvious, depending on how the vendor functions and how the merchant has integrated them. This will eventually manifest as an uptick in compromised accounts and bad payments. In some cases, attackers might make a significant number of requests that use duplicate or manipulated address information in order to put additional pressure on your risk vendor’s data tier.

Session Harvesting

Attack focus: An attack against the customer journey where risk controls are bypassed by hiding inside a previously fabricated “good” session. More restrictive session limitations can’t be enforced without harming the good user experience.

Attack affects:

• Credential stuffing
• Compromised accounts
• Shared accounts
• Card testing
• Scraping
• Content abuse
• Fake account creation
• Ad abuse
• Promotion abuse
• Reseller abuse

How it works: This is an old attack given new life by AI attack tools.

1.  Attackers use these tools to reverse-engineer how to get a “good” user session, and how long and in what context they can re-use that user session before your systems invalidate it. 
2. They can create and hoard thousands of these sessions, which enables them to wreak havoc on your controls, manipulate your models, and scale attacks in a way that bot defense provider’s can’t detect.

In plain english: This is like organizing a group of people to wander through a hardware store and pretend to shop, all while staging all the items they want to steal near a fire exit.

What this looks like for merchants: Major application abuse despite “good” checks from risk and bot detection providers. The telltale signs of session harvesting are unusual site requests to generate, refresh, and enrich these sessions. Some of these requests involve viewing a shopping cart, so this practice can sometimes be called “cart harvesting” by attackers.

—

These are just a few of the attack patterns being enabled by AI in the real world. Spec’s Customer Journey Security platform detects and prevents these attacks, even going so far as to blind and poison the AI-models used by modern attack tools. If you’re under active attack or need to get off the incident response hamster wheel, we’re here to help. Get your incident response engagement today!