The Quiet Rise of Account Takeover

Posted on 13-Feb-2017


Transcript

The Quiet Rise of Account Takeover

Mike Milner, CTO @immunio, mike@immun.io

www.immun.io

64

https://blog.dashlane.com/infographic-online-overload-its-worse-than-you-thought/

Attacker Motivations

• Financial Fraud

• Virtual Currency

• Warranty Fraud

• SPAM

• Influence / Political Motivations

Financial Fraud and Theft

• Directly Stealing Cash

• Direct Theft of Physical Goods

Warranty Fraud

Virtual Currency

• As good as cash

• Easily Monetized

SPAM

• Nobody Likes SPAM

• Fresh accounts have the most restrictions

• An account with a good history and existing connections is far more valuable for SPAM

Influence & Political Motivations

Impact

Attack Techniques

• Credential Stuffing

• Brute Force

• Code Vulnerabilities

• Phishing

• Malware

Credential Stuffing

• Hundreds of millions of leaked credentials available online

• More than 50% of users reuse passwords on multiple websites

• Little or no protection on many sites

http://www.verizonenterprise.com/verizon-insights-lab/dbir/

https://haveibeenpwned.com/PwnedWebsites
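The cheapest defence against credential stuffing is to refuse passwords that already appear in the leaked corpora the slide refers to. The block below is an added example (not code from the talk or from IMMUNIO) of the k-anonymity range query that Have I Been Pwned's Pwned Passwords service exposes: only the first five hex characters of the password's SHA-1 are sent, the server returns every suffix with that prefix, and the match is made locally. The endpoint URL is the real one; the sample range body is constructed for the demo (the first suffix is the genuine remainder of SHA-1("password"), the other lines and all counts are made up), and `offline_fetch`, `password_acceptable` and the thresholds are assumptions of this example.

```python
import hashlib
import urllib.request

# Real Pwned Passwords range endpoint; a 5-char prefix is appended to it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_parts(password):
    """Split the uppercase SHA-1 hex digest into (5-char prefix, 35-char suffix).
    Only the prefix ever leaves this host, so the server cannot learn the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Blank lines and zero-count entries (the API can pad responses with them) are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range(prefix):
    """Live lookup over the network (not used by the offline demo or its test)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """How many times the password was seen in breaches, or 0 if unseen."""
    prefix, suffix = sha1_parts(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def password_acceptable(password, fetch=fetch_range, max_seen=0):
    """Policy hook (assumption of this example): reject any password seen more than max_seen times."""
    return breach_count(password, fetch) <= max_seen


# Constructed range body for prefix 5BAA6 (the prefix of SHA-1("password")).
# The first suffix is the real remainder of that hash; everything else is invented.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2\n"
        "FFFF0123456789ABCDEF0123456789ABCDE:0\n"
    ),
}


def offline_fetch(prefix):
    """Stand-in for fetch_range that serves the constructed sample, so the demo runs offline."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        seen = breach_count(pw, offline_fetch)
        print("%-30s seen=%-8d acceptable=%s" % (pw, seen, password_acceptable(pw, offline_fetch)))
```

In production, call `breach_count(pw)` with the default network fetch at registration and password change, and treat any non-zero count as a hard reject; the prefix query leaks nothing useful about the password itself.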

Brute Force

Code Vulnerabilities

All your favourites:

• SQL Injection

• Cross Site Scripting (XSS)

• Session Fixation/Hijack

Phishing

Prevention & Detection

• Strengthen Your Login Process

• Have a “Plan B” to use when auth is suspect

• The majority of attacks need large volumes of requests, so they are almost always automated

• Prevent attacks by stopping automated Bots

• Detect compromised accounts with behaviour profiling.

Multi Factor

Plan B

• Disable Account Access

• Force Password Reset through verified Email

• Security Questions

• Ask details about account

CAPTCHA

• Hard for a bot script to solve on its own, though attackers can farm CAPTCHAs out to paid human-solving services

• Easy (but annoying) for a human

Rate Limiting

• Count volume of events in a sliding time window

• Take action when the threshold is exceeded
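The sliding-window counter above is the same primitive whether you are throttling or detecting, and the key you count under decides which attack it catches: failures per account expose brute force, while many distinct usernames from one source expose credential stuffing. The block below is an added example (not code from the talk or from IMMUNIO) that runs both counters over a constructed login log; the log format, the thresholds and the alert names are assumptions of this example, and the only ordering requirement is that timestamps are non-decreasing per key, which a log read front to back satisfies.

```python
import re
from collections import defaultdict, deque

# Constructed log format for this demo (not any real product's format):
#   <unix_ts> ip=<addr> user=<name> result=ok|fail
LOG_RE = re.compile(r"^(?P<ts>\d+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


class SlidingWindow:
    """Per-key events that fall inside the last `seconds`. Timestamps must be
    non-decreasing per key; expired entries are dropped on every access."""

    def __init__(self, seconds):
        self.seconds = seconds
        self._q = defaultdict(deque)  # key -> deque of (ts, value)

    def _prune(self, key, now):
        q = self._q[key]
        while q and q[0][0] <= now - self.seconds:
            q.popleft()
        return q

    def add(self, key, ts, value=None):
        self._prune(key, ts).append((ts, value))

    def count(self, key, now):
        return len(self._prune(key, now))

    def distinct(self, key, now):
        return len({v for _, v in self._prune(key, now)})


def detect(lines, window=60, user_fail_threshold=5, ip_fail_threshold=20, distinct_user_threshold=10):
    """Return (kind, key, ts) alerts; each fires once, when its counter crosses the threshold."""
    user_fails = SlidingWindow(window)  # failures per target account
    ip_fails = SlidingWindow(window)    # failures per source IP, remembering the username tried
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = int(m["ts"]), m["ip"], m["user"], m["result"]
        if result == "ok":
            # A success right after a burst of failures on the same account is the
            # moment the takeover actually lands: flag it for step-up or review.
            if user_fails.count(user, ts) >= user_fail_threshold:
                alerts.append(("possible_takeover", user, ts))
            continue
        before_user = user_fails.count(user, ts)
        user_fails.add(user, ts)
        if before_user < user_fail_threshold <= user_fails.count(user, ts):
            alerts.append(("brute_force", user, ts))
        before_ip, before_distinct = ip_fails.count(ip, ts), ip_fails.distinct(ip, ts)
        ip_fails.add(ip, ts, user)
        if before_ip < ip_fail_threshold <= ip_fails.count(ip, ts):
            alerts.append(("ip_fail_rate", ip, ts))
        # Many *different* usernames from one source is the credential-stuffing signature.
        if before_distinct < distinct_user_threshold <= ip_fails.distinct(ip, ts):
            alerts.append(("credential_stuffing", ip, ts))
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, invented users).
SAMPLE_LOG = (
    # credential stuffing: one IP, a different username on every attempt, all failing
    ["%d ip=203.0.113.7 user=user%02d result=fail" % (1000 + i, i) for i in range(12)]
    # brute force: one IP hammering a single account, then getting in
    + ["%d ip=198.51.100.9 user=alice result=fail" % (1000 + i) for i in range(6)]
    + ["1006 ip=198.51.100.9 user=alice result=ok"]
    # benign: a user fat-fingers twice, then logs in
    + ["1000 ip=192.0.2.5 user=bob result=fail",
       "1003 ip=192.0.2.5 user=bob result=fail",
       "1010 ip=192.0.2.5 user=bob result=ok"]
    # the stuffing IP returns long after the window has expired: counters have reset
    + ["5000 ip=203.0.113.7 user=user99 result=fail"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The per-IP counters are the ones a rented botnet defeats by spreading attempts thinly, which is why the per-account counter, threat-intelligence feeds and fingerprinting are layered on top rather than used alone.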

Threat Intelligence

• Many Botnets are available for rent by attackers

• Each bot IP may end up attacking many different sites

• Threat Intel feeds aggregate information about bad IP addresses

Browser Fingerprinting

• Web browsers are very complex.

• Very difficult for a Bot script to replicate the entire behaviour of a browser

• Ask browser to do many different tasks. Use the results to distinguish human from bot

FingerprinTLS (passive fingerprinting of the TLS client handshake rather than of browser behaviour)

https://github.com/LeeBrotherston/tls-fingerprinting

Behaviour Profiling

• Usual devices

• Usual geolocation

• Typical usage behaviour

• For significant changes, ask for additional verification
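Behaviour profiling and the threat-intelligence feed from a few slides back end up feeding the same decision: score how far a login deviates from what the account usually looks like, and step up to the "Plan B" verification when the score is high. The block below is an added example (not code from the talk or from IMMUNIO) of that scoring over a constructed profile; the flagged networks, the per-signal weights, the allow/step-up/deny cut-offs and the `Profile`/`Login` shapes are all assumptions of this example, and the cold-start rule (an empty profile contributes nothing) is a design choice you may want to tighten.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed threat-intel feed: CIDRs a hypothetical reputation provider flagged as bot
# infrastructure (RFC 5737 documentation ranges, so nothing real is being accused).
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Weights and cut-offs are assumptions for the demo; tune them against your own false-positive budget.
WEIGHT_BAD_IP, WEIGHT_NEW_DEVICE, WEIGHT_NEW_COUNTRY, WEIGHT_OFF_HOURS = 40, 30, 30, 10
STEP_UP_AT, DENY_AT = 30, 60


@dataclass
class Profile:
    """What the account usually looks like, learned from verified logins."""
    devices: set = field(default_factory=set)    # device fingerprints seen before
    countries: set = field(default_factory=set)  # geolocation of previous logins
    hours: set = field(default_factory=set)      # hours of day the user is normally active


@dataclass
class Login:
    user: str
    ip: str
    device: str
    country: str
    hour: int


def ip_flagged(ip):
    """True if the address falls inside any network on the threat feed."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BAD_NETWORKS)


def risk_score(profile, login):
    """Return (score, reasons). An empty profile (first login) contributes no deviation."""
    score, reasons = 0, []
    if ip_flagged(login.ip):
        score += WEIGHT_BAD_IP
        reasons.append("ip_on_threat_feed")
    if profile.devices and login.device not in profile.devices:
        score += WEIGHT_NEW_DEVICE
        reasons.append("unknown_device")
    if profile.countries and login.country not in profile.countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append("unusual_geolocation")
    if profile.hours and login.hour not in profile.hours:
        score += WEIGHT_OFF_HOURS
        reasons.append("unusual_time")
    return score, reasons


def decide(score):
    """Map a score to the action: allow silently, ask for additional verification, or refuse."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def record_success(profile, login):
    """Only call this after the login passed (including any step-up), so attackers
    cannot teach the profile their own device and location."""
    profile.devices.add(login.device)
    profile.countries.add(login.country)
    profile.hours.add(login.hour)


if __name__ == "__main__":
    alice = Profile(devices={"fp-laptop"}, countries={"CA"}, hours=set(range(8, 19)))
    for attempt in (
        Login("alice", "192.0.2.10", "fp-laptop", "CA", 10),    # the usual
        Login("alice", "192.0.2.10", "fp-unknown", "CA", 10),   # new device only
        Login("alice", "203.0.113.7", "fp-unknown", "RU", 3),   # everything is off
    ):
        score, reasons = risk_score(alice, attempt)
        print(decide(score), score, reasons)
```

The step-up branch is where the Plan B options on the earlier slide plug in: send the verified-email reset or ask account details, and only on success call `record_success` so the new device becomes part of the profile.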

Sentry MBA (a widely used credential-stuffing tool)

http://engineering.shapesecurity.com/2016/03/a-look-at-sentry-mba.html

Other Resources

https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf

http://www.darkreading.com/endpoint/anatomy-of-an-account-takeover-attack/a/d-id/1324409

https://www.immun.io/use-case-account-takeover-protection

https://www.owasp.org/index.php/Credential_stuffing

https://www.owasp.org/index.php/Brute_force_attack

Questions?

Thank You!

Mike Milner, CTO @immunio, mike@immun.io

www.immun.io