How Attacks Evolve From Bots to Fraud - Part 2

In our previous article we discussed how an attacker's sophistication evolves in order to bypass anti-automation countermeasures and achieve their objectives against the target. In this article and video we walk through some specific automated attack tools and test them against a real endpoint protected by F5 Bot Defense to get a realistic look at this scenario.

Whether an attacker succeeds with their automation toolkit depends heavily on two things: the anti-automation solution protecting the web property they are attacking, and the sophistication of the attacker. To bypass any countermeasures, the attacker must make the attack look as human as possible.

Let's briefly discuss the different tools we'll be using in our demo, starting with a low sophistication attack and ending with a higher sophistication one.

Low sophistication attacks (e.g. CURL):

#!/usr/bin/env bash
# Ten login attempts, two seconds apart, from a single host, using curl's
# default headers and User-Agent. The response is discarded.
for run in {1..10}
do
  curl -s 'https://credstuff.acmecorp.com/user/signin' -i -X POST -d "username=1&password=1" > /dev/null
  echo
  echo "CURL Credential Stuffing attempt $run done"
  sleep 2
done

Sample: CURL script performing a basic credential stuffing HTTP POST

CURL is a tool that almost everyone uses these days to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP). The command is designed to work without user interaction, so of course it lends itself well to automation, both good and bad.

CURL offers a busload of useful tricks like proxy support, user authentication, FTP upload, HTTP post, SSL connections, cookies, file transfer resume, Metalink, and more. The number of features will make your head spin, but it can also facilitate malicious activity and potentially fool origin servers that don't have proper checks in place.

CURL can be used to generate automated credential stuffing attacks: due to its massive feature set, CURL can reproduce much of the network traffic, headers, User-Agent strings and so on that a real browser would send. This can be used to fool origin servers into treating an automated login attempt as a real browser.
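The flip side of that point, from the defender's seat, is that a copied User-Agent string is only one header, and the rest of the request often gives the tool away. The following is an added example written for this article (not code from the original post and not part of F5 Bot Defense); the header set, the weights, the sample requests and the hostname credstuff.acmecorp.com from the script above are all constructed assumptions. It scores a login POST from its request headers alone: a client that identifies itself honestly, a client that claims to be a browser but omits the headers a browser would send with a same-site form post, a cross-site submission, and a genuine browser form post.

```python
"""Added example: header-consistency heuristics for a login POST.

Illustrative code written for this article, not part of the original post or of
F5 Bot Defense. The header set, weights and sample requests are assumptions
constructed for the example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Headers a current desktop browser sends with a same-site HTML form POST.
# A script that only copies a browser User-Agent (e.g. curl -A "Mozilla/5.0 ...")
# usually leaves these out, which is the inconsistency this check looks for.
EXPECTED_WITH_BROWSER_UA = (
    "accept-language",
    "origin",
    "sec-fetch-site",
    "sec-fetch-mode",
    "sec-fetch-dest",
)


@dataclass
class Verdict:
    score: int = 0                       # 0 = consistent with a browser form post
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def assess_login_post(headers):
    """Score a POST /user/signin request from its request headers alone."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "")
    v = Verdict()

    if not ua:
        v.add(3, "no User-Agent header")
    elif not ua.startswith("Mozilla/"):
        # curl identifies itself as "curl/<version>" unless told otherwise (-A)
        v.add(3, f"non-browser User-Agent: {ua}")
    else:
        missing = [name for name in EXPECTED_WITH_BROWSER_UA if name not in h]
        if missing:
            v.add(len(missing), "browser User-Agent but missing " + ", ".join(missing))

    origin = h.get("origin")
    if origin and urlsplit(origin).netloc != h.get("host"):
        # the login form was submitted from a page on a different site
        v.add(2, f"Origin {origin} does not match Host {h.get('host')}")
    return v


def is_suspicious(headers, threshold=2):
    return assess_login_post(headers).score >= threshold


# Constructed sample requests (not captured traffic).
CURL_DEFAULT = {                          # what the article's loop sends by default
    "Host": "credstuff.acmecorp.com",
    "User-Agent": "curl/8.4.0",
    "Accept": "*/*",
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": "21",
}
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
CURL_SPOOFED_UA = {**CURL_DEFAULT, "User-Agent": CHROME_UA}   # curl -A "<browser UA>"
BROWSER_FORM_POST = {                     # a real browser submitting the login form
    "Host": "credstuff.acmecorp.com",
    "User-Agent": CHROME_UA,
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.9",
    "Content-Type": "application/x-www-form-urlencoded",
    "Content-Length": "21",
    "Origin": "https://credstuff.acmecorp.com",
    "Referer": "https://credstuff.acmecorp.com/user/signin",
    "Sec-Fetch-Site": "same-origin",
    "Sec-Fetch-Mode": "navigate",
    "Sec-Fetch-Dest": "document",
}
CROSS_SITE_POST = {**BROWSER_FORM_POST, "Origin": "https://third-party.example"}

if __name__ == "__main__":
    for name, req in [("curl default", CURL_DEFAULT), ("curl spoofed UA", CURL_SPOOFED_UA),
                      ("browser form post", BROWSER_FORM_POST), ("cross-site post", CROSS_SITE_POST)]:
        v = assess_login_post(req)
        print(f"{name:18} score={v.score} {v.reasons}")
```

The thresholds are deliberately crude; the lesson is that copying one header is cheap, while reproducing the whole set consistently takes more effort, which is exactly the step up in sophistication the rest of this article is about. A client that drives a real browser produces all of these headers natively, so this kind of check has to be paired with behavioural signals rather than used on its own.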

Medium sophistication attacks (e.g. OpenBullet 2):

OpenBullet 2 is a cross-platform automation suite powered by .NET Core. It allows users to perform requests towards a target web app and offers a lot of tools to work with the results. This software can be used for scraping and parsing data, automated pentesting and much more. It can also be used maliciously by attackers for credential stuffing and other automated web threats: it lets the user import proxy lists, build automated attack configurations, leverage third-party CAPTCHA solvers, and much more.

High sophistication attacks (e.g. Selenium with Python):

# Selenium 4 syntax: element lookups go through find_element(By.<strategy>, value)
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.common.keys import Keys

driver = webdriver.Firefox()                 # launches a real Firefox via geckodriver
driver.get("http://www.python.org")
assert "Python" in driver.title
elem = driver.find_element(By.NAME, "q")     # the site's search box
elem.clear()
elem.send_keys("pycon")
elem.send_keys(Keys.RETURN)                  # submits the search like a user pressing Enter
assert "No results found." not in driver.page_source
driver.close()

Sample: Selenium Python script performing a basic browser automation function

Selenium is an umbrella project for a range of tools and libraries that enable and support the automation of web browsers. Selenium supports automation of all the major browsers in the market through the use of WebDriver. WebDriver is an API and protocol that defines a language-neutral interface for controlling the behaviour of web browsers.

This ability to automate real web browsers through scripting also lends itself to an attacker attempting to bypass many anti-automation solutions for a variety of different attacks. OWASP has defined a list of many of the different Automated Threats here...
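Once the client is a proxy-rotating tool like OpenBullet 2 or a scripted real browser like the Selenium example above, the individual request looks legitimate, and the remaining signal is behaviour across the login endpoint over time. The following is an added example written for this article (not code from the original post and not part of F5 Bot Defense) that runs two velocity checks over a constructed login audit log: a per-source check that catches the single-host loop from the CURL sample, and a per-account check that catches a campaign spread across many proxy IPs, where no single source ever exceeds the per-IP threshold. The log format, thresholds, IP addresses and usernames are all assumptions.

```python
"""Added example: velocity checks over a login audit log.

Illustrative code written for this article, not part of the original post or of
F5 Bot Defense. The log format, thresholds and sample lines are constructed
assumptions; a real deployment would read the application's own auth logs.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO-8601 timestamp> <client ip> <username> <ok|fail>"
# Lines 1-10: one host, fixed two-second cadence (the CURL loop from the article).
# Lines 11-14: four proxy IPs, one attempt each, all against the same account.
# Lines 15-17: a legitimate user who mistypes twice and then signs in.
SAMPLE_LOG = """\
2024-04-23T10:00:00 203.0.113.5 acct01 fail
2024-04-23T10:00:02 203.0.113.5 acct02 fail
2024-04-23T10:00:04 203.0.113.5 acct03 fail
2024-04-23T10:00:06 203.0.113.5 acct04 fail
2024-04-23T10:00:08 203.0.113.5 acct05 fail
2024-04-23T10:00:10 203.0.113.5 acct06 fail
2024-04-23T10:00:12 203.0.113.5 acct07 fail
2024-04-23T10:00:14 203.0.113.5 acct08 fail
2024-04-23T10:00:16 203.0.113.5 acct09 fail
2024-04-23T10:00:18 203.0.113.5 acct10 fail
2024-04-23T10:05:00 198.51.100.1 carol fail
2024-04-23T10:05:01 198.51.100.2 carol fail
2024-04-23T10:05:02 198.51.100.3 carol fail
2024-04-23T10:05:03 198.51.100.4 carol fail
2024-04-23T10:12:00 192.0.2.10 dave fail
2024-04-23T10:12:20 192.0.2.10 dave fail
2024-04-23T10:12:45 192.0.2.10 dave ok
"""


def parse_audit_log(text):
    """Return (timestamp, ip, user, outcome) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return sorted(events)


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def noisy_sources(events, window=timedelta(minutes=1), threshold=5):
    """IPs with `threshold` or more failed logins inside one window (single-host tools)."""
    fails = defaultdict(list)
    for ts, ip, _user, outcome in events:
        if outcome == "fail":
            fails[ip].append(ts)
    return {ip for ip, ts in fails.items() if max_in_window(ts, window) >= threshold}


def sprayed_accounts(events, window=timedelta(minutes=5), min_ips=3):
    """Accounts that saw failed logins from `min_ips` distinct IPs inside one window.

    Catches proxy rotation: each source stays under the per-IP threshold, but the
    targeted account sees the whole campaign.
    """
    per_user = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "fail":
            per_user[user].append((ts, ip))
    flagged = set()
    for user, entries in per_user.items():
        entries.sort()
        in_window = Counter()      # distinct IPs currently inside the sliding window
        lo = 0
        for hi, (t, ip) in enumerate(entries):
            in_window[ip] += 1
            while t - entries[lo][0] > window:      # slide the left edge forward
                old_ip = entries[lo][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                lo += 1
            if len(in_window) >= min_ips:
                flagged.add(user)
                break
    return flagged


def analyze(text):
    events = parse_audit_log(text)
    return {"noisy_sources": noisy_sources(events), "sprayed_accounts": sprayed_accounts(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {sorted(hits) or 'none'}")
```

Neither check needs to know what client produced the request, which is the point: a scripted browser that passes every request-level fingerprint still has to submit credentials at a rate and spread that a population of real users does not. The windows and thresholds here are illustrative; in practice they are tuned against the site's own baseline of failed logins per account and per source.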

Learn more about the Selenium Browser Automation Project here

Video Description:

Automated attack tools are evolving quickly. Increasing scale, sophistication, and human emulation give threat actors better chances of bypassing existing Bot Defense countermeasures, leading to Account Takeover and Fraud. In this session we'll demonstrate how attacks evolve from bots to fraud.

Hope you guys enjoyed this Overview and Demo. If there are any comments or questions please feel free to reach us in the comments section. Thanks!

Updated Apr 23, 2024
Version 3.0