A presentation I gave at FraudCon on June 28 2017, an event which was part of CyberWeek Israel.
Discussing automated fraud in the hands of attackers against commerce websites, and some ways to fight back.
3. Bot evolution: bots are evolving rapidly
Gen 4 Bots - Infected Users
Hijacked Browsers, Fake Extensions
Gen 3 Bots - Headless Browsers
JavaScript, Cookies, Engine Automation
Gen 2 Bots - Scripts + State
No JavaScript, Cookies
Gen 1 Bots - Scripts
No JavaScript, No Cookies
10. Basic techniques
▪ Support multi-factor-authentication
▪ Encrypt or hash stored credentials
▪ Have good password practices
Don't be one of these guys
http://badpasswordpolicies.tumblr.com/
11. Monitor correctly
▪ Separate API from website – different endpoint URL
▪ Monitor logins for anomalies and spikes
▪ Look up suspicious user agents on GitHub (and not just Google)
http://mstajbakhsh.github.io/Microbot/
12. Detect
▪ Validate that the user is running JavaScript
▪ Validate a cookie
▪ Device fingerprint (https://github.com/Valve/fingerprintjs2)
▪ Track legitimate flow
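An added example (not code from the talk) that ties the detection checks above to the bot generations from the evolution slide: an HMAC-signed cookie catches Gen 1 scripts, a token only the page's JavaScript can derive catches Gen 2, and a per-minute login counter flags the spikes the monitoring slide mentions. The secret key, cookie format and log lines are all constructed for the example.

```python
import hmac
import hashlib
from collections import Counter

SECRET = b"server-side-secret"  # hypothetical key; rotate it like any other secret

def issue_cookie(session_id: str) -> str:
    """Cookie set on the first response: session id plus an HMAC tag so it cannot be forged."""
    tag = hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{session_id}.{tag}"

def cookie_valid(cookie: str) -> bool:
    """A client that never returns a valid cookie is behaving like a Gen 1 script."""
    if not cookie or "." not in cookie:
        return False
    sid, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(tag, expected)

def js_token(cookie: str) -> str:
    """Value the page's JavaScript derives from the cookie and submits with the form.
    A client without a JS engine (Gen 1/2) cannot produce it."""
    return hashlib.sha256(b"js:" + cookie.encode()).hexdigest()[:12]

def classify_client(cookie: str, token: str) -> str:
    """Lowest bot generation consistent with the checks this client passed."""
    if not cookie_valid(cookie):
        return "gen1-no-cookie"
    if not hmac.compare_digest(token or "", js_token(cookie)):
        return "gen2-no-js"
    return "gen3-or-human"  # cookie and JS both pass: needs fingerprint and flow checks

def login_spikes(log_lines, factor=5):
    """Flag minutes whose login count exceeds `factor` times the median minute."""
    per_minute = Counter(line.split()[0][:16] for line in log_lines)  # 'YYYY-MM-DDTHH:MM'
    counts = sorted(per_minute.values())
    median = counts[len(counts) // 2]
    return sorted(m for m, n in per_minute.items() if n > factor * median)

# Constructed sample login log: ISO timestamp, user, outcome
SAMPLE_LOG = (
    ["2017-06-28T09:00:%02dZ alice ok" % s for s in range(0, 2)]
    + ["2017-06-28T09:01:%02dZ bob ok" % s for s in range(0, 2)]
    + ["2017-06-28T09:02:%02dZ u%d fail" % (s, s) for s in range(0, 40)]
)
```

A Gen 3 headless browser passes both checks, which is why the slide pairs them with device fingerprinting and tracking the legitimate flow.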
13. Recommended resources
▪ Have I Been Pwned by Troy Hunt - https://haveibeenpwned.com/
▪ Biggest breaches - http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
▪ Detection labs - https://github.com/PerimeterX/bot-tools
▪ Device Fingerprinting - https://github.com/Valve/fingerprintjs2