This talk was given on September 27th, 2019 at OWASP's Global AppSec conference in Amsterdam.

1. Jarrod Overson @ Shape Security
Where do account takeovers go from here?
THE STATE OF CREDENTIAL STUFFING

2. CREDENTIAL STUFFING STEP BY STEP GUIDE
1 Get Credentials
2 Automate Login
3
4
Defeat Automation Defenses
Distribute Globally
cre·den·'al stuff·ing
/krəˈden(t)SHəl ˈstəfiNG/
The replay of breached username/password
pairs across sites to find accounts where
passwords have been reused.

3. 2 Billion
The record number of attacks
Shape has blocked in one day.
Credential Stuffing by the numbers
A problem that has exploded.
3 Billion
The largest recorded attack
campaign against one URL for
one company in one week.
1 Billion
New credentials spilled in 2018.
Jarrod Overson

4. Agenda
Attack Detail and Cost
How credential stuffing has evolved
Where ATOs go from here
1
2
3

5. MANUAL WORK AUTOMATIONvs

6. MANUAL WORK AUTOMATION

7. MANUAL WORK AUTOMATION
Sufficient when
value is high
Can’t scale when
value is reduced
Can’t scale when
cost is increased
Sufficient when
value is low

8. If there are no defenses in place, the cost is nearly zero.
valuecost
Any attacker can use existing attack tools, strategies, and exploits.
Jarrod Overson

9. Any defense increases the cost by forcing a generational shift.
valuecost
Generation 1
The cost of entry to each new generation is high at the start.
Jarrod Overson

10. Enough defenses tip cost vs value in your favor
valuecost
Generation 1
Generation 2
Generation 3
This is where you want to be.
Jarrod Overson

11. The cost of entry for each generation decreases over time.
valuecost
All technology gets cheaper as it becomes better understood.
Jarrod Overson

12. While the value of successful attacks only goes up.
valuecost
Jarrod Overson

13. 1. Get Credentials
CREDENTIAL
STUFFING

14. 1. Get Credentials
2. Automate Login
CREDENTIAL
STUFFING

15. 1. Get Credentials
2. Automate Login
CREDENTIAL
STUFFING

16. 1. Get Credentials
2. Automate Login
3. Defeat Defenses
CREDENTIAL
STUFFING

17. 1. Get Credentials
2. Automate Login
3. Defeat Defenses
CREDENTIAL
STUFFING

18. 1. Get Credentials
2. Automate Login
3. Defeat Defenses
CREDENTIAL
STUFFING

19. 1. Get Credentials
2. Automate Login
3. Defeat Defenses
4. Distribute
CREDENTIAL
STUFFING

20. $0
2.3 billion credentials
$0-50
For tool configuration
$0-139
For 100,000 solved
CAPTCHAs
$0-10
For 1,000 global IPs
100,000 ATO attempts can be tried for less than $200 USD
<$0.002
per ATO attempt.
Jarrod Overson

21. $2 - $150+
Typical range of account values.
Identifying our rate of return
0.2% - 2%
Success rate of a typical credential
stuffing attack.
The rate of return on a credential stuffing attack is 100% on the low end
and 150,000%+ on the high end.
$0.002
Cost per individual attempt.

22. Agenda
Attack Detail and Cost
How credential stuffing has evolved
Where ATOs go from here
1
2
3

23. Generation 0: Basic HTTP requests with common tools

24. SentryMBA
The classic.
• Performs basic HTTP requests.
• Extensible and highly configurable.
• Tailored towards specific attack use cases.

25. Early defense: IP Rate limiting.
0k
50k
100k
Iteration 1 : Rotate through proxies

28. Defense: Text-based CAPTCHAs
Iteration 2: Attacks using CAPTCHA Solvers.

29. Defense: Dynamic sites and JavaScript heavy defenses.
Iteration 3: Scriptable WebViews

30. GET / HTTP/1.1
Host: localhost:1337
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/
*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.
(KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X) AppleWebKit/534.34 (KHT
like Gecko) PhantomJS/1.9.8 Safari/534.34
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: Keep-Alive
Accept-Encoding: gzip
Accept-Language: en-US,*
Host: localhost:1337
Defense: Header Fingerprinting & Environment Checks

31. Iteration 4: Scriptable Consumer Browsers
Defense: Browser Fingerprinting
Like Selenium and Puppeteer

32. Iteration 5: Randomizing Fingerprint Data Sources
FraudFox & AntiDetect
FraudFox is a VM-Based
anti-fingerprinting
solution.
AntiDetect randomizes
the data sources that are
commonly used to
fingerprint modern
browsers.

33. Behavior Analysis
Naive bots give themselves away by
ignoring normal human behavior.
Humans don't always click in the upper left
hand corner and don't type out words all at
once.
Capturing basic behavior can make naive
automation easy to knock down.
Defense: Behavior Analysis for Negative Traits

34. Iteration 6: Behavior Emulation
Browser Automation Studio
BAS is an automation tool that
combines CAPTCHA solving,
proxy rotation, and loads of
other features with emulated
human behavior all driving a
real Chrome browser.

35. Validating Fingerprint Data
Good Users don't lie much.
Attackers lie a lot. They use a
handful of clients but need to
look like they are coming from
thousands.
Those lies add up.
Defense: Browser Consistency Checks

36. Iteration 7: Use real device fingerprints
Using Real Fingerprints
Fingerprint Switcher allows a
user to cycle through real
browser's fingerprints,
reducing the number of lies
present in the data.

37. The direction these attacks are moving in is clear.
The end game is flawless emulation of human behavior and real devices on home networks.
We call these "Imitation Attacks"
Imitation attacks indicate sophisticated fraud from persistent attackers.
Imitation attacks go back and forth between attacker and defender trying to
drive the attack traffic to be indistinguishable from legitimate user traffic.
Not all automation is an imitation attack, not all imitation attacks are automated.

38. Agenda
Attack Detail and Cost
How credential stuffing has evolved
Where ATOs go from here
1
2
3

39. First, let's clear something up.
2FA does not stop credential stuffing.
The point of credential stuffing is to find valid accounts.
Credential stuffing, even with 2FA, still results in valid accounts.
2FA stops automated account takeovers.

40. **************
victim@gmail.com
Submit
Username
Password
How can an attacker bypass 2FA?
Don't overthink it. Easy attacks are cheap and get good results.
Jarrod Overson

41. *******
barry@gmail.com
Submit
Username
Password
Barry, an everyday user, logs in as normal.

42. Logging in
Barry experiences a login delay but he is used to that.

43. Logging in
Add Payee
This time an injected script or malicious extension kicks in.

44. Logging in
****************
Add Payee
The script tries to add a new payee...

45. Logging in
...which is successful because why wouldn't it be?

46. Logging in
Send Funds
The script then attempts to transfer funds.

47. Logging in
Send Funds
2500
Usually a flat number or percentage, whichever is lower.

48. Logging in
Enter 2FA Token
This time the risk score is too high. Time for additional auth.

49. Enter 2FA Token
Enter 2FA Token
072344
But Barry's used to this flow and doesn't see a problem.

50. Enter 2FA Token
Enter 2FA Token
072344
072344
The script grabs the token and funds are transferred.

52. Photo
Extensions looking for new owners are easy to come by.
It started with ad fraud, moved to cryptomining, and now includes ATOs.

53. Photo
Not good enough? Build your malware directly into the target app.
Popular open source package exploited to inject malicious code into mobile app directly.

54. What's beyond credential stuffing?

55. The value in our accounts is not going away.
As we raise the cost of credential stuffing there is greater incentive to diversify attacks.
Valid Accounts
Credential Stuffing ???

56. Genesis is an early example of the next generation.
Malware that resides at the host to scrape account and environment details.

57. Thousands of infections and growing.

58. Advertises the high profile accounts the bot has already scraped.

59. Regularly updates its records with newly acquired accounts.

60. Each infected computer and its data is sold as one unit
$

61. Photo
Each bot gives the purchaser exclusive access to its data.
One buyer per bot.

62. Bots can have hundreds of scraped resources and accounts.
The bots will collect everything it can, even if it isn't sure what it is yet.

63. Genesis can generate the fingerprints of your exact target.
This bypasses many risk-scoring mechanisms that look for activity from new devices.

64. Select the fingerprint you are looking for
Configure which parts you want to emulate

65. And load it into your current session via the Genesis Security Plugin
Voila! Now you are your target.
93970994-EC4E-447B-B2BD-DE2F4215A44E

66. It follows the rules of shady actors in the CIS.

67. Malware that scrapes, learns, and imitates its host users is what's next.
We've started seeing the signs in ad fraud.

68. Fraud is a human problem, not a technical problem.
Advanced credential stuffing is sophisticated fraud. Treat it as more than simple
automation. Talk to your fraud teams and work from the scams backward.
Imitation attacks are designed to blend in. If you don't think you have a problem,
look deeper until you know you don't have a problem.
Attackers are economically driven, we need to attack the economics. Simple
solutions are only temporary. Every defense will fail if the value is still there.
There are no silver bullet solutions against humans.

69. THANK YOU
- Jarrod Overson
@jsoverson on twitter, medium, and github.