Web Fraud & Business Logic Security - Hybrid Security

Nov 2, 2013




Cyber Fraud

Copyright © Hybrid Application Security Ltd. (2010-2012). All Rights Reserved.



Pioneer in AI based website protection



First business-logic security solution



Website misuse detection



User behavior profiling


Hybrid Leak Sensor


About Me



Founder: Hybrid Security

Blogger: Chapters In Web Security

Hacker: MultInjector, WebTuff, R.U.D.Y

Cyber Fraud



Identity and CC fraud




Automated bot activities




Business logic abuse


Citibank

Sony

AT&T


Exponential growth

Geographic clusters

Mutual website-client infection

Bot Epidemic

Infections - McAfee

Distribution - Microsoft

Man-In-The-Browser

“…Automated transaction monitoring or anomaly detection and response could have prevented many of the frauds…” FFIEC

Business Logic Flows

(flow diagram; node labels as extracted) Land, Login, Register, Registration Details, Verify Email, Main Page, Item Search, Results, Add To Shopping Cart, Payment & Checkout

Missing / additional parameters

Vulnerable password recovery

False registration

Invalid parameters

Invalid business workflows

Guessable session identifiers

Forceful browsing

Business Logic Flaws

Highly Illogical
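Server-side enforcement of a business workflow like the one on the flow slide, as an added example that is not part of the original deck and not Hybrid's code. It models the flow as a per-session state machine in which every step declares the steps that may precede it and exactly the parameters it accepts, so out-of-order requests (forceful browsing, invalid workflows) and missing or additional parameters are rejected instead of silently processed. The step names, parameter names and the sample requests are constructed for illustration; the slides only name the pages.

```python
"""Server-side business-workflow enforcement (added example, not Hybrid's code).

Each step of the flow declares the steps that may precede it and exactly the
parameters it accepts.  A request is rejected, and recorded as a violation, if
it arrives out of order (forceful browsing / invalid workflow), lacks a
required parameter, or carries a parameter the step never defined.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# step -> (allowed previous steps, required params, optional params)
# Step and parameter names are illustrative assumptions; the slide only names pages.
FLOW: Dict[str, Tuple[Set[Optional[str]], Set[str], Set[str]]] = {
    "land":         ({None}, set(), set()),
    "login":        ({"land"}, {"user", "password"}, set()),
    "register":     ({"land"}, {"email"}, set()),
    "reg_details":  ({"register"}, {"name", "address"}, set()),
    "verify_email": ({"reg_details"}, {"token"}, set()),
    "main":         ({"login", "verify_email", "results", "add_to_cart"}, set(), set()),
    "search":       ({"main", "results"}, {"q"}, {"page"}),
    "results":      ({"search"}, set(), {"page"}),
    "add_to_cart":  ({"results"}, {"item_id", "qty"}, set()),
    "checkout":     ({"add_to_cart"}, {"card_token"}, {"coupon"}),
}


@dataclass
class Session:
    state: Optional[str] = None          # last step completed successfully
    violations: List[str] = field(default_factory=list)


def handle(session: Session, step: str, params: Dict[str, str]) -> Optional[str]:
    """Apply one request to the session.  Returns None and advances the state on
    success, otherwise the violation message (the state is left unchanged)."""
    spec = FLOW.get(step)
    if spec is None:
        violation = f"unknown step {step!r}"
    else:
        allowed_prev, required, optional = spec
        keys = set(params)
        if session.state not in allowed_prev:
            violation = f"invalid workflow: {session.state} -> {step} (forceful browsing)"
        elif required - keys:
            violation = f"missing parameters for {step}: {sorted(required - keys)}"
        elif keys - required - optional:
            violation = f"additional parameters for {step}: {sorted(keys - required - optional)}"
        else:
            session.state = step
            return None
    session.violations.append(violation)
    return violation


def replay(requests) -> Dict[str, List[str]]:
    """Run (session_id, step, params) triples through the state machine and
    return the violations recorded per session."""
    sessions: Dict[str, Session] = {}
    for sid, step, params in requests:
        handle(sessions.setdefault(sid, Session()), step, params)
    return {sid: s.violations for sid, s in sessions.items()}


# Constructed sample traffic (not real logs): s1 follows the flow, s2 abuses it.
SAMPLE_REQUESTS = [
    ("s1", "land", {}),
    ("s1", "register", {"email": "a@example.test"}),
    ("s1", "reg_details", {"name": "A. User", "address": "1 Main St"}),
    ("s1", "verify_email", {"token": "t0k3n"}),
    ("s1", "main", {}),
    ("s1", "search", {"q": "tickets"}),
    ("s1", "results", {"page": "1"}),
    ("s1", "add_to_cart", {"item_id": "42", "qty": "1"}),
    ("s1", "checkout", {"card_token": "tok_abc"}),
    ("s2", "land", {}),
    ("s2", "checkout", {"card_token": "tok_xyz"}),                        # straight to payment
    ("s2", "login", {"user": "bob"}),                                      # password missing
    ("s2", "login", {"user": "bob", "password": "pw", "is_admin": "1"}),  # injected parameter
    ("s2", "login", {"user": "bob", "password": "pw"}),
    ("s2", "add_to_cart", {"item_id": "42", "qty": "1"}),                 # skipped search/results
]

if __name__ == "__main__":
    for sid, violations in replay(SAMPLE_REQUESTS).items():
        print(sid, violations or "clean")
```

The point of the table-driven design is that the allowed transitions and the parameter schema live in one place the application can be audited against; a request that is not in the table is rejected by default, which is the opposite of the usual "accept whatever arrives and look up the ones we know" pattern the flaws on the slide exploit.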

Target Victims

Airlines

Government

Gaming

Financial

Subscription Services

E-Commerce

Commission manipulation

Spread tampering

Transaction time lingering

Logic fuzzing

Forex Fraud


0.01 (source currency; the currency symbol did not survive extraction) ≈ 0.00168144044 £

Forex Fraud

Normal business logic:
1,000,000 transactions * 0.00168144044 £ = 1681.44044 £ (≈ 10,000 in the source currency)

After 2-digit currency rounding:
1,000,000 transactions * 0.01 £ = 10,000 £ (≈ 60,000 in the source currency)

500% more satisfaction for the buck!!

( , April 8 2012)

Client-side logic flaws: Flash / JS / Java / Silverlight

Digital goods theft

Poker bots

Player collusion

Screen scraping

Online Gaming Fraud

Using GHDB / Shodan to hack into open PBX

Authentication bypass / unpaid content download

Subscriber PII scraping

Telecom Fraud

Browser “Helper” Objects

Parameter injection

Evil Bankers

Pump & Dump

Account traversal

E-Banking Fraud

Concerts, sports, flights, movies

Ticket scalping bots

Lower vendor margins

Seat locking & defacement

Ticket Order Fraud

Web 2.0 spam bots

Social scrapers

Predators & imposters

Phishing

Likejacking

Social Network Fraud

Card-Not-Present

eWallet Pick-pocketing (Google, PayPal)

Auction bots

Affiliate click fraud

Stolen goods

E-Commerce Fraud

Data mining / Industrial Espionage / Email harvesting

Browser COM API + JavaScript injection

Scrape-As-A-Service: ScraperWiki

Spiders & Scrapers


Black & white lists



Dynamic web page profiling



Heuristic behavior analysis

Technology Evolution
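One way to turn the "heuristic behavior analysis" stage into code, as an added example that is not Hybrid's detection logic and not part of the original deck. It scores each session in a constructed access log for the traces a ticket-scalping bot from the Ticket Order Fraud slide leaves behind: many seat locks with no checkout, machine-regular request timing, and never fetching the static assets a real browser loads. The log format, the paths (/seat/lock, /checkout, /static/) and the thresholds are assumptions for illustration; a deployment would tune them against its own traffic.

```python
"""Heuristic behavior analysis over access-log lines (added example, not
Hybrid's detection logic).  Each session is scored for traces a scalping bot
leaves: many seat locks with no checkout, machine-regular request timing, and
never fetching the static assets a real browser loads.  Log format, paths and
thresholds are illustrative assumptions."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# constructed log format: ISO timestamp, session id, quoted request line
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<sid>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)"$')

LOCK_PATH, CHECKOUT_PATH, ASSET_PREFIX = "/seat/lock", "/checkout", "/static/"
MIN_LOCKS = 3          # seat locks without any checkout before we care
MAX_TIMING_CV = 0.10   # coefficient of variation below this = machine-regular
MIN_EVENTS = 3         # too few requests to judge timing or asset loading

Event = Tuple[datetime, str, str]


def parse(log_text: str) -> Dict[str, List[Event]]:
    """Group parseable log lines by session id; unparseable lines are skipped."""
    sessions: Dict[str, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            sessions[m["sid"]].append((datetime.fromisoformat(m["ts"]), m["method"], m["path"]))
    return dict(sessions)


def score_session(events: List[Event]) -> List[str]:
    """Return the list of bot indicators observed for one session."""
    events = sorted(events)
    paths = [p for _, _, p in events]
    locks = paths.count(LOCK_PATH)
    checkouts = paths.count(CHECKOUT_PATH)
    assets = sum(p.startswith(ASSET_PREFIX) for p in paths)
    reasons = []
    if locks >= MIN_LOCKS and checkouts == 0:
        reasons.append(f"{locks} seat locks, no checkout")
    stamps = [ts for ts, _, _ in events]
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) >= MIN_EVENTS - 1 and statistics.mean(gaps) > 0:
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)  # 0 = perfectly periodic
        if cv < MAX_TIMING_CV:
            reasons.append(f"machine-regular timing (cv={cv:.2f})")
    if len(events) >= MIN_EVENTS and assets == 0:
        reasons.append("no static assets fetched")
    return reasons


def flag_sessions(log_text: str, min_reasons: int = 2) -> Dict[str, List[str]]:
    """Sessions showing at least min_reasons indicators, with their reasons."""
    flagged = {}
    for sid, events in parse(log_text).items():
        reasons = score_session(events)
        if len(reasons) >= min_reasons:
            flagged[sid] = reasons
    return flagged


# Constructed sample log (not real traffic): one browsing human, one lock-spamming bot.
SAMPLE_LOG = """\
2012-04-08T10:00:00.000 s-human "GET /event/123"
2012-04-08T10:00:00.400 s-human "GET /static/app.js"
2012-04-08T10:00:07.900 s-human "POST /seat/lock"
2012-04-08T10:00:31.200 s-human "POST /checkout"
2012-04-08T10:00:00.000 s-bot "POST /seat/lock"
2012-04-08T10:00:00.250 s-bot "POST /seat/lock"
2012-04-08T10:00:00.500 s-bot "POST /seat/lock"
2012-04-08T10:00:00.750 s-bot "POST /seat/lock"
2012-04-08T10:00:01.000 s-bot "POST /seat/lock"
2012-04-08T10:00:01.250 s-bot "POST /seat/lock"
"""

if __name__ == "__main__":
    for sid, reasons in flag_sessions(SAMPLE_LOG).items():
        print(sid, "->", "; ".join(reasons))
```

Requiring two independent indicators before flagging is what keeps a single odd signal (a fast human, a browser with cached assets) from producing a false positive; each heuristic alone is weak, and the value of the behavior-analysis approach on the slide is in combining them per session rather than per request.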


Hybrid Appliance

Hybrid Telepath

Hybrid Cloud

Behavior Analysis


Hybrid Architecture



Reverse Proxies (F5, Zeus, Cisco)

SIM/SOC (HP, IBM, Symantec)

Firewalls (Juniper, Checkpoint, Cisco, Fortinet)

Analytics (Clicktale, GhostRec, LivePerson)

Sniffers (Radware, Metronome, Sourcefire)

Authentication (SafeNet, Microsoft, Oracle)

3rd Party Integration

Web: www.hybridsec.com

Email: info@hybridsec.com

Phone: +1 (650) 319-7389