The TruSTAR team recently had the opportunity to sit down with Jarrod Overson, the Director of Engineering at Shape Security. Jarrod, an expert in protecting websites and APIs against mass-scale automation attacks, has seen how these attacks have evolved over the years.
In a Q&A session with Chris Godfrey, TruSTAR’s Fraud Intelligence Lead, Jarrod shared with us some of his insights about modern account takeover attacks, the effects they have on a company and its users, and some strategies to help combat these attacks.
Below, we have edited and condensed part of the Q&A between Chris and Jarrod. To listen to the full discussion and hear about Jarrod’s top five security strategies to combat account takeover fraud, click here.
Chris Godfrey, Fraud Intelligence Lead at TruSTAR: Given your experience over the years, which you said spans from before the first protected transaction all the way to the billions of transactions you're seeing now, how has the account takeover landscape evolved over time?
Jarrod Overson, Director of Engineering at Shape Security: In the early days, before really all that many defenses were in place, it was very easy to kick off a lot of mass-scale credential stuffing attacks, which are easily the leading cause of mass account takeover right now, with very, very basic HTTP-level tools like cURL and Wget, and websites just kind of accepted whatever request got sent to them.
And then as we all learned how these attackers were taking advantage of our sites, we started to build defenses. Every time there's a new defense that's built in, regardless of what it really is, it causes the attackers to make a cost vs. value justification as to whether or not to retool and continue attacking the site. If the value is high enough for the site, then attackers will retool, and that generational shift is where we see a lot of new innovation in attacks and attack strategies. Each generation of attack comes with new learnings, requires new defenses, and it's an enlightening view into how far attackers will go in order to defeat the defenses on these websites.
That level of sophistication and the generations of attacks we've seen have been incredible, especially over the past five years, and it is at a point where attacks are very, very sophisticated now, and it shows no sign of slowing down. The next three years of attacks are kind of what's scaring me the most because we're at a point now where attacks are so sophisticated that the web and web standards and browsers need to change in order to keep up with these attacks.
Chris Godfrey, Fraud Intelligence Lead at TruSTAR: Can you give us an idea about the type of attacks that you're all seeing? Do they originate from humans or bots? Do they come from click farms? What does it all look like?
Jarrod Overson, Director at Shape Security: A vast majority of automated traffic is what you can classify as “bot”, but “bot” seems to almost be trivializing the sophistication of the attacks that we're seeing nowadays. These are bots that are replaying or learning human behavior, and obscuring their origin to extreme degrees, proxying through residential home networks. It's definitely much more sophisticated than I think the bot term implies given how things evolved over the past few years, but these credentials are absolutely being weaponized in credential stuffing attacks very, very, very regularly.
The average success rate that we see for credential stuffing attacks is between 0.2 and 2%, which means that for massive attacks, you're going to get a very, very small fraction of valid accounts. And with that list of valid accounts afterward, the value of subsequent attacks is raised greatly, which allows attackers to rely less on pure automation and even to deal more with manual fraud, because you have the list of all the accounts. You know that every action you're going to take on that is very likely to lead to a return.
Chris Godfrey, Fraud Intelligence Lead at TruSTAR: I know you guys at Shape are doing some very interesting things while looking for active attacks. Can you talk about that a little bit?
Jarrod Overson, Director at Shape Security: We can see a credential stuffing attack that is automated. We can see an attack that is linked to other attacks. And when we see those, we can make a very reasonable assumption that the credentials in that attack are from a breach.
So because of our own dark web research and the fact that that megaleak was distributed so easily, we have our own database of previously breached credentials, I think, that we found on the dark web or publicly. But because we are in a position of detecting attacks so early, we can determine whether or not the credentials used in those attacks do exist in public or dark web breach lists. But even if they're not, we can still track those as a very high possibility of a new breach that has not yet been publicly disclosed or discovered on the dark web.
Chris Godfrey, Fraud Intelligence Lead at TruSTAR: Out of the five strategies to fight against account takeover attacks that you shared with us, which one would you say is the most important?
Jarrod Overson, Director at Shape Security: Making sure that the company has an understanding of what the accounts’ value is. Understanding the types of fraud that exist and whether or not they manifest from an account takeover. They could check out some common dark web marketplaces or look for instances of your company or companies that are competitors or in the same industry. Just getting an understanding of what exists out there so that you can better frame the discussion internally, because if you don't start understanding what you don't know, then it becomes hard to have discussions internally, and it becomes impossible to prioritize anything.
To listen to the full Q&A session with Jarrod Overson and hear about his top five strategies to combat account takeover attacks, click here.
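Jarrod describes automated credential stuffing by its shape: high volume, many different accounts tried from the same tooling, and a success rate of roughly 0.2% to 2%. The following example, added to this write-up and not code from Shape Security or TruSTAR, turns those two signals into a simple detector that a defender can run over their own login logs. The log lines, the `OK`/`FAIL` result format, and the thresholds (`min_attempts`, `min_distinct_users`, `max_success_rate`) are all assumptions constructed for the example. A site-wide check is included alongside the per-IP check, because the interview also notes that attackers proxy through residential networks, which defeats per-IP counting on its own.

```python
from collections import defaultdict
from dataclasses import dataclass, field


def constructed_log():
    """Constructed sample login log (not real traffic). Format per line:
    '<timestamp> <source_ip> <username> <OK|FAIL>'."""
    lines = []
    # One source trying 50 different usernames once each; 1 of 50 succeeds (2%),
    # the kind of low hit rate the interview describes for credential stuffing.
    for i in range(50):
        result = "OK" if i == 17 else "FAIL"
        lines.append(f"2021-05-01T10:00:{i % 60:02d}Z 203.0.113.7 user{i:03d} {result}")
    # A legitimate user mistyping their password twice before logging in.
    lines += [
        "2021-05-01T10:01:10Z 198.51.100.23 alice FAIL",
        "2021-05-01T10:01:25Z 198.51.100.23 alice FAIL",
        "2021-05-01T10:01:40Z 198.51.100.23 alice OK",
    ]
    return lines


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    usernames: set = field(default_factory=set)

    @property
    def success_rate(self):
        return self.successes / self.attempts if self.attempts else 0.0


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"


def summarize(lines):
    """Aggregate attempts, successes and distinct usernames per source IP
    and across the whole site."""
    per_ip = defaultdict(SourceStats)
    site = SourceStats()
    for line in lines:
        _, ip, user, ok = parse_line(line)
        for stats in (per_ip[ip], site):
            stats.attempts += 1
            stats.successes += int(ok)
            stats.usernames.add(user)
    return dict(per_ip), site


def flag_stuffing(per_ip, min_attempts=20, min_distinct_users=10, max_success_rate=0.05):
    """Return {ip: success_rate} for sources that look like credential stuffing:
    many attempts, many distinct usernames, and a low success rate.
    Thresholds are assumptions for this example, not values from the interview."""
    return {
        ip: stats.success_rate
        for ip, stats in per_ip.items()
        if stats.attempts >= min_attempts
        and len(stats.usernames) >= min_distinct_users
        and stats.success_rate <= max_success_rate
    }


def campaign_suspected(site, min_distinct_users=40, max_success_rate=0.05):
    """Site-wide check that still fires when an attacker spreads the same
    campaign across many proxies: count distinct usernames tried and the
    overall success rate instead of looking at any single IP."""
    return (len(site.usernames) >= min_distinct_users
            and site.success_rate <= max_success_rate)


if __name__ == "__main__":
    per_ip, site = summarize(constructed_log())
    print("per-IP stuffing sources:", flag_stuffing(per_ip))
    print("site-wide campaign suspected:", campaign_suspected(site))
```

On the constructed log, the single source cycling through 50 usernames is flagged with a 2% success rate while the user who mistyped their password twice is not. In practice the site-wide counters should be kept over a sliding time window, and the thresholds tuned against the site's normal distinct-user rate, so that a distributed campaign with a low per-IP volume still stands out.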