How do web attackers exploit applications for financial gain through credential resale, money laundering, headless browser automation, and MFA-bypassing phishing proxies, and why does cyber fraud remain low-risk yet highly profitable?

Why do attackers attack?

When we consider the security of a web application, we should not only consider the application itself, but also the people and processes associated with the application. Attackers don't (usually) attack a system for the fun of it (although some do!). They usually have some higher objective in mind.

The best way to defend against fraud in a system is to think like an attacker. By putting yourself in the attacker's shoes, you will start to ask questions like:

• What can I possibly gain by exploiting the system? Are the rewards guaranteed? How do I get the rewards out of the system? Are the rewards liquid, or do I need to spend more time and effort to liquidate them for money?
• Besides money, what else could I gain from exploiting the system?
• How difficult is it for me to exploit the system? What is the easiest way to do so? Can I perform the exploit manually (and still get my rewards), or do I need to hit some minimum scale?
• What are the chances of getting caught? What are the ramifications?

Rewards

Rewards are often, but not always, monetary in nature. Cash is obviously the most liquid reward: Consider that more than 100 billion USD worth of fraudulent unemployment claims have been paid out since the pandemic started. There are numerous ways to defraud a system for cash: Stolen credit cards and remote check deposit are two common methods.

Gift cards probably come a close second, since many gift cards are almost as liquid as cash. Consider an Amazon or Target gift card -- You could buy anything with them, and it would be really difficult to trace your purchase. In the first nine months of 2021, gift card fraud losses totaled $148 million, according to the Federal Trade Commission (FTC). That works out to some $23,000 per hour. Of this staggering amount, $35 million was attributed to Target gift cards.

The truth is that any digital system holding something of significant value is bound to be attacked at some point. This includes really obvious targets such as online banking accounts and airlines' websites, to less obvious (perhaps more localized) targets such as grocery store rewards websites and mobile network carrier sites (like T-Mobile).

Systems can also be exploited to enable or facilitate financial gain occurring on other systems. A common example is money laundering. Consider this: If you had $10M in illicit gains, how would you "clean" the money to avoid being discovered? One option would be to create many bank accounts (preferably in different banks) with different synthetic or stolen identities, deposit a certain amount (say $9,500 – just under the $10,000 threshold for transaction reporting), and then transfer the money across many accounts (in different quantities), before finally transferring them to a smaller number of accounts that you own. This operation is also known as "rinsing". Instead of synthetic identities, you could also hire a mule.

Attackers also extract value from systems in other ways. Besides cashing out directly from a system, they might also simply sell access to the system. It is fairly common to see bundles of user credentials being sold on the dark web. One potential advantage of selling access to a list of accounts is that the attacker could resell the same credentials multiple times and reap a larger profit than the value of the account.

How do fraudsters use stolen credit cards? Case study: A popular U.S. fast food chain

Let's call this fast food chain "H". H is one of the largest fast food chains in the U.S., with thousands of stores in the U.S. and globally. H's website accepts online orders, and H partners with DoorDash and other companies to deliver its food to customers from H's physical stores.

As an attacker, what is there to gain by exploiting H's website? What does it even mean to exploit H's website?

Turns out that there is a lot to be gained! Here is one common exploit:

• Fraudsters would advertise heavy discounts (50% or more) for H's meals online -- such as on Twitter or various Discord servers.
• Interested buyers would see those posts, and send their orders (typically large, in excess of $100) in to these fraudsters via DMs. They would pay these fraudsters the discounted price via PayPal, Venmo, Zelle, or some other means.
• Fraudsters would place these orders online on H's website using stolen credit cards, and have them delivered to the buyers.
• The buyers score a heavily discounted meal, and the fraudsters pocket the money from the buyers.

While this might not seem like a lot of money, it quickly adds up. Because the fraudsters are able to accept orders from anywhere in the U.S., there is no shortage of demand. If each meal is on average $100 and marketed with a 50% discount as $50, a hundred meals per day would already net $5,000 in profits.

Of course, this depends on a healthy supply of stolen credit cards. Those can often be bought from the dark web, or provided by some other reputable supplier. If each stolen card works for at least 10-20 orders, each fraudster only needs to run through 5-10 credit cards per day.

It is therefore not surprising that H's fraud rate was extremely high, even by online fast food restaurants' standards. Its gross fraud rate exceeded 1% during some months!

Exploits

As an attacker, it is also important to consider how easy it is to exploit a particular system. Between two systems holding similar value (e.g. two online banking systems), the attacker would probably choose the one that is easier to exploit.

Attackers often, but not always, use some form of automation to help them exploit systems at scale. Depending on the sophistication of the target system's defence, attackers might write simple Bash scripts using tools like CURL or Python requests, or use headless browsers with tools such as Selenium or Puppeteer. More advanced attackers might resort to entire suites like Browser Automation Studio, which can simulate fairly realistic user behavior.

This carries additional risk because this type of automation tends to leave its own unique signature, which can be "fingerprinted" and used to trace attackers, as well as to correlate their activity across web applications over time. (The one notable exception to this is when attackers target APIs, as it is much more difficult to secure APIs.) Over the next few weeks, we will explore some techniques that will help you to identify such automated and malicious activity.

One challenge that fraudsters face is that they often have to impersonate victims online. Most of the time, all it takes to do so is to simply obtain the victim's credentials and use them. However, there are an increasing number of solutions in the market to help protect web applications against various types of attacks. This forces many attackers to also invest more time in scaling up their "technology stack," such as by routing application requests through more legitimate and higher-quality IP addresses, or even copying and reconstructing users' known browser and device environments.

Note that when we consider the security of a web application, we should not only consider vulnerabilities in the application itself, but also vulnerabilities pertaining to the people and processes associated with it. Attackers will always choose the easiest route to exploit a given system. Humans are probably the most common source of failure in all technical systems, so phishing and spearphishing remain hugely popular options for attackers.

Does MFA always defeat phishing?

A common security feature to thwart the effects of phishing is to use multi-factor authentication (MFA) -- also commonly known as two-factor authentication, or 2FA. Dedicated tokens can be either hardware-based (e.g., an RSA token or Yubikey) or software-based (e.g., Google Authenticator or Microsoft Duo), and there are also SMS-based and email-based tokens. These focus on verifying the users' identities based on what they possess, in addition to their passwords (which is what they know).

While mandatory MFA has certainly improved the security of many online banking systems and other sensitive online systems, they can also be fairly costly to implement. They may not always be practical (such as in retail situations), as they adversely affect user experience and often lower customer conversion rates.

They are also not necessarily secure! Around two to three years ago, a "real-time reverse phishing proxy" (or RTRP) became popular. Here is how it works:

Essentially:

• Fraudsters register large numbers of lookalike domains, where they host authentic-looking login systems, such as for a bank.
• An unsuspecting user somehow finds his way to such a page, and enters his credentials, expecting to login.
• The fraudster's RTRP receives these credentials, and programmatically drops them into the bank's actual login page, and attempts to login.
• At this point, the bank might detect that the user is attempting to log in from a new location, and require 2FA. Or, the bank might let the user through, and require 2FA for higher-risk transactions such as a money transfer. Either way, the bank shows a screen to the user (i.e., the fraudster) notifying them that a 2FA code has been triggered. The fraudster's RTRP system detects this, and in turn proxies this requirement to the user.
• If the user remains unsuspecting, then they will simply provide the 2FA code on the phishing website. The fraudster receives the code, and then provides it to their actual interaction with the bank.
• The bank thinks that the request is legitimate and lets the user through.

One such RTRP solution, Modlishka, became rather well-known in security circles as it was posted on Github (where it remains to date). It even links to a video demonstrating a SMS-based 2FA bypass attack.

This is conceptually fairly similar to a Man-in-the-Browser (MitB) attack. However, it is arguably even more potent because, unlike an MitB, it does not require the user's system to be compromised.

Risk

This may seem obvious: fraudsters will consider the risk involved in defrauding a system. Like any rational people, they will evaluate the risk and reward involved in performing an exploit, as well as the cost of performing it.

The TL;DR is that such risk is arguably much lower on the internet as compared to the physical world, as it is much easier to act anonymously online than offline. The popularity and ease-of-use of VPNs (including community-based VPNs such as Hola) and browser extensions such as Anti-detect make it difficult to track down attackers. Not to mention that browsers (and operating systems) increasingly adopt automatic updates, so there is much less entropy amongst browser versions than before, making it difficult to pinpoint any unusual browser versions used by attackers. (We will explore this further over the next few weeks.)

Look at any country's court cases, and it will be clear that the number of arrests and prosecutions for digital crime is significantly lower than that for physical crime, even as the damage from cybercrime continues to increase.

One possible reason why fraudsters are seldom prosecuted is that many fraudulent activities are not clearly criminal. Rather, many of these activities are most accurately classified as violations of private agreements (between organizations and users), and it is therefore up to businesses to investigate, and then to pursue them as civil cases. In fact, these businesses are often in the best position to conduct these investigations, as they run the servers on which such fraudulent activities happen. (Disclaimer: I am not a lawyer.)

Let's consider the problem of Netflix account sharing. Netflix's terms and conditions stipulate that an account may only be shared by persons living within the same household. Obviously there will be users who violate that for their own benefit, but I imagine that for this issue to be impacting Netflix's bottomline and stock price so much, this has to be happening at commerical scale. And this is most certainly the case -- just consider the number of websites that offer "high-quality" Netflix accounts on the cheap:

It is unlikely that any law enforcement agency would take the initiative to identify the "attackers" behind these $1 Netflix accounts. Even the question of which agency's jurisdiction this falls under is unclear, unless Netflix can prove the offenses were committed in a particular location.

When fraudsters do get caught...

Of the estimated $100 billion in fraudulent unemployment claims during the pandemic, only a tiny portion has been tracked. One of those cases involves Abidemi Rufai, 42, of Nigeria, a.k.a. Sandy Tang. He was arrested and charged for filing for over $350,000 worth of pandemic relief in unemployment claims in the Washington State Employment Security Department. He was found to have received almost $300,000! This is of course a significant amount, but one can only imagine how many Abidemi Rufais there must be working the system. (There is a similar case involving Chukwuemeka Onyegbula, also of Nigeria, a.k.a. Phillip Carter -- who is currently detained in Nigeria, and has defrauded 17 states of $290,000.)

The reason why Abidemi Rufai is known as Sandy Tang is because of the email addresses he allegedly used to file for unemployment benefits. The following picture is illustrative:

Note that the email addresses used are all variations of a single e-mail address: sandytangy58@gmail.com. Gmail ignores certain characters such as + and . within gmail addresses, while many systems (including, ostensibly, the systems used by Washington State) do not recognize that fact.

Given that creating new email addresses is free and does not take much effort, it is likely that most fraudsters targeting unemployment benefits would have used multiple email addresses in their pandemic relief applications.