Attackers are successfully pivoting away from complex technical exploits and are instead finding ways to exploit a business's core functionality. These business logic attacks abuse legitimate functions such as username and password login, adding a new payment card or changing a shipping address. They are significantly harder to detect and stop than traditional attacks because every individual action is one a typical user is expected to perform.
For instance, an e-commerce website will often not question a user that orders a delivery to a new address or submits a refund request. Yet behind that activity, there might be a criminal bot operator seeking to commit fraud, scrape information and generally profit from their abuse of the website’s functionality.
What are business logic attacks?
Just Eat and Deliveroo fell foul of multiple sustained business logic attacks during the summer, although that's not quite how the incident was reported. The attackers used usernames and passwords leaked in previous data breaches, replayed at scale by automated bot technology (credential stuffing), to take over customer accounts.
Here comes the clever part. The attackers understood the functionality of Just Eat and Deliveroo to an expert degree and were able to obtain refunds through the customer account using completely legitimate means. After all, there are multiple valid business reasons why a refund might be applied as account credit rather than repaid directly to a credit or debit card.
Once they have credit on the account it can be used to place an order for anything from ice cream to cider and cigarettes. Meanwhile, the real customer has no idea their account has been breached until they receive a text message or email confirming an order they didn't place.
The fatal flaw lies in the delivery service's very natural desire to make it easy for customers to obtain a refund, in the hope of retaining their loyalty. By abusing this functionality, anyone who fancies a cheap takeaway can buy a compromised account on the dark web and spend the refunded credit.
How do business logic attacks work?
While the Just Eat and Deliveroo attack required compromised account details, attacks that rely entirely on public-facing business logic are also common. Take sneaker bots, for instance.
Limited edition sneakers are big business. A pair of Air Jordan Travis Scott sneakers, for example, could be bought for $175 and resold for over $1,000. Grabbing these sneakers on release day means being quick, often far faster than any human.
Individuals or groups use bots to buy limited edition sneakers automatically and resell them for a fast profit. In this instance it is the easy checkout process that is manipulated: a bot program races through a flow that was deliberately designed to be as user-friendly, and therefore as quick to complete, as possible.
While selling out of sneakers might seem like a dream for a retailer, these tools generate huge amounts of traffic as they compete to grab the latest "kicks". At best this slows the website for regular customers; at worst it knocks it offline.
Another risk is that some of the bots pay with stolen credit cards, which exposes the retailer to chargebacks and fraud losses.
Inventory exhaustion is yet another example of a business logic attack. Here, bots put goods into a basket but don't actually buy them; instead they hold the items in the basket while trying to sell them on another website or online auction for a small profit. As a retailer you become frustrated that all your stock is being held in the checkout process while very few transactions complete.
With seasonal goods, new phone releases or airline tickets this might mean you miss the peak selling opportunity. Other risks include skewed analytics which make you think you need to drop prices or offer incentives to complete the checkout process when in reality this isn’t going to help. For the attacker there is no risk as they only complete the transaction when they have a guaranteed buyer and profit.
What these last two attacks have in common is that no "hacking" has taken place. The retailer's site has been used for exactly the purpose it was designed for; it is the business logic behind it that has been manipulated.
Preventing business logic attacks
Business logic attacks are bad for business, and retailers must be able to identify them and stop them when they occur. As well as hitting profits and revenue, these attacks damage the retailer's reputation with its customers.
Business logic attacks are typically automated by bot software. Bot operators rely on the scale and speed of automation ensuring they can launch attacks and commit fraud faster than any human could. Stop the bot and you stop the attack.
This is where it gets tricky for retailers. They have, rightly, made the buying process as simple and as frictionless as possible to keep customers on their site. Consumers are after all, accustomed to simple and easy e-commerce, and complicating the buyer journey with security measures risks losing out on sales.
Even simple "I am not a robot" CAPTCHA challenges will reduce revenue, and the more complex measures, such as picking out cars and crosswalks in a grid of photos, are likely to drive away even more potential customers.
Plus, not all bots are bad. Search engine spiders ensure that websites are indexed appropriately in search results, while comparison sites use scraper bots to collect prices and list them on their own site, generating referrals that retailers often rely on. Blanket identification and banning of bots isn't an option, and neither is introducing friction.
Retailers need, instead, to be able to identify the intent of bot traffic. The question needs to go beyond asking “is this a bot?” and ask “what is this bot doing?”. The automated nature of bots means there are patterns of identifiable behaviour when a bot has ill intent.
Once a retailer gains this visibility and understanding of their web app traffic, they can not only block the bots that attack them but start to make better business decisions with increased accuracy in their analytics, reduced fraud costs and less risk to website stability and performance. With bots now making up just over half of all website traffic, now is the time to start thinking about the risks they pose to your business.
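The following is an added example, not Netacea's code or anything from the incidents described above, of what "asking what the bot is doing" can look like in practice. It scores a constructed e-commerce event log for the three behaviours discussed on this page: a source replaying many different usernames with mostly failed logins (the credential stuffing behind the Just Eat and Deliveroo account takeovers), an account that takes a refund as credit and spends it minutes later from an address it has not used before, and a source that keeps adding stock to baskets but never checks out (inventory exhaustion). The log format, event names, IP addresses and thresholds are all assumptions chosen for illustration; no single line in the log is suspicious on its own, which is the point.

```python
"""Behaviour-based scoring of e-commerce traffic for bot intent.

Added example, not vendor code. Event names, fields, addresses and
thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Each line:
# <ISO time> <source ip> <account or -> <event> <detail or ->
SAMPLE_LOG = """\
2020-08-01T09:00:00 198.51.100.7 dave login_ok -
2020-08-01T10:00:00 192.0.2.9 - cart_add sku-aj1-ts
2020-08-01T10:00:01 192.0.2.9 - cart_add sku-aj1-ts
2020-08-01T10:00:02 192.0.2.9 - cart_add sku-aj1-ts
2020-08-01T10:00:03 192.0.2.9 - cart_add sku-aj1-ts
2020-08-01T10:00:10 192.0.2.10 - cart_add sku-aj1-ts
2020-08-01T10:04:00 192.0.2.10 - checkout sku-aj1-ts
2020-08-01T12:00:00 203.0.113.5 alice login_fail -
2020-08-01T12:00:01 203.0.113.5 bob login_fail -
2020-08-01T12:00:02 203.0.113.5 carol login_fail -
2020-08-01T12:00:03 203.0.113.5 dave login_ok -
2020-08-01T12:00:04 203.0.113.5 erin login_fail -
2020-08-01T12:00:05 203.0.113.5 frank login_fail -
2020-08-01T12:05:00 203.0.113.5 dave refund_credit 18.50
2020-08-01T12:06:30 203.0.113.5 dave order 18.20
"""


def parse_log(text):
    """Parse the space-separated format above into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, event, detail = line.split()
        events.append({"time": datetime.fromisoformat(ts), "ip": ip,
                       "account": None if account == "-" else account,
                       "event": event, "detail": detail})
    events.sort(key=lambda e: e["time"])
    return events


def credential_stuffing_sources(events, min_attempts=5, min_accounts=4,
                                min_fail_ratio=0.6):
    """Return {ip: (attempts, distinct accounts, failure ratio)} for sources
    that try many different usernames and mostly fail: a leaked credential
    list being replayed, not a user mistyping their own password."""
    attempts = defaultdict(list)
    for e in events:
        if e["event"] in ("login_ok", "login_fail"):
            attempts[e["ip"]].append(e)
    flagged = {}
    for ip, evs in attempts.items():
        accounts = {e["account"] for e in evs}
        fails = sum(e["event"] == "login_fail" for e in evs)
        ratio = fails / len(evs)
        if (len(evs) >= min_attempts and len(accounts) >= min_accounts
                and ratio >= min_fail_ratio):
            flagged[ip] = (len(evs), len(accounts), round(ratio, 2))
    return flagged


def refund_credit_abuse(events, max_gap=timedelta(minutes=30),
                        familiar_after=timedelta(hours=1)):
    """Return {account: ip} where a refund taken as account credit is spent on
    an order within max_gap, from an address that only started acting on the
    account less than familiar_after ago. Each step is legitimate alone; the
    combination is what a taken-over account looks like."""
    first_seen = {}   # (account, ip) -> first time that ip acted on the account
    pending = {}      # account -> time of the most recent refund-as-credit
    flagged = {}
    for e in events:
        acct = e["account"]
        if acct is None:
            continue
        key = (acct, e["ip"])
        first_seen.setdefault(key, e["time"])
        if e["event"] == "refund_credit":
            pending[acct] = e["time"]
        elif e["event"] == "order" and acct in pending:
            refund_time = pending.pop(acct)
            new_ip = e["time"] - first_seen[key] < familiar_after
            if e["time"] - refund_time <= max_gap and new_ip:
                flagged[acct] = e["ip"]
    return flagged


def inventory_hoarding_sources(events, min_adds=3):
    """Return {ip: (cart adds, checkouts)} for sources that keep putting stock
    into baskets but never complete a purchase."""
    adds, buys = defaultdict(int), defaultdict(int)
    for e in events:
        if e["event"] == "cart_add":
            adds[e["ip"]] += 1
        elif e["event"] == "checkout":
            buys[e["ip"]] += 1
    return {ip: (n, buys[ip]) for ip, n in adds.items()
            if n >= min_adds and buys[ip] == 0}


def score_traffic(text=SAMPLE_LOG):
    """Run all three intent checks over a log and return the findings."""
    events = parse_log(text)
    return {"credential_stuffing": credential_stuffing_sources(events),
            "refund_credit_abuse": refund_credit_abuse(events),
            "inventory_hoarding": inventory_hoarding_sources(events)}


if __name__ == "__main__":
    for label, hits in score_traffic().items():
        print(f"{label}: {hits}")
```

Run as-is, the script flags 203.0.113.5 for credential stuffing, the account dave for spending refund credit from that same freshly seen address, and 192.0.2.9 for hoarding baskets, while the genuine buyer at 192.0.2.10 and dave's earlier login from home pass untouched. In production the thresholds would be tuned per site, the "familiar address" test would use a device or session identifier rather than a bare IP (many legitimate users sit behind carrier NAT), and the outcome would feed a risk decision such as asking for step-up authentication before credit is spent, rather than a hard block.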
James Maude, head of threat research, Netacea