Prismo Systems Sep 24, 2020 12:00:00 AM 3 min read

Virus Bulletin 2020: Just-In-Time Deception to Detect Credential-Stuffing Bots

We are excited to announce that the Prismo Systems team will be presenting our work on detecting bots at the upcoming VB2020 conference.

Just-in-time deception to detect credential-stuffing bots

Abhishek Singh, Manish Sardiwal & Ramesh Mani

Credential stuffing is a critical exploitation technique. As per the published statistics, between 1 January 2018 and 31 December 2019 there were more than 88 billion credential-stuffing attacks across all industries. On 26 March 2020, a video media service in Europe experienced a strong spike in attacks, reaching 348,050,675 malicious login attempts in 24 hours. On 17 August 2020 the Canadian Revenue Agency portal was directly targeted with a large amount of traffic using a botnet to attempt to attack the services through credential stuffing. The attack led to the compromise of 11,000 out of 12 million personal accounts.

In this presentation, we share our research on using deception to detect credential-stuffing bots. Credential-stuffing bots can either scrape the website's login page, submit the login form with the compromised credentials, or use login APIs to provide compromised credentials. To scrape the victim's page, some of the libraries used by bots are mechanical soup, phantom js, and selenium headless browsers. In such a scenario where bots scrape the victim's login page, breadcrumbs or lures on the web page can divert the traffic of bot to deceptions. In the presentation, we first share the analysis of various credential-stuffing bots, which then lays the foundation for the design of breadcrumbs, which can be dynamically injected to the website to detect credential-stuffing bots.

Traditionally, deception-based technology involves using statically placed breadcrumbs and lures to divert the traffic generated by the malware or threat actor for detection. In this presentation, we will also introduce just-in-time deception. Just-in-time deception leverages instrumented applications, and upon the occurrence of an event, it will inject breadcrumbs. Once these breadcrumbs are accessed, the traffic is analyzed by the detection algorithm for the detection of the credential-stuffing bot. The design of the algorithm will be shared in the presentation.

Finally, we conclude by sharing the results of our study. Our study shows that deception-based detection is not only highly effective in detecting bots that scrape websites and submit stolen login and passwords, but it also provides the inherent advantage of detecting bots on the first attempt at exploitation. 



Click to view the video of the presentation on YouTube 

Prismo Systems

Prismo is the first security platform to connect fragmented data across silos, empowering enterprises to continuously expose blind spots, proactively reduce attack surface, automatically mitigate risk, and adhere to the NIST cybersecurity framework. With Prismo, enterprises transform the way they secure users, assets, and applications with an active risk-based approach that simplifies the security stack, streamlines operations, lowers costs, and dramatically reduces risk. Headquartered in Silicon Valley, Prismo is backed by Sequoia Capital.