Skip to main content

Q&A: The rise of business logic attacks

(Image credit: Image source: Shutterstock/jijomathaidesigners)

How is the hacking landscape evolving?

When we think of a hacker, an image comes to mind. It’s of a shadowy figure ‘breaking in’ to something. There’s a zero day vulnerability and code flies across the screen as they bypass the digital defences that stand between them and their virtual treasure. It’s like a heist, but digital.

But in reality, hacking is nothing like this. The technical bar is being increasingly lowered with automated scripts and toolkits that often come with training and support. There’s no Hollywood movie tension around it, it’s simply running an application or logging into a cloud interface.

Credential stuffing is one of the most commonly used automated techniques used to access to user accounts. A hacker simply needs access to “combo lists” of usernames and passwords leaked in data breaches, and these are readily accessible on forums and the dark web for a small fee. As consumers tend to reuse passwords, there’s a good chance that their, say, Yahoo login is the same as their Netflix or Spotify login. By running an off the-shelf tool—an automated bot—they can check thousands of credentials every minute and quickly take over and sell those accounts that have reused a password. Anyone who has logged into Netflix or Spotify to see unknown user profiles on their family accounts has likely already fallen victim to this.

Automation and bot toolkits have made other types of attacks possible too, as bots can be used to exploit a wide range of legitimate business functionality. These “business logic” attacks don’t target what many think of as security vulnerabilities, but instead weaknesses in the normal, everyday use of the website or app.

What is a business logic attack?

Recent Just Eat and Deliveroo hacks are good examples of business logic attacks. These services thrive on a great customer experience and zero friction—the apps need to be simple and accessible in order to retain customers. But this has created vulnerabilities, leading to attacks that take advantage of this ease of use.

These services save card details for one-click ordering and offer quick refunds that credit the customer’s account. So, when a hacker uses a bot to take over the account, they can then commit fraud with the account or sell on the verified username and password via online marketplaces. Fancy a cheap takeaway? Simply buy one of these accounts and use the refunded credit.

A common misconception is that these accounts are only traded on the dark web by anonymous individuals but just as with hacking the technical bar is lowering all the time. Regular web forums and online chat apps are now commonly being used to trade in stolen accounts, loyalty points and stolen goods.

By exploiting the legitimate functionality, neither company was aware of any untoward behaviour and so were unable stop it in its tracks.

What sectors are at most susceptible to business logic attacks?

Almost all sectors are at risk of some form of business logic attack—but the gaming, fashion and travel industries have all been the most heavily targeted in recent months. Often these attacks are harder for organisations to detect as they are not able to differentiate between a real user and automated bot.

Sneakerbots are commonly used in the retail industry to buy up the latest limited-edition footwear or other fashion items, to be resold on specialist secondary marketplaces. The sneakerbots themselves are for sale on reputable-looking websites with full customer service support.

For those unfamiliar with the sneaker market, the cost and resale price of these can be eye-watering: a pair of Air Jordan Travis Scott sneakers, if you were quick enough on release day, could be snapped up for $175 and resold for over $1000.

But you have to be quick, and this is where sneakerbots come in—buying far faster than any human and jumping the queue. Anyone going through the buying process as they should will miss out, and will have to instead go to secondary resellers, buying sneakers at escalated prices that were likely snatched by a bot.

While selling out of a product fast might seem like a retailer’s dream, in reality they can cause real customers to walk away and even just a few sneakerbots can cause such a large volume of traffic on a website it can be taken offline in an accidental DDoS attack.

In the online gaming world, bots have been effective in exploiting arbitrage opportunities between online bookmakers and betting markets, where picking the right odds can mean an almost guaranteed payout.

And airlines have found that bots, rather than buying seats on a flight, are instead hoarding them in an online basket and only buying them when they are sold, at a mark-up, on a secondary site. The reseller in this case is making pure profit, while the airline risks flying with half-empty planes when those seats in baskets are abandoned by the reseller.

It’s important to note with these three examples that no fraud or hacking has taken place. In many cases, no criminal act has taken place at all they are simply abusing the business logic.

What’s the difference between a “good bot” and a “bad bot”?

Not all bots are bad. Search engine spiders are vital to ensure that websites are correctly indexed in search engine results, while comparison sites use scraper bots to mine data and list prices on their own site. Insurers, fashion sites and more rely on these comparison sites for a significant proportion of traffic and sales. By cutting off access to all bots, businesses risk losing out on search engine visibility and vital revenue streams.

Therefore, while it’s important to identify bot traffic, it is much more important to identify its intent.

Why don’t these sites implement 2FA or CAPTCHAs?

Two-factor authentication is a good way to help prevent bots taking over accounts, but some businesses are often unwilling to deploy this technology—for good reason. If a takeaway or taxi is a couple of clicks away on one app, and a couple of clicks plus a one-time password in another app, the chances are that the user will select convenience over security. Creating any friction at all typically results in driving business to other apps. These apps sell themselves on their ease of use and mobile-friendliness and to lose any of this will risk their customer’s loyalty.

Similarly, while CAPTCHAs—those puzzles and distorted words that are only readable to humans—can go some way to defeat bots, they are far from perfect. They put off users in much the same way as two-factor authentication, and essentially become an arms race between the bot and CAPTCHA creators—as new techniques are rolled out, so the bot creators will apply their ingenuity to crack them. But ingenuity isn’t always needed. It’s possible to buy CAPTCHA solvers online for pennies, tapping into an army of people willing to solve what bots cannot, for a small profit.

What’s the future of automated attacks and how can businesses protect themselves?

Business logic attacks will continue to increase in prevalence as hackers discover new ways to exploit websites and apps for financial gain. With more businesses offering online services and mobile apps to make life easier for the consumer this also makes life even easier for the bot creators.

The key to protecting businesses from these attacks is in identifying ill intent within your web traffic—the question that needs to be asked is not “is this a bot?”, but “what is this bot doing?”. The automated nature means there are patterns of bot behaviour that can be identified and used to stop those that have malicious intent.

These automated bot attacks have shifted the balance from cybercriminals who used advanced knowledge of computer systems to those who are able to load a tool and point it at a website. While there are still many threat actors pioneering sophisticated attacks the commoditisation of cybercrime is fuelling large amounts of web traffic. In the retail sector as much as 90 per cent of login attempts are automated and in general over 50 per cent of web traffic is automated (good and bad).

Businesses need to start thinking about their exposure to these risks and establishing clear ownership internally. Often dealing with these attacks requires cross department efforts from infrastructure, security, fraud and marketing teams which results in attacks slipping through the cracks. The important question is do you have visibility of how visitors are interacting with your website—and why?

James Maude, Head of Threat Research, Netacea