Cyber Fraud
Copyright © Hybrid Application Security Ltd. (2010-2012). All Rights Reserved.
Pioneer in AI-based website protection
First business-logic security solution
Website misuse detection
User behavior profiling
About Me
Founder: Hybrid Security
Blogger: Chapters In Web Security
Hacker: MultInjector
WebTuff
R.U.D.Y
Cyber Fraud
Identity and CC fraud
Automated bot activities
Business logic abuse
Bot Epidemic
Exponential growth
Geographic clusters
Mutual website-client infection
(Chart sources: Infections - McAfee; Distribution - Microsoft)
Man-In-The-Browser
“…Automated transaction monitoring or anomaly detection and response could have prevented many of the frauds…” FFIEC
Business Logic Flows
(Flow diagram nodes: Login, Register, Main Page, Registration Details, Item Search Results, Verify Email, Land, Add To Shopping Cart, Payment & Checkout)
Business Logic Flaws
Missing / additional parameters
Vulnerable password recovery
False registration
Invalid parameters
Invalid business workflows
Guessable session identifiers
Forceful browsing
(Image caption: Highly Illogical …)
Target Victims
Government
Airlines
Financial
Gaming
E-Commerce
Subscription Services
Forex Fraud
Commission manipulation
Spread tampering
Transaction time lingering
Logic fuzzing
Forex Fraud
0.01 ₪ ~ 0.00168144044 £
Normal business logic:
1,000,000 transactions * 0.00168144044 £ = 1681.44044 £ ~ 10,000 ₪
Kosher
After 2-digit currency rounding:
1,000,000 transactions * 0.01 £ = 10,000 £ ~ 60,000 ₪
500% more satisfaction for the buck!!
( , April 8 2012 )
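The rounding arithmetic on this slide, worked through as an added example that is not part of the original deck: the vulnerable path books each converted micro-transaction after rounding it up to a whole penny, the corrected path carries full precision and rounds once at settlement, and a minimum-amount check plus a drift measurement give the input control and the detection signal. The rate is the slide's; the round-up rule, the function names and the batch are assumptions.

```python
from decimal import Decimal, ROUND_UP, ROUND_HALF_UP

# Rate from the slide: 0.01 ILS ~ 0.00168144044 GBP, i.e. 1 ILS = 0.168144044 GBP.
RATE_ILS_TO_GBP = Decimal("0.168144044")
PENNY = Decimal("0.01")  # smallest bookable GBP unit


def convert_rounded_per_tx(amount_ils: Decimal) -> Decimal:
    """Vulnerable path (assumed): each transaction is converted on its own and
    rounded UP to a whole penny, so 0.01 ILS is booked as 0.01 GBP."""
    return (amount_ils * RATE_ILS_TO_GBP).quantize(PENNY, rounding=ROUND_UP)


def settle_rounded_per_tx(amounts_ils) -> Decimal:
    """Total booked by the vulnerable path over a batch of transactions."""
    return sum((convert_rounded_per_tx(a) for a in amounts_ils), Decimal("0.00"))


def settle_exact_then_round(amounts_ils) -> Decimal:
    """Corrected path: carry full precision per transaction and round once,
    on the settled total, so the per-transaction rounding gain disappears."""
    total = sum((a * RATE_ILS_TO_GBP for a in amounts_ils), Decimal(0))
    return total.quantize(PENNY, rounding=ROUND_HALF_UP)


def min_chargeable_ils() -> Decimal:
    """Smallest ILS amount whose converted value is at least one penny."""
    return (PENNY / RATE_ILS_TO_GBP).quantize(PENNY, rounding=ROUND_UP)


def is_chargeable(amount_ils: Decimal) -> bool:
    """Input control: reject transactions below the minimum chargeable amount."""
    return amount_ils >= min_chargeable_ils()


def rounding_drift(amounts_ils) -> Decimal:
    """Detection: GBP over-credited by per-transaction rounding versus the exact
    value; alert when this exceeds the tolerance set for a settlement batch."""
    return settle_rounded_per_tx(amounts_ils) - settle_exact_then_round(amounts_ils)


if __name__ == "__main__":
    batch = [Decimal("0.01")] * 1_000_000  # constructed: the slide's 1,000,000 x 0.01 ILS
    print("exact settlement:", settle_exact_then_round(batch))  # 1681.44
    print("per-tx rounded  :", settle_rounded_per_tx(batch))    # 10000.00
    print("rounding drift  :", rounding_drift(batch))           # 8318.56
    print("min chargeable  :", min_chargeable_ils(), "ILS")     # 0.06
```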
Online Gaming Fraud
Client-side logic flaws: Flash / JS / Java / Silverlight
Digital goods theft
Poker bots
Player collusion
Screen scraping
Telecom Fraud
Using GHDB / Shodan to hack into open PBX
Authentication bypass / unpaid content download
Subscriber PII scraping
E-Banking Fraud
Browser “Helper” Objects
Parameter injection
Evil Bankers
Pump & Dump
Account traversal
Ticket Order Fraud
Concerts, sports, flights, movies
Ticket scalping bots
Lower vendor margins
Seat locking & defacement
Social Network Fraud
Web 2.0 spam bots
Social scrapers
Predators & imposters
Phishing
Likejacking
E-Commerce Fraud
Card-Not-Present
eWallet Pick-pocketing (Google, PayPal)
Auction bots
Affiliate click fraud
Stolen goods
Spiders & Scrapers
Data mining / Industrial Espionage / Email harvesting
Browser COM API + JavaScript injection
Scrape-As-A-Service: ScraperWiki
Kosher
Technology Evolution
Black & white lists
Dynamic web page profiling
Heuristic behavior analysis
Hybrid Appliance
Hybrid Telepath
Hybrid Cloud
3rd Party Integration
Reverse Proxies (F5, Zeus, Cisco)
SIM/SOC (HP, IBM, Symantec)
Firewalls (Juniper, Checkpoint, Cisco, Fortinet)
Analytics (Clicktale, GhostRec, LivePerson)
Sniffers (Radware, Metronome, Sourcefire)
Authentication (SafeNet, Microsoft, Oracle)
Web: www.hybridsec.com
Email: [email protected]
Phone: +1 (650) 319-7389