O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

Automated Fraud

30 de Jun de 2017
0 gostaram 226 visualizações
Próximos SlideShares
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Carregando em…3
×

Confira estes a seguir

Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
Invincea, Inc.
Splunk Enterprise for InfoSec Hands-On Breakout Session
Splunk
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
Distil Networks
Automation Attacks At Scale
Mayank Dhiman
nullcon 2011 - No bullshit on underground crime: traces, trends, attribution,...
n|u - The Open Security Community
Cybercrime in the Deep Web (BHEU 2015)
Marco Balduzzi
Splunk Enterprise for Information Security Hands-On Breakout Session
Splunk
OWASP AppSec USA 2011 - Dismantling Web Malware
Aditya K Sood
1 de 13
1 de 13

Automated Fraud

30 de Jun de 2017
0 gostaram 226 visualizações
Internet

A presentation I gave at FraudCon on June 28 2017, an event which was part of CyberWeek Israel.
Discussing automated fraud in the hands of attackers against commerce websites, and some ways to fight them back.

A presentation I gave at FraudCon on June 28 2017, an event which was part of CyberWeek Israel.
Discussing automated fraud in the hands of attackers against commerce websites, and some ways to fight them back.

Internet

Recomendadas

Mais Conteúdo rRelacionado

Semelhante a Automated Fraud

Webinar: Operation DeathClick: Uncovering Micro-Targeted Malvertising Against...
Invincea, Inc.
Splunk Enterprise for InfoSec Hands-On Breakout Session
Splunk
Distil Networks 2017 Bad Bot Report: 6 High Risk Lessons for Website Defenders
Distil Networks
Automation Attacks At Scale
Mayank Dhiman
nullcon 2011 - No bullshit on underground crime: traces, trends, attribution,...
n|u - The Open Security Community
Cybercrime in the Deep Web (BHEU 2015)
Marco Balduzzi
Splunk Enterprise for Information Security Hands-On Breakout Session
Splunk
OWASP AppSec USA 2011 - Dismantling Web Malware
Aditya K Sood
From russia final_bluehat10
F _
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
Jeremiah Grossman
Code by the sea: Web Application Security
Boy Baukema
網頁弱點掃描服務簡報 20120606
Fionsu
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
85% of App Store Apps Fail OWASP Mobile Top 10: Are you exposed?
NowSecure
IDS+Honeypots Making Security Simple
Gregory Hanis
SEO Keyword Research and Content Mapping
Vivastream
Developing Secure Applications and Defending Against Common Attacks
PayPalX Developer Network

Em destaque

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Study: The Future of VR, AR and Self-Driving Cars
LinkedIn

Livros relacionados

Gratuito durante 30 dias do Scribd

Ver tudo
Primeiros passos com Node.js João Rubens
Gratuito
Construindo APIs REST com Node.js: Caio Ribeiro Pereira Caio Ribeiro Pereira
Gratuito
HTML5 e CSS3: Domine a web do futuro Lucas Mazza
Gratuito
Psicologia oculta das redes sociais Joe Federer
Gratuito
Amazon AWS: Descomplicando a computação na nuvem Jonathan Lamim Antunes
Gratuito
Web Design Responsivo: Páginas adaptáveis para todos os dispositivos Tárcio Zemel
Gratuito
Introdução e boas práticas em UX Design Fabricio Teixeira
Gratuito
Guia Para Iniciantes Em Hacking De Computadores: Como Hackear Redes Sem Fio, Segurança Básica E Testes De Penetração, Kali Linux, Seu Primeiro Hack Alan T. Norman
Gratuito
Onde você pode baixar todos os eBooks Kindle gratuitos (Milhares de livros grátis!) Carmen Cardoso
Gratuito
Desconstruindo a Web: As tecnologias por trás de uma requisição Willian Molinari
Gratuito
Guerra Cibernética: A próxima ameaça à segurança e o que fazer a respeito Richard A. Clarke
Gratuito
Aplicações web real-time com Node.js Caio Ribeiro Pereira
Gratuito
Bootstrap 4: Conheça a biblioteca front-end mais utilizada no mundo Natan Souza
Gratuito
Liberdade digital: O mais completo manual para empreender na internet e ter resultados Hyeser Souza
Gratuito
Inteligência Digital Emerson Wendt
Gratuito
Sociedade.com: Como as tecnologias digitais afetam quem somos e como vivemos Abel Reis
Gratuito

Automated Fraud

  1. 1. Automated Fraud June 28th 2017
  2. 2. - - - - - Account takeover and abuse - Price and content scraping - DDOS - Ad fraud What are bots? 2
  3. 3. Bot evolution: bots are evolving rapidly Gen 4 Bots - Infected Users Hijacked Browsers, Fake Extensions Gen 3 Bots - Headless Browsers Javascript, Cookies, Engine Automation Gen 2 Bots - Scripts + State No Javascript, Cookies Gen 1 Bots - Scripts No Javascript, No Cookies
  4. 4. Websites are the new bank ▪ ▪ ▪ ▪
  5. 5. 5 The Attack Vector BOT ATTACK ATO attack 8% Success (varies based on database) Yahoo! 1B MySpace 360M LinkedIn 164M Adobe 153M Badoo 112M VK 93M Dropbox 69M Tumblr 65M Mod Bus Soln 59M Login databases stolen 100K accounts / $10 Validated account ~$3 Site fraud BOT ATTACK ▪ ▪ ▪
  6. 6. 6 They come in large numbers... Botnet Attack ▪ ▪ ▪ ▪ 77% of this attack would go unnoticed by volumetric detection
  7. 7. 7 … and from everywhere Gen 2 Bots No Javascript, Cookies IoT Device Attack ▪ ▪ ▪ ▪
  8. 8. ROI ▪ ▪
  9. 9. How To Fight Back 9
  10. 10. Basic techniques 10 ▪ Support multi-factor-authentication ▪ Encrypt or hash stored credentials ▪ Have good password practices Don’t be one these guys http://badpasswordpolicies.tumblr.com/
  11. 11. Monitor correctly ▪ Separate API from website – different endpoint URL ▪ Monitor logins for anomalies and spikes ▪ Lookup suspicious user-agents in github (and not just google) http://mstajbakhsh.github.io/Microbot/ 11
  12. 12. Detect 12 ▪ Validate user is running javascript ▪ Validate a cookie ▪ Device fingerprint (https://github.com/Valve/fingerprintjs2) ▪ Track legitimate flow
  13. 13. Recommended resources ▪ Have I been Pwned by Troy Hunt - https://haveibeenpwned.com/ ▪ Biggest breaches - http://www.informationisbeautiful.net/visualizations/worlds-biggest-da ta-breaches-hacks/ ▪ Detection labs - https://github.com/PerimeterX/bot-tools ▪ Device Fingerprinting - https://github.com/Valve/fingerprintjs2)

×