Good afternoon, so thank you for joining me after your lunch. As I said, my name is Amish Raqab, I work at PerimeterX, and we're going to talk about bots and carts. So, let's start. A very brief overview, what are bots? Well, bots are basically any kind of automated scripts or automating engine that runs against some kind of service. It's responsible for at least 50% of the traffic against websites that we see. Some say even more, but at least 50% is non-human traffic on most websites. And not all bots are bad, some bots are good, you have things like Google and Rigorbot doing a lot of value services for websites. So, we're going to talk about those that are not good. I hope you're familiar with this. It's an excellent piece from our chapter about automated threats against websites. And the highlighted parts that you can see are the ones that are relevant to what we're going to discuss today in terms of threats against the cart. And another brief overview. We separate bots into four categories, and the differentiation between them is important because you're going to view and handle and tackle those in a different way. The first one is the primitive bots, the generation one and generation two. These are basically scripts based on curl, Python, any kind of other tool that's not running JavaScript. Some of them don't even manage a cookie session, some of them do. Most of them today know how to do it, if you're using things like Mechanize and others. And they're very popular, they're very common, but we do see a very big shift from these kinds of bots to the more advanced bots, the generation three bots. Mostly due to the popularity of the automation engines for quality assurance on websites. We're all building our websites to be testable and we're trying to run tests as best we can with tools like Phantom and Selenium. Today all the major browsers are built in with those automation capabilities. And so you have the generation three.
We see more and more of these kinds of traffic. And the generation four bots that we're going to cover briefly are actually man-in-the-browser attacks where a legitimate user is being hijacked. Or part of his session is being hijacked and runs some kind of abuse. Not against the user, but against the service that the user is using. So this is what we're going to talk about today, the bot and cart relationship. Any of you run an e-commerce or marketplace, work at some place? I know you do. Yes. Okay, so four questions that you need to ask yourself, looking at your traffic and the behavior of your users. These are the four questions. The first one is who added an item to the cart on my website? The second is are they really going to buy the item? And the third one is who is getting the item at the end, even if a purchase was made. Who is going to get the item? And the last one is who are you going to share your commission with? Because most of the time when you have a marketplace, when you have a store, you're sharing commissions with someone, with an ad network, with an affiliate. Is it the one that you actually wanted to share the commission with? I see it's a bit cut off on the far left, so scraping. So this is the overview and now I want to dive into the specific examples. So scraping is the first threat that hurts any kind of website, any kind of service. What's interesting when we talk about scraping against the cart is that we see a great advancement and a lot of effort being made by scrapers to get the most accurate information from the cart itself. They're not just focusing on getting the product page, getting some information, the official list price, they will go further. It's a very growing business with low margin industries selling all kinds of physical goods. It's very highly distributed. I'm going to show some examples. They're using a lot of anonymized networks.
I'm sure some of you heard about Hola, for example, and how their extension on the browser is being used as an anonymizing network for a lot of other users, meaning that things like IP reputation are not very good at detecting them because it's legitimate users being abused. Occasionally, they can create an application DDoS, because they're not focusing only on getting the cached content. Going all the way to your database to get the most accurate information usually involves a lot of backend requests, and sometimes it can cause a load on the infrastructure. These are just a few examples, but there are plenty of services out there, companies whose entire business model is based on: you will give us the target and we will do the project and scrape it, and we'll continue scraping it until we succeed, no matter what kind of protection you will put against it. And so you would get the information you want, as the one who ordered the intelligence gathering. A few examples, plenty of others. So, scraping done right. A recent example just from two days ago, we have here an example of an attack hitting a product page on an e-commerce website, and what you see here, the graph here shows the number of requests made per number of IPs, meaning 140,000 IPs were used only once, which is around 90% of the scraping attack, and another 8% of IPs were used to get two pages, and the rest, less than 2%, requested more than two pages. Meaning any kind of defense mechanism that you want to put and any kind of monitoring that you want to do on your service has to rely on trying to detect these attackers as early as possible. They will bypass any kind of standard volumetric detection that is looking at any kind of IP level. This is something very important to remember, because IPs are cheap today, very cheap for anybody trying to run an offensive.
The second part, so they visited the product page and now they're doing the follow-up: they're adding the item to the cart, they will put the shipping address, they will try to put different details that they can about a user, fake user information, because sometimes you have offerings based on all kinds of parameters, from location to gender to other things, and they want to get the most accurate information. Because remember, these are intelligence companies giving this information to a competitor, or your competitor, so they're trying to give them the accurate information. The final pricing is never on the official front page. So what we see them doing is around 20% of the traffic against the cart is completely from automated scrapers. 20% adding items to the cart is completely from automated scrapers, I'm not talking about other kinds of attacks. And this is very important to know and understand, because even if you're doing just BI analytics and trying to understand why your products are not being sold, if there is a 20% bias in your data that's not even trying to really buy the product, just doing it to get accurate information, it's something you should be aware of even from the business perspective. And of course they won't buy it. They will do all of this and they won't buy, and they do it continually for all the products, every day, every season. So this is the first part. You have the attackers doing an attack against your cart to get the most accurate information in terms of pricing, to do a pricing bidding war. Anybody know what this is? How much did it cost? 25K, right? Yeah, 25K, so this is a very expensive item and this brings us to the next kind of attack against the shopping cart. The next kind of attack is scalping. Scalping like we all know in the physical world, the same kind of attack, only happening by bots in the online business.
You see scalping in all kinds of businesses where there are high demand items or special hype sales, items that are released like tickets that are very limited in quantity. All of them experience scalping attacks. And do you know the story behind this little box? Mediousness. Yeah, so this one was sold at Walmart for around $70, and they had two such hype sales that sold all the items at $70, and the item was sold within minutes. Walmart didn't lose any money. Walmart sold all the items, but when you checked who's buying the item you saw it's not people who are actually going to use it. Minutes afterwards on eBay this device was offered from $200 to the highest price eBay sold, which was $1500. Now, it was sold for only $80 on Walmart, meaning they were buying this with bots and they were reselling them later on. Wait, so you're saying the bots were buying this? Yeah, bots were buying this and reselling it on platforms like eBay and others at a higher price, and real people who wanted these devices didn't get them and had to pay a higher price. Never got it, never got the chance to get it. Never got the chance to get it because of the bots. Well, you can pay a higher price, $1500 is the latest. And it's true for a lot of things, not only these ones. It's very known in the ticketing world, but it's also for a lot of other products. So here's an example of scalping done right. You have bots coming, you can see here the sale is about to start, all the red ones, and if you don't see the blue that's okay. All the red ones are bots checking if the sale started. The sale starts, you can see a bit of blue. Can you see the blue? Okay. No? So a bit here and a bit there, but most of it is bots. After lunch you're going to be very sleepy, so you're going to have to trust me. So this is a bit here and a bit there of blue, let's say 15%.
So the sale starts and you have a lot of bots buying, and some humans manage to buy, so they're the lucky ones, and the sale continues and there are no humans left. No human manages to get in on the chance to actually complete the purchase and buy the item on sale. That was a very successful scalping attack against that specific product. For a second, why do you call it a scalping attack? It's not an attack, somebody wants to make money. It's not a hacking or something. I'll get to that a bit later and then I'll answer you if you're not convinced. So the first thing actually about scalping is the company doesn't lose money, because all the items were sold. It's a lot more hurting in reputation. These guys are not very nice in what they do. They load YouTube with videos showing "here are all the boxes that we bought" and pointing out the company failing to protect them, etc. And then you have a lot of complaints against the company from users who wanted to buy the product. But yes, you can say that nobody lost money in the process, but that's a big issue, and the fact that it's a big issue you can see here: they are trying to do legislation against it, because it's completely legal to do it, but they are trying to do all kinds of legislation against it. If you can see here, the Better Online Ticket Sales Act, or the BOTS Act, I guess we know who's the geek who offered this bill to Congress, but they're trying to offer bills to make it illegal, just as scalping of tickets on the street is illegal. So you can say it's an attack. Okay, any questions so far? Okay, so this should answer what we just heard. Why is this an attack? Why is this a problem? And the answer is hoarding. We have a very common... It's sort of like a Selenium kind of attack, where it's just something set up as a routine, and an issue.
So you see, it depends on the site, but you see the basic ones that never added any kind of protection, you can bypass them even with simple Python scripts. But then you have those that use Selenium, Phantom and other kinds of automation engines, but they don't stop there, because it's a business, because they make a lot of money. You will find a lot of companies that do scalping as a service, you will find a lot of repositories on GitHub with the source code on how to do scalping, you can check it out, Nike bot and stuff like that, you will find a lot of examples out there of tools to use to do scalping. They're not hiding it. Because it's not illegal, they're not hiding what they're doing. Well, the question was asked and I think this is the first thing here. Is it just fair game? I'm buying cheap, I'm selling high, that's just the way our economy works. Well, it is if you're playing fair, but they're not playing fair. One of the things they're doing is preventing the item from being available to anybody else, they're holding it only to themselves, and this is the hoarding attack that we do see quite a lot. The hoarding attack, basically you hoard all the items to yourself. How do you do that? You run an attack on the cart, you add items to the cart. Now the way physical goods carts work usually is when a user adds an item to the cart, you put it out of the inventory for 5 minutes, 10 minutes, 20 minutes, to give the user a chance to actually complete the purchase. You don't want him to have the experience of adding an item and then telling him it's not available. So, they're adding the item to the cart, doing it enough times from enough IPs and stuff like that, and they're denying the availability of the item being purchased by other users.
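A small model of the hold-and-hoard mechanic described above, added here as an illustration and not code from the talk or from PerimeterX; the stock level, the 10-minute hold, the bot timing and the per-fingerprint cap are all constructed assumptions:

```javascript
// Added example (not the speaker's code): a minimal model of an e-commerce
// inventory "hold" and of the hoarding pattern described in the talk, where a
// bot opens a fresh cart over and over until every unit sits in a bot's cart.
// Stock, timings and the per-fingerprint cap are constructed for the demo.

const HOLD_MS = 10 * 60 * 1000; // assumed cart hold: 10 minutes

class Inventory {
  // maxHoldsPerFingerprint caps live holds per device fingerprint (assumed
  // to be more stable than the session cookie, which a bot rotates freely).
  constructor(stock, { maxHoldsPerFingerprint = Infinity } = {}) {
    this.stock = stock;   // units not yet sold
    this.holds = [];      // { session, fingerprint, expiresAt }
    this.maxHoldsPerFingerprint = maxHoldsPerFingerprint;
  }

  expire(now) {
    this.holds = this.holds.filter((h) => h.expiresAt > now);
  }

  // Units a new shopper could still add to a cart right now.
  available(now) {
    this.expire(now);
    return this.stock - this.holds.length;
  }

  // Add-to-cart: reserve one unit for HOLD_MS so checkout cannot fail later.
  addToCart(session, fingerprint, now) {
    if (this.available(now) <= 0) return false;
    const live = this.holds.filter((h) => h.fingerprint === fingerprint).length;
    if (live >= this.maxHoldsPerFingerprint) return false;
    this.holds.push({ session, fingerprint, expiresAt: now + HOLD_MS });
    return true;
  }

  // Checkout: convert one of this session's holds into a sale.
  purchase(session, now) {
    this.expire(now);
    const i = this.holds.findIndex((h) => h.session === session);
    if (i < 0) return false;
    this.holds.splice(i, 1);
    this.stock -= 1;
    return true;
  }
}

// Bot with a constant device fingerprint but a new session cookie per request
// adds the item every 5 s for 3 minutes; a human shopper arrives at minute 3.
function simulateHoarding(options = {}) {
  const inv = new Inventory(20, options);
  const botFingerprint = 'fp-bot-constant';
  let botHolds = 0;
  for (let i = 0; i < 36; i++) {
    if (inv.addToCart(`bot-session-${i}`, botFingerprint, i * 5000)) botHolds++;
  }
  const now = 3 * 60 * 1000;
  const humanGotItem = inv.addToCart('human-session', 'fp-human', now);
  // The hoarder sells one unit on a marketplace and only then checks out:
  // the site records a single sale while the shelf looked empty the whole time.
  const hoarderSold = inv.purchase('bot-session-0', now + 1000);
  return { botHolds, humanGotItem, hoarderSold, availableAtT3: inv.available(now) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('no cap      ', simulateHoarding());
  console.log('cap 2 per fp', simulateHoarding({ maxHoldsPerFingerprint: 2 }));
}
```

Keying the cap on a device fingerprint or an account rather than the session cookie is what makes it bite, since the bot above rotates sessions at will; a shorter hold and a re-check of stock at checkout are the other two levers.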
We can see an example here. You can see the bot. This was a very limited item, they sold only two pieces. The attack was successful very quickly. You see the bot visiting the page constantly, the product page. On the second graph you see the active cart attempts, and you see they're going down, and in a minute we'll see why, but it's constantly adding the item to a cart. Every time a new cart, adding the item, a new cart, adding the item, effectively taking all the items off the inventory in the website's back end. And this is the item availability, and as you see it goes down, and there are times when the item is not available. Now the experience the user has when he goes on the specific e-commerce website: he goes to the product, the product is not available, sold out. But if you check the database and ask the company, they say we haven't sold a single piece. The item is never available, but we're not selling it. Then if you check on eBay, it's there, the item is available for sale. How are you doing it? They're combining these things. He's putting the item for sale on eBay, he's using them as free storage, effectively preventing anybody else from buying the item. Once he manages to get a sale on eBay he just releases one item, purchases it, ships it directly to the one he wanted, and has made the money. So this is the answer to what you asked, whether it's just fair game. So I don't think it's fair game, but it's legal so far. It's legal. By the way, I'm not talking about laws, I'm talking about what we and everybody here should look at and focus on as security. You call it an attack? Yeah, I do call it an attack, because it hurts the company, it hurts the reputation, they're willing to put money to protect themselves, so for them it's an attack. If you throw a bag of dirt on their windows it's an attack. It's pretty much the same for them in terms of experience. They're not losing money, they're losing reputation and customer experience. Sport it? No, they don't lose money, they sold all the
items. With this one? Yes, with this one they actually lose money. With hoarding they actually lose money, but if they're only doing scalping they don't lose money. Eventually they will lose money. They are not losing money this moment, next moment they lose money in terms of reputation damage. Could be, I'm not so sure, because usually it's products that are so in high demand that people always try to buy them, so I don't know. But what you say is completely possible, that it will happen. So far I haven't seen actual examples where they lose money because of scalping. With hoarding they have lost a lot of money. Okay, so the last attack. The clock is not working here, so where are we at, time-wise? Excellent. Okay, so the last attack. We talked about scraping and we talked about hoarding. Usually those attacks happen with fairly primitive bots, Python scripts, saving cookies, managing sessions. Scalping is almost always done with some kind of an automation engine, more advanced, because the site has more complex security measures, because they know they're being hurt. And let's go to the final attack against the cart, which is affiliate fraud. Now you all know how affiliates work. As an e-commerce website, I have affiliates. The affiliates bring traffic to my site. When a user completes a purchase or some kind of conversion on my site, they pay a commission to their affiliates. Could be a percent of the purchase, could be something else, but that's how it basically works. And here we have a lot of attacks from malicious extensions and other kinds of malware tackling that exact issue. We'll go here. How does the store work? I download a Chrome extension from the store, any kind of store-exposed Chrome extension. I unpack it, I open one of the files, I add some lines of code and a script into the manifest, I repack it, maybe change the name a bit, I'm not uBlock, I'm uBlock the best one plus, and I upload it to the store and I hope somebody will download it, and wait. If somebody downloads it, he stores it on his browser,
he gets the full experience of the real Chrome extension plus a few lines of code that I added. They do some nasty stuff. What do they do? Here's an example. Can you see the code? No? That's a shame. Yeah, the switches for the lights are on the right. You're right, that's a different track. I just pressed everything. Better? It's good. I'm gonna push on. Okay, so anybody knows what's written here? Can you decode it? Well, I'll say it out loud while I'm trying to light it. It says double base64, and you have... That's it, that's all the options. Okay, so this is the script inserted inside the extension. What you have here, you can see this slide later on, it will be available, so you have createElement, base64 in the string. Now double base64 is not a real function, but if you reverse the JavaScript a bit you find that it really is kind of a base64 and base64, and this line of code basically says iframe. Now this little hack bypasses most of the antiviruses and the Chrome store checkups, because it doesn't know what kind of element it adds and it doesn't know that it's a malicious extension, because it adds an iframe. What it does is add an iframe. The Chrome extension adds an iframe to the active page the user is viewing, and it's injecting it with this piece of code. This is the interesting part. It's a bit longer, but this is the interesting part: also doing a call to a CnC server, getting a URL, doing base64 decode to get the actual line, that's interesting, and it makes a call and basically adds a cookie to the site. Now why is this interesting? Because the way it works is by sending a cookie with the affiliate ID when you're in the store that you're currently using, meaning that I can override it. The Chrome extension actually overrides the cookie while you're using the store and sets a different value according to what they wanted. They will do it repeatedly every few seconds. So I don't know the extension, they will do it on any kind of website, ebay.com, they set the affiliate ID to be my affiliate ID, and if somebody
completes a purchase I make money without doing anything, without actually putting up any website and driving any real traffic. This specific extension has 51,000 target domains that it changes the affiliate ID on. It has a lot of installs, it's several different extensions with a user base from the store of several million users, so you can understand the amount of money they might be able to achieve. Obviously not all those users are completing a purchase, but it's a very cheap attack in terms of the attacker, and they can do it. Here's another example. This one was a bit different in the techniques of hiding and manipulating. They re-edited the jQuery.js file and added a few bits of code into the jQuery file. They changed, they defined a new function with the same name, added a few strings, they are just very long strings, this is basically base64'd code just with a lot more words, and this, which might at first glance look different, basically says run eval, which is take this line of code and run everything in it, from these few strings that are actually code and not strings. And this was interesting because it wasn't so obvious to find. The Chrome extension has jQuery.js, everyone has jQuery.js in their extensions. They embedded the lines inside the file, which is a very big file, and a non-standard version, which made it a bit harder to detect the specific lines that were inserted. And I don't like going over lines manually, so with a script I downloaded all the versions of jQuery and diffed all of them to find the specific additions that they made. And they're doing the same thing again: they're creating an iframe, injecting it into the host website and changing the IDs, with a few more target domains, 60,000 this time, 70,000 of them are in the Alexa top million. They're targeting all domain websites. Questions so far? One second, I can see you but not anyone else. Wait up. Yes? So the attacker actually shared the credit card number with the bot, right? Not the credit card number, but the affiliate ID. So you
have, you create an affiliate program, every kind of affiliate gets an ID, and in your website, when an affiliate drives traffic to your website, what you do is you take that parameter from somewhere, the query string or some of us, and you set the cookie on the user. So if the user leaves the site and comes back you will still consider him coming from the affiliate, and use it as the affiliate that you will share the commission with. I'm going to eBay, I'm completing a purchase, I went through your blog, through the blog I got to eBay, I left eBay, I came back, I still have the cookie for a certain time saying that I came from your blog. When I complete the purchase you get 1%, 2% commission from my purchase. So they're stealing that commission, they're actually stealing money from the real affiliate and from the company itself, because not all traffic is organic from affiliates, they're generating more traffic from affiliates. So that's what you're doing. More patience? Yeah, people download it, they just download it. It's uBlock, uBlock Plus, uBlock the best. Not really. Fact is we have a dozen of these and they're doing all kinds of tricks, so it's hard to attack them, and they will change the manifest to make it different. Nobody says you can't have any number of names you want. They don't care, it's embedded inside the Chrome extension. I don't think this case is an attack on the developer itself, it's an attack against the store. They're just injecting it, they're hiding it inside the file, it's harder to find the changes. It's well known, but there are a lot of versions, not all of them are official, that's how they did it. The previous one did it a different way, we have other examples, everybody doing it, hiding it in different ways. Okay, where are we on time?
I was in an ecommerce site. Well, the ecommerce website itself can do all kinds of checks against affiliates and see if traffic is organic, real or not real, where they're coming from. I'm going to touch on it a bit, to see if somebody is manipulating their affiliates. But they're working with CnC servers, they're constantly generating new affiliate codes, it's not the same code embedded forever inside the script, they're changing the affiliate codes all the time. All of them have CnC servers they're communicating with. Okay. The affiliate code should be issued by the owner of the service? Yes it is, it is, I just inject it. You have a huge website, it has thousands of affiliates, it doesn't really know any one of them personally. Think of Amazon, just sign up, you do not register officially, you just create a free program to use any affiliates. It's a very common practice, most big platforms in ecommerce have these kinds of programs, or networks that offer them to them as a program, so they can just attack the network and gain it against the entire network of affiliates. Okay, so we talked about a lot of the threats, let's talk briefly about how you can fight back, because I do want you to take something out of it which is not just "it's a problem". So first thing, let's just put a captcha. If it's not a human it's a bot, we put a captcha, we know it's not a bot. Well, I don't recommend it, for two reasons, they're written here so you already read them. You should do sales, and in terms of what we talked about so far, in losing sales you should do your own analysis of what costs more, but I think a 30% drop in conversion is a great, great impact. And the second thing is captchas are solved automatically, any one of them, Google reCAPTCHA the same thing, maybe a lower success rate, but it's very cheap to do it, even by human farms or anything. And this is important because let's go back, even not for the scalping where you say let's make sure it's a human, even in the scraping attacks we talked about in the first place, you will not put a
captcha on every page every time the user goes in to see a product page, nobody will browse your website besides the attackers. So I don't recommend using a captcha. Same thing, the invisible captcha can be bypassed by bots, that's what I mean, it will be bypassed. I understand what you're saying, but the fact is the attacker can bypass the invisible captcha, and if you actually want to try and present a real challenge you will present a captcha challenge which is not invisible, and that will hurt users. It's true, the invisible captcha is relevant, it's something, but it's not enough, otherwise I might not have a business, but I do, so it's not really solving the problem. 10 minutes, excellent. So first thing, really basic: log everything you do in a single place, from your web servers, from your application logs, from your e-commerce platform if you're using something specific, or sales or whatever, so you have one place where you can do the analysis of all the things we talked about, from somebody not completing their purchase, to their fee days, to adding items to the cart. You have to take it into account, because some of these attacks will hurt your business decisions and might not do any kind of real damage to your infrastructure. Those price scraping attacks or add-to-cart attacks, they won't hurt you financially, but you might make the wrong decisions on your website and how to place different items, all your A/B testing. Think of it as A/B testing with a 20% bias, it's not very effective. Obviously, track the specific path for the cart for any kind of spikes and anomalies. That will help you greatly in noticing there is actually an attack going against you. And the best option I can offer you is use a few lines of code: add a fake item to the page, another one of your items, add an item to the page and with JavaScript hide that item. What that will allow you, it won't tell you who the attacker is, because the attacker is going to come from a very distributed network, but it will tell you that you are
under attack. It will help you understand that it's something you do need to deal with and start working on. Use JavaScript to hide the item and don't do it by CSS, because the scrapers will know how to deal with it very quickly. So that would be the alert that you can add to your site and know that you are under attack. Any questions? And we talked about two levels of attackers, the primitive bots and the automation engines, so I'm going to cover briefly a few options for the primitive bots and then for the more advanced engines, things you should consider. First thing, look at your HTTP traffic, again on all your flow, to track all kinds of anomalies. You would have missing headers, you would have invalid values, you would have values of a language that says Russia and is coming from Israel, but with a very high number of strange things it will help you identify them. Track a legitimate flow: if you have a cart page and there are a lot of XHR calls in that page, and when you look at your logs you don't see them, you see only the action to add the item to the cart, you can understand that there is something going on with that attack. Maybe from that you were able to identify a specific signature or something like that, but this is a behavioural analysis that will help tell you what you are using with your pages and your cart. I do recommend looking at suspicious user agents, not only at Google, especially when we are talking about scalpers and other tools, you will find them everywhere. And don't rely on IP reputation, it really won't help you that much, it might actually just cause you false positives. And the last thing, again a few lines of code that you probably can't see, so validate the user is actually running JavaScript. This is very important. Why? Because if your user is not running JavaScript there is a very small chance he is actually human. Most of you don't disable JavaScript completely, and if you do you probably can't browse a lot of websites, so it's something to assume. And with that you
can use all kinds of things. You have a nice library on GitHub you can use for device fingerprinting, and try and use that to identify if somebody is manipulating you, maybe the same fingerprint is doing all the purchases as a scalper. A few tricks or ideas that you can do and from there move on. For example, Chrome Headless: Chrome hard-coded in the code, this says HeadlessChrome as the user agent, you can use that obviously. And you can do a lot more. It's zero, meaning there are no plugins installed in the browser. It doesn't necessarily mean it's a bot, but it's more likely that it's a bot, so it's again something you can use to read your analysis. Spoofed devices: if there is an orientation change like in a device and the user agent is Windows, who here is using Windows Phone? Excellent, so it's not Windows. So that's an example. And you have specific things like Phantom, which usually puts values on the window object, and you can use them to identify things like Phantom. A lot of materials out there, once you start reading you will find a lot of public research you can use. That's it. If there are any more questions... It's interesting, we are hiring. Sell to the right people: if it's a hype sale, for example, enough people want to buy the item, make sure you sell to those who you want to sell to. If it's a hoarding attack, stop the hoarder, make sure the item is available for sale and not being stuck in the inventory forever. Again, it comes to price scraping: if you manage to find it's an attacker it will have a lot of impact. First I talked about BI and analysis, but also in terms of competition: if your competitors match your pricing by a cent less, there's probably an attack around there, try to fight it. Yes, but what is the real solution for those? Because you need to fight this dynamically, and you need to realize that you have a horde attacking you and you need to decide very fast what you need to do. It's a real solution, you throw different things that a human cannot possibly do in real time. It's not for offline analysis, the
solution is to do it in real time, to do behavioral analysis in real time and to track who is actually doing it. That's what we sell, but this is not a sales pitch, this is what we do, this is what we fight. But these are items that you can take and see if you're under attack, if you have a problem. Sometimes with simple tools you talk to those attacking you, you don't have to go all out with everything against someone hurting you, depends on the use case. Yeah, any questions? I saw on some American websites they have an image which is kind of a captcha, it says enter the coupon code SUMMER and get 100% off. It's an absolute gain, I think that's a consumer gain, I don't think it's about defense, so obviously you need OCR to decode this if you're not a human. If you're human you say oh, I'm getting 100% off, and then the scalpers only see the higher price. Yeah, that's a nice idea. For the scrapers, you mean? Yeah, that's a nice trick, you can use that. Anything else? Thank you.
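The detection checks from the fight-back part of the talk (the JavaScript-hidden honeypot item, missing headers, add-to-cart without JavaScript having run, the HeadlessChrome user agent, zero plugins, an orientation event on a Windows user agent, and PhantomJS globals) combined into one server-side assessment, added as an example and not the speaker's code; the JSON log format, the honeypot path, the js_ok cookie name and the client-snapshot fields are assumptions, and the log lines are constructed.

```javascript
// Added example (not the speaker's code): assess one request on the cart path
// with the checks listed in the talk, then run it over a constructed log.
// Honeypot path, cookie name, snapshot fields and log format are assumptions.

const HONEYPOT_PATH = '/product/hp-000-demo'; // rendered in HTML, hidden by page JS
const JS_COOKIE = 'js_ok';                    // set by page JS; absent means no JS ran
const CART_ADD = '/cart/add';

// Signals from a snapshot the page script posts with the add-to-cart call:
// { userAgent, pluginCount, hasOrientationChange, windowGlobals }.
function clientSignals(client) {
  const s = [];
  if (!client) return s;
  const ua = client.userAgent || '';
  if (/HeadlessChrome/.test(ua)) s.push('headless-chrome-ua');
  // Zero plugins on a Chrome UA is weak evidence on its own, as the talk notes.
  if (client.pluginCount === 0 && /Chrome\//.test(ua)) s.push('no-plugins');
  // A desktop Windows UA that exposes a mobile-only orientation event.
  if (client.hasOrientationChange && /Windows NT/.test(ua)) s.push('orientation-on-windows');
  const globals = new Set(client.windowGlobals || []);
  if (globals.has('callPhantom') || globals.has('_phantom')) s.push('phantomjs-globals');
  return s;
}

// Signals from the HTTP request itself: path, headers, cookies, prior flow.
function requestSignals(req) {
  const s = [];
  const h = req.headers || {};
  const cookies = req.cookies || {};
  if (req.path === HONEYPOT_PATH) s.push('honeypot-hit');
  if (!h['accept-language']) s.push('missing-accept-language');
  if (!h['accept']) s.push('missing-accept');
  if (req.path === CART_ADD && !cookies[JS_COOKIE]) s.push('cart-add-without-js');
  if (req.path === CART_ADD && !req.sawProductPage) s.push('cart-add-without-product-view');
  return s;
}

function assessRequest(req) {
  const signals = [...requestSignals(req), ...clientSignals(req.client)];
  // A honeypot hit is decisive on its own; otherwise ask for two independent signals.
  const suspicious = signals.includes('honeypot-hit') || signals.length >= 2;
  return { signals, suspicious };
}

// Constructed JSON-lines log, one request per line, as a site would centralise it.
const SAMPLE_LOG = [
  '{"ip":"203.0.113.10","path":"/cart/add","sawProductPage":true,"headers":{"accept":"*/*","accept-language":"en-US"},"cookies":{"js_ok":"1"},"client":{"userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/58.0","pluginCount":3,"hasOrientationChange":false,"windowGlobals":[]}}',
  '{"ip":"198.51.100.7","path":"/product/hp-000-demo","sawProductPage":false,"headers":{"accept":"*/*"},"cookies":{}}',
  '{"ip":"198.51.100.8","path":"/cart/add","sawProductPage":true,"headers":{"accept":"*/*","accept-language":"en-US"},"cookies":{},"client":{"userAgent":"Mozilla/5.0 (Windows NT 10.0) HeadlessChrome/59.0","pluginCount":0,"hasOrientationChange":false,"windowGlobals":[]}}',
  '{"ip":"198.51.100.9","path":"/cart/add","sawProductPage":false,"headers":{},"cookies":{}}',
].join('\n');

// Counts per request, not per IP: the talk's point is that a scraping run is
// spread over many IPs used once, so a per-IP threshold sees nothing.
function scanLog(text) {
  const lines = text.split('\n').filter(Boolean);
  const ips = new Set();
  let suspicious = 0;
  let honeypotHits = 0;
  for (const line of lines) {
    const req = JSON.parse(line);
    ips.add(req.ip);
    const { signals, suspicious: flag } = assessRequest(req);
    if (flag) suspicious++;
    if (signals.includes('honeypot-hit')) honeypotHits++;
  }
  return { requests: lines.length, distinctIps: ips.size, suspicious, honeypotHits };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanLog(SAMPLE_LOG));
}
```

Any honeypot hit is the "you are under attack" alert the speaker describes; the other signals are for the follow-up analysis, and each one alone is expected to have false positives.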