Research Saturday 8.24.19
Ep 99 | 8.24.19

Gift card bots evolve and adapt.

Transcript

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:01:13] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything - all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.

Jonathan Butler: [00:01:52] Typically, when you get a gift card, there's usually - it depends on the vendor, but sometimes there will be, like, a registration process.

Dave Bittner: [00:02:01] That's Jonathan Butler. He's the technical account team manager at Distil Networks, part of Imperva. The research we're discussing today is titled, "GiftGhostBot Attacks Ecommerce Gift Card Systems Across Major Online Retailers."

Jonathan Butler: [00:02:14] But at that point, once it's registered, or if it's already pre-registered, once you've purchased that and the cashier has approved and all of that, I mean, it's more or less money in the pocket for you to then go and buy products or services from that particular retailer.

Dave Bittner: [00:02:30] And that's tied to the number on the gift card.

Jonathan Butler: [00:02:33] Exactly. So, just like a credit card, these gift cards will have an integer, a number on the back, like sixteen digits, that more or less identifies that card to the actual money sitting behind it. And then there will usually be like a PIN associated to it, to additionally validate those funds.

Dave Bittner: [00:02:54] Okay. I was gonna ask you about the PIN, because unlike a credit card, for example, there's no expiration date or - I was thinking about numbers that have to match up for it to be able to work.

Jonathan Butler: [00:03:07] Yeah, exactly. So when you go to, you know, validate the funds on this card, the systems are gonna be able to read those digits and then validate against that with the additional PIN that you can feed in on that thing, like a CID PIN or something like that. So that's how it's doing the validation to access the funds.

Dave Bittner: [00:03:28] I see. So the folks who are trying to hack this system, how are they going about that?

Jonathan Butler: [00:03:34] So it's interesting because, you know, as a hacker who - you know, me with the gift card in hand, right, I'm not malicious. I'm gonna use that gift card and buy products and services with it at the retailer. But for an attacker, you know, an adversary who sees me as a target with the gift card, he or she won't necessarily know the number that associates to those funds off top of head, right?

Dave Bittner: [00:04:03] Mm-hmm.

Jonathan Butler: [00:04:03] So it ends up forcing this play by the adversary to effectively have to come up with guesses of those numbers.

Jonathan Butler: [00:04:12] And so what ends up happening, and where bots come into this whole space, is that that adversary will go and write a bot - or effectively a script - that can go and target these, you know, check balance services on a retailer site, and just start guessing, you know, hundreds, thousands, upwards of millions if it's long enough and they've got the scale and support to do that. They can just start brute force guessing with no real rhyme or reason, but eventually, if they get enough guesses, the probability starts to increase drastically that they'll be able to more or less guess my card. And once they access it, they'll have full access to it to those funds.

Dave Bittner: [00:04:57] And so if they're guessing that number, are they also guessing the PIN as well?

Jonathan Butler: [00:05:03] Yeah, exactly. So they're going to do the same enumeration process over both the card and the PIN as well. So they'll have the card number, and then they can just randomize and just start guessing at scale the PIN number as well, and eventually crack that.

Dave Bittner: [00:05:18] Hmm. Now, from the retailer point of view, I mean, I put this functionality on my website as a good gesture of customer service to the folks who are buying these gift cards - what am I going to see on my end?

Jonathan Butler: [00:05:31] On your end, you would just see - you know, assuming you have the proper monitoring in place of your systems - you wouldn't necessarily know if it's a malicious request or not, short of you'd probably start seeing a bunch of validation requests coming in, right? So if you're looking at your traffic logs, you're going to see a huge spike on, you know, the particular application call that goes and does that gift card balance look up, right? And so, when we see these attacks, that's typically what's happening. What cues it and gives it away is that the chart or the traffic logs will see a large surge particular to those calls.

Jonathan Butler: [00:06:06] And so, for retailers, it's really important to have in general just heightened visibility into some of the critical application functionality that you know will be a high value target for bot writers. So, in this case, it'd be, you know, hey, I'd go to the site, I have my gift card, I do a quick search, how can I check my gift card balance? Go to the page, you'll put your numbers in, and when you click "submit" or "check my balance," that's sending a call to the application behind the scenes where it's delivering the number and the PIN to the application. The application gets that, feeds it back to the client, says, hey, here's your balance. 

Dave Bittner: [00:06:45] Mm-hmm.

Jonathan Butler: [00:06:44] And so, what you're really looking for is that surge in traffic on those particular validation requests or the balance check requests.

Dave Bittner: [00:06:54] And that would be pretty clear - if the bots started targeting you, and you were looking at these logs, chances are you would know it?

Jonathan Butler: [00:07:03] I would say so. Obviously, it's all situational, but typically you're not seeing a ton of traffic on those types of pages relative to what a bot writer is going to be doing to that thing. So you would expect a relatively low and stable volume and usually the traffic patterns of these things is, you know, very predictable, right? Like it's going up and down, with the peaks, you know, the on and off peaks of the website. Whereas when a bot writer comes in and runs their script against the site, you're going to see that thing just go up very drastically and anomalously.

Dave Bittner: [00:07:40] Well, let's dig in to the research that you all did here, specifically with GiftGhostBot. Describe to us - how are they going at these things?

Jonathan Butler: [00:07:50] How they're going about them is, in the GiftGhostBot scenario, what we found is that this was a very coordinated attack that targeted more than one retailer. So, that alone implies that there was research and coordinated effort behind this thing. And so, you know, we had a particular customer call us and actually say, hey, thanks, you guys are more or less keeping this functionality alive on our site. And when we dug into that more and more, we had realized that, hey, vendors - those, particularly, not being protected by Distil - were actually having to shut down that particular functionality on the application because it was becoming such a costly affair for them. It's such a high value target.

Dave Bittner: [00:08:38] Now, is that - are they effectively being DDoS'd by the number of requests that they're getting, or is it that so many gift cards are being compromised, or a little of both?

Jonathan Butler: [00:08:50] I think it's a little bit of both. So in the bot world, when you're talking about defending an application against it, it's very much, you know, human in nature, the way they respond. Right? If they're having success, and you put defense in front of them, it's very likely that they're going to - you know, it's like poking the bees' nest of sorts - it's going to almost stir that botnet to spin up even more traffic. And so that's what we saw throughout the course of the GiftGhostBot attack, is that as we started putting more and more incremental defenses in front of this thing across all the different properties, it actually was evolving throughout the course of the attacks.

Jonathan Butler: [00:09:34] So, very early on in these observations, it was very primitive, right? It wasn't doing a lot of things to necessarily obfuscate itself. And as it started to have, you know, marginal success, we ended up having to throttle our defenses and put more and more advanced and sophisticated signatures in front of it. And as a result, we saw this thing evolve where it's distributing itself over more and more IPs, it started spoofing the browsers that it said that it was. It even went from going to desktop browsers over to mobile.

Jonathan Butler: [00:10:10] And really interestingly, what we saw is that there were actually channels within the broader attack that was suggestive that there was more than one kind of player involved here. So, over the evolution of the attack, we saw simplistic efforts kind of come and go, both early in the phases of it and then coming back on the back end of it. And then the sophistication levels were kind of throttling and kind of grouped into a few different core behaviors over the course of this thing. So it was just really interesting to see how not only was it a researched and coordinated attack from the fact that it was just targeting many retailers - and particularly what we saw was in the clothing and fashion space - but that there might have even been multiple players involved, where everyone's kind of bringing their own tactics to the table.

Dave Bittner: [00:11:07] Interesting. And explain to me the significance of them switching to iPhone and Android user agents. What's the background on that, and why does that matter?

Jonathan Butler: [00:11:21] Yeah, so it matters because the most important and fundamental concept to - when you get into organized bots, right, like, we're not talking about the person who goes and writes a bot to pull down the weather for the day, or some recreational hobby - when you get into people who are writing bots for professional reasons, whether malicious or non-malicious, it's all incentivized by money, right? It becomes an actual operation that involves investment, both in time, effort, and research. And what happens is, in the defense against really advanced and sophisticated actors, it's not always about stopping every single request, but it becomes more about how do you thwart their ability to operationalize and make a business off of this?

Jonathan Butler: [00:12:13] And so, what we saw is that as the defenses were put in place of them, they actually had to invest more time, more effort, and more research into detecting these, you know, figuring out these detection tactics on our side. But more importantly, it forced them to have to evolve and move from desktop to mobile. And that actually increases the cost of operations for them just because those are more expensive devices to get a hold of.

Jonathan Butler: [00:12:43] And so, what ends up happening is, as they evolve, you're actually forcing the cost of their operations to go up. And, you know, again, for very advanced and persistent actors, if you can force that bottom line to a point where it almost makes the whole effort or operation pointless, you almost discourage the motivation to a point where they're going to go away.

Dave Bittner: [00:13:11] Hmm.

Jonathan Butler: [00:13:11] So, it's a pretty interesting phenomena that we see oftentimes in the bot space, is that if there is enough of a financial incentive behind these things, they're never going to go away. And there's correlations to why that could happen. You know, if you're the only person who has that particular dataset, or you're just a high value target that particularly happens to hold very valuable datasets, you know, that you start to correlate the persistence and advanced natures of these attacks to that type of thing. In this case, with that GiftGhostBot, I mean, this was a direct pipeline into being able to validate very real money that can be in turn either resold or leveraged in financial transactions as a real medium to get very real goods and services in the world.

Dave Bittner: [00:14:04] I suppose from the retailer's point of view, obviously, it would be great to shut down these bots altogether, but, you know, selfishly, if I just make it harder for them to come at me than the store down the street, that's a good outcome for me as well.

Jonathan Butler: [00:14:22] Yeah, so, the security world is a really interesting one, in that defense can be relative, especially in the bot space, right? If you build your defenses just slightly better than the competitor down the street, you've more or less made it extra difficult to go after you. And so we do see this behavior where bots tend to go towards the path of least resistance that still allows them to accomplish their goal. So, you putting out even, you know, medium effort, medium level defenses, and if your competitor or competitors don't have those, you've really secured yourself from being less of a target for those bot writers.

Dave Bittner: [00:15:08] Can you give us some insights - on a high level, when you all are protecting an organization against bots, what's going on there? How are you blocking the bots but still allowing the normal legitimate users to get through?

Jonathan Butler: [00:15:26] Yeah, so for Distil, now Imperva, the way our bot detection system is built is that, when a client makes a request to an application, we're doing a series and multilayered interrogation against that client to ultimately make a decision around, hey, are you human or not? And so, some of those interrogation steps get down to very simplistic things like, hey, is your user agent legitimate? Are you coming from a valid source or are you coming from like a hosting center? You know, are you just doing something that you otherwise shouldn't? All the way into more advanced stuff like, hey, are you running a JavaScript engine? And even as the space has evolved and progressed, we're doing more and more algorithmic and probabilistic decision making via machine learning of whether the behaviors themselves are suspect.

Jonathan Butler: [00:16:23] And so all of this decision making is happening in real time, on every request, very seamlessly. And so, when our customers are leveraging our platform and technology to effectively protect their applications and endpoints, you know, we're more or less running those interrogations and making very real-time programmatic decisions that ultimately know how to siphon out the bot traffic, while still allowing someone who's just going to the site non-maliciously and there to help promote and generate revenue for that business, you know, those types of users won't be impacted.

Dave Bittner: [00:17:06] So, what are your recommendations for the retailers in order to best protect themselves? What sort of steps can they put in place?

Jonathan Butler: [00:17:15] I think first things first. It just comes down to sitting down and looking at all of the functionality of the web application and making sure that the business units are very tightly connected at the hip with the security teams of those organizations. Even into today, I think a lot of organizations see security as kind of second to growth of the business. You know, revenue preservation, all of these things that are very, obviously, friendly for the business. And security's always kind of taken the back seat, short of those early adopters and kind of pioneers in the space. And more and more we're starting to see that organizations are realizing the severity of and true damage of these cybersecurity attacks and things like that.

Jonathan Butler: [00:18:01] So, I think first things first. It's just sitting down and taking a mature posture on security practices within your Web applications and mobile applications, and making sure that when you guys roll out these new functionalities, that they're being really considered and understood at that cybersecurity layer, where, yes, it may be a good thing for the business - you know, exactly the example for this GiftGhostBot attack is the people behind that functionality are probably thinking, hey, this is a huge win for our team, you know, no more do people have to call in and ask a person at the support desk what the balance is, but it's actually, hey, I can just go to the website, very seamlessly interact with the application to get a validation of my balance and move on.

Jonathan Butler: [00:18:54] But when you do that, when you introduce that functionality on the website, you end up now allowing someone to directly talk to your database of gift cards and more or less get creative and come up with scripts to, you know, guess these balances and cash out and fraudulently steal money from your customers. So I think it just starts with having a mature cybersecurity posture on security and making sure that the business teams are very in lockstep with the security team.

Jonathan Butler: [00:19:27] And I think more tactically, I would just make sure that the security teams are constantly scanning the web applications and, you know, looking for anomalous behavior in the logs that they have available and making sure the tooling is giving them insight into those types of attacks. And obviously, as the security space evolves and new problem sets arise, you know, just doing some education around it and talking with vendors, it's always a really healthy thing to stay on top of this stuff.

Dave Bittner: [00:20:02] Is there anything to be gained by doing any kind of rate limiting or things like that to, you know, keep it within the range of normal requests you would expect, but to keep these high volume requests from being able to go through?

Jonathan Butler: [00:20:18] I think that that's really where it gets interesting and where the problem set really starts to get complex, is that, you know, a person looking at this who may not have boots on the ground and, like, their nose close to the grindstone sees it as, hey, this is a huge flood of traffic - how come we can't just rate limit this or put barriers around how many requests that a client or a user can make? The reality is that, you know, with a WAF, like a web application firewall, well, it all boils down to how the system is detecting an individual user. And if the adversary can spoof and obfuscate their identity with relative ease, the idea of rate limiting against these types of attacks gets really hard. And that's really where a bot detection system is coming in and able to do more granular identification to truly say, hey, I know you're doing all this stuff to obfuscate your behavior, but I still know that you are you, and the rate limiting becomes a lot more effective.

Jonathan Butler: [00:21:25] So, it is good practice to have rate limiting in place, and particularly around these types of application functionalities. But when you get into advanced bot attacks, these are people who have done their research and reconnaissance efforts on your applications to more or less know how to beat and circumvent those types of rate limit measures. It's just a constantly evolving space, and I think in the next five years, the bot space will continue to evolve and it's gonna be a very interesting sector to be in. And it's something that a lot of companies who have serious revenue invested in their online presence, their web applications, they should be legitimately concerned about and making sure that they're keeping their security practices and protocols and tools up to par with what every day is an evolving space.

Dave Bittner: [00:22:22] Our thanks to Jonathan Butler from Distil Networks for joining us. The research is titled, "GiftGhostBot Attacks Ecommerce and Gift Card Systems Across Major Online Retailers." We'll have a link in the show notes.

Dave Bittner: [00:22:35] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security or connect with them on Twitter or Facebook.

Dave Bittner: [00:22:44] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.