Anatomy of Business Logic Attacks
Today we published our second Web Application Attack Report (WAAR). The full version is available here (no reg required).
Last report we described the most common attacks against applications which included SQL injection, Local File Inclusion, Cross Site Scripting and Directory Traversal. This time we added Business Logic Attacks. Here's an excerpt from our WAAR detailing the nature of attack.
Business Logic Attacks
A Business Logic Attack (BLA) is an attack which targets the logic of a business application. “traditional”, technical, application attacks contain malformed requests. On the other hand, business logic attacks include legitimate input values. This lack of unusual content attributes makes a business logic attack difficult to detect. BLAs abuse the functionality of the application, attacking the business directly. A BLA is further enhanced when combined with automation, where botnets are used to challenge the business application.
BLAs follow a legitimate flow of interaction of a user with the application. This interaction is guided by an understanding of how specific sequences of operations affect the application’s functionality. Therefore, the abuser can lead the application to reveal private information for harvesting, allocate her a disproportionate amount of shared resources, skew information shared with other users, etc. The motivation for BLAs is that the attacker can convert these effects to monetary gains. We followed two types of BLAs: email extraction and comment spamming.
Email Extraction
Email extraction (also called email scraping) is the practice of scanning web applications and extracting the Email addresses and other personal contact information that appear in it. These emails are then used for promotional campaigns and similar marketing purposes. Email extraction is one of several activities that harvest data from web applications against the intent of the data owners and the applications’ administrators.
On average there were 20000 such attacks each month, but clearly there was a peak of activity during September-October and much lower activity during other months:
Email extraction is a “grey area” practice: attackers earn easy money by selling information extracted illegitimately from web applications. The attack does not exploit vulnerabilities in the application. Rather, the data is extracted by automatically scanning the targeted application, while imitating a user’s browsing activity. To speed up the attack and avoid black listing, several scans are run concurrently using web proxies.
Email extraction is offered on the web both as an online service (i.e., “pay on delivery”) and as software tool for download. The notorious “Beijing Express Email Address Extractor”, a software tool freely available on the web, was responsible for over 95% of the Email Extraction activity we identified. Usage of the commercial software Advance Email Extractor was also seen in the traffic. This is the Beijing Express Email Address Extractor:
Hosts that sent Email extraction traffic to the observed application had very unusual geographic locations: Of the 9826 hosts, 3299 (34%) were from Senegal and 2382 (24%) were from Ivory Coast. Other unusual countries (Thailand, Malaysia, Ghana and Nigeria) were also prominent in the list of attacks’ geographic sources. Obviously, attackers are hiding their tracks by employing remote and perhaps less monitored hosts for this attack type.
Comment spamming is a way to manipulate the ranking of the spammer’s web site within search results returned by popular search engines. A high ranking increases the number of potential visitors and paying customers of this site. The attack targets web applications that let visitors submit content that contains hyperlinks: the attacker automatically posts random comments or promotions of commercial services to publicly accessible online forums, which contain links to the promoted site.
Comment spamming is based on automatic tools that masquerade as a human that surfs the web, but with a “hidden agenda” of leaving traces of good feedback (in various forms) to promoted sites. The observations from the last 6 months show a long term trend of growth in traffic related to comment spam. It should be emphasized that not all of this traffic contains the actual spam – the automatic tools must interact with the application like a user (for example, find a forum for posting data, register as a user, login and find a popular thread for posting the spam) before actually injecting the spam link into the site. The volume of traffic associated with comment spamming is:
We have observed several variants of comment spamming within the monitored traffic. For example:
- The spammer posted comments to an application’s web forum. In some of these posts the Referer HTTP header was a URL of a Facebook page promoting specific prescription drugs were given in posts. This URL would show up in the spammed site’s logs, increasing the ranking of the promoted site in search engine results. (See picture below).
- The spammer promoted the reputation-based ranking of specific answers in a discussion forum. In this application, experts answer questions posted by users. Answers and experts are ranked and displayed based on users’ feedback (e.g. based on correctness and usefulness). By artificially increasing the good reputation of specific answers, this promoted content becomes more visible.
An unusual attribute of the observed Comment Spamming attacks is the geographic locations of the involved hosts: Hosts from Russian Federation, Ukraine, Latvia and Poland were very active in this sort of attack. We note that this phenomenon was also detected by other researchers through other means.
Comment spamming can be tricky to identify, since a large part of the spammers traffic looks no different than the traffic generated by an innocent user. Good indications of potential malicious activity of this kind are black lists of User Agent values and hosts’ IPs, based on activity observed in many applications. Generic indications of automatic attacks, like high rate of requests and missing HTTP headers that are normally sent by browsers, are relevant as well.
One of the mechanisms used by applications to defend against comment spammers is CAPTCHA challenges, which require the user to visually identify a specific text within a non-trivial image. We have observed attempts by automatic tools to answer these challenges, probably using a predefined pool of responses to challenges. Even if these attempts are mostly unsuccessful, with enough retries the automatic spamming tool has a chance to eventually get the answer right and complete its spamming task.
