By Jesse McKenna, Threat Researcher, RSA, The Security Division of EMC

A couple of months back, one of our customers, a very popular PC manufacturer, approached us because they had noticed a dip in their daily revenues and wanted some insight as to why. When we looked into the data collected by Silver Tail, we noticed that some customers were "stacking" multiple coupons onto items that were already on sale, resulting in much lower sale prices and, as a result, much lower revenues. The logic coded into the website allowed this behavior, but it was not the outcome the customer intended.

Business logic abuse is a type of fraud that is less commonly known but just as harmful and costly as any other form of web fraud. What makes business logic abuse popular is that it is generally not something a security process or application vulnerability scan would detect: the website is functioning as designed, without any security vulnerabilities, and the traffic does not exhibit unusual or malformed requests (as it would with SQL injection or XSS attacks). Instead, it occurs when criminals use the normal functionality of a web site in an unintended way, causing consequences that range from loss of data, revenue and customers to the tarnishing of an organization's brand.

Cyber criminals are continually finding holes in business logic because they understand that businesses tend to invest heavily in network-level and internal security and pay less attention to potential vulnerabilities in the otherwise benign logic of their websites. Unfortunately, vulnerabilities in business logic can have serious consequences. A recent study conducted by the Ponemon Institute found that 90% of IT professionals reported revenue losses due to business logic abuse. Business logic abuse can be as ubiquitous as password guessing and site scraping, or more complex, as the following examples illustrate.
In these scenarios, the fraudster usually has detailed knowledge of how your site works and where the flaws are. Whether in finance, e-commerce, government or healthcare, criminals have opportunities to exploit the business logic of nearly any website.

**Sweepstakes Gaming**

The marketing team for a website launches a sweepstakes to promote a new product or service. To enter, you just need to register a new account on the website and enter a code sent to you via email. From an attacker's perspective, this is easy money: flood the sweepstakes with entries and collect all the prizes. A simple script takes care of registering the accounts, randomizing the account details to be less obvious. From the perspective of the marketing team, it looks like a wildly successful campaign; just look at all the new accounts being registered! But once the campaign ends, the attacker walks away with all the prizes and all the new accounts vanish into dormancy. During one such attack at a large e-commerce site, attackers were able to "win" the entirety of the $400,000 prize fund.

**Inventory Freezing**

The best e-commerce websites are very cognizant of their users' experience. To make sure that users are able to purchase the items they want when they go to check out, the website removes the items in their shopping cart from the available inventory. That way, if you've virtually picked the item off the shelf and placed it in your cart, you get to buy it; no one can grab it from you. But what if, on the busiest shopping day of the year, your website is reporting that some of the most desirable big-ticket items are sold out, and yet no transactions are being completed? Competitors can exploit the shopping cart functionality by adding enough items to shopping carts that the items appear unavailable to legitimate customers, forcing them to purchase the item elsewhere. What was built to improve customer experience can open the door to attacks from competitors.

**Online Coupon Code Theft**

Have you ever tried to use an online coupon and received an error that the coupon has already been applied? That could very well be a result of business logic abuse. Cyber criminals guess coupon codes either to take advantage of the discounts themselves or to disrupt the reputation and customer experience of the target website. They guess codes using simple scripts designed to fly under the radar of traditional perimeter defenses like an IPS or WAF.

Whether using simple password guessing techniques or more complex forms of business logic abuse, cyber criminals are exploiting the lack of visibility into user behavior by using the legitimate functionality of websites in ways that were never intended. In these attacks, differentiating normal users from criminals is not something websites are generally equipped to do. The only way to separate customers from criminals is to provide security and fraud teams with real-time behavioral analytics and deep visibility into user behavior.
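The post closes on behavioral analytics, and both the sweepstakes gaming and coupon code theft scenarios come down to the same observation: the requests are individually legitimate, so the signal lives in per-client behavior over time. The following is an added example, not code from the post or from RSA Silver Tail, showing what that analysis looks like over a constructed sample log. The log format (timestamp, client IP, event name, key=value fields), the event names `coupon_apply` and `account_register`, and the thresholds are all assumptions; a real deployment would derive its thresholds from the site's own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log. Format (assumed): timestamp, client IP, event, key=value fields.
SAMPLE_LOG = """\
2013-03-05T10:00:01Z 203.0.113.5 coupon_apply code=SAVE10 status=invalid
2013-03-05T10:00:20Z 203.0.113.5 coupon_apply code=SPRING10 status=ok
2013-03-05T10:01:00Z 198.51.100.7 coupon_apply code=SAVE10 status=invalid
2013-03-05T10:01:02Z 198.51.100.7 coupon_apply code=SAVE15 status=invalid
2013-03-05T10:01:04Z 198.51.100.7 coupon_apply code=SAVE20 status=invalid
2013-03-05T10:01:06Z 198.51.100.7 coupon_apply code=SAVE25 status=invalid
2013-03-05T10:01:08Z 198.51.100.7 coupon_apply code=SAVE30 status=invalid
2013-03-05T10:01:10Z 198.51.100.7 coupon_apply code=SAVE50 status=ok
2013-03-05T10:02:00Z 203.0.113.9 account_register email=pat@example.com status=ok
2013-03-05T10:03:00Z 192.0.2.44 account_register email=u8f2k@example.net status=ok
2013-03-05T10:03:30Z 192.0.2.44 account_register email=q1zx9@example.net status=ok
2013-03-05T10:04:00Z 192.0.2.44 account_register email=m7pd3@example.net status=ok
2013-03-05T10:04:30Z 192.0.2.44 account_register email=t4ws2@example.net status=ok
2013-03-05T10:05:00Z 192.0.2.44 account_register email=k9hh1@example.net status=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>\S+)(?P<kv>.*)$")

# Assumed thresholds (hypothetical); tune against the site's own normal traffic.
COUPON_FAIL_MIN = 5        # rejected coupon attempts from one client
COUPON_FAIL_RATIO = 0.8    # rejected / all coupon attempts from that client
REG_BURST_MIN = 4          # registrations from one client inside the window
REG_WINDOW = timedelta(minutes=10)

Alert = Tuple[str, str, int]   # (kind, client ip, count)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
    fields.update(ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                  ip=m["ip"], event=m["event"])
    return fields


def detect(log_text: str) -> List[Alert]:
    """Group events per client and apply two behavioral rules:
    coupon guessing (mostly rejected codes) and registration bursts."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    alerts: List[Alert] = []
    for ip, events in by_ip.items():
        # Coupon guessing: a legitimate shopper mistypes once or twice; a script
        # submits many different codes and almost all of them are rejected.
        coupon = [e for e in events if e["event"] == "coupon_apply"]
        invalid = [e for e in coupon if e.get("status") == "invalid"]
        if len(invalid) >= COUPON_FAIL_MIN and len(invalid) / len(coupon) >= COUPON_FAIL_RATIO:
            alerts.append(("coupon_guessing", ip, len(invalid)))

        # Sweepstakes gaming: count registrations inside a sliding window per client.
        regs = sorted(e["ts"] for e in events if e["event"] == "account_register")
        for i, start in enumerate(regs):
            in_window = sum(1 for t in regs[i:] if t - start <= REG_WINDOW)
            if in_window >= REG_BURST_MIN:
                alerts.append(("registration_burst", ip, in_window))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Keying on the client IP is the simplest grouping and the easiest for an attacker to spread across addresses; in practice the same rules are run per session, per device fingerprint and per email domain as well, which is the "deep visibility" the post refers to. The normal shopper at 203.0.113.5, who mistypes one code and then succeeds, produces no alert.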
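The inventory freezing scenario above is a design problem as much as a detection one: a cart hold that is unbounded in size and lifetime is a free denial-of-inventory lever. The following is an added example, not code from the post or from any e-commerce platform it describes, showing a reservation ledger for one SKU that bounds each hold in both dimensions and counts holds that lapse without a purchase, so "sold out, yet no transactions" becomes a number a fraud team can alert on. The 15-minute hold lifetime, the two-units-per-customer cap and the SKU name are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed policy values (hypothetical, not from the post)
HOLD_TTL_SECONDS = 15 * 60      # a cart hold lapses after 15 minutes without checkout
MAX_UNITS_PER_CUSTOMER = 2      # per-identity cap on units of one SKU held at once


@dataclass
class Hold:
    customer: str
    qty: int
    expires_at: float


class SkuInventory:
    """Reservation ledger for one SKU. Holds are bounded in size and lifetime, and
    every hold that lapses without a purchase is counted as a behavioral signal."""

    def __init__(self, sku: str, stock: int, now: Callable[[], float] = time.monotonic):
        self.sku = sku
        self.stock = stock                  # physical units not yet sold
        self.holds: Dict[str, Hold] = {}    # customer -> active hold
        self.now = now                      # injectable clock for testing
        self.holds_expired = 0              # holds that lapsed without checkout
        self.holds_purchased = 0            # holds that converted into a sale

    def _expire_stale(self) -> None:
        t = self.now()
        for cust in [c for c, h in self.holds.items() if h.expires_at <= t]:
            del self.holds[cust]
            self.holds_expired += 1

    def reserved(self) -> int:
        self._expire_stale()
        return sum(h.qty for h in self.holds.values())

    def available(self) -> int:
        return self.stock - self.reserved()

    def reserve(self, customer: str, qty: int) -> bool:
        """Add qty units to the customer's hold; refuse if that would exceed the
        per-customer cap or the units genuinely available."""
        self._expire_stale()
        held = self.holds[customer].qty if customer in self.holds else 0
        if held + qty > MAX_UNITS_PER_CUSTOMER:
            return False
        if qty > self.available():
            return False
        self.holds[customer] = Hold(customer, held + qty, self.now() + HOLD_TTL_SECONDS)
        return True

    def checkout(self, customer: str) -> int:
        """Convert the customer's hold into a sale; returns the units purchased."""
        self._expire_stale()
        hold = self.holds.pop(customer, None)
        if hold is None:
            return 0
        self.stock -= hold.qty
        self.holds_purchased += 1
        return hold.qty

    def stale_hold_ratio(self) -> float:
        """Share of finished holds that lapsed instead of converting to a sale.
        A spike on a sold-out SKU is the 'sold out, nobody buying' pattern."""
        done = self.holds_expired + self.holds_purchased
        return self.holds_expired / done if done else 0.0


class FakeClock:
    """Deterministic clock for the simulation below (constructed, not a real dependency)."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_freeze() -> dict:
    """Five throwaway sessions hold all ten units; a real shopper is locked out
    until the holds lapse, and the ledger records what happened."""
    clock = FakeClock()
    inv = SkuInventory("TV-65IN", stock=10, now=clock)
    for i in range(5):
        inv.reserve(f"session-{i}", 2)          # 5 x 2 = 10 units held
    over_cap = inv.reserve("session-0", 1)      # cap refuses a third unit
    locked_out = inv.reserve("alice", 1)        # nothing available right now
    clock.advance(HOLD_TTL_SECONDS + 1)         # holds lapse with no checkout
    after_expiry = inv.reserve("alice", 1)      # shelf is open again
    bought = inv.checkout("alice")
    return {
        "over_cap": over_cap,
        "locked_out": locked_out,
        "after_expiry": after_expiry,
        "bought": bought,
        "holds_expired": inv.holds_expired,
        "available": inv.available(),
        "stale_ratio": inv.stale_hold_ratio(),
    }


if __name__ == "__main__":
    print(simulate_freeze())
```

The cap limits what one identity can freeze, the lifetime limits how long any freeze lasts, and the stale-hold ratio is what separates a genuine sell-out (holds convert) from an inventory freeze (holds lapse). Splitting the holds across many throwaway sessions, as the simulation does, defeats the cap but not the other two controls, which is why the ratio is tracked per SKU rather than per customer.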
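The coupon stacking incident that opens the post is the clearest case of "the site did exactly what it was coded to do". The following is an added example, not code from the post or from the PC manufacturer's site, contrasting a permissive pricing routine that honours every submitted coupon with one that encodes the rules a merchant usually intends: at most one exclusive coupon, sale items excluded unless a coupon says otherwise, and a hard floor under the final price. The coupon codes, prices, 40% floor and the `stackable` / `applies_to_sale_items` attributes are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import List, Optional

# Assumed policy constant (hypothetical, not from the post)
MIN_PRICE_RATIO = Decimal("0.40")   # never sell below 40% of list price


@dataclass(frozen=True)
class Coupon:
    code: str
    percent_off: Decimal                 # Decimal("20") means 20% off
    stackable: bool = False              # may be combined with other coupons
    applies_to_sale_items: bool = False  # may be used on an already discounted item


@dataclass(frozen=True)
class CartLine:
    sku: str
    list_price: Decimal
    sale_price: Optional[Decimal] = None   # None when the item is not on sale

    @property
    def on_sale(self) -> bool:
        return self.sale_price is not None and self.sale_price < self.list_price

    @property
    def unit_price(self) -> Decimal:
        return self.sale_price if self.on_sale else self.list_price


def _money(value: Decimal) -> Decimal:
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def _apply(price: Decimal, coupons: List[Coupon]) -> Decimal:
    for c in coupons:
        price = price * (Decimal(1) - c.percent_off / Decimal(100))
    return price


def price_permissive(line: CartLine, coupons: List[Coupon]) -> Decimal:
    """The behaviour behind the revenue dip: every submitted coupon is honoured,
    sale items included, and the discounts compound without limit."""
    return _money(_apply(line.unit_price, coupons))


def select_coupons(coupons: List[Coupon]) -> List[Coupon]:
    """Stacking rule: all stackable coupons may combine, plus at most one
    exclusive coupon (the best one, so the customer is not short-changed)."""
    stackable = [c for c in coupons if c.stackable]
    exclusive = [c for c in coupons if not c.stackable]
    chosen = list(stackable)
    if exclusive:
        chosen.append(max(exclusive, key=lambda c: c.percent_off))
    return chosen


def price_with_policy(line: CartLine, coupons: List[Coupon]) -> Decimal:
    """Server-side pricing that encodes the intended business rules:
    stacking limit, sale-item exclusion and a floor on the final price."""
    usable = [c for c in select_coupons(coupons)
              if c.applies_to_sale_items or not line.on_sale]
    price = _apply(line.unit_price, usable)
    floor = line.list_price * MIN_PRICE_RATIO
    return _money(max(price, floor))


# Constructed sample data
COUPONS = [
    Coupon("SAVE20", Decimal("20")),     # exclusive, full-price items only
    Coupon("SAVE15", Decimal("15")),     # exclusive, full-price items only
    Coupon("STUDENT10", Decimal("10"), stackable=True, applies_to_sale_items=True),
]
LAPTOP = CartLine("LAPTOP-15", list_price=Decimal("1000"), sale_price=Decimal("800"))
MOUSE = CartLine("MOUSE-USB", list_price=Decimal("50"))


def compare(line: CartLine, coupons: List[Coupon] = COUPONS) -> dict:
    """Return both prices so the gap between 'as coded' and 'as intended' is visible."""
    return {"permissive": price_permissive(line, coupons),
            "policy": price_with_policy(line, coupons)}


if __name__ == "__main__":
    for item in (LAPTOP, MOUSE):
        print(item.sku, compare(item))
```

With the three sample coupons the permissive path sells the $800 sale laptop for $489.60, while the policy path applies only the sale-eligible student coupon and lands at $720.00. Running both functions side by side against the day's orders is also a cheap way to quantify a stacking problem after the fact: the sum of the differences is the revenue the logic gave away.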
Jesse McKenna leads the Threat Research efforts within RSA Silver Tail. He has spent the past ten years creating detection systems for some of the world's largest websites. His experience spans fraud, business logic abuse, account compromise, money laundering, collusion, brand risk, cross-site scripting, malware, and everything in-between.
