Business logic abuse attacks: undetected threats costing UK businesses precious revenue

Opinion by Jason Steer

In a world where a lot of business transactions now take place online, cyber criminals are posing a real risk to businesses' annual revenue.


In fact, in a recent survey commissioned by Silver Tail Systems and carried out by the Ponemon Institute, UK businesses reveal that they are losing more than five per cent of their annual revenue due to business logic abuse attacks.

The ‘2012 Web Session Intelligence & Security Report: Business Logic Abuse Edition’ study went on to find that despite today's tough economic climate, when businesses really can't afford to make mistakes, 90 per cent lost revenue in the last 12 months due to the financial or brand impact of these types of attacks.

Business logic abuse, more commonly referred to as ‘precision hacking’ or ‘internet fraud’, results from criminals discovering a flaw in the workings of a website and using it to steal money or confidential information, or to exploit the system for illicit gains.

These attacks can take many forms including web scraping, account hijacking, click fraud and testing stolen credit cards just to name a few. Today the most common business logic abuse scenario is web scraping. This is when a cyber criminal obtains confidential information contained on the public pages of a company's website, such as price or inventory lists. A script is developed to go page by page on a public site without the company's knowledge to source the information automatically.

However, although this type of attack is the most common, the hardest form to identify is app store fraud. The target is any company that has an app store/marketplace providing access to products and instant rebates. Criminals masquerade as a merchant and a buyer to manipulate the open platform for financial gain, cashing in on rebates and earning points from credit card incentive programs.

The recent ‘Eurograbber’ bank fraud malware campaign demonstrates how serious the implications of business logic abuse are. It also proves that it's not just the small companies, who are perhaps less equipped to deal with internet fraud, that are falling victim.

All companies that have an online presence are susceptible including e-commerce, government and financial institutions. Geographical location too is irrelevant as the exact same study was carried out in a similar time frame in the US and the results found were very similar.

Worryingly, there has been a significant rise in the number of these types of attacks in recent years, with over a third of businesses experiencing more than ten separate incidents in the past 12 months.

As a result, 88 per cent of UK businesses recognise that business logic abuse is at least on a par with other security issues and in some cases more important. Attacks are also increasing in sophistication, resulting in business logic abuse that is extremely difficult to detect. The majority of IT practitioners report difficulties in distinguishing between real customers and criminals accessing the website.

Repercussions of business logic abuse attacks include system downtime, lost revenue, disgruntled customers and long lasting damage to the brand and its reputation, as companies struggle to remediate the effects of an attack. More than a fifth of companies questioned admitted it can take more than a day to fix the damage caused, during which time the company is potentially losing not only revenue but also its good reputation.

Despite this, the majority of organisations are not making business logic abuse a priority. The survey found that one of the key issues is that there is no clear assignment of responsibility for reducing the risk of the attacks, hence the lack of priority. Surprisingly, almost a third believe the CIO is responsible.

Insufficient resources are also an obstacle when it comes to companies protecting themselves against the attacks. Only one in three believe their company is vigilant in monitoring websites for this threat, citing a lack of sufficient technologies (67 per cent), budget (76 per cent) and personnel (66 per cent) as barriers to tackling the issue.

As a first step, companies need to assign responsibility for website security to an individual or team within the organisation. Companies need to ensure they also have sufficient in-house personnel to minimise business logic abuses.

Establishing a partnership between website developers and IT can also help make sure a prevention and detection strategy is in place as well as enforced.

It's important to put a strategy in place including how to deal with the attacks, but also how to spot them and prevent them in the first place. The strategy needs to minimise the risk but at the same time not frustrate legitimate customers. The last thing an organisation wants is to drive customers away with too many barriers that make it difficult for a customer to navigate the website and make purchases.

UK businesses need real-time visibility and intelligence to understand the nature of their web traffic. Much like a thief in a physical shop behaves differently to a normal customer, web fraud can be detected by watching clicks on websites and spotting unusual behaviour and patterns. Another key vulnerability is a business partner whose own website is open to business logic abuse. Organisations need to inspect and test business partner websites as well as their own.
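The behavioural detection described above, and the page-by-page scraping scenario described earlier, can be made concrete with a small detector run over access-log lines. The example below is added here and is not code from the article or from Silver Tail Systems; it assumes a combined-log style line format, constructs its own sample traffic (a shopper browsing at human pace and a script walking the catalogue once a second), and uses illustrative thresholds (more than 20 requests in a 60-second window, or 10 or more strictly consecutive `?page=N` values) that a real deployment would tune against its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined-log style line; the format is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)
PAGE_RE = re.compile(r"[?&]page=(\d+)")


def parse_line(line):
    """Parse one access-log line into ip, timestamp and request path (None if malformed)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path")}


def analyse_client(requests, window=timedelta(seconds=60), max_per_window=20, min_sequential=10):
    """Score one client's time-sorted requests for crawler-like behaviour.

    Two indicators: the peak number of requests inside any sliding window, and the
    longest run of strictly consecutive ?page=N values. Thresholds are assumed
    values for the example, not tuned figures.
    """
    times = [r["ts"] for r in requests]
    peak = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)

    pages = [int(m.group(1)) for m in (PAGE_RE.search(r["path"]) for r in requests) if m]
    longest = run = 1 if pages else 0
    for prev, cur in zip(pages, pages[1:]):
        run = run + 1 if cur == prev + 1 else 1
        longest = max(longest, run)

    return {
        "requests": len(requests),
        "peak_requests_per_window": peak,
        "sequential_pages": longest,
        "flagged": peak > max_per_window or longest >= min_sequential,
    }


def flag_suspicious(log_text, **thresholds):
    """Group log lines by client IP and return per-client indicators."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    return {ip: analyse_client(sorted(recs, key=lambda r: r["ts"]), **thresholds)
            for ip, recs in by_ip.items()}


def _line(ip, offset_seconds, path):
    """Build a constructed log line at a fixed base time plus an offset."""
    ts = datetime(2013, 1, 10, 10, 0, 0) + timedelta(seconds=offset_seconds)
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 5120'


# Constructed sample traffic (documentation-range addresses): a shopper browsing
# at human pace, and a script walking the catalogue page by page once a second.
SHOPPER = "203.0.113.20"
SCRAPER = "198.51.100.7"
SAMPLE_LOG = "\n".join(
    [_line(SHOPPER, 0, "/catalogue?page=1"),
     _line(SHOPPER, 90, "/product/42"),
     _line(SHOPPER, 190, "/catalogue?page=2"),
     _line(SHOPPER, 300, "/basket"),
     _line(SHOPPER, 390, "/checkout")]
    + [_line(SCRAPER, n - 1, f"/catalogue?page={n}") for n in range(1, 31)]
)

if __name__ == "__main__":
    for ip, info in flag_suspicious(SAMPLE_LOG).items():
        print(ip, info)
```

The two indicators are deliberately independent: a slow crawler that paces itself under the rate threshold still exposes itself by enumerating pages in order, while a burst of unrelated requests trips the rate check alone. Neither signal is proof of fraud on its own, which is why the function returns the indicators alongside the verdict rather than a bare yes or no, so an analyst can weigh them against what a legitimate customer on that site normally does.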

Jason Steer is a solution architect EMEA at Silver Tail Systems
