
Year after year, the bank becomes a special factor in the results of “The Standoff” at PHDays. In 2017, hackers managed to withdraw more money from the bank than it had. In 2018, the success of the final attack on the bank, carried out while we had switched the antifraud off (as planned by the organizers), secured the victory for one of the teams.
Every year, the bank's security systems in the virtual city F repel thousands of attempts to withdraw money from the accounts of “peaceful” residents, but each time these attempts look more like brute-forcing the banking API than like attempts to bypass the antifraud system, which every attacking team knows is there.
This short note is about the trends that can be seen when comparing the attackers with the “law-abiding citizens” of The Standoff. It is also a modest hint to the attackers, although it will probably go unread in these tense last days of preparation for all participants :)
To determine whether an event is legitimate, be it a mere visit to the bank's page or an attempt to make a payment, you essentially need to find out who is behind the action. That actor can be viewed through three groups of metrics:
- Static characteristics of the actor.
- Its behavioral model.
- The overall picture of the whole bank's operations during the event.
Statics
Here the attacking side always has the advantage: everyone is behind NAT, so the chances of identifying an actor and working out who operates from which IP address are extremely small. The defense is completely deprived of the ability to block suspicious network segments.
It is worth noting here that attackers mostly use bots to withdraw money, which, together with the large number of legitimate bots run by the PHDays organizers, turns the problem into one of telling a legitimate bot apart by the characteristics of its operations.
Dynamics
This is where the first filter for screening out simple attacks on the bank lies. As soon as a burst of high-frequency events comes into view, the activity of that source is put on a list for special monitoring.
Here is an example comparing the frequency characteristics of attacking and legitimate bots (the coefficients and some of the parameters, here and below, have of course been altered).

The graph clearly shows that the attackers did not pass the plausibility check, to say nothing of the fact that no human could perform operations at such speed through the web interface.

This graph shows that adding just one more parameter, the transaction amount, makes identifying the fraudsters an even simpler task.
Overall picture
Now a little about how all this looks from the point of view of the bank as a whole, or more precisely, what distinguishes normal bots from the attackers' bots, which is where profiling works well.

As can be seen, extremely simple statistics on how sources are bound to accounts lead to an unambiguous separation of legitimate and fraudulent activity.

And on this graph, all the attackers' bots but one fall squarely within the detection conditions; only one team managed to write a slightly more original algorithm, which, on the whole, still does not come close to the examples of legitimate activity.
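The three checks discussed above (request frequency, the extra amount parameter, and how a source is bound to accounts), as an added toy example that is not part of the original post and is not the Jet Antifraud Team's code. The thresholds, the constructed events, and the reading of “binding to accounts” as the number of distinct accounts one source touches are all assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample events: (t_seconds, source, account, amount).
# "human" pays by hand; "org_bot" is an assumed legitimate organizer bot;
# "bot_a" fires identical amounts across many accounts at machine speed.
SAMPLE_EVENTS = (
    [(0.0, "human", "acc-1", 120.0), (35.0, "human", "acc-1", 80.0),
     (90.0, "human", "acc-2", 300.0)]
    + [(i * 5.0, "org_bot", "acc-7", 100.0 + 7 * i) for i in range(10)]
    + [(i * 0.2, "bot_a", f"acc-{i}", 50.0) for i in range(20)]
)

def profile_sources(events):
    """Per source: event count, events/sec, spread of amounts, distinct accounts."""
    by_src = defaultdict(list)
    for t, src, acct, amt in events:
        by_src[src].append((t, acct, amt))
    profiles = {}
    for src, rows in by_src.items():
        times = [r[0] for r in rows]
        span = max(times) - min(times)
        # A lone event has no rate; near-simultaneous events count as very fast.
        rate = 0.0 if len(rows) < 2 else len(rows) / max(span, 1e-3)
        profiles[src] = {
            "n": len(rows),
            "rate": rate,
            "amount_stdev": pstdev([r[2] for r in rows]),
            "accounts": len({r[1] for r in rows}),
        }
    return profiles

def classify(p, max_rate=1.0, min_amount_stdev=1.0, max_accounts=3, min_n=5):
    """Assumed thresholds; returns triggered rules (empty list = looks legitimate)."""
    reasons = []
    if p["rate"] > max_rate:  # faster than a person could click through the web UI
        reasons.append("rate")
    if p["n"] >= min_n and p["amount_stdev"] < min_amount_stdev:
        reasons.append("flat_amounts")  # the "one extra parameter": the amount
    if p["accounts"] > max_accounts:  # one source hopping across many accounts
        reasons.append("many_accounts")
    return reasons

def flag_sources(events, **thresholds):
    """Map every source in the log to the list of rules it triggered."""
    return {s: classify(p, **thresholds) for s, p in profile_sources(events).items()}
```

The organizer bot passes every rule despite being automated, while the attacker bot trips all three; that is the separation the graphs above illustrate.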
To summarize: despite the wide opportunities and the complete absence of classical information security components on the PHDays banking services, attackers use the simplest schemes, and identifying them is fairly trivial for modern analysis tools.
This year we promise not to switch off the antifraud for even a minute and not to give in to provocations and requests, and we look forward to more ingenuity from the attacking side :)
Alexey Sizov, captain of the Jet Antifraud Team, Head of the Anti-Fraud Department of the Jet Infosystems Applied Security Systems Center