Airlines, banking, and dating websites bombarded with forgeries

Web-bots are trying to avoid detection by altering their Transport Layer Security (TLS) fingerprint.

Akamai reports that attackers are increasingly using ‘Cipher Stunting’ – a new evasion technique that randomizes the cipher suite list a client offers during the TLS handshake, so that the client’s TLS fingerprint changes from connection to connection.

The trend began in September 2018, but over the last few months attackers have been “tampering with SSL/TLS signatures” on an unprecedented scale to target airlines, banking, and dating websites.

“The TLS fingerprints that Akamai [found] before Cipher Stunting was observed could be counted in the tens of thousands,” Akamai explains in a blog post.

“Soon after the initial observation, that count ballooned to millions, and then recently jumped to billions.”

The technique is being used to run either sketchy content scraping or straight-out illegal credential stuffing attacks.

SSL/TLS fingerprinting mechanisms first developed by security researchers including Ivan Ristic and others have made their way into security products, hence the need by miscreants to develop evasion techniques capable of bypassing fingerprint-based filters.
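To make the evasion and the defensive response concrete, here is an added example (not Akamai’s code, nor from any of the researchers named above) that parses a TLS ClientHello, computes its JA3 fingerprint in the format defined by Salesforce (version, ciphers, extensions, curves, point formats, joined and MD5-hashed, GREASE values excluded), and then computes an order-insensitive variant of my own devising that sorts the cipher list. The sample ClientHello records are constructed inline by a small builder rather than captured from real traffic. The point for a defender: two hellos that differ only in cipher order produce two JA3 hashes, so an exact-hash allow or block list sees a "new" client every time, while the normalized fingerprint collapses them back to one, and a source emitting many JA3 hashes that map to a single normalized value is a useful indicator of shuffling.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are randomized by real browsers and are excluded
# from JA3 so they do not perturb the fingerprint.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(ciphers, curves=(29, 23, 24), point_formats=(0,)):
    """Constructed test data: a minimal TLS 1.2 ClientHello record carrying
    only the supported_groups (10) and ec_point_formats (11) extensions."""
    body = b"\x03\x03" + bytes(32)                       # client_version + random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                  # compression: null only
    groups = struct.pack("!H", 2 * len(curves)) + b"".join(struct.pack("!H", g) for g in curves)
    ext = struct.pack("!HH", 10, len(groups)) + groups
    pf = bytes([len(point_formats)]) + bytes(point_formats)
    ext += struct.pack("!HH", 11, len(pf)) + pf
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the five JA3 inputs from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record containing a ClientHello")
    p = 9                                                # 5-byte record + 4-byte handshake header
    version = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    p += 32                                              # random
    p += 1 + record[p]                                   # session_id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                                   # compression methods
    exts, curves, pfs = [], [], []
    if p < len(record):
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
        while p < end:
            etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
            data = record[p:p + elen]; p += elen
            exts.append(etype)
            if etype == 10:                              # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                            # ec_point_formats
                pfs = list(data[1:1 + data[0]])
    return version, ciphers, exts, curves, pfs


def _join(values):
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3(record):
    """Return (JA3 string, JA3 MD5 hash) for a ClientHello record."""
    version, ciphers, exts, curves, pfs = parse_client_hello(record)
    s = ",".join([str(version), _join(ciphers), _join(exts), _join(curves), _join(pfs)])
    return s, hashlib.md5(s.encode()).hexdigest()


def normalized_fingerprint(record):
    """Order-insensitive variant (my own, not a standard): sorting the cipher
    list makes a client that only shuffles cipher order map to one value."""
    version, ciphers, exts, curves, pfs = parse_client_hello(record)
    s = ",".join([str(version), _join(sorted(ciphers)), _join(exts), _join(curves), _join(pfs)])
    return hashlib.sha256(s.encode()).hexdigest()


def distinct_fingerprints(records):
    """Detection aid for one source: (distinct JA3 hashes, distinct normalized
    hashes). A high first number with a low second number indicates shuffling."""
    return (len({ja3(r)[1] for r in records}),
            len({normalized_fingerprint(r) for r in records}))


if __name__ == "__main__":
    # Same cipher set, two orders, plus one copy with a GREASE value inserted.
    a = build_client_hello([0x1301, 0xc02b, 0xc02f])
    b = build_client_hello([0xc02f, 0x1301, 0xc02b])
    g = build_client_hello([0x0a0a, 0x1301, 0xc02b, 0xc02f])
    for name, rec in (("a", a), ("b", b), ("g", g)):
        print(name, ja3(rec), normalized_fingerprint(rec)[:16])
    print("distinct (ja3, normalized):", distinct_fingerprints([a, b, g]))
```

Sorting the cipher list is only one normalization; a client that also varies which ciphers it offers would defeat it, which is why Akamai’s approach of profiling known client behaviour over time and across layers is the stronger long-term signal. The normalized value is meant as an extra feature alongside JA3, not a replacement for it.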

Analysis by Akamai shows that tampering with SSL/TLS signatures by attackers is being carried out using a “Java-based tool”.

Recognizing the malign behavior is the first stage of developing defenses, and Akamai is already on the case.

“Akamai has been able to profile well-known client behavior over time and across different scenarios, such as SSL/TLS traffic originating from different operating systems and devices, etc,” Akamai concludes.

“This historical visibility has allowed us to monitor, track, and mitigate these latest evasion advancements.”

If attackers are capable of tampering with cryptographic handshakes, why don’t they simply mimic known legitimate clients? Doing so would be more elegant, but it is also more computationally intensive, so miscreants don’t bother.

In the course of a discussion on Twitter about the topic, security researcher Tal Be’ery explained: “Exactly mimicking browsers can be resource intensive, as many different behaviors need to be consistent across layers, e.g. TLS, TCP, HTTP, JavaScript, etc. And defense usually only have white / black list signature, so the easiest thing for abusers is just to randomize.”

Attackers also sometimes make mistakes when forging user agents, as security practitioner Kevin Beaumont noted: “We see malware, credential stuffing etc where they mess up the user agents all the time. E.g. you can detect Cobalt Strike because they put an extra space in the user agent.”
