Classroom Contents
Breaking Fraud and Bot Detection Solutions
- 1 Intro
- 2 Bot Detection • Defend against bots trying to automate abuse activities e.g. test credential dumps, scraping etc. • Is this activity from a human or a bot?
- 3 Fraud Detection • Defend against fraudulent activities e.g. manual account takeovers (ATOs), credit card transactions etc. • Look for anomalies in the activity of a given user compared with that user's past activity.
- 4 Inline Deployment
- 5 Attacker Goal • Conduct fraudulent activity • Automate abuse scripts without getting caught
- 6 Threat Model • Attacker has full control over the browser • Attacker can craft requests and modify responses according to the responses from the server
- 7 Cloud Deployment
- 8 Browser Fingerprinting
- 9 Anti-Tampering JavaScript Obfuscation • XOR based packed code • Randomize location of JavaScript file to load
- 10 Stripping Attack
- 11 Replay Attacks • No check on freshness of payload.
- 12 Dynamic JS Tokens • A dynamic token is generated, which is derived from the timestamp. • Same logic can be replicated in a script.
- 13 Headless Browsers • Browser without a GUI, often used for automation and testing • Either render full JS or run JS in a virtual DOM
- 14 Underground Tool • Anti-Detect $399 in the underground market
- 15 Architecture • Recompile mobile app with SDK • JS - Native Code
- 16 Android Fingerprinting
- 17 Takeaways • Implementation and architectural issues in multiple deployments • Not possible to win the race on web, given no root-of-trust via browsers • State of the world in mobile is better • Getti…