Abuse prevention in the globally distributed economy (presentation)
Shyam Mittur (Yahoo)
![Page 1: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/1.jpg)
Abuse in the Globally Distributed Economy
Shyam Mittur
June 26, 2012
![Page 2: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/2.jpg)
Welcome to the Global Economy – how to create new jobs
6/23/12 2
![Page 3: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/3.jpg)
Welcome to the Global Economy – let’s go crack Y! accounts
![Page 4: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/4.jpg)
Outline
› History – What is abuse and how did we deal with it?
› Evolution of abuse
› Keeping up with abuse – our strategy and tools
› Continuing challenges
![Page 5: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/5.jpg)
What is Abuse?
![Page 6: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/6.jpg)
Abuse is – “Something you’re allowed to do, but in a way that is not allowed”
Service abuse: primarily overuse
› Mass registration
› Account and credentials compromise attempts
Content abuse: undesirable user-generated content
› Spam: “go to stockmarketvideo.com it 5o bucks a month i subscribe there the guy is good ., stop doin wat ur doin”
› Offensive posts: “****WHY IS YOUR SXXX WXXX CXXX MOTHER CXXXXXX OVER MY HOUSE TONIGHT?****”
› Solicitations: “!!!!!!`"[Seek¯ing¯R¯ich .C¯0M]],(remove'¯'),,,,,,,,where to find educated men! where to find women with inner and outer beauty....”
› Offensive images
![Page 7: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/7.jpg)
The view from the inside
High-rate abuse is still present
Content abuse is everywhere
› Commercial spam: solicitations, stock scams, etc.
› Off-topic postings: politics, bigotry, baiting, harassment
› Image abuse: porn sites, webcams, URLs
Account compromise is up
› Every merchant wants you to register
› Many have poor back-end infrastructure; user databases are compromised and sold
› Users use the same id/pw/questions in many locations
› Baffled family and friends: “I got this e-mail from you … ”
› Leads to: “Help, my account has been hacked!”
![Page 8: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/8.jpg)
Example – registration attempts
5-25% of attempts in one colo were deemed abusive and denied
![Page 9: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/9.jpg)
Junk Account Registrations
Over 50% of successful registrations are suspected to be abusive
Chart legend – Black: total registrations; Yellow: suspected abusive registrations; Blue: likely good registrations
![Page 10: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/10.jpg)
Login attempts
20-40% of the attempts in one colo were deemed abusive and denied
![Page 11: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/11.jpg)
Service Requests
12-20% of all service requests were denied
![Page 12: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/12.jpg)
CAPTCHA Challenges
50% of CAPTCHAs are not attempted; 40% of those attempted are successful
![Page 13: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/13.jpg)
How we deal with Abuse
![Page 14: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/14.jpg)
Prevention and Mitigation
Overuse-detection and service-denial at the edge
› Common base rules and conservative limits everywhere
› Additional custom rules and aggressive limits in select locations (high activity and/or high risk)
Liberal registration (sign-up)
› Biased in favor of quick and easy sign-up for new users
Widespread use of CAPTCHA
Aggressive action on detected abusive activity
› Wide range of sophistication in detection techniques and strategies
› From blacklists and regular expressions to machine learning approaches
![Page 15: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/15.jpg)
Platform Tools and Solutions
Rate limiting and filtering › YDoD
Challenge/response validation › CAPTCHA service
Content classification › Anti-spam (Mail, Messenger), Standard Moderation Platform (other contexts) › URL database and services
Account action › Warn, Rehab, Suspend, Trap, Delete
![Page 16: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/16.jpg)
YDoD – A self-aggregating blacklist manager and rate limiter
![Page 17: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/17.jpg)
YDoD works with “filters”
A filter describes the criteria for identifying abuse
› Preconditions and descriptions of the information to be used for tracking abuse (what kind of activity am I interested in watching and/or blocking?)
› Limits and descriptions of the table used to track abuse (how much of that am I willing to take?)
› Response (what do I do when I’ve had enough?)
Like a set of configuration files in a custom language
Filters are installed on client hosts and on central “clusterhosts”
› The clusterhost cares about the limits
› The client cares about the preconditions and responses
› On an “overlimit” condition, a configurable set of responses (actions) is invoked
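The filter model on this slide (preconditions, limits, responses; client hosts reporting to a clusterhost that owns the tracking table) and the edge policy from the Prevention and Mitigation slide (conservative base rules everywhere, aggressive custom rules only in high-risk colos), as an added example in Python. This is not YDoD's code: the filter names, the event fields (op, ip), the limits, the sample address and the traffic are all assumptions made for illustration.

```python
"""Added example (not YDoD code): a toy filter engine modelled on the slides'
description of YDoD filters. Filter names, the event fields (op, ip), the
limits and the sample traffic are all assumptions made for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple

Event = Dict[str, str]


@dataclass
class Filter:
    name: str
    # Precondition: which events to watch and what key to track them by
    # (e.g. source IP). Returns None for events this filter ignores.
    precondition: Callable[[Event], Optional[str]]
    limit: int            # how many matching events we tolerate per key ...
    window_seconds: int   # ... inside this sliding window
    responses: List[str]  # actions invoked on the "overlimit" condition


class ClusterHost:
    """Central aggregator: owns the tracking table and enforces the limits.
    Every client reports here, so counts aggregate across hosts and the
    blacklist builds itself from observed traffic."""

    def __init__(self, filters: List[Filter]) -> None:
        self.filters = {f.name: f for f in filters}
        self.table: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.blacklist: Dict[Tuple[str, str], float] = {}   # key -> expiry time

    def report(self, filter_name: str, key: str, now: float) -> bool:
        """Record one hit and return True when the key is over its limit."""
        f = self.filters[filter_name]
        hits = self.table[(filter_name, key)]
        hits.append(now)
        while hits and hits[0] <= now - f.window_seconds:   # drop aged-out hits
            hits.popleft()
        if len(hits) > f.limit:
            self.blacklist[(filter_name, key)] = now + f.window_seconds
        return self.is_listed(filter_name, key, now)

    def is_listed(self, filter_name: str, key: str, now: float) -> bool:
        expires = self.blacklist.get((filter_name, key))
        if expires is None:
            return False
        if expires <= now:                 # entry has aged out
            del self.blacklist[(filter_name, key)]
            return False
        return True


class ClientHost:
    """Edge host: evaluates preconditions, reports hits, applies responses."""

    def __init__(self, filters: List[Filter], cluster: ClusterHost) -> None:
        self.filters = filters
        self.cluster = cluster

    def handle(self, event: Event, now: float) -> List[str]:
        actions: List[str] = []
        for f in self.filters:
            key = f.precondition(event)
            if key is None:
                continue
            if self.cluster.report(f.name, key, now):
                actions.extend(f.responses)
        return actions or ["serve"]


# Base rule installed everywhere: conservative limit on logins per source IP.
BASE_LOGIN = Filter("login_per_ip",
                    lambda e: e["ip"] if e["op"] == "login" else None,
                    limit=20, window_seconds=60, responses=["deny"])
# Custom rule installed only in a high-risk colo: aggressive registration limit.
HOT_COLO_REG = Filter("reg_per_ip_hot",
                      lambda e: e["ip"] if e["op"] == "register" else None,
                      limit=2, window_seconds=300, responses=["captcha", "log"])


def simulate() -> Dict[str, List[List[str]]]:
    """Constructed traffic from one source address, spread over two colos."""
    cluster = ClusterHost([BASE_LOGIN, HOT_COLO_REG])
    quiet_colo = ClientHost([BASE_LOGIN], cluster)
    hot_colo = ClientHost([BASE_LOGIN, HOT_COLO_REG], cluster)
    ip = "198.51.100.7"                     # constructed sample address
    regs = [hot_colo.handle({"op": "register", "ip": ip}, now=float(t))
            for t in range(3)]
    hosts = [quiet_colo, hot_colo]
    logins = [hosts[t % 2].handle({"op": "login", "ip": ip}, now=10.0 + t)
              for t in range(21)]
    return {"registrations": regs, "logins": logins}


if __name__ == "__main__":
    print(simulate())
```

Because both colos report to the same clusterhost, the login limit trips on the 21st attempt from the address no matter which host saw each attempt, while the aggressive registration rule only fires on the host where it is installed. Blacklist entries age out after one window, so a key that goes quiet is automatically delisted.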
![Page 18: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/18.jpg)
What a YDoD table looks like
![Page 19: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/19.jpg)
CAPTCHA over the years
2001
February 2004
February 2008
April 2008
September 2010
![Page 20: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/20.jpg)
Content Abuse
Standard Moderation Platform
› A framework for classification and moderation of user-generated content
› Web service interface, provides a synchronous judgment
› Uses a configured stack of classifiers
  • Blacklists
  • Regular expressions
  • Obscenity word lists (with variants)
  • Image analysis
  • Signature/hash matching
  • Machine learning algorithm implementations
› Abusive or “suspect” content can be forwarded to human moderation (generally asynchronous)
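The classifier stack described above, as an added example in Python that is not Yahoo's Standard Moderation Platform code: a configured stack of blacklist, word-list (with obfuscation variants), regular-expression and hash-matching classifiers returns a synchronous good/suspect/abusive judgment, and anything other than good is forwarded to an asynchronous human-moderation queue. The blacklist entries, patterns, stand-in word list, image hash and sample posts are all constructed.

```python
"""Added example (not Yahoo's Standard Moderation Platform): a classifier
stack that returns a synchronous judgment and forwards non-good content to
an asynchronous human-moderation queue. The blacklist entries, patterns,
stand-in obscene words, image hash and sample posts are all constructed."""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

GOOD, SUSPECT, ABUSIVE = "good", "suspect", "abusive"
SEVERITY = {GOOD: 0, SUSPECT: 1, ABUSIVE: 2}   # the stack keeps the worst verdict


@dataclass
class Content:
    text: str = ""
    image: bytes = b""


Classifier = Callable[[Content], Tuple[str, str]]   # -> (verdict, reason)

# Constructed model data for the classifiers below.
URL_BLACKLIST = {"spammy-stocks.example"}
SOLICITATION_RE = re.compile(r"\b(?:where to find|seeking\s*rich)\b")
OBSCENE_WORDS = {"frobnicate", "zorble"}             # harmless stand-ins
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
KNOWN_BAD_IMAGE_HASHES = {hashlib.sha256(b"constructed-bad-image-bytes").hexdigest()}


def normalize(text: str) -> str:
    """Undo common obfuscation so word-list variants still match:
    leetspeak digits, punctuation inserted between letters, stretched letters."""
    t = text.lower().translate(LEET)
    t = re.sub(r"[^a-z0-9\s]", "", t)      # "f.r.o.b" -> "frob"
    t = re.sub(r"(.)\1{2,}", r"\1\1", t)   # "sooooo" -> "soo"
    return t


def url_blacklist(c: Content) -> Tuple[str, str]:
    hosts = set(re.findall(r"\b[\w-]+(?:\.[\w-]+)+\b", c.text.lower()))
    return (ABUSIVE, "blacklisted URL") if hosts & URL_BLACKLIST else (GOOD, "")


def obscenity_list(c: Content) -> Tuple[str, str]:
    words = set(normalize(c.text).split())
    return (ABUSIVE, "obscenity") if words & OBSCENE_WORDS else (GOOD, "")


def solicitation_regex(c: Content) -> Tuple[str, str]:
    if SOLICITATION_RE.search(normalize(c.text)):
        return (SUSPECT, "solicitation pattern")
    return (GOOD, "")


def image_signature(c: Content) -> Tuple[str, str]:
    if c.image and hashlib.sha256(c.image).hexdigest() in KNOWN_BAD_IMAGE_HASHES:
        return (ABUSIVE, "known bad image")
    return (GOOD, "")


class ModerationPlatform:
    def __init__(self, stack: List[Classifier], human_queue: list) -> None:
        self.stack = stack
        self.human_queue = human_queue   # stands in for an asynchronous work queue

    def judge(self, content: Content) -> Tuple[str, List[str]]:
        """Synchronous judgment: run the configured stack, keep the worst verdict."""
        verdict, reasons = GOOD, []
        for classify in self.stack:
            v, why = classify(content)
            if SEVERITY[v] > SEVERITY[verdict]:
                verdict = v
            if why:
                reasons.append(why)
            if verdict == ABUSIVE:
                break          # nothing later in the stack can lower the verdict
        if verdict != GOOD:    # suspect and abusive both go to human review
            self.human_queue.append((content, verdict, reasons))
        return verdict, reasons


def demo() -> Tuple[List[str], int]:
    queue: list = []
    platform = ModerationPlatform(
        [url_blacklist, obscenity_list, solicitation_regex, image_signature], queue)
    samples = [   # constructed posts
        Content("great discussion, thanks for the pointer"),
        Content("go to spammy-stocks.example it 5o bucks a month"),
        Content("you fr0bn.icate!!!"),
        Content("where to find women with inner and outer beauty"),
        Content(image=b"constructed-bad-image-bytes"),
    ]
    return [platform.judge(s)[0] for s in samples], len(queue)


if __name__ == "__main__":
    print(demo())
```

The cheap, high-precision classifiers (blacklist, word list) sit first in the stack and short-circuit on an abusive verdict, which is what keeps the synchronous call within a tight latency budget; the regex classifier only raises "suspect", so its false positives cost a human review rather than a wrongly blocked post.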
![Page 21: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/21.jpg)
The Evolution of Abuse
![Page 22: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/22.jpg)
Data Entry Job?
![Page 23: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/23.jpg)
Another “Data Entry Job” recruiter
![Page 24: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/24.jpg)
A few “record holders” here
![Page 25: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/25.jpg)
When $0.75/day solving CAPTCHAs is the alternative
![Page 26: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/26.jpg)
Need a few Yahoo! accounts?
This one seems to be out of business; there are many such providers.
![Page 27: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/27.jpg)
Rent-a-botnet
http://www.zdnet.com/blog/security/study-finds-the-average-price-for-renting-a-botnet/6528
![Page 28: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/28.jpg)
From hacking/fun/malice to business/profit
There is money to be made
› Jan 30, 2012: “It is estimated that financial institutions have lost $15 billion in the past five years” – NPR All Things Considered [1]
› Sept 14, 2011: “The FBI is currently investigating over 400 reported cases of corporate account takeovers in which cyber criminals have initiated unauthorized ACH and wire transfers from the bank accounts of U.S. businesses. These cases involve the attempted theft of over $255 million and have resulted in the actual loss of approximately $85 million.” [2]
Globalization
› Specialized services that source knowledge and manpower from low-cost locations
› Examples: Registration, CAPTCHA solving, Spam pushing
Botnets, malware and data breaches
› Botnets are available for rental by-the-hour or for entire campaigns
› Malware propagation, key logging, identity theft, account compromise/takeover
“Multi-level marketing” at its best!
[1] Original source unknown
[2] http://www.fbi.gov/news/testimony/cyber-security-threats-to-the-financial-sector
![Page 29: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/29.jpg)
A global market and ecosystem
![Page 30: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/30.jpg)
Kolotibablo.com: A “full-service” offering
Registration, CAPTCHA-solving, spam campaigns
![Page 31: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/31.jpg)
Funny – they use CAPTCHA, too!
Not very good either
![Page 32: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/32.jpg)
Xrumer – another full-service solution
‘The system of “Antispam” – correct spam’
![Page 33: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/33.jpg)
decaptcher.net – a CAPTCHA solving service (busted?)
Q: Hi. I need to crack captcha. Do you provide a captcha decoders?
A: DeCaptcher CAPTCHA solving is processed by humans. So the accuracy is much better than an automated captcha solver ones.
Q: Hi guys. Can you make an advert program for me for *****.com?
A: Contact us and we'll discuss it.
Q: Can I solve captchas in many threads?
A: Yes, you can. CAPTCHA solving can be parallelized. Just make sure in every thread you do like follows: login, solve as many captchas as you need, logout.
![Page 34: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/34.jpg)
“The Commercial Malware Industry” by Peter Gutmann, University of Auckland
“Krebs on Security” blog by Brian Krebs
Stefan Savage and his team’s work at UC San Diego
![Page 35: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/35.jpg)
Evolution of our strategy and tools
![Page 36: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/36.jpg)
Going forward: a two-pronged strategy
General approach: more detection and mitigation at the edge
Classification of every request
› Good – service; abusive – deny; not sure – service or challenge
› Algorithmic approaches, beyond just counting
Presentation of graded challenges
› Simple CAPTCHAs still work well in many situations
› In-line and out-of-band
› All kinds of other ideas, too
Special handling of account compromise
› More notification (mostly opt-in, some not)
› The account is placed in a trap state
› Challenge/verify at next opportunity
![Page 37: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/37.jpg)
Project Blackbird: a new framework
Why we need this
› Operating at a much higher scale (of requests, deployments, services)
› Up against highly capable adversaries
› Who they are and where they are coming from are not meaningful or relevant
› What they do is what matters
› Tight performance budget for synchronous detection
› Quick reaction time for deployment and customization
Approach
› Plug-in deployment of blacklists, exemptions, classifiers
› Encapsulation of detection techniques as classifiers
› Abstraction of classifiers as algorithm (code) + model (data)
› Support for automatic data sampling, retraining, model building and updates
› Central control of the framework (development and deployment)
› Distributed ownership of classifiers (development, deployment and customization)
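The Blackbird approach above (plug-in exemptions, blacklists and classifiers; classifiers as algorithm plus swappable model data; model updates from sampled traffic) together with the two-pronged strategy slide (good/abusive/not-sure classification of every request, graded challenges, trap state for compromised accounts), as an added example in Python. This is not Project Blackbird's code: the classifier names, the model data, the score thresholds, the challenge grades and the sample requests are constructed for illustration.

```python
"""Added example (not Project Blackbird's code): request classification with
plug-in exemptions, blacklists and classifiers, a serve/deny/challenge
decision, graded challenges, and a trap state for suspected compromised
accounts. Names, model data, thresholds and sample requests are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Request = Dict[str, str]


@dataclass
class Classifier:
    """One detection technique packaged as algorithm (code) + model (data)."""
    name: str
    algorithm: Callable[[Request, dict], float]   # abuse score in [0, 1]
    model: dict                                   # replaced wholesale on retraining
    weight: float = 1.0

    def score(self, req: Request) -> float:
        return self.algorithm(req, self.model)


def velocity_algorithm(req: Request, model: dict) -> float:
    """How close the source's recent request count is to the learned threshold."""
    return min(1.0, model["counts"].get(req["ip"], 0) / model["threshold"])


def ua_reputation_algorithm(req: Request, model: dict) -> float:
    """Prior abuse rate of the client software; unknown clients get a low prior."""
    return model["ua_scores"].get(req["user_agent"], 0.2)


@dataclass
class Decision:
    action: str                      # "serve", "deny" or "challenge"
    score: float
    challenge: Optional[str] = None  # graded: simple_captcha, hard_captcha, sms_code
    reasons: List[str] = field(default_factory=list)


class Blackbird:
    def __init__(self, classifiers: List[Classifier], blacklist: Set[str],
                 exemptions: Set[str], deny_at: float = 0.8, challenge_at: float = 0.4):
        self.classifiers, self.blacklist, self.exemptions = classifiers, blacklist, exemptions
        self.deny_at, self.challenge_at = deny_at, challenge_at
        self.trapped: Set[str] = set()   # accounts in trap state

    def update_model(self, name: str, model: dict) -> None:
        """Deploy a rebuilt model without touching the classifier's code."""
        for c in self.classifiers:
            if c.name == name:
                c.model = model

    def trap(self, account: str) -> None:
        self.trapped.add(account)

    def verified(self, account: str) -> None:
        """The owner passed the out-of-band challenge: release the trap."""
        self.trapped.discard(account)

    def classify(self, req: Request) -> Decision:
        if req.get("account") in self.trapped:      # challenge at next opportunity
            return Decision("challenge", 1.0, "sms_code", ["account in trap state"])
        if req["ip"] in self.exemptions:
            return Decision("serve", 0.0, reasons=["exempt"])
        if req["ip"] in self.blacklist:
            return Decision("deny", 1.0, reasons=["blacklisted"])
        total = sum(c.weight for c in self.classifiers)
        score, reasons = 0.0, []
        for c in self.classifiers:                  # weighted average of plug-in scores
            s = c.score(req)
            score += c.weight * s / total
            if s >= 0.5:
                reasons.append(f"{c.name}={s:.2f}")
        if score >= self.deny_at:
            return Decision("deny", score, reasons=reasons)
        if score >= self.challenge_at:              # not sure: graded challenge
            midpoint = (self.deny_at + self.challenge_at) / 2
            grade = "hard_captcha" if score >= midpoint else "simple_captcha"
            return Decision("challenge", score, grade, reasons)
        return Decision("serve", score, reasons=reasons)


def build_demo_framework() -> Blackbird:
    velocity = Classifier("velocity", velocity_algorithm, {"counts": {}, "threshold": 50})
    ua_rep = Classifier("ua_reputation", ua_reputation_algorithm, {"ua_scores": {
        "Mozilla/5.0": 0.1, "curl/7.0": 0.9, "python-requests/2.0": 0.5}})
    bb = Blackbird([velocity, ua_rep], blacklist={"203.0.113.9"}, exemptions={"192.0.2.1"})
    # "Retraining": rebuild the velocity model from a constructed traffic sample.
    counts: Dict[str, int] = {}
    for ip in ["198.51.100.5"] * 40 + ["198.51.100.6"] * 5:
        counts[ip] = counts.get(ip, 0) + 1
    bb.update_model("velocity", {"counts": counts, "threshold": 50})
    return bb


def demo() -> List[Tuple[str, Optional[str]]]:
    bb = build_demo_framework()
    bb.trap("alice")   # e.g. after activity that matched a compromise pattern
    requests = [       # constructed
        {"ip": "192.0.2.1", "user_agent": "curl/7.0"},
        {"ip": "203.0.113.9", "user_agent": "Mozilla/5.0"},
        {"ip": "198.51.100.6", "user_agent": "Mozilla/5.0"},
        {"ip": "198.51.100.5", "user_agent": "Mozilla/5.0"},
        {"ip": "198.51.100.5", "user_agent": "python-requests/2.0"},
        {"ip": "198.51.100.5", "user_agent": "curl/7.0"},
        {"ip": "198.51.100.6", "user_agent": "Mozilla/5.0", "account": "alice"},
    ]
    return [(d.action, d.challenge) for d in map(bb.classify, requests)]
```

The trap check runs before everything else so a compromised account is challenged at its very next request regardless of where it comes from, which matches the "what they do is what matters" point: the decision keys on behaviour and account state, not on who the adversary is. Exemptions precede the blacklist so a known-good partner address is never collaterally denied, and the model swap leaves the algorithm code untouched, which is what lets classifier owners retrain on their own schedule.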
![Page 38: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/38.jpg)
Blackbird design: front-end
![Page 39: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/39.jpg)
Blackbird design: support infrastructure
![Page 40: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/40.jpg)
CAPTCHA: not just those squiggly characters
We generalized and abstracted the CAPTCHA framework
Changed integration and delivery to a service model
› Create challenge (the “test”)
› Present challenge
› Validate response
Made the challenge techniques configurable and selectable
› Several graphical presentations
› Non-graphical challenges
› Out-of-band challenges: Voice, SMS, E-mail, Postcard (yes)
› Difficulty levels
![Page 41: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/41.jpg)
New visual variants
Overlap Text
Background Clutter
Floating Screen: Demo
![Page 42: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/42.jpg)
New CAPTCHA Challenges
3D-Wave: Demo
OverlapTextWave: Demo
DelayedAnimation: Demo
![Page 43: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/43.jpg)
Telephone Voice/SMS Challenge
Generate a phone call or text message
› With a one-time numeric code
Why this is effective:
› We check on phone numbers and exclude those available in bulk for abuse
› We can watch for overuse
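The telephone challenge above, built on the create / present / validate service model from the "CAPTCHA: not just those squiggly characters" slide, as an added example in Python that is not Yahoo's CAPTCHA service code. It issues a one-time numeric code out of band, rejects numbers from ranges obtainable in bulk, and watches for overuse of a single number; the bulk-number prefix, the limits, the phone numbers and the message-sender stub are constructed for illustration.

```python
"""Added example (not Yahoo's CAPTCHA service): an out-of-band telephone
challenge following the create / present / validate service model described
on the slides. The bulk-number prefixes, limits, phone numbers and the
message sender stub are constructed for illustration."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Challenge:
    kind: str        # "sms" or "voice"
    phone: str
    code: str        # one-time numeric code, never returned to the web caller
    created: float
    attempts: int = 0


class PhoneChallengeService:
    CODE_DIGITS = 6
    TTL_SECONDS = 300      # the code dies after five minutes
    MAX_ATTEMPTS = 3       # guesses allowed per challenge
    MAX_PER_NUMBER = 3     # challenges per number per window: the overuse watch
    WINDOW_SECONDS = 3600

    def __init__(self, bulk_prefixes: List[str],
                 sender: Callable[[str, str, str], None]) -> None:
        self.bulk_prefixes = tuple(bulk_prefixes)   # ranges obtainable in bulk
        self.sender = sender                         # delivers via SMS/voice gateway
        self.challenges: Dict[str, Challenge] = {}
        self.per_number: Dict[str, List[float]] = {}

    def create(self, kind: str, phone: str, now: float) -> Tuple[Optional[str], str]:
        """Create the test. Returns (challenge_id, status)."""
        if not phone.startswith("+") or not phone[1:].isdigit():
            return None, "invalid_number"
        if phone.startswith(self.bulk_prefixes):
            return None, "number_excluded"
        recent = [t for t in self.per_number.get(phone, []) if t > now - self.WINDOW_SECONDS]
        if len(recent) >= self.MAX_PER_NUMBER:
            return None, "overuse"
        self.per_number[phone] = recent + [now]
        code = "".join(secrets.choice("0123456789") for _ in range(self.CODE_DIGITS))
        cid = secrets.token_urlsafe(16)
        self.challenges[cid] = Challenge(kind, phone, code, now)
        return cid, "created"

    def present(self, cid: str) -> str:
        """Deliver the code out of band; the caller only learns where it went."""
        ch = self.challenges[cid]
        self.sender(ch.kind, ch.phone, f"Your verification code is {ch.code}")
        return f"{ch.kind} sent to number ending in {ch.phone[-4:]}"

    def validate(self, cid: str, response: str, now: float) -> str:
        ch = self.challenges.get(cid)
        if ch is None:
            return "unknown"                  # never issued, already used, or locked
        if now - ch.created > self.TTL_SECONDS:
            del self.challenges[cid]
            return "expired"
        ch.attempts += 1
        if hmac.compare_digest(ch.code, response):   # constant-time comparison
            del self.challenges[cid]          # one-time: cannot be replayed
            return "ok"
        if ch.attempts >= self.MAX_ATTEMPTS:
            del self.challenges[cid]
            return "locked"
        return "wrong"


def make_demo_service() -> Tuple[PhoneChallengeService, List[Tuple[str, str, str]]]:
    """Service wired to an outbox list that stands in for the phone network."""
    outbox: List[Tuple[str, str, str]] = []
    svc = PhoneChallengeService(bulk_prefixes=["+1555999"],   # constructed bulk range
                                sender=lambda k, p, m: outbox.append((k, p, m)))
    return svc, outbox


def demo() -> Tuple[str, str, str, str]:
    svc, outbox = make_demo_service()
    cid, status = svc.create("sms", "+15550100", now=0.0)
    svc.present(cid)
    code = outbox[-1][2].split()[-1]          # the "phone" reads its message
    wrong = "000000" if code != "000000" else "111111"
    return (status, svc.validate(cid, wrong, now=1.0),
            svc.validate(cid, code, now=2.0), svc.validate(cid, code, now=3.0))
```

The per-number counter is the "watch for overuse" control from the slide: a number that keeps requesting codes is cut off for the rest of the window, and a code that has been used once, guessed at three times, or left to expire is gone, so the six-digit space cannot be worked through.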
![Page 44: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/44.jpg)
Continuing challenges
New user acquisition
› Ease of sign-up vs. challenge/validation friction
Anonymity vs. verifiable personal data
› Users have “learned” to not provide real information
Use of activity data, building and using reputation
› “I can’t believe you track this!”
Abuse/compromise mitigation in “free” vs. “at-risk” environments (e.g., banks)
Account/credentials compromise
› Id/password overloading
› Mobile devices and apps
› Reverting to risky behavior
![Page 45: Abuse prevention in the globally distributed economy presentation](https://reader033.vdocuments.mx/reader033/viewer/2022051817/5491c1d0ac795953288b45fe/html5/thumbnails/45.jpg)
Shyam Mittur Yahoo! Abuse Engineering