TechBizWeb

    New Product Protects SMBs From Credential Stuffing Attacks

    May 8, 2019 (Updated: May 8, 2019)


    Shape Security has announced a new product designed to protect small and medium business (SMB) websites from the growing scourge of advanced bot-based credential stuffing.

    The Bad Bot problem is known and understood. When credentials are stolen, they are often used by bad bots for automated credential stuffing — that is, the automated and repetitive testing of stolen credentials against new targets of interest, where compromise can be used to generate income for the attacker.

    If credential stuffing bots are ‘simple’, then traditional firewalls can detect and block them. Today, however, bots are increasingly sophisticated and intelligent, and can easily defeat traditional security defenses. 

    “When you have a cybersecurity ecosystem that’s making millions of dollars on a daily basis,” Shuman Ghosemajumder, CTO at Shape Security, told SecurityWeek, “the criminals have their own computer scientists who have invested in creating an attack specification incorporating many layers of abstraction. The starting point for them is to have hundreds of thousands of source IP addresses that they rotate constantly. Then there are other behavioral techniques that they use to make sure their transactions are similar to genuine transactions. They have invested in technology that allows them to mask the transactions, so they appear to be coming from different clients, and from different users that use their mouse in different ways, type on the keyboard with different mannerisms. They introduce a great deal of entropy so what is actually credential stuffing looks like a large quantity of organic traffic.”

    It works. Recorded Future reported last month, “The average success rate for credential stuffing is anywhere between one to three percent. Hence, for every one million random combinations of emails and passwords, attackers can potentially compromise between 10,000 and 30,000 accounts.” Bear in mind that 3 billion credentials were stolen or leaked in 2018 alone.

    According to Shape Security’s figures, credential stuffing fake traffic against unprotected online businesses can represent 90% or more of their website’s traffic. Overall, this fraudulent activity costs North American businesses over $5 billion annually in credit card chargeback fees and other fraud-related expenses.

    Shape is one of a handful of companies that have developed solutions able to detect the subtle differences between advanced bot traffic and genuine user traffic, and block the bad traffic before it hits the server. Most of these products serve larger enterprises and are priced accordingly. The Shape Enterprise Defense product is used by eight of the top 12 US banks, five of the top ten global airlines, two of the top five global hotels, and two of the largest US government agencies.

    “This is technology that we have built by investing more than $100 million dollars,” explains Ghosemajumder. “It is designed to be able to deal with the most sophisticated attacks that are out there, which disproportionally targets those larger organizations.”

    But smaller firms also suffer from the bad bot plague. “We realized,” he continued, “that we could fully productize our enterprise service, take out some of the service-based aspects (which includes a kind of white glove approach where we have data scientists and researchers that are dedicated to the different clients at the high-end), and just use automation instead. Doing this, we could reduce the cost and make it available to folks in a simple form factor.”

    This new product is called Shape Connect, announced May 7, 2019. It’s a self-serve model where customers can visit the Shape website and plug Connect into their own website with a DNS redirect. This is not a free service. It is not designed to protect small and personal websites — it is aimed at the growing SMB market that is currently poorly served.

    One of the strong points of Connect is that Shape claims a virtual zero delay for visitors. While there are some similar free services, they can introduce a delay between the user entering a URL and receiving the requested page. Some services insert a special page informing the user that there may be a delay of up to five seconds while the service checks the validity of the user’s browser. Ghosemajumder believes this is unacceptable for visitors (that is, potential customers).

    In an earlier position, his task was to protect Google from click fraud. “We did measurements and conducted experiments that showed that delays of even tens of milliseconds would result in us losing users if we increased latency by that much,” he told SecurityWeek. “Shape has had all of these conversations with our initial set of high end customers about performance and latency — it’s completely unacceptable to have additional latency that goes into the seconds. 

    “What we have,” he continued, “is an invisible mechanism that allows us to execute JavaScript that instantaneously determines whether a transaction is behaving in an anomalous manner. It’s our unique technology that allows us to protect in a way, and perform in a way, that other technologies cannot. We have simply chosen to put this technology into a new form factor that is not designed for the really small sites, but for the companies that are a bit larger. So, not Fortune 500, not Global 2000 — that’s what our high-end product and service is designed for — but for all of the other small and medium businesses that are out there that have the problem of fake or automated traffic being directed against them.”

    Mountain View, CA-based Shape Security was launched in 2011 by Derek Smith, Justin Call, and Sumit Agarwal, and emerged from stealth in 2014. It has raised a total of $132 million in funding, with the latest being a Series E round for $26 million in November 2018.


    Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
