Organizations around the world are building feature rich web, mobile and API-based applications as a means of extending their competitive advantage and improving their business. However, the more public-facing applications an organization deploys, the more surface area they expose to attackers.
Today’s bad actors use large repositories of stolen user information and off-the-shelf attack toolkits to programmatically target these public-facing applications with malicious transactions that are syntactically correct and therefore look legitimate to the application.
A leader in online dating, Zoosk is committed to delivering personalized matches to its 40+ million members. With the ultimate goal of creating lasting and meaningful relationships, protecting their users from fraud that may be caused by automated bots is a top priority for the Zoosk security team.
Finding Love and Romance – Securely and Safely
Finding a lasting relationship often means letting your guard down. Unfortunately, bad actors are adept at taking advantage of this to execute romance scams. To do this, scammers infiltrate popular platforms and attempt to build connections with legitimate users before asking them to part with their money. However, to bait other users, they first need accounts and lots of them. The two easiest ways to get them?
Fake Account Creation
Bad actors analyzed the Zoosk user interface and mobile applications to understand the platform’s account creation processes and identify APIs that could be targeted. In one example, they used the Android mobile application APIs to programmatically establish fake accounts, leveraging compromised infrastructure to execute their attack and mask their identity and location.
Taking action against fake account creation is a challenging game of cat and mouse between the application owner and bad actors. These attackers are continually evolving their approach using new automated tools and human farms to create fake accounts, and making adjustments in language, frequency of posting, and location to mask their malicious intent.
However, if security measures against them inject too much friction for legitimate users, they may become frustrated and abandon a platform before they finish creating a new account.
Account Takeover (ATO) is a wide-reaching threat, targeting any organization with web, mobile, or API-based applications where users are encouraged to create an account and interact with business services or other users. Its most common form is credential stuffing: bad actors use automated bots to replay large numbers of username and password pairs stolen from other breaches and acquired on the dark web, to see which of them also work on the Zoosk portal.
And, because 52% of all consumers re-use the same login credentials across sites, the success rate makes the effort worthwhile. Accounts whose credentials are successfully verified are either resold or, as was the case at Zoosk, used as vehicles for romance scams.
Automated threats such as ATO and fake account creation generate high volumes of unwanted traffic. In Zoosk’s case, the team determined that in an average week 80 to 90% of their traffic was synthetic, which significantly increased their AWS infrastructure spend.
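The two abuse patterns above, scripted account creation through the application’s own APIs and credential stuffing against the login endpoint, both leave a footprint on the server side that does not depend on anything the client chooses to report. The following added example (written for this page, not Zoosk’s or Cequence’s code) profiles constructed API access log lines per source and labels sources whose login and registration behaviour looks automated. The endpoint paths, log format, sample traffic and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import median

# Illustrative thresholds: assumptions for this example, not Zoosk's or Cequence's policy.
LOGIN_ATTEMPTS_MIN = 20     # login POSTs from one source before it is judged
DISTINCT_USERS_MIN = 10     # distinct usernames tried from one source
FAIL_RATIO_MIN = 0.8        # share of login attempts that failed
SIGNUPS_MIN = 5             # account registrations from one source
MACHINE_GAP_SECONDS = 1.0   # median gap between requests below this looks scripted

LOGIN_PATH = "/api/v1/login"        # hypothetical endpoint names
SIGNUP_PATH = "/api/v1/register"


@dataclass
class Event:
    ts: datetime
    src: str
    method: str
    path: str
    status: int
    user: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line: timestamp source method path status username."""
    ts, src, method, path, status, user = line.split()
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), src, method, path, int(status), user)


@dataclass
class SourceProfile:
    timestamps: list = field(default_factory=list)
    login_attempts: int = 0
    login_failures: int = 0
    users_tried: set = field(default_factory=set)
    signups: int = 0


def profile_sources(events):
    """Aggregate per-source counters over every request, not only the failed ones."""
    profiles = defaultdict(SourceProfile)
    for e in events:
        p = profiles[e.src]
        p.timestamps.append(e.ts)
        if e.method == "POST" and e.path == LOGIN_PATH:
            p.login_attempts += 1
            p.users_tried.add(e.user)
            if e.status != 200:
                p.login_failures += 1
        elif e.method == "POST" and e.path == SIGNUP_PATH:
            p.signups += 1
    return profiles


def classify(p: SourceProfile) -> set:
    """Label a source; an empty set means nothing looked automated."""
    labels = set()
    if p.login_attempts >= LOGIN_ATTEMPTS_MIN:
        fail_ratio = p.login_failures / p.login_attempts
        # Many distinct usernames with mostly failures: a leaked list being replayed.
        if len(p.users_tried) >= DISTINCT_USERS_MIN and fail_ratio >= FAIL_RATIO_MIN:
            labels.add("credential_stuffing")
    if p.signups >= SIGNUPS_MIN:
        labels.add("scripted_signup")
    if len(p.timestamps) >= LOGIN_ATTEMPTS_MIN:
        ts = sorted(p.timestamps)
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if median(gaps) < MACHINE_GAP_SECONDS:
            labels.add("machine_timing")
    return labels


def detect(log_text: str) -> dict:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {src: classify(p) for src, p in profile_sources(events).items()}


def _fmt(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def build_sample_log() -> str:
    """Constructed traffic: two human users plus two scripted sources (not real data)."""
    lines = [
        "2018-09-28T10:00:01Z 203.0.113.7 GET /login 200 -",
        "2018-09-28T10:00:04Z 203.0.113.7 POST /api/v1/login 200 alice",
        "2018-09-28T10:00:09Z 203.0.113.7 GET /api/v1/matches 200 alice",
        "2018-09-28T10:01:10Z 198.51.100.5 POST /api/v1/login 401 bob",  # typo, then retry
        "2018-09-28T10:01:25Z 198.51.100.5 POST /api/v1/login 200 bob",
    ]
    base = datetime(2018, 9, 28, 10, 2, 0, tzinfo=timezone.utc)
    for i in range(40):  # 40 leaked usernames replayed 300 ms apart; two of them still work
        status = 200 if i in (7, 31) else 401
        lines.append(f"{_fmt(base + timedelta(milliseconds=300 * i))} 192.0.2.44 POST {LOGIN_PATH} {status} leaked{i:03d}")
    base = datetime(2018, 9, 28, 10, 3, 0, tzinfo=timezone.utc)
    for i in range(25):  # 25 registrations from one source, 500 ms apart
        lines.append(f"{_fmt(base + timedelta(milliseconds=500 * i))} 198.51.100.77 POST {SIGNUP_PATH} 201 newuser{i:03d}")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, labels in detect(build_sample_log()).items():
        print(src, sorted(labels) or "ok")
```

Two caveats follow directly from the page. Keying on the source IP is the weakest part of this sketch: the attackers described above ran through compromised infrastructure precisely to spread their requests across many addresses, so a production system keys on a device or session fingerprint and combines several signals before acting. And the thresholds have to be tuned against real traffic so that a human who mistypes a password and retries (the second user in the sample) is never blocked, since friction at login or sign-up is what drives legitimate users away.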
Zoosk Looks for Their Match
Zoosk’s primary mission is to help people connect and find love on their platform. So, with a goal in mind to protect their users from fraud and improve their application security posture, the IT security team began evaluating possible solutions.
Their initial choice was a client-side detection mechanism. This mechanism asks the client to provide browser information so that behavioral data from the session, such as whether mouse movements fall within ‘human-like’ parameters, can be evaluated to identify malicious automated activity or unwanted traffic.
At first, the approach seemed effective enough. However, as time progressed, two key issues arose:
Because the detection logic ran on the client, attackers were able to examine and reverse-engineer the deployed solution and then adjust their tooling to avoid it. Over time, Zoosk saw that the new defense had a diminishing impact on the bots it was meant to stop.
In addition to their web applications and APIs, Zoosk also needed to secure their mobile applications. Though the original vendor provided an SDK, shipping the updated security measures with every new release for every OS introduced significant friction into their DevOps process.
Partnering with Cequence Security
Realizing they needed a different approach for protecting public-facing applications against bot activity, Zoosk considered other options. Ultimately, they discovered Cequence Security’s Application Security Platform (ASP) and opted to replace their existing bot detection and mitigation solution.
By tracking the unique multi-step behaviors of real attacks against Zoosk’s applications, Cequence Security gave the Zoosk security team the visibility they needed to distinguish malicious bots from legitimate activities and mitigate them.
The Cequence ASP analyzes every interaction from a user, client, network, and application perspective. It then uses the resulting data to build a syntactic profile through machine learning models, behavioral analysis, and statistical analysis.
This approach allows Zoosk to accurately detect automated attacks and create informed policies to mitigate them – even as bad actors re-tool to avoid mitigation.
How well has the Cequence solution worked? In 2018, a breach exposed the access tokens of more than 50 million Facebook accounts. With Cequence, Zoosk was able to detect and address the spike in login activity generated by bad actors that reused the exposed tokens in attempted ATO attacks against Zoosk.
After deploying the Cequence ASP on AWS, the dating company was able to future-proof its application security approach, reduce AWS spend, and improve the user experience.
While Cequence was founded to solve some of the hardest real-world application security challenges, this story is also about the collaboration between both organizations. Zoosk cited that the support from the Cequence Team has been amazing and delivered a great customer experience.
Want to know more?
Watch the full interview with Conor Callahan, Technical Lead of Platform and Infrastructure at Zoosk here.