"If you can force someone to rewind to 10 years ago where they have to do everything themselves, it kicks the stool out from under a lot of attacks," says Williamson. "How do I monetize stolen credit cards? How do I know if they've logged into their bank? If you can't deal with those sites automatically, everything deescalates."
By way of example, Williamson explained when a target is breached and criminals get their hands on stolen credit cards, their value on the black market jumps substantially — say, from 20 cents to anywhere from 40 to 80 dollars apiece — once they have been verified. It's what gives the stolen cards value, so criminals have an automated process to determine whether or not the cards are, in fact, verified.
"So let's say they take a thousand of those cards and go to the Red Cross and make a one dollar donation with each of them," says Williamson. "It's something that people aren't going to notice. They make the donations and say, okay, 900 out of 1,000 of them worked. So when they sell the cards, they say that the cards are from this area in the country and they have a 90% success rate. People pay a really high premium for [a rate that high]."
The key, then, is breaking that verification process, since that's where all the value in the cybercriminal economy gets generated. To do so, defenders need to take advantage of the fact that the entire process is automated; again, without changing the GUI of the site in question, the ID of field names can be changed to a random string, ensuring that each user interaction is unique. This, of course, breaks the automated process when it can't find the fields that it's attempting to fill out.
"If you think about this in the context of testing credit cards, the script says, 'Put in the number here, address, hit submit, and if I get a good verify back, I know it works,'" says Williamson. "And since nothing was ever submitted, it looks like they went zero for a thousand."
Sign up for CIO Asia eNewsletters.