In-depth

Stopping automated attacks with shapeshifting websites

How we can defend against automated attacks? Tom Brewster takes a look...

A moving target is always harder to hit than a stationary one. IT security types have exploited this fact for years, but never before has a service come along that shifts around the high-level of a website's code to thwart attacks.

But that's what the geniuses at Shape Security, who have histories at Google and the US Department of Defense, have done. After two years of development, they've found a way to alter HTML, CSS and JavaScript code without altering the user experience. The algorithms figure out fresh ways to do that with every webpage visit. The ultimate idea of this polymorphism is to stop automated tools probing for predictable weaknesses, as they won't be able to detect them if the structure of the site is scrambled on each request.

This is big. If the major banks apply this kind of technology, it will significantly weaken the majority of banking malware out there. It's no surprise the company's first customers are in the financial industry.

Shuman Ghosemajumder, vice president of strategy at Shape, explains how this actually helps: "What this means is that it now becomes difficult or even impossible to be able to script an attack against the application because it is no longer reliably static. [An attacker] won't know how to get their code to interact with the web application's code anymore."

Automated vulnerability scanners will have no hope against these shapeshifting sites and application layer distributed denial of service attacks should be limited by the technology too. But where I see this technology being really valuable is in the banking sector.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Prevalent financial man-in-the-browser malware like Zeus has long caused issues for banks, costing the millions upon millions of pounds over recent years. Such malware contain scripts that automatically out commands on bank websites as the customer visits them, initiating transactions silently. "What we do is prevent the Trojan from successfully being able to send commands to the banks website anymore," Ghosemajumder notes.

HTML web injects, where the malware replaces pieces of the bank's website, such as the login form, would be impossible too. Any attempt to inject code in this way would corrupt the page "pretty horrendously," Ghosemajumder adds.

This is big. If the major banks apply this kind of technology, it will significantly weaken the majority of banking malware out there. It's no surprise the company's first customers are in the financial industry.

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now
Advertisement

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/technology/artificial-intelligence-ai/354796/ai-identifies-11-earth-bound-asteroids
artificial intelligence (AI)

AI identifies 11 earth-bound asteroids

18 Feb 2020
Visit/operating-systems/27717/how-to-fix-a-stuck-windows-10-update
operating systems

How to fix a stuck Windows 10 update

12 Feb 2020
Visit/business/business-operations/354790/hp-shareholders-invited-to-come-dine-with-xerox
Business operations

HP shareholders invited to come dine with Xerox

17 Feb 2020