Tactics

Tactics describe the strategies that adversaries may employ during specific phases of business logic attacks. They are the high-level activities the adversary performs during each phase; each tactic below is assigned to the phase in which it typically occurs.

| ID | Name | Description | Phase |
|---|---|---|---|
| TAC-01 | Website Creation | The adversary creates a website to support their operations. This may be a duplicate or typo-squat of a legitimate website, or a wholly new one. The details are often faked to give the impression of legitimate activity occurring on it. | Resource Development |
| TAC-02 | Credential Acquisition | The adversary is trying to steal account names, passwords and authentication tokens. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals. Methods used to get credentials include phishing, keylogging and extracting from... | Resource Development |
| TAC-03 | Infrastructure Acquisition | Before compromising a victim, adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating operations. Infrastructure solutions include physical or cloud servers, proxies, domains, and third-party web services. Additionally, botnets are available for theft, rent or purchase... | Resource Development |
| TAC-04 | Payment Detail Acquisition | The adversary is trying to acquire financial information that can be used to make payments in another's name, for example bank account or credit card details. This information is most commonly acquired from keylogging, phishing and data dumps, and may contain either, or a mixture of, complete and partial payment... | Resource Development |
| TAC-05 | Tool Development | Adversaries will develop tools to help facilitate their intent and planned attack process. This can be in the form of a fully automated computer program or a simple script that is designed for basic web interactions. | Resource Development |
| TAC-06 | Specific Target | Specific Target Reconnaissance is performed on a specific single target, such as a product, organisation, or individual. This is similar to "Loose Target", but the key differentiator is that here the adversary knows and has specified exactly what they are looking for. | Reconnaissance |
| TAC-07 | Loose Target | Loose Target Reconnaissance is performed to identify potential targets from a website, catalogue, or similar. This is similar to "Specific Target", but the key differentiator is that here the adversary has not specified any individual target, and is instead trying to identify a target of opportunity and so is scanning... | Reconnaissance |
| TAC-08 | Mitigation Bypass | The adversary attempts to bypass CAPTCHA-based defensive measures through either automated or manual methods. | Defence Bypass |
| TAC-09 | Human Emulation | The bot imitates human behaviour in order to bypass User Behaviour Analytics-based defensive measures. This may include moving the mouse, browsing between random pages, scrolling, pausing between actions, and/or faking navigation to a web app via a search engine. | Defence Bypass |
| TAC-10 | Proxying | The adversary seeks to obfuscate the origin of their activity and bypass IP and geo-blocking by using a server application or appliance that acts as an intermediary for requests from clients to the web app. | Defence Bypass |
| TAC-11 | Smokescreening | The adversary seeks to disguise their true attack with diversionary measures, or to hide their actual attack amongst other activity (which may appear to be, or actually be, legitimate, malicious, or noise). | Defence Bypass |
| TAC-12 | Account Creation | Fake Account Creation is the automated or manual creation of a large number of user accounts that are not associated with a real person, or that are created with a real person's details without their knowing consent. | Attack Execution |
| TAC-13 | Account Takeover | An adversary seizes control of an account, giving them the ability to use it, manipulate it, and/or extract information from it as though they were the legitimate owner of the account. | Attack Execution |
| TAC-14 | Fake Interaction | The adversary interacts with a website or API in a manner intended to imitate human interactions to achieve their objective. This may include interacting with media (such as comment boxes, other users, up/downvote buttons, etc.). | Attack Execution |
| TAC-15 | Stock Purchase | The bot performs a fully automated completion of a transaction procedure (such as a checkout or refund) on behalf of the adversary. Generally this will take place at speeds far greater than those at which a human could perform the same actions. It is most commonly seen in use by... | Attack Execution |
| TAC-16 | Spinning | Items are added to a basket and held there until the adversary completes the checkout process; the adversary will only do so after confirming a Sale of the item(s) in the cart, or of the cart itself, at an acceptable profit margin. Alternatively, they will hold the items for a sustained... | Attack Execution |
| TAC-17 | Sniping | The adversary monitors time-based activity and submits information at the very last moment, removing the opportunity for other people to respond to that action. This is most commonly seen in time-based auctions. | Attack Execution |
| TAC-18 | Policy Abuse | The adversary violates the terms of service/terms and conditions to attain their objective. This may include the Sale of digital assets, or the use of bonuses or loyalty points outside of their intended functionality. It specifically refers to where an adversary violates the terms of an agreement (such as a... | Attack Execution |
| TAC-19 | Payment Detail Abuse | The adversary uses stolen or cracked payment credentials (such as credit card details or loyalty points) to make a purchase without the consent of the owner of those payment details. | Attack Execution |
| TAC-20 | Transaction Redirect | The adversary will transfer money or loyalty points from a user account on a web application to another account elsewhere (such as a bank account) to which the adversary, or adversaries, alone has access. | Actions on the Objective |
| TAC-21 | Exfiltration | Information gathered during the attack is provided to the adversary and/or another interested party. This information may be used to inform future attacks or decision-making. | Actions on the Objective |
| TAC-22 | Invoice Abuse | The adversary will use PO Boxes, fake addresses, and/or fake identities to bypass restrictions that limit services or purchases to a limited number per individual or address. | Post-Attack |
| TAC-23 | Delivery Redirect | The adversary changes the delivery instructions after the product has been shipped. | Post-Attack |
| TAC-24 | Sale | Having acquired their target (e.g. via Account Takeover or Sniping), the adversary will then sell or resell the targeted objective on a third-party site (generally either a forum or an e-commerce platform, depending on the nature of the acquired objective). | Post-Attack |