Tactics
Tactics describe the strategies that may be employed by adversaries during specific phases of business logic abuse. They are the high-level activities that the adversary performs during each phase.
| ID | Name | Description | Phase |
|---|---|---|---|
| TAC-01 | Website Creation | The adversary creates a website to support their operations. This may be a duplicate or typo-squat of a legitimate website, or a wholly new one. The details are often faked to give the impression of legitimate activity occurring on it. | Resource Development |
| TAC-02 | Credential Acquisition | Adversaries may purchase or otherwise obtain accounts. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals. Methods used to get credentials include phishing, keylogging and extracting from dumped credentials. | Resource Development |
| TAC-03 | Infrastructure Acquisition | Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating operations. Infrastructure solutions include physical or cloud servers, proxies, domains, and third-party web services. Additionally, botnets are available for theft, rent or purchase (other adversaries may build... | Resource Development |
| TAC-04 | Payment Detail Acquisition | The adversary is trying to acquire financial information that can be used to make payments in another name, for example bank account or credit card details. This information is most commonly acquired from keylogging, phishing and data dumps, and may contain either, or a mixture of, complete and partial payment... | Resource Development |
| TAC-05 | Tool Development | Adversaries will develop tools to help facilitate their intent and planned attack process. This can be in the form of a fully automated computer program or a simple script that is designed for basic web interactions. | Resource Development |
| TAC-08 | CAPTCHA Bypass | The adversary attempts to bypass CAPTCHA-based defensive measures through either automated or manual methods. | Defence Bypass |
| TAC-09 | Human Emulation | The bot imitates human behaviour in order to bypass User Behaviour Analytics-based defensive measures. This may include moving the mouse, browsing between random pages, scrolling, pausing between actions, and/or faking navigation to a web app via a search engine. | Defence Bypass |
| TAC-10 | Proxying | The adversary seeks to disguise their true attack with diversionary measures, or to hide their actual attack amongst other activity (which may appear/be legitimate, malicious, or noise). | Defence Bypass |
| TAC-11 | Smokescreening | The adversary seeks to disguise their true attack with diversionary measures, or to hide their actual attack amongst other activity (which may appear/be legitimate, malicious, or noise). | Defence Bypass |
| TAC-12 | Account Creation | The adversary creates accounts on the target site that are not associated with a real person, use a mix of real or fake details, or are created with a real person’s details without their knowing consent. | Attack Execution |
| TAC-13 | Account Takeover | An adversary seizes control of an account, giving them the ability to use it, manipulate it, and/or extract information from it as though they were the legitimate owner of the account. | Attack Execution |
| TAC-14 | Fake Interaction | The adversary interacts with a website or API in a manner intended to imitate human interactions to achieve their objective. This may include interacting with media (such as comment boxes, other users, up/downvote buttons, etc.). | Attack Execution |
| TAC-15 | Purchase | The adversary attempts to purchase goods or services. | Attack Execution |
| TAC-18 | Policy Abuse | The adversary violates the terms of service/terms and conditions to attain their objective. This may include the Sale of digital assets, or the use of bonuses or loyalty points outside of their intended functionality. It specifically refers to where an adversary violates the terms of an agreement (such as a... | Attack Execution |
| TAC-19 | Payment Detail Abuse | The adversary uses stolen or cracked payment credentials (such as credit card details or loyalty points), to make a purchase without the consent of the owner of those payment details. | Attack Execution |
| TAC-20 | Cashout | The attacker seeks to extract financial value from the target either monetarily or through offerings such as loyalty schemes. | Actions on the Objective |
| TAC-21 | Data Extraction | Information gathered during the attack is provided to the adversary and/or another interested party. This information may be used to inform future attacks or decision-making. | Actions on the Objective |
| TAC-22 | Invoice Abuse | The adversary will use PO Boxes, fake addresses, and/or fake identities to bypass restrictions that limit services or purchases to a limited number per individual or address. | Post-Attack |
| TAC-23 | Delivery Redirect | The adversary changes the delivery instructions after the product has been shipped. | Post-Attack |
| TAC-24 | Sale | Having acquired their target (e.g. via Account Takeover or Sniping), the adversary will then sell or resell the targeted objective on a third-party site (generally either a forum or e-commerce platform, depending on the nature of the acquired objective). | Post-Attack |
| TAC-25 | Accessibility Options Abuse | The adversary takes advantage of accessibility features, processes and technology. | Defence Bypass |
| TAC-26 | Impersonation | Impersonation involves an adversary pretending to be someone else or a trusted entity to deceive business or defensive tools into allowing access to applications, sites or information that they should not be allowed to access. | Defence Bypass |
| TAC-27 | Session Manipulation | Session Manipulation is the process of manipulating or abusing technical processes to fool defensive tooling into trusting the session or assuming the session of another user. | Defence Bypass |
| TAC-28 | Queue Bypass | Queue Bypass is a tactic used to evade virtual waiting lines and gain priority access to limited goods or services. | Defence Bypass |
| TAC-29 | Session Transfer | The adversary transfers a valid user session to another individual (or receives one). This allows multiple adversaries to collaborate on an attack. | Attack Execution |
| TAC-30 | Bonus Farming | Bonus farming is the process of gathering additional bonuses from sites, or using referral links, to obtain more monetary or discount benefit from a site. | Post-Attack |
| TAC-31 | AI Model Training | The data gathered in the attack is incorporated into datasets used for training AI models. | Post-Attack |
| TAC-32 | Geolocation Spoofing | The adversary seeks to obfuscate the origin of their activity, access geo-fenced resources or bypass geo-blocking by spoofing their geolocation. | Defence Bypass |
| TAC-33 | Device Emulation | The adversary emulates device attributes, such as user agents or hardware fingerprints. They do this to simulate the behaviour of another device. | Defence Bypass |
| TAC-34 | Attack Surface Identification | An adversary seeks technical and defensive information related to the target (bot management provider, defences in place or asset information) to better inform later stages of the attack. | Reconnaissance |
| TAC-35 | Fake Credibility Generation | The adversary seeks to establish their credibility by building a false reputation. Some sites may limit certain interactions or activities to those accounts that have performed certain actions or been active on the site for a certain length of time. | Defence Bypass |
| TAC-36 | Specific Target Scraping | Specific Target Scraping is performed on a single or clearly defined small set of targets, such as a product or individual. | Attack Execution |
| TAC-37 | Loose Target Scraping | Loose Target Scraping is performed to gather data from a wide range of targets, for example an entire product range or all articles posted on a news site. | Attack Execution |
| TAC-38 | Identity Acquisition | The adversary obtains a digital identity to use in subsequent attacks. | Resource Development |
| TAC-39 | Inventory Manipulation | The adversary manipulates the target's available inventory. | Actions on the Objective |
| TAC-40 | Add to Cart | The adversary adds a product or service to their cart. | Attack Execution |
| TAC-41 | Account Enumeration | The adversary attempts to identify accounts that exist in the target platform/system by guessing usernames against a login or registration path and interpreting the response message. | Attack Execution |
| TAC-42 | Payment Card Enumeration | The adversary attempts to identify credit, debit or gift card details by guessing different values. | Attack Execution |
| TAC-43 | Information Release | The adversary publicly releases private information gathered during the attack. | Post-Attack |
| TAC-44 | Vulnerability Identification | An adversary seeks information about the target's weaknesses or vulnerabilities to better inform later stages of the attack. | Reconnaissance |