Techniques
Techniques detail the specific actions or methods that may be employed by adversaries during business logic abuse. They are the low-level activities that the adversary performs to achieve their tactical goal.
| ID | Name | Description | Tactic(s) | Phase(s) |
|---|---|---|---|---|
| TEQ-001 | Cloning | Cloning is when an adversary copies a website to create a replica of said site. This is generally used when the attacker is trying to impersonate a legitimate site for illegitimate purposes. | Website Creation | Resource Development |
| TEQ-002 | URL Disguise | URL Disguise is where an adversary attempts to make their illegitimate version of a site appear to be the legitimate domain by associating it with a similar URL (such as F0rbes.com or G00gle.com). Traffic to and from this site may thus be mistaken by a human as being associated with... | Website Creation | Resource Development |
| TEQ-003 | Data Dumps | The adversary obtains data, such as credentials or payment details, from previous breaches. | Credential Acquisition, Payment Detail Acquisition, Identity Acquisition | Resource Development |
| TEQ-004 | Infostealer | Infostealers are a class of malware that are used to steal information such as credentials and payment details from the infected device. Keyloggers are a common form of infostealer. | Credential Acquisition, Payment Detail Acquisition | Resource Development |
| TEQ-005 | Person in the Middle | A person in the middle attack is when the attacker intercepts traffic between two hosts; this allows the attacker to listen to the traffic that is being sent from host A to host B and to capture or manipulate the data. | Credential Acquisition, Payment Detail Acquisition | Resource Development |
| TEQ-006 | Social Engineering | Social engineering is the fraudulent attempt to obtain information or data, such as usernames, passwords, credit card numbers, or other sensitive details, by impersonating a trustworthy entity. | Credential Acquisition, Payment Detail Acquisition | Resource Development |
| TEQ-008 | Botnet | A botnet is a number of internet-connected devices, under the control of an adversary. Botnets can be used to perform distributed attacks from many different sources simultaneously. | Infrastructure Acquisition | Resource Development |
| TEQ-010 | Proxies | In preparing for an attack an adversary may seek to acquire proxy servers through which to route traffic. This will allow them to disguise the true source of the traffic, enabling one source to appear as many and/or permitting the bypassing of IP-based blocking of traffic. | Infrastructure Acquisition | Resource Development |
| TEQ-011 | Trusted Infrastructure | The adversary obtains access to inherently trustworthy infrastructure, e.g., trusted third parties. | Infrastructure Acquisition | Resource Development |
| TEQ-012 | Development of Tools | An adversary creates a tool that facilitates a targeted attack on a specific company and/or utilising a specific attack technique, depending on the adversary's intent and the chosen attack methodology. | Tool Development | Resource Development |
| TEQ-013 | Testing of Tools | An adversary tests the tools that they have acquired, developed, or purchased for their effectiveness and utility in the intended attack. This may also include learning how the tool functions in a live exercise. | Tool Development | Resource Development |
| TEQ-014 | Campaign Reuse | The adversary reuses previously seen campaign elements or tools in a new campaign. | Tool Development | Resource Development |
| TEQ-015 | Continual Content Scraping | Scraping the same webapp or API continuously without breaks in the run time. This is usually performed to check for the exact moment when something becomes available (such as a new limited-run product the attacker wishes to be amongst the first to acquire). | Specific Target Scraping, Loose Target Scraping | Attack Execution |
| TEQ-016 | Periodic Content Scraping | Scraping a webapp or API in periodic bursts with breaks between each run. This is generally performed to acquire information without generating a pattern of continuous activity that is likely to be blocked by vigilant defenders or risk putting undue strain on the webapp or API. | Specific Target Scraping, Loose Target Scraping | Attack Execution |
| TEQ-018 | CAPTCHA Farm | When challenged by CAPTCHA, a bot may hand off the session to a human operator who completes the challenge and sends the session back to the bot to continue its activities. | CAPTCHA Bypass | Defence Bypass |
| TEQ-019 | Automated CAPTCHA Bypass | An adversary equips their bot with the capability to automatically bypass CAPTCHA challenges without human interaction. | CAPTCHA Bypass | Defence Bypass |
| TEQ-020 | Token Bypass | The adversary abuses token-based mitigation mechanisms, for example, by reusing cross-site request forgery tokens to successfully authenticate. | Session Manipulation | Defence Bypass |
| TEQ-021 | Cookie Abuse | The adversary abuses cookies, for example by reusing valid session cookies or spoofing the contents expected by a cookie-based protection mechanism. | Session Manipulation | Defence Bypass |
| TEQ-022 | Accessibility Feature Abuse | The adversary abuses inbuilt accessibility tools, options or features to accelerate their attack or bypass defences. | Accessibility Options Abuse | Defence Bypass |
| TEQ-023 | MFA Bypass | The adversary circumvents multi-factor authentication (MFA) mechanisms, such as by using accessibility options to interact with MFA notifications. | Impersonation | Defence Bypass |
| TEQ-024 | Credential Pinning | The adversary abuses credential stores, for example by hard-coding valid credentials into an application. | Impersonation | Defence Bypass |
| TEQ-025 | Certificate Abuse | The adversary abuses certificates and certificate services, for example by pinning certificates to applications or browsers with the intention of impersonating a legitimate user. | Session Manipulation | Defence Bypass |
| TEQ-026 | Mouse Usage | A bot may emulate human-like mouse usage on a webpage in order to impersonate a human visitor. | Human Emulation | Defence Bypass |
| TEQ-027 | User Agent Spoofing | User-agent spoofing is when an adversary replaces the user agent string that identifies the browser with another string. This disguises the adversary's browser and device, allowing them to impersonate other devices. | Device Emulation | Defence Bypass |
| TEQ-028 | Device Configuration Emulation | The adversary mimics the hardware and software configuration of a device hoping to bypass detection mechanisms. For example, an attacker may emulate an operating system version or hardware fingerprint. | Device Emulation | Defence Bypass |
| TEQ-029 | Notification Hijack | The adversary changes notifications or interacts with notifications to trick the end user or fake an interaction. | Human Emulation | Defence Bypass |
| TEQ-030 | IP Rotation | Adversaries employ IP rotation to conceal the fact that suspiciously high numbers of connections are all coming from a single point. In IP rotation the adversary rotates their traffic through multiple different proxies in order to give each connection (or group of connections) a new IP address. | Proxying, Geolocation Spoofing | Defence Bypass |
| TEQ-031 | IP Spoofing | IP spoofing allows an adversary to create Internet Protocol (IP) packets with a false source IP address for the purpose of impersonating another computing system and obfuscating the origin of the traffic. | Proxying | Defence Bypass |
| TEQ-032 | Domain Fronting | The adversary uses different domain names to hide the intended source and/or destination of a request, for example by sitting behind a content distribution network. | Proxying | Defence Bypass |
| TEQ-033 | Multi-Accounting | The adversary hides their true identity by performing actions through multiple accounts. | Proxying | Defence Bypass |
| TEQ-034 | Volumetric Traffic Disguise | An adversary directs a large volume of traffic at the victim. The true attack is hidden within this traffic. The intention is to make the real attack less likely to be noticed amongst the "noise" generated by the large volume of traffic. | Smokescreening | Defence Bypass |
| TEQ-035 | Target Diversification | The adversary seeks to reduce the footprint of their attack by spreading it across multiple intermediary targets and thereby reduce the likelihood of being detected. | Smokescreening | Defence Bypass |
| TEQ-036 | Social Media Creation | The adversary creates social media accounts to facilitate various activities including reconnaissance, social engineering, anonymity preservation and influencing operations. | Identity Acquisition | Resource Development |
| TEQ-037 | Email Generator | An email generator is a temporary electronic mailbox that provides an adversary the ability to send and receive messages. This allows the adversary to conceal their true identity and contact details, impersonate others, bypass blocks placed on specific emails, and to bypass restrictions based around limiting activities on a site... | Identity Acquisition | Resource Development |
| TEQ-038 | Call/SMS Generator | A Call/SMS Generator allows an adversary to make and receive calls and text messages online, while obfuscating the true identity of the adversary behind fake contact details. This allows an adversary to impersonate multiple others from a single point by pretending to have multiple different phones. | Identity Acquisition | Resource Development |
| TEQ-039 | Virtual Wallet Creation | The adversary creates a virtual wallet in the form of a crypto wallet or standard currency accounts in order to facilitate online transactions that are difficult to trace. | Identity Acquisition | Resource Development |
| TEQ-040 | Credential Cracking | Credential cracking is when an adversary attempts to identify valid login credentials by guessing different values for usernames and/or password combinations. In some cases the adversary will guess both usernames and passwords, and in others will have some part of the credentials (such as the username) and will try to... | Account Takeover | Attack Execution |
| TEQ-041 | Credential Stuffing | An adversary who has a list of credential pairings (i.e. usernames and passwords) will inject them into website login pages in the effort to determine which ones are accepted as legitimate login credentials. The target of such an attack may not be the organisation from which the credentials were initially... | Account Takeover, Account Enumeration | Attack Execution |
| TEQ-042 | SSO Compromise | The adversary abuses single sign on mechanisms to gain unauthorised access to a user's account. | Account Takeover | Attack Execution |
| TEQ-044 | Click Interaction | An adversary's bot interacts with a webpage by clicking on it. This may be for such purposes as upvoting/downvoting particular content, or clicking on adverts to either generate advertising revenue or 'burn' a competitor's Pay Per Click advertising budget. | Fake Interaction | Attack Execution |
| TEQ-045 | Content Posting | The bot automatically generates written posts on a public medium that convey the message the adversary desires, and/or 'buries' other opposing posts. | Fake Interaction | Attack Execution |
| TEQ-046 | Play Media | An adversary employs a bot to complete the runtime of media (such as video) for the benefit of the adversary (for example the bot may impersonate a human watching adverts on a webpage in order to generate revenue for the adversary from marketing initiatives). | Fake Interaction | Attack Execution |
| TEQ-047 | Form Submission | The adversary automatically fills out forms on a site. | Fake Interaction | Attack Execution |
| TEQ-049 | Automated Add to Cart | An adversary employs automated means to add an item to a digital cart, generally far faster than any human could do so. This is typically used with scalper bots when targeting a desired product or service. | Add to Cart | Attack Execution |
| TEQ-050 | Automated Purchase | An adversary uses automated means to complete a purchase, generally far faster than any human could do so. | Purchase | Attack Execution |
| TEQ-051 | Price Manipulation | The adversary emulates legitimate user behaviour on one or more markets to influence prices. | Purchase | Attack Execution |
| TEQ-053 | Inventory Hoarding | An adversary will reserve the product or service within their cart without completing the purchase. They will either hold it indefinitely to deny legitimate customers access to purchase it or advertise the stock for sale elsewhere. | Inventory Manipulation | Actions on the Objective |
| TEQ-054 | Transfer of Cart | The adversary hands over a digital cart (containing a desired service or product) to another individual for them to complete the transaction. This will often involve the adversary selling the cart to a third party who is eager to acquire the service or product contained therein. | Session Transfer | Attack Execution |
| TEQ-055 | Automated Sale | The adversary uses automation to advertise stock of a particular item on a third party website either before, at the time of, or after purchasing the desired item from the target site. | Sale | Post-Attack |
| TEQ-056 | Automated Bid | An adversary uses automated means to make a bid on a digital marketplace, generally far faster than any human could do so. | Purchase | Attack Execution |
| TEQ-058 | Limitation Policy Bypass | The adversary attempts to bypass numerical based restrictions, for example limits on the amount of stock purchases. | Policy Abuse | Attack Execution |
| TEQ-059 | Terms of Use Abuse | The adversary violates the terms of use/service agreements that they are party to. | Policy Abuse | Attack Execution |
| TEQ-060 | Returns Abuse | The adversary abuses the return or refund policy of a merchant for their financial gain, for example by claiming a refund but returning a similar but less valuable item than the original purchase. | Policy Abuse | Attack Execution |
| TEQ-061 | Credit/Debit Card Abuse | The adversary uses compromised payment card information in order to complete an action (often a purchase). | Payment Detail Abuse | Attack Execution |
| TEQ-062 | Gift Card Abuse | The adversary uses compromised gift card information to complete transactions on a site. | Payment Detail Abuse | Attack Execution |
| TEQ-063 | Loyalty Points Abuse | Targeting an organisation that has a loyalty or bonus points scheme, an adversary steals or otherwise illegitimately uses loyalty or bonus points to perform transactions on the targeted site. | Payment Detail Abuse | Attack Execution |
| TEQ-064 | Buy Now Pay Later Abuse | The adversary makes a purchase using buy now pay later services. | Policy Abuse, Payment Detail Abuse | Attack Execution |
| TEQ-065 | Bank Transfer | The adversary uses automatic transfer services to withdraw funds or make financial transactions, often without the knowledge or informed permission of the account owner. | Cashout | Actions on the Objective |
| TEQ-066 | Inventory Information Release | Having identified the availability of a desired product or service, an adversary employs an automated means of reposting this onto a third party site or forum. | Information Release | Post-Attack |
| TEQ-067 | Credential Dumping | The adversary releases credentials that should not be made publicly available. | Information Release | Post-Attack |
| TEQ-069 | Payment Detail Dumping | The adversary releases or sells payment details that should not be made publicly available, such as credit card information. These are normally stolen from a system or victim and advertised on the open web or the dark web. | Information Release | Post-Attack |
| TEQ-070 | PII Dumping | The adversary releases or sells private personal identifiable information that should not be made publicly available. This is normally stolen from a system or victim and advertised on the open web or the dark web. | Information Release | Post-Attack |
| TEQ-071 | PO Box Obfuscation | The adversary will place an order on a site setting the delivery preferences to a PO box rather than a legitimate address. This will allow for the receipt of the product without revealing the adversary's true address and/or allow the bypassing of address-based restrictions. | Invoice Abuse | Post-Attack |
| TEQ-072 | Address Manipulation | The adversary will modify the address and personal information enough to avoid automated controls for detecting a single address being used multiple times (a common defensive measure used to limit the number of times a specific individual can purchase a specific item). The address will nonetheless be written in a... | Invoice Abuse | Post-Attack |
| TEQ-073 | Fake Identity | The adversary will hide their true identity by providing fake details to the invoice process, such as name, phone number, etc. | Invoice Abuse | Post-Attack |
| TEQ-074 | Driver Redirect | Driver Redirect is used once an order has been placed and shipped for delivery. The adversary will contact the delivery organisation and redirect the delivery to a different location such as an alternative address, PO Box, or Amazon secure locker. Alternatively they may use a reshipping company to redeliver the... | Delivery Redirect | Post-Attack |
| TEQ-075 | Redelivery Abuse | The adversary obtains a redelivery card and uses it for their own benefit. | Delivery Redirect | Post-Attack |
| TEQ-076 | Manual Sale | The adversary manually sells the acquired product or service. | Sale | Post-Attack |
| TEQ-077 | New Site Creation | The adversary creates an original website to support their operations, for example, to host advertisements or malicious content. | Website Creation | Resource Development |
| TEQ-078 | Valid Accounts | The adversary obtains access to valid user accounts on their target webservice or API. | Credential Acquisition | Resource Development |
| TEQ-079 | Account Balance Withdrawal | The adversary withdraws monetary balances from their target to an account in their control. | Cashout | Actions on the Objective |
| TEQ-080 | Information Brokerage | The adversary sells information they have gathered as a result of the operation, for financial gain. | Sale | Post-Attack |
| TEQ-081 | Accessibility Downgrade | The adversary uses accessibility as an excuse to downgrade a control from a higher security version to one easier to bypass. For example, an adversary may request an easier challenge for accessibility reasons. | Accessibility Options Abuse | Defence Bypass |
| TEQ-082 | Session Persistence | The adversary forces the connection to a site or API to remain open so that the session persists. This often includes forcing the session time out to reset or fooling the endpoint into thinking the session is continually active. | Session Manipulation | Defence Bypass |
| TEQ-083 | Session Reassumption | An adversary may reassume the session they had if they had used third-party defence evasion or monitoring tools. The adversary may also sell their session to another party, often in terms of queueing. | Session Manipulation | Defence Bypass |
| TEQ-084 | Queue Flooding | The adversary creates various sessions to flood the queue system, hoping to improve their odds of obtaining the limited-inventory releases. | Queue Bypass | Defence Bypass |
| TEQ-085 | Queue Position Tracking | The adversary monitors the position of their sessions in the virtual queue. | Queue Bypass | Defence Bypass |
| TEQ-086 | Queue Jumping | The adversary seeks to advance in a virtual queue ahead of others. This can be achieved through session manipulation or exploiting weaknesses in queue management systems. | Queue Bypass | Defence Bypass |
| TEQ-087 | Queue Evasion | The adversary bypasses the virtual waiting systems entirely to gain priority access to limited-inventory releases. | Queue Bypass | Defence Bypass |
| TEQ-088 | Session Spoofing | The adversary clones, hijacks, or fabricates valid session identifiers or tokens to impersonate legitimate users. | Queue Bypass, Session Manipulation | Defence Bypass |
| TEQ-089 | Queue Position Transfer | An adversary with an advantageous position in a queueing system hands over their session, and with it their queue position, to another individual for them to use. | Session Transfer | Attack Execution |
| TEQ-090 | Referral Program Exploitation | Adversaries will often use a referral link given to them to spam social media in the hopes of users clicking on the link. This technique may also be used in conjunction with fake account creation to spike the monetary awards or discounts given to the adversary. | Bonus Farming | Post-Attack |
| TEQ-091 | Clickjacking | Adversaries may use the forwarding feature of websites to force a user to go through various referral links before redirecting them to the site the user intended to visit. Adversaries may also use false links on pages to forward a user to a referral link. | Bonus Farming | Post-Attack |
| TEQ-092 | Bonus Clipping | Adversaries may use data mining or extraction tools to monitor the numerous fake accounts they created to see if the targeted company gives discount codes or discount days. This is often seen in food delivery services with "Tasty Tuesday" discounts. | Bonus Farming | Post-Attack |
| TEQ-093 | LLM Training Data | The data gathered in the attack is incorporated into datasets used for training Large Language Models (LLMs). | | |
| TEQ-094 | LAM Training Data | The data gathered in the attack is incorporated into datasets used for training Large Action Models (LAMs). | | |
| TEQ-095 | GPS Spoofing | The adversary changes their perceived geolocation by spoofing GPS sensor data. | Geolocation Spoofing | Defence Bypass |
| TEQ-096 | Mobile Network Spoofing | The adversary uses characteristics of a mobile network (e.g., country code) to make it look like they are based in a specific geolocation. | Geolocation Spoofing | Defence Bypass |
| TEQ-097 | Accept-Language Manipulation | The adversary modifies the accept-language headers on requests to imply that the requests are being sent from a specific geolocation. This is often used in conjunction with other geolocation spoofing techniques to prevent inconsistencies in the spoofed location. | Geolocation Spoofing | Defence Bypass |
| TEQ-098 | TLS Spoofing | The adversary modifies TLS (Transport Layer Security) handshake attributes to evade detection or mimic legitimate traffic. For example, attackers can spoof JA3 or JA4 fingerprints to make automated traffic appear as if it originates from a real browser. | Device Emulation | Defence Bypass |
| TEQ-099 | Header Spoofing | The adversary manipulates HTTP headers to disguise a request's origin, intent, or client identity. | Device Emulation | Defence Bypass |
| TEQ-100 | Path Enumeration | An adversary will attempt to map out the target site's paths to reveal potential vulnerabilities. They can do this by crawling through the paths or scraping the site map. | Attack Surface Identification | Reconnaissance |
| TEQ-101 | Endpoint Enumeration | An adversary will attempt to identify APIs or other endpoints that are public facing to understand the attack surface and build up a plan of attack. | Attack Surface Identification | Reconnaissance |
| TEQ-102 | Fake Account Creation | The adversary creates one or more user accounts using fabricated personal details. | Account Creation | Attack Execution |
| TEQ-103 | Queue Exhaustion | The adversary floods a virtual waiting system with fake entries to overload or stall it. | Inventory Manipulation | Actions on the Objective |
| TEQ-104 | Queue Entry | The adversary joins digital waiting queues to gain access to limited-inventory releases, which can either be performed manually or automated by bots. | Purchase | Attack Execution |
| TEQ-105 | Account Ageing | The adversary gradually conducts activities on accounts to make them appear legitimate over time. They do this to build credibility and avoid suspicions, making their activities harder to detect. | Fake Credibility Generation | Defence Bypass |
| TEQ-106 | Fuzzing | Fuzzing or Fuzz Testing is a testing method that injects invalid, malformed or unexpected inputs into a system to gain information or reveal defects and vulnerabilities. Fuzzing against a specific target would be a concerted effort to find a vulnerability on an asset known to the adversary. | Vulnerability Identification | Reconnaissance |
| TEQ-107 | Synthetic Account Creation | The adversary combines real and fake information to generate one or more new accounts. | Account Creation, Account Enumeration | Attack Execution |
| TEQ-108 | Impersonated Account Creation | The adversary uses stolen personal data to create an account impersonating another person's identity. | Account Creation, Account Enumeration | Attack Execution |
| TEQ-109 | Inventory Exhaustion | The adversary attempts to hold enough items in the cart to prevent legitimate users from purchasing from the primary seller. | Inventory Manipulation | Actions on the Objective |
| TEQ-110 | Mass Add to Cart | The adversary adds as many of the target item(s) or service(s) as possible to their cart(s). | Add to Cart | Attack Execution |
| TEQ-111 | Loyalty Points Redemption | The adversary converts loyalty point balance from the target to funds within an account under their control. | Cashout | Actions on the Objective |
| TEQ-112 | Deepfakes | The adversary uses synthetic video, images or audio to represent a human and bypass biometric challenges. | Human Emulation | Defence Bypass |
| TEQ-113 | Credit/Debit Card Cracking | The adversary attempts to identify valid payment card details by guessing different values. In some cases the adversary will guess the entire set of data, and in others will have some part of the data (such as BINs) and will try to guess the missing details (such as the CVV).... | Payment Card Enumeration | Attack Execution |
| TEQ-114 | Gift Card Cracking | The adversary attempts to identify valid gift card details by guessing different values. In some cases the adversary will guess the entire set of data, and in others will have some part of the data (such as the first few digits) and will try to guess the missing details. Adversaries... | Payment Card Enumeration | Attack Execution |
| TEQ-115 | Intellectual Property Leak | The adversary leaks intellectual property into the public sphere by making it freely available. | Information Release | Post-Attack |
| TEQ-116 | Inventory Information Extraction | The adversary exfiltrates inventory information from the target. | Data Extraction | Actions on the Objective |
| TEQ-117 | Credential Extraction | The adversary exfiltrates credential details from the target. | Data Extraction | Actions on the Objective |
| TEQ-118 | Payment Detail Extraction | The adversary exfiltrates payment card details from the target. | Data Extraction | Actions on the Objective |
| TEQ-119 | PII Extraction | The adversary exfiltrates Personally Identifiable Information (PII) from the target. | Data Extraction | Actions on the Objective |
| TEQ-120 | Intellectual Property Extraction | The adversary exfiltrates intellectual property details from the target. | Data Extraction | Actions on the Objective |