Name:Web Fraud - Password Sharing Across Accounts id:31337a1a-53b9-4e05-96e9-55c934cb71d3 version:3 date:2024-10-17 author:Jim Apger, Splunk status:deprecated type:Anomaly Description:This search is used to identify user accounts that share a common password. Data_source:
search:`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost* | rex field=form_data "login\[username\]=(?<Username>[^&|^$]+)" | rex field=form_data "login\[password\]=(?<Password>[^&|^$]+)" | stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password|where UniqueUsernames>5 | `web_fraud___password_sharing_across_accounts_filter`
how_to_implement:We need to start with a dataset that allows us to see the values of usernames and passwords that users are submitting to the website hosting the Magento2 e-commerce platform (commonly found in the HTTP form_data field). A tokenized or hashed value of a password is acceptable and certainly preferable to a clear-text password. Common data sources used for this detection are customized Apache logs, customized IIS, and Splunk Stream. known_false_positives:As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anamoluous behavior. References: -https://en.wikipedia.org/wiki/Session_ID -https://en.wikipedia.org/wiki/Session_(computer_science) -https://en.wikipedia.org/wiki/HTTP_cookie -https://splunkbase.splunk.com/app/1809/ drilldown_searches:
: tags: analytic_story: - 'Web Fraud Detection' asset_type:Account confidence:50 impact:50 message:tbd observable: name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'http_content_type' - 'uri' risk_score:25 security_domain:threat
