Akamai observed attackers using a technique dubbed Cipher Stunting, in which advanced methods are used to randomize SSL/TLS signatures in an attempt to evade detection.
Researchers noted spikes in distinct fingerprints in August 2018, with 18,652 distinct fingerprints globally, but at the time there was no evidence of any tampering with Client Hello or any other fingerprint component, according to a May 15 Akamai blog post.
In early September 2018, researchers began observing TLS tampering via cipher randomization across several verticals, with many instances targeted towards airlines, banking, and dating websites. By the end of October, the TLS tampering had climbed to 255 million and hit more than 1.3 billion instances by February 2019.
“Over the last few months, attackers have been tampering with SSL/TLS signatures at a scale never before seen by Akamai,” researchers said in the post.
“The TLS fingerprints that Akamai observed before Cipher Stunting was observed could be counted in the tens of thousands. Soon after the initial observation, that count ballooned to millions, and then recently jumped to billions.”
Researchers said 82 percent of the malicious traffic witnessed, including application attacks, web scraping and credential abuse, is carried out using secure connections over SSL/TLS.
The technique isn’t anything new, as researcher Ivan Ristić developed an Apache module to passively fingerprint clients based on cipher suites and came up with a signature base that identifies many browsers and operating systems back in 2008.
Other researchers have since found additional information that can be taken from other fields, including Client Hello, and have developed open source tools for TLS fingerprinting and methods for server fingerprinting.
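
A detection-side sketch of the fingerprint explosion described above, added here as an example and not taken from Akamai's tooling or blog post. It assumes the randomization reorders a fixed cipher list (the article does not say how the list is varied), and the function names, threshold and sample observations are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

def ordered_fp(ciphers):
    """Order-sensitive fingerprint: hash of the suite IDs exactly as offered."""
    text = ",".join(f"{c:04x}" for c in ciphers)
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def set_fp(ciphers):
    """Order-insensitive fingerprint: hash of the sorted, de-duplicated IDs."""
    return ordered_fp(sorted(set(ciphers)))

def find_randomizers(observations, min_ordered=3):
    """Map each suspicious source to (ordered fingerprints, distinct cipher sets).

    observations: iterable of (source, [cipher suite IDs]) from Client Hellos.
    A stable TLS library offers the same list on every connection, so a source
    showing many orderings of fewer underlying sets is likely shuffling them.
    min_ordered is an assumed threshold, not a value from the article.
    """
    ordered, sets = defaultdict(set), defaultdict(set)
    for src, ciphers in observations:
        ordered[src].add(ordered_fp(ciphers))
        sets[src].add(set_fp(ciphers))
    return {src: (len(ordered[src]), len(sets[src])) for src in ordered
            if len(ordered[src]) >= min_ordered
            and len(sets[src]) < len(ordered[src])}

# Constructed sample data: documentation IP ranges, real IANA cipher suite IDs.
BASE = [0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F]
OTHER = [0xC02C, 0xC030, 0x009C]
SAMPLE = (
    [("192.0.2.10", BASE)] * 4                      # stable client
    + [("198.51.100.7", BASE), ("198.51.100.7", BASE[::-1]),
       ("198.51.100.7", BASE[1:] + BASE[:1]),
       ("198.51.100.7", BASE[2:] + BASE[:2])]       # same set, shuffled
    + [("203.0.113.5", BASE), ("203.0.113.5", OTHER)]  # two clients behind NAT
)

if __name__ == "__main__":
    for src, (n_ordered, n_sets) in find_randomizers(SAMPLE).items():
        print(f"{src}: {n_ordered} ordered fingerprints over {n_sets} cipher set(s)")
```

If the randomization instead adds or drops suites, the set-based fingerprint also varies, and the per-source count of distinct fingerprints becomes the more useful signal.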