Attackers today have become much more subtle and use a “low-and-slow” approach while planning malicious activity
One major threat looming over almost every online business today is credential abuse. Botnets constantly probe every entry point with stolen credentials, replaying username and password pairs taken from other websites to find out whether they also unlock an account on the target site.
While this is a prevalent problem, what many organisations don’t realise is that credential abuse and account checkers may actually outnumber legitimate login attempts by a factor of more than four to one. The hospitality and e-retail industries are probably the most coveted targets of these attacks. With 82% of login attempts stemming from malicious botnets, the hospitality industry became the biggest target of fraudulent credential attacks. A report by PwC found that retail customers saw attacks on their websites go up by over 30%. With retail e-commerce growing at a CAGR of 26%, India is one of the fastest-growing e-commerce markets worldwide, which also points to a potential increase in credential attacks.
Evolution of credential abuse bots
As an example, years ago a secure shell (SSH) server revealed an alarmingly large number of spurious login attempts within the first few hours of going live. The growth of username and password dictionaries online, along with frequent security compromises of organisations around the globe, has only increased the number of accounts available for exploitation. This is amplified by the number of users who continue to expose themselves by reusing login information across multiple accounts.
The IBM Security: Future of Identity Study states that 41% of millennials today reuse their passwords across websites.
The original credential abuse bots mainly comprised scanners looking for common user accounts like “email@example.com” on any system that would respond. Interestingly, users today can check whether their own accounts appear in known breaches on Troy Hunt’s Have I Been Pwned site.
Credential abuse attacks by botnets are evolving as we speak. One of the first iterations was the move to a bot-based architecture rather than login attempts from a single source. It was easy to block a single IP address that was abusing a site, but when logins come from hundreds or thousands of IP addresses with little or no commonality, it becomes much harder to pinpoint an attack. Modern bot design has made this even more difficult, because it hides the source of the attacks.
Even a few years ago, botnets could take aim at a site and run through every username and password combination as quickly as possible. Many of these were, in effect, distributed denial-of-service (DDoS) attacks that became credential abuse attacks, arriving with enough bandwidth to take down their target.
Growth of bot traffic over time
Attackers today have become much more subtle and use a “low-and-slow” approach when planning malicious activity. A single IP address from a botnet might be seen by a target only once, or a few times over a short period. In reality, that IP address is being used against a long list of victims, slowly churning through its targets over time. With thousands of endpoints, each host checks only a few logins, which keeps the botnet from being blocked and makes it significantly more effective. The credential abuse bots may not be as quick as a more shotgun approach, but they have a better survival rate.
The Q4 2017 Akamai State of the Internet / Security Report observed that bot traffic accounts for approximately 1.6% of all web-based traffic on the internet. This may not sound like much, but the terabits per second of traffic flowing around the globe show how many login attempts it takes to generate that share. The average webpage takes a few hundred megabytes to download, while the payload required to execute a credential abuse attempt is measured in kilobytes, so that 1.6% represents a very large number of attempts.
A shift to attacks on the application programming interfaces (APIs) that enable computer-to-computer interactions is one of the latest innovations in credential abuse. Almost every site has an API that allows for health checks or permits other computers to download important data. The accounts behind these APIs are more often than not static and not comprehensively monitored by defenders. At Akamai, we looked into close to 600 million user login events for some of our largest customers across various industries over a 24-hour period and found that almost two thirds of the logins were automated and illegitimate. API endpoints are targeted with malicious automated login attempts more than traditional form-based logins. Attackers can use a compromised API to download the entire data set of a site or establish a foothold on the network.
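The two points above, that a low-and-slow botnet stays under any per-IP failure threshold and that API endpoints attract a disproportionate share of automated logins, are easiest to see on data. The following Python is an added example, not code from the article or from Akamai’s products: it builds a constructed sample of login events (documentation-range IP addresses, invented account names and the paths /login and /api/v1/auth, all assumptions) and runs three detection views over it. The per-IP threshold that would stop a single abusive source flags nothing, while an account-centric count of distinct failing sources, the failure ratio per endpoint, and the share of traffic attributable to sources that never succeed all expose the campaign.

```python
"""Added example: detection views over constructed login events showing why a
per-IP failure threshold misses a low-and-slow credential abuse campaign.
All addresses, account names and paths are assumptions made for the sample."""
from __future__ import annotations

from collections import Counter, defaultdict
from typing import NamedTuple


class LoginEvent(NamedTuple):
    ts: int       # seconds since an arbitrary epoch (constructed)
    src_ip: str
    path: str     # "/login" is the HTML form, "/api/v1/auth" the API endpoint
    user: str
    ok: bool


def build_sample() -> list[LoginEvent]:
    """Constructed sample: a few real users plus a distributed botnet in which
    every source IP checks only two stolen credential pairs, spaced out in time."""
    events = [
        LoginEvent(0, "203.0.113.5", "/login", "alice", False),       # typo
        LoginEvent(6, "203.0.113.5", "/login", "alice", True),
        LoginEvent(9, "203.0.113.7", "/login", "bob", True),
        LoginEvent(15, "203.0.113.9", "/api/v1/auth", "svc-report", True),
    ]
    victims = ["carol", "dave", "erin", "frank", "grace"]
    bot_ips = [f"198.51.100.{n}" for n in range(1, 31)]  # 30 hosts, RFC 5737 range
    t = 20
    for i, ip in enumerate(bot_ips):
        for j in range(2):  # two attempts per host: far below any sane per-IP limit
            user = victims[(i + j) % len(victims)]
            # four out of five attempts go to the API endpoint, one to the form
            path = "/api/v1/auth" if (i + j) % 5 else "/login"
            events.append(LoginEvent(t, ip, path, user, False))
            t += 37
    return events


def per_ip_threshold(events: list[LoginEvent], max_failures: int = 5) -> set[str]:
    """Classic control: flag a source once it exceeds max_failures failed logins.
    A low-and-slow campaign keeps every host under the limit, so this returns nothing."""
    failures = Counter(e.src_ip for e in events if not e.ok)
    return {ip for ip, n in failures.items() if n > max_failures}


def accounts_under_attack(events: list[LoginEvent], min_distinct_ips: int = 5) -> dict[str, int]:
    """Account-centric view: failures against one account from many unrelated sources.
    Returns {account: number of distinct failing source IPs} for accounts over the limit."""
    sources: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if not e.ok:
            sources[e.user].add(e.src_ip)
    return {u: len(ips) for u, ips in sources.items() if len(ips) >= min_distinct_ips}


def failure_ratio_by_path(events: list[LoginEvent]) -> dict[str, float]:
    """Failed-login ratio per endpoint; a static, unmonitored API path stands out."""
    totals: Counter[str] = Counter()
    fails: Counter[str] = Counter()
    for e in events:
        totals[e.path] += 1
        if not e.ok:
            fails[e.path] += 1
    return {p: fails[p] / totals[p] for p in totals}


def suspected_automated_share(events: list[LoginEvent], min_distinct_ips: int = 5) -> float:
    """Fraction of all login events from sources that never succeed and only ever
    hit accounts already under distributed attack; the kind of figure behind a
    'two thirds of logins were automated' statement."""
    targeted = accounts_under_attack(events, min_distinct_ips)
    by_ip: dict[str, list[LoginEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    suspicious = {
        ip for ip, evs in by_ip.items()
        if not any(e.ok for e in evs) and all(e.user in targeted for e in evs)
    }
    return sum(1 for e in events if e.src_ip in suspicious) / len(events)


if __name__ == "__main__":
    sample = build_sample()
    print("per-IP threshold flags:", per_ip_threshold(sample) or "nothing")
    print("accounts under distributed attack:", accounts_under_attack(sample))
    print("failure ratio by endpoint:", failure_ratio_by_path(sample))
    print(f"suspected automated share: {suspected_automated_share(sample):.1%}")
```

Run as a script it prints an empty per-IP result, all five victim accounts with twelve distinct failing sources each, a failure ratio above 0.9 on both endpoints with the API path highest, and an automated share of about 94%. The point of the account- and endpoint-centric views is that they aggregate across the botnet rather than across one source, which is what a single-site per-IP block list cannot do.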
Protecting your site from credential abuse attacks
The first step towards protection from credential abuse is to raise awareness of it across the business. There are many solutions that can handle bot and account takeover problems, but if no one in the organisation takes credential abuse seriously, getting access to those solutions becomes an issue. Awareness also means keeping up with the changing threat landscape: there might be a dozen different controls to combat today’s account checkers, but they will be outdated in a year if the technology doesn’t keep pace with change. Having a vendor who can spot a single IP address navigating across multiple sites is vitally important. Bot herders are an intelligent, adaptive adversary and will develop methods to evade any protection, so defences need to adapt constantly as well.
As established earlier, credential abuse as a problem is here to stay. Abusers have little chance of being caught and, adding to this, their attacks are a low priority for many organisations compared with flashier, more frequent problems such as DDoS attacks. Account checkers will thrive as long as users reuse the same login and password across multiple sites. It’s an attack that offers little risk for a potentially huge reward.
Threat intelligence analysis can do a great job of finding malicious activity. Given the evolving threat landscape, it is now time to extend the paradigm of on-premise security into a multi-layer defensive approach that eliminates credential abuse threats.
Martin McKeay is senior security advocate, Akamai Technologies