Light Dark
March 29, 2018 By Martin McKeay 4 min read
Fraud Protection
Identity & Access

I’m sorry to say that sound you hear isn’t opportunity knocking. It’s an account checker trying to access your site. Using stolen credentials, botnets are constantly tapping at the entry point to almost every site on the internet trying to see if the information they took from someone else’s site contains the keys they need to access yours.

This is a part of the internet traffic we all have to deal with. What many organizations don’t realize, however, is that credential abuse and account checkers may actually outnumber legitimate login attempts by a factor of greater than 4 to 1. If you work in security for a hotel chain or airline, you probably have some idea of what I’m talking about.

The Evolution of Credential Abuse Bots

When I ran my first secure shell (SSH) server years ago, it was amazing to me how many spurious login attempts there were in the first few hours after it went live. There’s no lack of username and password dictionaries online, and the frequent security compromises of organizations around the globe have only increased the number of accounts available for exploitation.

Additionally, users continue to expose themselves by repeating login information across multiple accounts. The original credential abuse bots were simply scanners looking for common user accounts like “admin@domain.com” against any system that would respond. It’s always interesting to check your own accounts on Troy Hunt’s Have I Been Pwned site.

Today’s credential abuse bots are much more sophisticated than what hit my SSH server 20 years ago. One of the first iterations was the move to a bot-based architecture rather than login attempts coming from a single source. It was easy to block a single IP address that was abusing your site, but when the logins are coming from hundreds or thousands of IP addresses with little or no commonality, it becomes much harder to pinpoint an attack.

Modern bot designs have made it even harder to track where threats are coming from. Even a few years ago, botnets could take aim at a site and run through every username and password combination as quickly as possible. There have been more than a few distributed denial-of-service (DDoS) attacks that became credential abuse attacks with enough bandwidth to take down their target.

How Bot Traffic Adds Up Over Time

Attackers are now much more subtle and use a low-and-slow approach in their activity. A single IP address from a botnet might only be seen by a target once, or it might be seen several times over a short period. In reality, that IP address is being used against a long list of victims and slowly churning through its targets over time.

When you have a host of thousands of endpoints at your command, you can keep your botnet from being blocked and make it significantly more effective by having each one of those hosts check only a few logins. It may mean that the credential abuse bots aren’t quite as quick as a more shotgun approach, but it also means they have a better survival rate.

Credential abuse is never an isolated incident — it’s a significant portion of all web traffic. In a recent Akamai report, I observed that bot traffic accounts for approximately 1.6 percent of all web-based traffic on the internet. This may not sound like much, but when you look at the terabits per second of traffic flowing around the globe and realize how many login attempts it takes to create that traffic, it’s an incredible amount. It helps to remember that the average webpage can take a few hundred megabytes to download, while the payload required to execute a credential abuse attack is measured in kilobytes.

Related: The Weaponization of IoT: Rise of the Thingbots

One of the latest innovations for credential abuse is a shift to attacks on the application programming interfaces (APIs) that enable computer-to-computer interactions on the web. Almost every site has an API that allows for health checks or permits other computers to download important data. Unlike the front door of a site, these accounts are often static and not as rigorously monitored by defenders.

Combined with the fact that many APIs have access to data no user would be allowed to see, they are tempting targets for attackers. Rather than compromise one or several accounts, attackers can use a compromised API to download the entire data set of a site or establish a foothold on the network.

Protecting Your Site From Credential Abuse Attacks

What can an organization do to protect itself from credential abuse attacks? As with anything in the security domain, the first step is to increase awareness. The solutions promising to handle your bot and account takeover problems are legion, but if no one in your organization is taking credential abuse seriously, you won’t have access to any of them.

The next step is to be aware of the changing landscape. I could detail a dozen different controls you need to have in place to combat today’s account checkers, but the truth is that they’ll be outdated in a year if your technology doesn’t keep up with the pace of change. Today, having a vendor who can spot a single IP address jiggling the locks across multiple sites is vitally important. Bot herders are an intelligent, adaptive adversary and will develop methods to evade any protections. This means your defenses have to continue adapting as well.

Credential abuse is not going to stop knocking at your door anytime soon. Abusers have little chance of being caught, and their attacks are a low priority for many organizations compared to flashier, more frequent problems such as a DDoS attacks. But as long as users reuse the same login and password across multiple sites, account checkers will prosper. It’s an attack that offers little risk for a potentially huge reward.

 |  |  |  |  |  |  |  |  | 
Martin McKeay
Security Advocate

More from Fraud Protection
October 30, 2023

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

August 23, 2023

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

August 17, 2023

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature