Credential stuffing, and the botnets behind this activity, is the primary focus of the State of the Internet Security Report, Issue 4, 2018. Credential stuffing, the use of botnets to try to login to a site with stolen or randomly created login information, isn’t a new phenomenon, but it is one that is having a growing impact, especially on financial services organizations. Our latest report takes a deeper look at attacks against a two North American organizations and a brief examination of where bot traffic is being generated.
How often are organizations really looking at the history of their logins to detect long term activity against their site? Our first example highlights a credit union that was encouraged to give their logs a deeper look when a botnet made a lot of noise during a credential stuffing attack. What they originally thought was a single botnet, actually turned out to be three separate attackers. What was especially concerning about one of the botnets was the longevity of the attack and how the attacker had used a “low and slow” strategy to remain below any default alerting thresholds that a normal business might have in place.
Our second example highlights a botnet at the other end of the spectrum ― one that created so much traffic, it dwarfed normal login attempts. It was a sudden spike two to three times their normal traffic that caused this financial services company to examine the incoming login traffic. Real customers were experiencing significant login issues, which is always a guaranteed way to get attention. Unluckily, it appears that is typically the only time many organizations think about credential stuffing.
In the final section of the report, we look at who the sources and targets of botnet attacks are. Akamai saw over 8.3 billion malicious login attempts in May and June alone. The majority of this traffic is coming from the U.S. (2.82 billion attempts) and Russia (1.55 billion attempts). But because the traffic is being created by botnets, it is nearly impossible to determine where the actual attackers are, just where the compromised systems making up the botnet are.
Credential stuffing may not be a new problem, but it is a growing one. Every time the user database of a site is compromised, the list of usernames and passwords available to botnet owners grows. Earlier this year, at least one such list topped 1.4 billion records. If even a tiny percentage of these accounts are reusing their logins and passwords, it makes credential stuffing at the volumes we’re seeing worth the risk to attackers. Awareness of the threat is the first step in making credential stuffing less profitable for botherders.