Distil Networks, the San Francisco-headquartered bot detection and mitigation specialist, today issued The 2018 Anatomy of Account Takeover Attacks Report, focused on account takeovers (ATOs). The report draws on data from 600 domains with login pages; the 100 domains with the largest bad-bot traffic datasets were then analyzed in detail. Every monitored login page was hit with bad bot traffic, suggesting that any website with a login page faces ATO attempts.
The report analyses the patterns discerned in ATO attacks, lists the most popular tools used to carry them out, and defines three primary ATO bot attack profiles. It also outlines the differences between simple, moderate and advanced attacks, and proposes methods for detecting and mitigating each attack type.
ATOs conducted by bots on behalf of hackers or fraudsters serve a range of purposes, from validating sets of stolen logins to gaining access to an account and the information within it, such as credit card details. Stolen account data can also be used to transfer money, purchase goods, be sold on the dark web, or spread a specific agenda.
Key Findings from the Distil report include:
- Following a data breach in which credentials have been made publicly available, websites typically see a 300% increase in volumetric attacks, and in the following days experience 3X more credential stuffing attacks than the norm of 2-3 attacks per month. This matters because data breach frequency has risen significantly over the last two years; in March 2017 alone, Distil reports, 13 major incidents were disclosed.
- ATO attacks happen most frequently on a Friday or Saturday: 39% of volumetric ATOs take place on those two days. This suggests that bot operators schedule attacks outside regular working hours, when fewer security professionals are likely to be on hand.
- Test rounds frequently precede a genuine attack: bad bots are often used to probe a website a few days before a large-scale account takeover attempt. Distil found that around 20% of the analyzed attacks followed this pattern, leading the firm to recommend that any deviation from the baseline rate of failed logins be investigated.
- ATOs were evenly split between two groups: half were targeted ‘Volumetric Credential Stuffing’ attacks (credential stuffing is the mass replay of stolen username/password pairs to test which are still valid), and half were ‘Low and Slow’ credential cracking and credential stuffing attacks (credential cracking attempts to identify legitimate logins by guessing different values for usernames and/or passwords).
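As an added illustration (not Distil's code, and not the detection method the report itself describes), the following Python script applies the two recommendations above to constructed login log lines: it flags hours whose failed-login count exceeds a multiple of the baseline, and it profiles each source IP as volumetric or low-and-slow and as credential stuffing or credential cracking. The log format ("ISO-timestamp ip user RESULT"), the thresholds, and the sample lines are all assumptions made for this example.

```python
"""Failed-login baseline detector and per-source ATO profiler.

Added illustrative example, not Distil's detection logic. The log
format ("ISO-timestamp ip user RESULT"), the thresholds and the sample
lines are all constructed for this example.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log. Hours 00-05 are the quiet baseline (one
# mistyped password per hour plus one guess at "admin" from 10.0.0.9,
# which keeps trickling all night: low and slow cracking). Hour 06 is a
# burst from 198.51.100.7 trying 40 different usernames once each:
# volumetric credential stuffing.
SAMPLE_LOG = []
for h in range(6):
    SAMPLE_LOG.append(f"2018-03-02T{h:02d}:10:00 192.0.2.{h} alice FAIL")
    SAMPLE_LOG.append(f"2018-03-02T{h:02d}:20:00 192.0.2.{h} alice OK")
    SAMPLE_LOG.append(f"2018-03-02T{h:02d}:30:00 10.0.0.9 admin FAIL")
for i in range(40):
    SAMPLE_LOG.append(f"2018-03-02T06:{i:02d}:00 198.51.100.7 user{i} FAIL")


def parse_log(lines):
    """Parse constructed-format lines into event dicts; skip malformed ones."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "result": result})
    return events


def hourly_failures(events):
    """Count failed logins per hour, keyed "YYYY-MM-DDTHH" (sorts chronologically)."""
    counts = Counter(e["ts"].strftime("%Y-%m-%dT%H")
                     for e in events if e["result"] == "FAIL")
    return dict(sorted(counts.items()))


def baseline_anomalies(counts, factor=3.0, min_history=3):
    """Flag hours whose failure count exceeds factor x the median of all
    earlier hours. Returns [(hour, count, baseline)]. Hours with zero
    failures are absent from counts, so the baseline is built only from
    hours that saw failures; with a zero baseline any failure is flagged."""
    flagged, history = [], []
    for hour, count in counts.items():
        if len(history) >= min_history:
            baseline = median(history)
            if count > factor * baseline:
                flagged.append((hour, count, baseline))
        history.append(count)
    return flagged


def classify_sources(events, min_failures=5, volumetric_per_hour=20):
    """Profile each source IP by its failed logins.
    Stuffing: mostly distinct usernames (replaying breached pairs).
    Cracking: a few usernames guessed many times.
    Volumetric: failures packed into few hours; otherwise low and slow.
    Thresholds are constructed for this example."""
    per_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            per_ip[e["ip"]].append(e)
    profiles = {}
    for ip, fails in per_ip.items():
        n = len(fails)
        if n < min_failures:
            continue  # too few failures to call either way
        distinct_users = len({e["user"] for e in fails})
        active_hours = len({e["ts"].strftime("%Y-%m-%dT%H") for e in fails})
        technique = ("credential stuffing" if distinct_users / n >= 0.5
                     else "credential cracking")
        tempo = ("volumetric" if n / active_hours >= volumetric_per_hour
                 else "low and slow")
        profiles[ip] = f"{tempo} {technique}"
    return profiles


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hour, count, base in baseline_anomalies(hourly_failures(evs)):
        print(f"{hour}: {count} failures vs baseline {base}")
    for ip, profile in classify_sources(evs).items():
        print(f"{ip}: {profile}")
```

On the sample data the burst hour is flagged at 40 failures against a baseline of 2, 198.51.100.7 profiles as volumetric credential stuffing, and 10.0.0.9 as low and slow credential cracking even though it never trips the hourly baseline, which is why the per-source view is needed alongside the volume view. In a real deployment the baseline should be keyed by hour of day and day of week (the report's Friday/Saturday finding makes a flat baseline misleading), and a small flagged hour a few days before a large one should be treated as the test round the report describes rather than dismissed as noise.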
“Every time a breach comes to light and consumer credentials are exposed, any business with a login page should prepare themselves for a swell of volumetric credential stuffing attacks,” said Anna Westelius, senior director of security research at Distil Networks. “While bot operators may be purposeful in their strategy of carrying out ATO attacks, this data also renders them predictable. Organizations must educate themselves in order to identify the warning signs, and be prepared for times when an attacker may strike.”
A full copy of the Distil Networks The Anatomy of Account Takeover Attacks Report can be downloaded here.