According to Akamai’s latest State of the Internet report, published this Wednesday, credential stuffing is occurring at an alarming rate and is on the rise worldwide. Akamai’s security team saw 30 billion malicious login attempts from the start of November 2017 to the end of June 2018. It noted approximately 3.2 billion malicious login attempts per month between January and April 2018, and more than 8.3 billion malicious login attempts from bots in May and June 2018 alone, a sharp rise from the previous months. Fortunately, most credential stuffing campaigns have a low success rate; however, as Akamai notes, when they do succeed they can be extremely damaging both for the businesses targeted and for their customers.
Credential stuffing is a kind of cyberattack in which botnets attempt to log into a website in order to assume another person’s identity, gather personal information, or steal money and goods. The attacker collects lists of username and password pairs leaked in other breaches, often bought on the dark web, and replays them in large-scale automated login requests against a particular web application in the hope of gaining unauthorized access to user accounts. The attack is low risk and low cost for the attacker: all it requires is automating logins with already-discovered credential pairs, using general web automation tools such as Selenium or PhantomJS, or tools built specifically for this purpose such as Sentry MBA.
Credential stuffing works because many people reuse the same username and password pair across different accounts, so a pair leaked from one site is likely to open an account on another. As Akamai’s Editorial Director and Senior Security Advocate, Martin McKeay, notes in the report’s Letter from the Editor, “They’re one of the main reasons you should be using a password manager to create unique and random strings for your passwords. Yes, remembering that ‘*.77H8hi9~8&’ is your password is difficult, but having your login at the bank compromised is a much bigger hassle”.
Although many businesses are targeted, the finance industry and retailers are, unsurprisingly, the most frequently singled out, as the potential gains are most attractive. In its report, Akamai accordingly focuses on two attacks it helped defend against, both aimed at high-value financial services sites that are under constant pressure from credential stuffing botnets.
The first real-world example revealed a “low and slow” attack aimed at a large U.S. credit union earlier this year. The credit union’s IT team noticed a large spike in malicious login attempts, and investigating it revealed a trio of botnets targeting the site. Although an especially noisy botnet was what initially caught their attention, the discovery of a different botnet that had been slowly and methodically attempting to break in was the bigger concern for the institution, because it had been able to stay under the radar for so long. A botnet that spreads its attempts across many sources and keeps each source below the rate a per-IP threshold would flag can keep running for months, which is exactly why it is more dangerous than the noisy one that triggers an alert.
In the second instance noted in the report, a Fortune 500 financial services institution experienced 8.5 million malicious login attempts within 48 hours against a site that normally sees only seven million login attempts in an entire week. Over 20,000 devices took part in this botnet, which sent hundreds of requests a minute. Akamai research identified that nearly one-third of the traffic in this attack came from Vietnam and the United States.
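The two attacks above have different shapes, and they need different detection logic. The noisy botnet and the 8.5-million-attempt burst are caught by a per-source rate threshold; the “low and slow” botnet keeps every source under such a threshold and only shows up when attempts are aggregated by something the sources share and compared against the site’s normal failure rate. The following is an added example, not Akamai’s code or data: it builds a constructed login log containing legitimate users, a noisy botnet and a low-and-slow botnet, then runs both detectors over it. The IP ranges, user-agent strings, thresholds and the 5% baseline failure rate are all assumptions chosen to reproduce the two attack shapes described in the report.

```python
"""Two credential-stuffing detectors run over a constructed login log.

Added example; not Akamai's code or data.  The log, IP ranges, user-agent
strings, thresholds and baseline failure rate are assumptions chosen to
mirror the two attack shapes in the report: a noisy botnet (few sources,
thousands of attempts each) and a low-and-slow botnet (hundreds of sources,
a handful of attempts each, spread across a whole day).
"""
from collections import defaultdict
from dataclasses import dataclass
import random

# Assumed fingerprint shared by the low-and-slow bots (an older browser string).
SLOW_BOT_UA = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"


@dataclass(frozen=True)
class LoginEvent:
    ts: int           # seconds since the start of a 24 h observation window
    src_ip: str
    username: str
    user_agent: str
    success: bool


def make_sample_log(seed: int = 1) -> list:
    """Constructed sample traffic (not real data): legitimate users plus two botnets."""
    rng = random.Random(seed)
    events = []
    browsers = ["Mozilla/5.0 (Windows NT 10.0) Chrome/67",
                "Mozilla/5.0 (Macintosh) Safari/11",
                "Mozilla/5.0 (iPhone) Mobile/15"]
    # Legitimate traffic: 200 users, 1-4 logins each, about 95 % success.
    for i in range(200):
        for _ in range(rng.randint(1, 4)):
            events.append(LoginEvent(rng.randrange(86400), f"203.0.113.{i}",
                                     f"user{i}", rng.choice(browsers),
                                     rng.random() < 0.95))
    # Noisy botnet: 3 IPs, 2000 attempts each inside ten minutes, leaked
    # usernames, almost every attempt fails.
    for ip in range(3):
        for _ in range(2000):
            events.append(LoginEvent(3600 + rng.randrange(600), f"198.51.100.{ip}",
                                     f"leak{rng.randrange(50000)}",
                                     "python-requests/2.18.4", rng.random() < 0.001))
    # Low-and-slow botnet: 400 IPs, 3 attempts each spread across the day,
    # one shared user-agent, leaked usernames, almost every attempt fails.
    for ip in range(400):
        for _ in range(3):
            events.append(LoginEvent(rng.randrange(86400),
                                     f"10.0.{ip // 256}.{ip % 256}",
                                     f"leak{rng.randrange(50000)}",
                                     SLOW_BOT_UA, rng.random() < 0.001))
    return events


def burst_sources(events, window: int = 600, max_attempts: int = 100) -> dict:
    """Per-source rate detector: flag any IP with more than `max_attempts`
    logins inside any `window` seconds.  Returns {ip: peak attempts in a window}."""
    times_by_ip = defaultdict(list)
    for e in events:
        times_by_ip[e.src_ip].append(e.ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while times[start] < t - window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            flagged[ip] = peak
    return flagged


def low_and_slow_clusters(events, baseline_fail_rate: float, min_ips: int = 50,
                          max_per_ip: int = 5, min_unique_ratio: float = 0.9) -> dict:
    """Aggregate detector for sources that stay below the per-IP threshold.

    Events are grouped by a shared fingerprint (the user-agent string here;
    a TLS or header-order fingerprint works the same way).  A group is flagged
    when it consists of many 'quiet' IPs (each with at most max_per_ip
    attempts), nearly every attempt targets a different username, and the
    failure rate is far above the site's normal baseline.  baseline_fail_rate
    is assumed to be learned from historical traffic.
    """
    by_fp = defaultdict(list)
    for e in events:
        by_fp[e.user_agent].append(e)
    flagged = {}
    for fp, group in by_fp.items():
        per_ip = defaultdict(int)
        for e in group:
            per_ip[e.src_ip] += 1
        quiet = [e for e in group if per_ip[e.src_ip] <= max_per_ip]
        quiet_ips = {e.src_ip for e in quiet}
        if len(quiet_ips) < min_ips:
            continue
        fail_rate = sum(not e.success for e in quiet) / len(quiet)
        unique_ratio = len({e.username for e in quiet}) / len(quiet)
        if fail_rate > 5 * baseline_fail_rate and unique_ratio >= min_unique_ratio:
            flagged[fp] = {"ips": len(quiet_ips), "attempts": len(quiet),
                           "fail_rate": round(fail_rate, 3),
                           "max_per_ip": max(per_ip[ip] for ip in quiet_ips)}
    return flagged


if __name__ == "__main__":
    log = make_sample_log()
    print("burst sources:", burst_sources(log))
    print("low-and-slow clusters:", low_and_slow_clusters(log, baseline_fail_rate=0.05))
```

Running it, the three noisy IPs are flagged with 2,000 attempts each in a ten-minute window, while none of the 400 slow sources ever exceeds three attempts in a day and so never trips the per-IP detector; the slow botnet is only visible as a cluster of 1,200 failed, one-username-per-attempt logins sharing a fingerprint. The clustering key is the weak point of the second detector: a botnet that also randomizes user-agents needs a stronger shared signal (ASN, TLS fingerprint, timing behaviour), which is the kind of behavioural detection the report describes.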
Akamai used two different internal sources to gather its intelligence for the annual report:
Bot Manager Premier – an Akamai product that gathers intelligence about bots from across Akamai’s platform and offers a customizable framework for managing bot traffic according to each company’s online business strategy;
Cloud Security Intelligence (CSI) platform – a data processing engine within Akamai’s platform used to continuously analyze over two petabytes of data linked to web security threats.
Akamai’s Vice President of Web Security, Josh Shaul, shared an example of the company successfully overcoming credential abuse on behalf of a customer. “One of the world’s largest financial services companies was experiencing over 8,000 account takeovers per month, which led to more than $100,000 per day in direct fraud-related losses,” said Shaul. “The company turned to Akamai to put behavioural-based bot detections in front of every consumer login endpoint and immediately saw a drastic reduction in account takeovers to just one to three per month and fraud-related losses down to only $1,000 to $2,000 per day.”
Although credential stuffing attacks are on the rise and represent a large potential risk to high-value targets, many companies don’t realize that an attack has occurred until after the event. According to the report, this is partly because some 40% of finance organizations have no designated point person or department prepared to address credential attacks. The other main reason is that botnets are becoming increasingly adept at staying below the radar, giving them more time to attack before being detected. This combination of craftiness by the attackers and negligence by companies that do not invest the necessary time, specific procedures or specialized technology to detect credential stuffing leaves enterprises at risk of losing both credibility and revenue.
According to the Ponemon Institute’s “The Cost of Credential Stuffing” report, published late last year (and sponsored by Akamai), credential stuffing can cost organizations millions to tens of millions of dollars annually in fraud losses. The Ponemon Institute surveyed almost 600 IT security practitioners familiar with credential stuffing attacks who are responsible for the security of their organizations’ websites. The responses showed that “these attacks cause costly application downtime, loss of customers and involvement of IT security that can result in an average cost of $1.7 million, $2.7 million and $1.6 million annually, respectively.” Furthermore, the respondents estimated that the monetary cost of fraud due to credential stuffing can range from more than $500,000 if 1% of all compromised accounts lead to monetary loss to over $54 million if 100% of compromised accounts do.
Returning to the recent State of the Internet report: between May and June of 2018, Akamai collected data on 8.35 billion credential stuffing attempts worldwide. Its research team then applied a set of post-processing heuristics to the logs to identify malicious login attempts across multiple customer organizations. They found that the two biggest sources of credential stuffing botnet traffic are the U.S. (2.82 billion attempts) and Russia (1.55 billion attempts). The remaining countries in the top 10 were each responsible for between 165 million and 250 million malicious login attempts.
The U.S. is also the largest target of credential stuffing attacks by a considerable margin. Akamai suggests this is partly because so many businesses rely on cloud services whose primary login sites are located in the U.S., partly because Akamai itself is an American company, as the report notes, and partly because of the makeup of the username and password dictionaries that criminals use. According to Symantec, in 2016 90% of all breaches targeted U.S. companies. This is slowly changing as credential stuffing becomes a worldwide trend and international data breaches continue to rise in volume.
Akamai concludes its report by reminding readers that more attention needs to be given to credential stuffing as while it continues to be profitable for the attacker, “there’s no reason for bot herders to do anything else”.