Credential Stuffing Attacks Generate Billions of Login Attempts

Credential stuffing is an attack in which stolen credentials, lists of usernames or email addresses paired with their passwords (typically taken from a breach of some other site), are replayed against a web application's login endpoint in large-scale automated requests, on the bet that some users reused the same password there.

Akamai researchers reported an increase in credential stuffing attacks, primarily targeting the financial industry, observing over 30 billion malicious login attempts from November 2017 to June 2018. Credential stuffing is carried out by botnets that inject stolen credentials into a site's login flow in an automated fashion. The resulting business losses come from fraud on the compromised accounts, downtime when the login traffic overwhelms infrastructure, the cost of response and customer notification, system remediation, and reputational damage. The financial and retail industries remain the primary targets. End users, whether consumers or employees, tend to reuse the same email and password combinations across multiple accounts, which is what makes a credential list stolen from one site useful against another. We have also seen organizations continue to run unsupported versions of operating systems, or leave critical security patches from the relevant software vendors unapplied.

As reported by Akamai, a spike of 8,723 attempts per hour immediately caught the attention of the site administrators. Over a week's time, there were about 315,178 malicious login attempts from 19,992 IP addresses, using 4,382 different user agents, originating from nearly 1,750 Autonomous System Numbers (ASNs).

Image Source:  Akamai – State of the Internet / Security: Credential Stuffing Attacks (volume 4: issue 4)

Many organizations would tag traffic like this as a DDoS (Distributed Denial of Service) attack. During the investigation, however, it became clear that three distinct botnets were at work:

1. The first botnet was responsible for 94,296 requests. Its traffic looked like normal traffic and hit peaks at regular intervals; it is an example of the "background radiation" of malicious logins that a site experiences 24 hours a day, 365 days a year.

2. The second botnet was also a "dumb" botnet, but far larger, generating traffic from over 10,000 different IP addresses with 695 different user agents.

3. A third botnet was also detected during this time. It was the most dangerous and the hardest of the three to identify: it used a "low and slow" approach, averaging one malicious login attempt every other minute, so it never produced a spike in the login volume.
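The three botnets above illustrate why a single volume-based alarm is not enough: a burst shows up as a spike in attempts per hour, but a "low and slow" bot contributes only a few attempts per hour and has to be caught by a different signal, such as one IP address failing against many distinct usernames at a near-constant cadence. The following is an added example, not code from Akamai or from the original article; it builds a constructed day of simplified login-audit records (legitimate users, a trickle bot, and a burst bot, all on documentation IP ranges) and runs both heuristics over them. The record format, thresholds and helper names are assumptions made for the illustration.

```python
"""
Two detection heuristics for credential-stuffing traffic shapes:
a volumetric burst (hourly spike) and a "low and slow" trickle
(one IP, many distinct usernames, regular cadence).  Added example;
the log records are constructed here, not taken from Akamai's report.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

DAY = datetime(2018, 3, 1)  # constructed observation window: one 24-hour day


def _line(ts, ip, ua, user, ok):
    # Simplified tab-separated login-audit record (constructed format).
    return "\t".join([ts.isoformat(), ip, ua, user, "OK" if ok else "FAIL"])


def sample_log():
    """Build one day of constructed login records from three traffic sources."""
    lines = []
    # 1. Legitimate users: 40 logins/hour from 50 home IPs, 3 browsers, ~10% typos.
    for i in range(960):
        lines.append(_line(DAY + timedelta(seconds=90 * i), f"192.0.2.{i % 50 + 1}",
                           f"browser-{i % 3}", f"user{i % 200 + 1}", i % 10 != 0))
    # 2. "Low and slow" bot: one failed attempt every two minutes, all day,
    #    each with a different username, from a single IP (30 per hour).
    for i in range(720):
        lines.append(_line(DAY + timedelta(seconds=120 * i), "198.51.100.7",
                           "lowslow-ua", f"victim{i}", False))
    # 3. Volumetric bot: 3,000 failed attempts in 15 minutes from 200 IPs / 20 UAs.
    for i in range(3000):
        lines.append(_line(DAY + timedelta(hours=14, milliseconds=300 * i),
                           f"203.0.113.{i % 200 + 1}", f"bot-ua-{i % 20}",
                           f"victim_b{i}", False))
    return lines


def parse(lines):
    """Parse the constructed records into dicts, sorted by timestamp."""
    events = []
    for line in lines:
        ts, ip, ua, user, result = line.split("\t")
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "ua": ua,
                       "user": user, "ok": result == "OK"})
    return sorted(events, key=lambda e: e["ts"])


def _hour(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_spikes(events, multiple=5):
    """Hours whose attempt count exceeds `multiple` x the median hour (catches bursts)."""
    per_hour = Counter(_hour(e["ts"]) for e in events)
    baseline = median(per_hour.values())
    return sorted((h, n) for h, n in per_hour.items() if n > multiple * baseline)


def spraying_sources(events, min_failures=50, min_distinct_ratio=0.9):
    """IPs whose failures are spread over (almost) as many distinct usernames.

    A legitimate user mistypes one password a few times; a stuffing bot tries
    one leaked password per account, so failures ~= distinct usernames.  This
    catches the trickle that never moves the hourly count.
    """
    failures = Counter()
    failed_users = defaultdict(set)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]] += 1
            failed_users[e["ip"]].add(e["user"])
    return sorted(ip for ip, n in failures.items()
                  if n >= min_failures and len(failed_users[ip]) / n >= min_distinct_ratio)


def median_gap_seconds(events, ip):
    """Median inter-arrival time for one IP; a near-constant gap betrays automation."""
    ts = [e["ts"] for e in events if e["ip"] == ip]
    return median((b - a).total_seconds() for a, b in zip(ts, ts[1:]))


def hour_profile(events, hour):
    """Distinct IPs and user agents seen in one hour (the report's 'spread' figures)."""
    in_hour = [e for e in events if _hour(e["ts"]) == hour]
    return len({e["ip"] for e in in_hour}), len({e["ua"] for e in in_hour})


if __name__ == "__main__":
    ev = parse(sample_log())
    for hour, n in hourly_spikes(ev):
        print(f"burst: {hour:%H:00} {n} attempts, distinct IPs/UAs {hour_profile(ev, hour)}")
    for ip in spraying_sources(ev):
        print(f"low and slow: {ip}, one attempt every {median_gap_seconds(ev, ip):.0f}s")
```

Run as written, the hourly check flags only the 14:00 hour, while the trickle source contributes 30 attempts an hour and is invisible to it; the per-IP failure/username ratio is what surfaces 198.51.100.7, and its median gap of 120 seconds matches the "one attempt every other minute" cadence described above. In production the per-IP heuristic needs care behind NAT and corporate proxies (many real users share one address), so a high failure-to-success ratio, rather than raw volume, is the safer signal there.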

The report recounts the issues faced by a Fortune 500 financial services institution where attackers used a botnet to conduct 8.5 million malicious login attempts within 48 hours against a site that typically sees only 7 million login attempts in a week. More than 20,000 devices were involved in this botnet, which could send hundreds of requests a minute. Akamai research identified that nearly one-third of the traffic in this attack came from Vietnam (VN) and the United States (US).

The second case from the report describes a "low and slow" attack. A significant spike in malicious login attempts ultimately revealed a trio of botnets targeting the site. A particularly noisy botnet first caught the researchers' attention, but the bigger concern was the botnet that had been slowly and methodically trying to break in beneath the noise.

As data breaches are frequent and users tend to recycle their passwords, there is no shortage of fodder for credential stuffing. We recommend implementing multi-factor authentication (MFA), so that a stolen username and password alone is not enough to log in, along with regular, ongoing phishing and vishing awareness campaigns for your organization.

Lumen21 along with its products such as PhishPro, SecureFileHub and Repulsa can help make sure your organization is secure when you are in regulated industries like financial and healthcare.