I’m sorry to say that sound you hear isn’t opportunity knocking. It’s an account checker trying to access your site. Using stolen credentials, botnets are constantly tapping at the entry point to almost every site on the internet trying to see if the information they took from someone else’s site contains the keys they need to access yours.

This is a part of the internet traffic we all have to deal with. What many organizations don’t realize, however, is that credential abuse and account checkers may actually outnumber legitimate login attempts by more than 4 to 1. If you work in security for a hotel chain or airline, you probably have some idea of what I’m talking about.

The Evolution of Credential Abuse Bots

When I ran my first secure shell (SSH) server years ago, it was amazing to me how many spurious login attempts there were in the first few hours after it went live. There’s no lack of username and password dictionaries online, and the frequent security compromises of organizations around the globe have only increased the number of accounts available for exploitation.

Additionally, users continue to expose themselves by repeating login information across multiple accounts. The original credential abuse bots were simply scanners looking for common user accounts like “admin@domain.com” against any system that would respond. It’s always interesting to check your own accounts on Troy Hunt’s Have I Been Pwned site.

Today’s credential abuse bots are much more sophisticated than what hit my SSH server 20 years ago. One of the first iterations was the move to a bot-based architecture rather than login attempts coming from a single source. It was easy to block a single IP address that was abusing your site, but when the logins are coming from hundreds or thousands of IP addresses with little or no commonality, it becomes much harder to pinpoint an attack.

Modern bot designs have made it even harder to track where threats are coming from. Even a few years ago, botnets could take aim at a site and run through every username and password combination as quickly as possible. More than a few credential abuse attacks have arrived with enough bandwidth to take down their target, effectively turning into distributed denial-of-service (DDoS) attacks.

How Bot Traffic Adds Up Over Time

Attackers are now much more subtle and use a low-and-slow approach in their activity. A single IP address from a botnet might only be seen by a target once, or it might be seen several times over a short period. In reality, that IP address is being used against a long list of victims and slowly churning through its targets over time.

When you have a host of thousands of endpoints at your command, you can keep your botnet from being blocked and make it significantly more effective by having each one of those hosts check only a few logins. It may mean that the credential abuse bots aren’t quite as quick as a more shotgun approach, but it also means they have a better survival rate.
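To make that contrast concrete, here is an added example (not code from the article) of detection logic run over constructed login log lines: a per-IP failure threshold never fires against the low-and-slow pattern, while population-level counters for the same window still reveal it. The log format, the addresses and the thresholds are assumptions.

```python
from collections import Counter, defaultdict
import re

# Constructed log lines (not from the article) in the form "<timestamp> <src_ip> <username> <OK|FAIL>".
# The botnet lines model the low-and-slow pattern: 40 IPs, each trying one leaked username once.
BOTNET_LINES = [f"2024-03-01T10:{i:02d}:00Z 198.51.100.{i} user{i}@example.com FAIL" for i in range(1, 41)]
LEGIT_LINES = [
    "2024-03-01T10:00:05Z 203.0.113.10 alice@example.com FAIL",  # mistyped password, then success
    "2024-03-01T10:00:20Z 203.0.113.10 alice@example.com OK",
    "2024-03-01T10:02:00Z 203.0.113.11 bob@example.com OK",
]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(lines):
    """Turn raw lines into dicts; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events

def per_ip_alerts(events, max_failures=5):
    """The classic control: block any single IP with more than max_failures failed logins."""
    fails = Counter(e["ip"] for e in events if not e["ok"])
    return {ip for ip, n in fails.items() if n > max_failures}

def aggregate_signals(events):
    """Population-level counters: the view in which a low-and-slow botnet still stands out."""
    fails = [e for e in events if not e["ok"]]
    users_per_ip = defaultdict(set)
    for e in fails:
        users_per_ip[e["ip"]].add(e["user"])
    n_ips = len(users_per_ip)
    return {
        "failure_ratio": len(fails) / len(events) if events else 0.0,
        "failing_ips": n_ips,
        # share of failing IPs that touched exactly one account: account checkers rarely retry
        "one_shot_ip_share": sum(len(u) == 1 for u in users_per_ip.values()) / n_ips if n_ips else 0.0,
    }

def detect_low_and_slow(events, baseline_failure_ratio=0.2, min_failing_ips=20):
    """Flag a window where many IPs each fail once and the failure rate dwarfs the baseline."""
    s = aggregate_signals(events)
    return (s["failing_ips"] >= min_failing_ips and s["one_shot_ip_share"] >= 0.9
            and s["failure_ratio"] >= 2 * baseline_failure_ratio)

if __name__ == "__main__":
    events = parse_log(LEGIT_LINES + BOTNET_LINES)
    print(per_ip_alerts(events), detect_low_and_slow(events))  # prints: set() True
```

In production the same counters would be computed per time window and compared against a learned baseline rather than the fixed thresholds assumed here.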

Credential abuse is never an isolated incident — it’s a significant portion of all web traffic. In a recent Akamai report, I observed that bot traffic accounts for approximately 1.6 percent of all web-based traffic on the internet. This may not sound like much, but when you look at the terabits per second of traffic flowing around the globe and realize how many login attempts it takes to create that traffic, it’s an incredible amount. It helps to remember that the average webpage can take a few hundred megabytes to download, while the payload required to execute a credential abuse attack is measured in kilobytes.

One of the latest innovations for credential abuse is a shift to attacks on the application programming interfaces (APIs) that enable computer-to-computer interactions on the web. Almost every site has an API that allows for health checks or permits other computers to download important data. Unlike the front door of a site, these accounts are often static and not as rigorously monitored by defenders.

Combined with the fact that many APIs have access to data no user would be allowed to see, they are tempting targets for attackers. Rather than compromise one or several accounts, attackers can use a compromised API to download the entire data set of a site or establish a foothold on the network.

Protecting Your Site From Credential Abuse Attacks

What can an organization do to protect itself from credential abuse attacks? As with anything in the security domain, the first step is to increase awareness. The solutions promising to handle your bot and account takeover problems are legion, but if no one in your organization is taking credential abuse seriously, you won’t have access to any of them.

The next step is to be aware of the changing landscape. I could detail a dozen different controls you need to have in place to combat today’s account checkers, but the truth is that they’ll be outdated in a year if your technology doesn’t keep up with the pace of change. Today, having a vendor who can spot a single IP address jiggling the locks across multiple sites is vitally important. Bot herders are an intelligent, adaptive adversary and will develop methods to evade any protections. This means your defenses have to continue adapting as well.

Credential abuse is not going to stop knocking at your door anytime soon. Abusers have little chance of being caught, and their attacks are a low priority for many organizations compared to flashier, more frequent problems such as DDoS attacks. But as long as users reuse the same login and password across multiple sites, account checkers will prosper. It’s an attack that offers little risk for a potentially huge reward.
