Credential Stuffing Attacks are Growing

AlphaAtlas

Credential stuffing attacks, which companies used to treat as "annoying background noise", are turning into something more closely resembling a DDoS attack. This kind of attack uses bots to test credential pairs stolen from data leaks, and relies on the bad habit of users sharing login names and passwords across multiple accounts. Companies traditionally "ignore" these attacks, simply absorbing the bandwidth they use, but the rising volume means that approach might not work for long. Akamai Technologies told SecurityWeek that "in March and April 2018 we logged over 6 billion malicious login attempts. By May and June, this had risen to more than 8 billion attempts."

"I think the real impact to an institution is twofold," explained Bolstridge. "Firstly, it's the sheer volume of the attacks. For example, with the large financial institution, the volume got so high that it impacted the performance of the website as a whole; and therefore the user experience for all genuine users. In some cases, our customers have reported that it can actually impact availability when things get really out of hand. In a sense, these attacks are getting like a DDoS." So, user experience and availability are problems from major stuffing attacks. "The second problem," he continued, "is the potential impact to the organization as a whole. If fraudulent money movement follows a successful malicious login, incident detection, remediation and response become a huge distraction to the business as a whole."
 
One downside to fast networks is that they allow bad folks to 'war dial' fairly efficiently. Back when dial-up ruled, you might get 1 or 2 tries per minute and could be easily thwarted by a "too many tries from that phone number" check. Now the bad folk can have hundreds of thousands of zombie units, all on different IPs, making thousands of attempts per zombie per hour.

Perhaps part of the cost of defending against that should be billed back to the folks that let the data be breached in the first place.
 
They really should be blocking, at their firewall level, all IPs that fail X auth attempts. Set it to a decently high number, and have the block auto-expire after Y amount of time.
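As an added example (not code from the thread), the threshold-and-expiry block proposed above written as a sliding-window failed-login counter per source IP, run over constructed auth log lines; the log format, the addresses and the X/Y values are assumptions. It also shows the trade-off: a correct login from a blocked source is dropped until the block expires.

```python
from collections import defaultdict, deque

# Constructed sample auth log, one event per line: "<unix_ts> <src_ip> <user> <OK|FAIL>".
# 203.0.113.5 sprays stolen pairs across many accounts; 198.51.100.9 is a real user with one typo.
SAMPLE_LOG = """\
1000 203.0.113.5 alice FAIL
1001 203.0.113.5 bob FAIL
1002 203.0.113.5 carol FAIL
1003 198.51.100.9 dave FAIL
1004 203.0.113.5 dave FAIL
1005 203.0.113.5 erin FAIL
1006 203.0.113.5 frank OK
1010 198.51.100.9 dave OK
1400 203.0.113.5 alice FAIL
"""

class FailedLoginBlocker:
    """Block an IP after X failures inside a sliding window; the block expires after Y seconds."""

    def __init__(self, max_failures=5, window_seconds=60, block_seconds=300):
        self.max_failures = max_failures          # X: failures allowed inside the window
        self.window = window_seconds
        self.block_seconds = block_seconds        # Y: how long the block lasts
        self.failures = defaultdict(deque)        # ip -> timestamps of recent failures
        self.blocked_until = {}                   # ip -> timestamp at which the block expires

    def is_blocked(self, ts, ip):
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if ts >= expiry:                          # block auto-expires; start counting afresh
            del self.blocked_until[ip]
            self.failures[ip].clear()
            return False
        return True

    def observe(self, ts, ip, ok):
        """Return 'BLOCKED' if the attempt should be dropped at the firewall, else 'ALLOW'."""
        if self.is_blocked(ts, ip):
            return "BLOCKED"                      # dropped even if the credentials are right
        if ok:
            return "ALLOW"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:   # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = ts + self.block_seconds
            return "BLOCKED"
        return "ALLOW"

def process_log(text, **thresholds):
    """Replay a log through the blocker; returns (ts, ip, user, decision) per line."""
    blocker = FailedLoginBlocker(**thresholds)
    decisions = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        decisions.append((int(ts), ip, user, blocker.observe(int(ts), ip, result == "OK")))
    return decisions
```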
 
Whose fault is this? Companies like LinkedIn and Equifax. If we actually properly equipped and listened to our IT departments, this wouldn't be a thing.

Pay peanuts and you get monkeys.
 