Credential stuffing attacks, which companies used to treat as "annoying background noise", are turning into something more closely resembling a DDoS attack. This kind of attack uses bots to test credential pairs stolen from data leaks, and relies on the bad habit of users sharing login names and passwords across multiple accounts. Companies traditionally "ignore" these attacks, simply absorbing the bandwidth they use, but the rising volume means that approach might not work for long. Akamai Technologies told SecurityWeek that "in March and April 2018 we logged over 6 billion malicious login attempts. By May and June, this had risen to more than 8 billion attempts."
"I think the real impact to an institution is twofold," explained Bolstridge. "Firstly, it's the sheer volume of the attacks. For example, with the large financial institution, the volume got so high that it impacted the performance of the website as a whole; and therefore the user experience for all genuine users. In some cases, our customers have reported that it can actually impact availability when things get really out of hand. In a sense, these attacks are getting like a DDoS." So, user experience and availability are problems from major stuffing attacks. "The second problem," he continued, "is the potential impact to the organization as a whole. If fraudulent money movement follows a successful malicious login, incident detection, remediation and response become a huge distraction to the business as a whole."