Botnet-powered credential stuffing still a problem: Report

Phishing is one of the most successful ways attackers get past an organization’s network defences. But credential stuffing –backed by the power of botnets and millions of stolen usernames and passwords — is still a potent weapon.

According to a report issued last week by Akamai, it’s network detected 8.3 million malicious login attempts between May and the end of June.

One botnet made 300,000 attempts an hour over a series of targets.

Many attacks are “spray and pray,” hoping to find passwords that are being used across many sites.

Gangs have learned that firing thousands of attempts a minute at one site is a tip-off of an attack, so many have adopted a  “low and slow” technique — perhaps one attempt every other minute, perhaps only using a particular IP address once a day — to hide their work.

One unnamed credit union only realized three botnets had been trying to slip past its defences when there was a sudden spike in attempted malicious logins, says the report.

One problem is that some businesses — like the credit union — may see thousands of legitimate logins an hour, which could disguise an attack. Under normal conditions, that institution might see 800 malicious login attempts per hour. It was only when there was a ten-fold leap in attempts from thousands of IP addresses that the security staff were alerted.

The U.S. is by far the largest target of credential stuffing attacks, with Canada, China and India tied for a distant second.

As for what CISOs should do, Akamai says fighting between the security team — which wants to boost controls looking for credential stuffing — and the Web team — which wants to limit problems real customers have logging in — is a problem. “Clearly, credential stuffing defenses need to able to function without introducing user lag to be successful,” says the report.

“Because credential stuffing is still no one’s responsibility at many organizations, it will almost certainly continue to be profitable for the attacker. Until we can raise the negative consequences of these types of attacks, there’s no reason for bot herders to do anything else,” the report concludes.

You can read the report here. Registration required.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now