Phishing is one of the most successful ways attackers get past an organization’s network defences. But credential stuffing –backed by the power of botnets and millions of stolen usernames and passwords — is still a potent weapon.
According to a report issued last week by Akamai, it’s network detected 8.3 million malicious login attempts between May and the end of June.
One botnet made 300,000 attempts an hour over a series of targets.
Many attacks are “spray and pray,” hoping to find passwords that are being used across many sites.
Gangs have learned that firing thousands of attempts a minute at one site is a tip-off of an attack, so many have adopted a “low and slow” technique — perhaps one attempt every other minute, perhaps only using a particular IP address once a day — to hide their work.
One unnamed credit union only realized three botnets had been trying to slip past its defences when there was a sudden spike in attempted malicious logins, says the report.
One problem is that some businesses — like the credit union — may see thousands of legitimate logins an hour, which could disguise an attack. Under normal conditions, that institution might see 800 malicious login attempts per hour. It was only when there was a ten-fold leap in attempts from thousands of IP addresses that the security staff were alerted.
The U.S. is by far the largest target of credential stuffing attacks, with Canada, China and India tied for a distant second.
As for what CISOs should do, Akamai says fighting between the security team — which wants to boost controls looking for credential stuffing — and the Web team — which wants to limit problems real customers have logging in — is a problem. “Clearly, credential stuffing defenses need to able to function without introducing user lag to be successful,” says the report.
“Because credential stuffing is still no one’s responsibility at many organizations, it will almost certainly continue to be profitable for the attacker. Until we can raise the negative consequences of these types of attacks, there’s no reason for bot herders to do anything else,” the report concludes.
You can read the report here. Registration required.