September 19, 2018, updated 08 Jul 2022 7:30am

Bots Using Credential Stuffing to Launch Billions of Attacks

“One of the world’s largest financial services companies was experiencing over 8,000 account takeovers per month”

By CBR Staff Writer

May to June this year saw a 30 percent increase in worldwide malicious login attempts. This amounts to 8.3 billion login threat actions by bots over that time period.

This is according to the 2018 State of the Internet report from Akamai, the US-based content delivery network and cloud service provider, which found more than 30 billion malicious login attempts over an eight-month period.

A key concern highlighted in the report is the rise of credential stuffing, in which threat actors take login credentials they have already obtained, either from a previous attack or by simply buying them on the dark web, and use them in attempts to log in to other websites and accounts.

Credential stuffing is possible because many online users still reuse the same login details across multiple websites. Once a threat actor has the key to one, they have the key to all. The issue is finding which other accounts use the same login details, so the simple solution is to automate the process and send in the bots.

Martin McKeay, senior security advocate at Akamai, commented in the report that: “Every business is impacted by credential stuffing botnets. Many businesses just see the traffic because of scatter shot scans, but financial services and retail sites are prime targets. Account takeover is profitable for attackers, guaranteeing that it will be a threat for the foreseeable future.”

Malicious Login Attempts Cases

As part of its research, Akamai looked at a Fortune 500 financial services institution that saw its average login attempts jump from 50,000 in an hour to over 350,000.

The report points out that the company was: “Accustomed to having time-related peaks and valleys, but the difference between a daily peak of 100,000 logins per hour and tripling that when traffic should be declining was hard to miss.”


The institution would typically see an average of seven million legitimate logins over a six-day period; in sharp contrast, the botnet's credential stuffing campaign generated over 8.5 million malicious login attempts, a significant number of them condensed within a 48-hour period.

While the traffic generated in this attack came from global sources, nearly a third of it originated from the United States and Vietnam.

In that attack, a single host created nearly 37,000 malicious login attempts over a 48-hour time frame while the botnet was active. This accounted for 0.7 percent of the traffic.

The report notes that: “While the percentage may not make this seem significant, if all 20,000 nodes of the botnet generated a similar 13 requests per minute, instead of the average of one request per minute, the botnet would have been a crippling attack from the target’s point of view.”
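The two signals in this case study, as an added detection sketch that is not code from Akamai or the report: hourly login volume compared against the usual level for that hour of day, and per-host request rates. All data, addresses, function names and thresholds are constructed for illustration.

```python
from collections import Counter
from statistics import median

def hour_of_day_baseline(history):
    """Median login volume for each hour of day across prior days."""
    return [median(day[h] for day in history) for h in range(24)]

def off_cycle_hours(observed, baseline, ratio=2.0):
    """Hours where volume exceeds ratio x the norm for that same hour."""
    return [h for h in range(24) if observed[h] > ratio * baseline[h]]

def per_host_rates(events, window_minutes):
    """events: (minute, source_ip) login attempts -> attempts/minute per host."""
    counts = Counter(ip for _, ip in events)
    return {ip: n / window_minutes for ip, n in counts.items()}

def flagged_share(events, window_minutes, limit):
    """Hosts above the per-minute limit, and the share of all attempts they sent."""
    rates = per_host_rates(events, window_minutes)
    loud = {ip for ip, r in rates.items() if r > limit}
    hits = sum(1 for _, ip in events if ip in loud)
    return loud, hits / len(events)

# --- Constructed sample data (illustrative, not taken from the report) ---
# Diurnal curve: 50,000/hour overnight rising to a 100,000/hour midday peak.
NORMAL_DAY = [50_000 + 50_000 * max(0, 6 - abs(h - 13)) // 6 for h in range(24)]
HISTORY = [[int(v * f) for v in NORMAL_DAY] for f in (0.95, 1.0, 1.05)]
# Attack day: volume jumps to 350,000/hour late evening, when it should fall.
ATTACK_DAY = [350_000 if h in (21, 22, 23) else v for h, v in enumerate(NORMAL_DAY)]

# One hour of attempts: 200 bot nodes at 1 request/minute, one node at 13.
# Addresses are from the RFC 5737 documentation ranges.
EVENTS = [(m, f"192.0.2.{n}") for n in range(200) for m in range(60)]
EVENTS += [(m, "198.51.100.7") for m in range(60) for _ in range(13)]

if __name__ == "__main__":
    baseline = hour_of_day_baseline(HISTORY)
    print("off-cycle hours:", off_cycle_hours(ATTACK_DAY, baseline))
    loud, share = flagged_share(EVENTS, 60, limit=5)
    print("hosts over 5/min:", loud, "share of attempts: %.1f%%" % (share * 100))
```

On this constructed data a per-host limit flags only the one noisy node, which sent about 6 percent of the attempts; the nodes at one request per minute stay under it, and only the hour-of-day comparison exposes the campaign as a whole.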
