May to June this year saw a 30 percent increase in worldwide malicious login attempts. This amounts to 8.3 billion login threat actions by bots over that time period.
This is according to US-based content delivery network and cloud service provider Akamai’s 2018 State of the Internet report, that discovered more than 30 billion malicious login attempts over an eight month period.
A key concern highlighted in the report is the rise of credential stuffing, a process that involves threat actors who have already obtained the login credentials of users from a previous attack or a simple purchase on the dark web. These stolen credentials are then used in attempts to login into other websites and accounts.
Credential stuffing is made possible due to the fact that many online users still erroneously have the same login details across multiple websites. Once a threat actor has the key to one, they have the key to all. The issue is finding what other accounts are using the same login details. So the simple solution is to automated the process and send in the bots.
Martin McKeay senior security advocate at Akamai commented in the report that: “Every business is impacted by credential stuffing botnets. Many businesses just see the traffic because of scatter shot scans, but financial services and retail sites are prime targets. Account takeover is profitable for attackers, guaranteeing that it will be a threat for the foreseeable future.”
Malicious Login Attempts Cases
As part of their research Akamai looked at a financial service institution in the Fortune 500 which saw its average login attempts jump from 50,000 in an hour to over 350,000.
The report points out that the company was: “Accustomed to having time-related peaks and valleys, but the difference between a daily peak of 100,000 logins per hour and tripling that when traffic should be declining was hard to miss.”
The institution would have an average seven million legitimate logins over a six day period; in sharp contrast the botnet credential stuffing campaign generated over 8.5 million malicious login attempts. With a significant number of these condensed within a 48 hour period.
While the traffic generate in this attack was from global sources, nearly a third of it originated from the United States and Vietnam.
In that attack a single host created nearly 37,000 malicious login attempts over a 48 hour time frame while the botnet was active, this accounted for .7 percent of the traffic.
The report notes that: “While the percentage may not make this seem significant, if all 20,000 nodes of the botnet generated a similar 13 requests per minute, instead of the average of one request per minute, the botnet would have been a crippling attack from the target’s point of view.”