Credential stuffing attacks are a growing problem, particularly in the financial sector, where botnets can initiate so many fraudulent login attempts that the wave has the effect of a distributed denial-of-service (DDoS) attack.
The attack consists in trying to log into multiple online services using username and password combination compiled from data breaches. The success of the endeavor depends on the common practice of users having the same password for multiple accounts.
Cybercriminals automate these attacks and use botnets that distribute the login activity among compromised systems. The end goal is to log into a target site and assume the identity of the account owner, steal money or gather information.
General statistics from one company that offers DDoS mitigation services are staggering: over 30 billion malicious login attempts recorded in less than one year, from November 2017 to June 2018.
In the last two months of the interval, bots generated about 8.3 billion attempts to sign in with stolen credentials.
The latest State of the Internet report from Akamai describes credential stuffing attacks targeting two companies in the financial sector, with one of them hit by three botnets at the same time.
In the first case, the attackers produced a significant increase in the network traffic of a large credit union in North America.
Over the course of one week, Akamai noticed 315,178 fraudulent login attempts from about 20,000 IP addresses of 1,750 Internet Service Providers (ISPs). 4,382 different user agents were observed in the attack.
The first botnet running a credential stuffing attack was responsible for a third (94,2296) of the malicious login attempts. Akamai labeled it a "dumb botnet" because its traffic came from two IP addresses and all requests had the same user agent, making it easy to identify and stop.
The second adversary was more complex, sending traffic from 10,000 different IP addresses and using 695 user agents.
"Over three days, the botnet averaged 59 requests per second and was responsible for 190,487 malicious login attempts," Akamai writes in the report.
The third botnet was the toughest to defend against because it took the "low and slow" approach, with only one malicious login attempt happening every two minutes, totaling 5,286 malicious login attempts in a week. It used 188 unique user agents and 1,500 IP addresses.
The low activity from this botnet made it more difficult to spot and permitted the attacker to run their game for a longer period.
The second organization hit by credential stuffing attacks is also a financial service. Its normal traffic recorded 7 million legitimate logins in six days, but when the botnet activity started, there were over 8.5 million fraudulent logins, most of them occurring over 48 hours.
Akamai says that a third of the traffic came from Vietnam and the US. The total size of the botnet was 20,000 endpoints with IP addresses from 4,933 ISPs.
What gave away the fraudulent activity was that 95% of the traffic appeared to come from the same type of device, Samsung Galaxy SM-G531H smartphone, making the bad requests easier to identify and stop.
Credential stuffing attacks are easy to orchestrate due to automated tools available as a service. The main requirement is to have a large enough database of usernames and cracked passwords to feed into the login fields of various services.
As data breaches are frequent and users tend to recycle their passwords, there is no shortage of fodder for credential stuffing.