Distil Networks released the 2018 Anatomy of Account Takeover Attacks Report, based on data from 600 domains that include login pages. The study revealed that all monitored login pages were hit with bad bot traffic, indicating that every website with a login page faces account takeover (ATO) attempts.
Hackers and fraudsters use bots to execute ATO attacks for a variety of nefarious purposes. They can validate sets of login credentials, gain access to credit card data, and sell personally identifiable information on the dark web. They can also use stolen account data to transfer money, purchase goods, or spread a specific political agenda.
Bot operators are evenly split in how they carry out ATO attacks
Fifty percent of ATO attacks come in the form of volumetric credential stuffing, where bad bot requests are easily identifiable and attempted in bursts, typically looking like a spike of requests above the baseline. The other half of ATO attacks are through low and slow credential stuffing and credential cracking, identified by consistent, continuous login requests that bad bots run 24×7, often flying under the radar due to its slow pace.
Surge in volumetric attacks
After the credentials from a data breach have been made publicly available, websites experience a 300 percent increase in volumetric attacks. In the days following a public breach, websites experience 3X more credential stuffing attacks than the average of 2-3 attacks per month.
Almost 20 percent of all analyzed attacks were preceded by a smaller scale “test round” a few days prior. Some perpetrators test their bad bots a few days before a large-scale account takeover attack. While such tests are smaller in scale, any baseline anomaly from failed logins should be investigated.
Websites are most likely to experience ATO attacks on a Friday or Saturday. 39 percent of volumetric ATO attacks occur on a Friday or Saturday. This indicates that bot operators schedule attacks when it is presumed that fewer security professionals will be around to notice anomalies.
“Every time a breach comes to light and consumer credentials are exposed, any business with a login page should prepare themselves for a swell of volumetric credential stuffing attacks,” said Anna Westelius, senior director of security research at Distil Networks. “While bot operators may be purposeful in their strategy of carrying out ATO attacks, this data also renders them predictable. Organizations must educate themselves in order to identify the warnings signs and be prepared for times when an attacker may strike.”