Massive account takeover attacks

The massive account takeover attacks reported recently by Akamai illustrate what corporations are up against when it comes to cyberattacks.

In an account takeover attack, cyber-attackers obtain credentials from a stolen password dump or through a SQL injection attack, then try to validate the stolen usernames and passwords by logging into a corporate website. Once validated, the credentials are listed for sale.

Of course, if such attacks came from just a few IP addresses, they would quickly be autobanned by firewalls, or in the case of secure servers such as CompleteFTP, by the server's own autobanning capabilities. But these attacks are generally distributed over many IP addresses, which makes them hard to detect: autobanning works by counting failed login attempts from the same IP, so it can be evaded by cycling through large numbers of addresses.

How do attackers obtain so many IP addresses to launch attacks from? From botnets composed of compromised machines that have had malware installed and are under the attackers' control. These botnets are often rented out, so the attackers may not have established the botnet themselves.

In one recent attack against a financial services customer, 993,547 distinct IP addresses were used to attack their website. The attackers tried 427,444,261 different account credentials, and 75% of the attack IP addresses were used for multiple days! Interestingly, in this attack many of the IP addresses could be traced to compromised routers that have known backdoors - vulnerabilities that can be exploited to gain access.

In another attack, on a Chinese online marketplace, 20 million accounts were compromised!

Mitigating attacks

How can such attacks be prevented or mitigated? Using autobanning techniques is problematic given the huge variety in IP addresses used. Here are the most effective strategies:

  • Limit the number of login attempts per user. If the limit is exceeded, the offending IP addresses should immediately be banned for a temporary period.
  • Sophisticated CAPTCHA challenges. These help prevent automated attacks; if the CAPTCHA is effective, automated attacks can't succeed.
  • Two-factor authentication. If a second authentication method is required in addition to a password, this type of attack is ineffective: no accounts can be breached automatically.
  • Prevent recycled credentials. It matters little how secure a corporate website is if a customer uses the same credentials for a different site with poor security. Email addresses are widely used as usernames, particularly for free websites, so they should be avoided as usernames.
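The first strategy above, counting failures per account rather than per source IP, is the one that rotating through a botnet cannot evade. The following is an added example (not the article's or CompleteFTP's own code) that replays a constructed authentication log: the classic per-IP autoban rule never fires because every attempt arrives from a fresh address, while a per-account sliding-window counter locks the targeted account temporarily. The log format, thresholds and lockout period are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): timestamp, account, source IP, outcome.
# Every attempt comes from a different RFC 5737 documentation IP: that is what defeats per-IP autobanning.
SAMPLE_LOG = """\
2024-01-10T08:00:01 alice 203.0.113.10 FAIL
2024-01-10T08:00:02 alice 198.51.100.7 FAIL
2024-01-10T08:00:04 alice 192.0.2.45 FAIL
2024-01-10T08:00:05 bob 203.0.113.77 FAIL
2024-01-10T08:00:07 alice 198.51.100.200 FAIL
2024-01-10T08:00:09 alice 192.0.2.9 SUCCESS
2024-01-10T08:00:11 bob 198.51.100.8 SUCCESS
"""

PER_IP_THRESHOLD = 5             # typical autoban: failures from one source IP
PER_USER_THRESHOLD = 3           # failures against one account from any source
WINDOW = timedelta(minutes=10)   # sliding window for counting failures
LOCKOUT = timedelta(minutes=15)  # temporary lock once the account threshold is hit

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    return events

def per_ip_bans(events):
    """Classic autoban: IPs with too many failures. Against a distributed attack: none."""
    counts = defaultdict(int)
    for _, _, ip, outcome in events:
        counts[ip] += 1 if outcome == "FAIL" else 0
    return {ip for ip, n in counts.items() if n >= PER_IP_THRESHOLD}

def per_user_decisions(events):
    """Replay the log with a per-account sliding window; one decision per event."""
    recent = defaultdict(list)   # account -> timestamps of recent failures
    locked_until = {}
    decisions = []
    for ts, user, _, outcome in events:
        if ts < locked_until.get(user, ts):
            decisions.append("locked")   # refused even when the password is right
        elif outcome == "SUCCESS":
            decisions.append("ok")
        else:
            recent[user] = [t for t in recent[user] if ts - t <= WINDOW] + [ts]
            if len(recent[user]) >= PER_USER_THRESHOLD:
                locked_until[user] = ts + LOCKOUT
            decisions.append("fail")
    return decisions
```

Keeping the lock temporary matters: a permanent per-account lock would let anyone who knows a username deny the legitimate owner access.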