The Account Checker Knocking at Your Door

I’m sorry to say that sound you hear isn’t opportunity knocking. It’s an account checker trying to access your site. Using stolen credentials, botnets are constantly tapping at the entry point to almost every site on the internet trying to see if the information they took from someone else’s site contains the keys they need to access yours.

This is a part of the internet traffic we all have to deal with. What many organizations don’t realize, however, is that credential abuse and account checkers may actually outnumber legitimate login attempts by a factor of greater than 4 to 1. If you work in security for a hotel chain or airline, you probably have some idea of what I’m talking about.

The Evolution of Credential Abuse Bots

When I ran my first secure shell (SSH) server years ago, it was amazing to me how many spurious login attempts there were in the first few hours after it went live. There’s no lack of username and password dictionaries online, and the frequent security compromises of organizations around the globe have only increased the number of accounts available for exploitation.

Additionally, users continue to expose themselves by repeating login information across multiple accounts. The original credential abuse bots were simply scanners looking for common user accounts like “admin@domain.com” against any system that would respond. It’s always interesting to check your own accounts on Troy Hunt’s Have I Been Pwned site.

Today’s credential abuse bots are much more sophisticated than what hit my SSH server 20 years ago. One of the first iterations was the move to a bot-based architecture rather than login attempts coming from a single source. It was easy to block a single IP address that was abusing your site, but when the logins are coming from hundreds or thousands of IP addresses with little or no commonality, it becomes much harder to pinpoint an attack.

Modern bot designs have made it even harder to track where threats are coming from. Even a few years ago, botnets could take aim at a site and run through every username and password combination as quickly as possible. There have been more than a few distributed denial-of-service (DDoS) attacks that became credential abuse attacks with enough bandwidth to take down their target.

How Bot Traffic Adds Up Over Time

Attackers are now much more subtle and use a low-and-slow approach in their activity. A single IP address from a botnet might only be seen by a target once, or it might be seen several times over a short period. In reality, that IP address is being used against a long list of victims and slowly churning through its targets over time.

When you have a host of thousands of endpoints at your command, you can keep your botnet from being blocked and make it significantly more effective by having each one of those hosts check only a few logins. It may mean that the credential abuse bots aren’t quite as quick as a more shotgun approach, but it also means they have a better survival rate.

Credential abuse is never an isolated incident — it’s a significant portion of all web traffic. In a recent Akamai report, I observed that bot traffic accounts for approximately 1.6 percent of all web-based traffic on the internet. This may not sound like much, but when you look at the terabits per second of traffic flowing around the globe and realize how many login attempts it takes to create that traffic, it’s an incredible amount. It helps to remember that the average webpage can take a few hundred megabytes to download, while the payload required to execute a credential abuse attack is measured in kilobytes.

Related to this Article

One of the latest innovations for credential abuse is a shift to attacks on the application programming interfaces (APIs) that enable computer-to-computer interactions on the web. Almost every site has an API that allows for health checks or permits other computers to download important data. Unlike the front door of a site, these accounts are often static and not as rigorously monitored by defenders.

Combined with the fact that many APIs have access to data no user would be allowed to see, they are tempting targets for attackers. Rather than compromise one or several accounts, attackers can use a compromised API to download the entire data set of a site or establish a foothold on the network.

Protecting Your Site From Credential Abuse Attacks

What can an organization do to protect itself from credential abuse attacks? As with anything in the security domain, the first step is to increase awareness. The solutions promising to handle your bot and account takeover problems are legion, but if no one in your organization is taking credential abuse seriously, you won’t have access to any of them.

The next step is to be aware of the changing landscape. I could detail a dozen different controls you need to have in place to combat today’s account checkers, but the truth is that they’ll be outdated in a year if your technology doesn’t keep up with the pace of change. Today, having a vendor who can spot a single IP address jiggling the locks across multiple sites is vitally important. Bot herders are an intelligent, adaptive adversary and will develop methods to evade any protections. This means your defenses have to continue adapting as well.

Credential abuse is not going to stop knocking at your door anytime soon. Abusers have little chance of being caught, and their attacks are a low priority for many organizations compared to flashier, more frequent problems such as a DDoS attacks. But as long as users reuse the same login and password across multiple sites, account checkers will prosper. It’s an attack that offers little risk for a potentially huge reward.

Martin McKeay

Security Advocate

Martin McKeay is a Senior Security Advocate at Akamai, joining the company in 2011. As a member of Akamai's Security...