I’m sorry to say that sound you hear isn’t opportunity knocking. It’s an account checker trying to access your site. Using stolen credentials, botnets are constantly tapping at the entry point to almost every site on the internet trying to see if the information they took from someone else’s site contains the keys they need to access yours.

This is a part of the internet traffic we all have to deal with. What many organizations don’t realize, however, is that credential abuse and account checkers may actually outnumber legitimate login attempts by more than 4 to 1. If you work in security for a hotel chain or airline, you probably have some idea of what I’m talking about.

The Evolution of Credential Abuse Bots

When I ran my first secure shell (SSH) server years ago, it was amazing to me how many spurious login attempts there were in the first few hours after it went live. There’s no lack of username and password dictionaries online, and the frequent security compromises of organizations around the globe have only increased the number of accounts available for exploitation.

Additionally, users continue to expose themselves by repeating login information across multiple accounts. The original credential abuse bots were simply scanners looking for common user accounts like “[email protected]” against any system that would respond. It’s always interesting to check your own accounts on Troy Hunt’s Have I Been Pwned site.

Today’s credential abuse bots are much more sophisticated than what hit my SSH server 20 years ago. One of the first iterations was the move to a bot-based architecture rather than login attempts coming from a single source. It was easy to block a single IP address that was abusing your site, but when the logins are coming from hundreds or thousands of IP addresses with little or no commonality, it becomes much harder to pinpoint an attack.

Modern bot designs have made it even harder to track where threats are coming from. Even a few years ago, a botnet would take aim at a site and run through every username and password combination it had as quickly as possible. More than a few credential abuse attacks of that kind generated enough traffic that they doubled as a distributed denial-of-service (DDoS) attack and took down their target.

How Bot Traffic Adds Up Over Time

Attackers are now much more subtle and use a low-and-slow approach in their activity. A single IP address from a botnet might only be seen by a target once, or it might be seen several times over a short period. In reality, that IP address is being used against a long list of victims and slowly churning through its targets over time.

When you have thousands of compromised hosts at your command, you can keep the botnet from being blocked, and make it considerably more effective, by having each host check only a few logins against each target. The credential abuse bots may not be as quick as a shotgun approach, but they have a far better survival rate.

Credential abuse is never an isolated incident — it’s a significant portion of all web traffic. In a recent Akamai report, I observed that bot traffic accounts for approximately 1.6 percent of all web-based traffic on the internet. This may not sound like much, but when you look at the terabits per second of traffic flowing around the globe and realize how many login attempts it takes to create that traffic, it’s an incredible amount. It helps to remember that the average webpage weighs in at a few megabytes, while the request that carries a credential abuse attempt is measured in kilobytes, so a small share of the bytes represents a very large share of the requests.

One of the latest innovations in credential abuse is a shift to attacks on the application programming interfaces (APIs) that enable computer-to-computer interactions on the web. Almost every site exposes an API for health checks or for letting other systems pull important data. Unlike the credentials used at a site’s front door, the keys and service accounts behind these APIs are often static, long-lived and not as rigorously monitored by defenders.

Combined with the fact that many APIs can reach data no end user would be allowed to see, they are tempting targets for attackers. Rather than compromising one or a handful of user accounts, an attacker who obtains a working API credential can pull a site’s entire data set or use that access as a foothold on the network.

Protecting Your Site From Credential Abuse Attacks

What can an organization do to protect itself from credential abuse attacks? As with anything in the security domain, the first step is to increase awareness. Solutions promising to handle your bot and account takeover problems are legion, but if no one in your organization takes credential abuse seriously, none of them will ever be approved, let alone deployed.

The next step is to be aware of the changing landscape. I could detail a dozen different controls you need to have in place to combat today’s account checkers, but the truth is that they’ll be outdated in a year if your technology doesn’t keep up with the pace of change. Today, having a vendor who can spot a single IP address jiggling the locks across multiple sites is vitally important. Bot herders are an intelligent, adaptive adversary and will develop methods to evade any protections. This means your defenses have to continue adapting as well.
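To make the low-and-slow behaviour described earlier and the "one IP jiggling the locks across multiple sites" point above concrete, here is an added example that is not code from the original post, from Akamai or from any vendor. It runs four detection checks over a constructed login log: a per-IP lockout at a single site, the same counter pooled across sites, a count of distinct source IPs per username, and a site-wide failure ratio. The record layout (site, timestamp, source IP, username, result), the site names, the usernames and the thresholds are assumptions made for the illustration; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Added example, not code from the original post or from any vendor.

Shows why a per-IP, per-site lockout misses a low-and-slow account checker
and which pooled signals still expose it. Every log line is constructed
here for the illustration; 203.0.113.0/24 and 198.51.100.0/24 are the
RFC 5737 documentation ranges, not real hosts.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# One login event: (site, timestamp, source_ip, username, result)
SITES = ("shop", "hotel", "airline")
LEAKED_USERS = [f"user{n:02d}@example.com" for n in range(10)]  # assumed leak
BOT_IPS = [f"203.0.113.{n}" for n in range(1, 21)]              # 20-host botnet


def build_constructed_log():
    """Synthetic traffic: a distributed stuffing run against three sites
    plus a little ordinary user activity. Assumed data, not captured."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    events = []
    # Each bot IP tests just two leaked credentials per site, minutes apart,
    # so no single IP ever reaches a 5-failure lockout at any one site.
    for i, ip in enumerate(BOT_IPS):
        for s, site in enumerate(SITES):
            for k in range(2):
                user = LEAKED_USERS[(2 * i + k) % len(LEAKED_USERS)]
                ts = t0 + timedelta(minutes=15 * i + 5 * s + k)
                events.append((site, ts, ip, user, "fail"))
    # Ordinary traffic: one clean login and one user who mistypes twice.
    events.append(("shop", t0, "198.51.100.7", "carol@example.com", "success"))
    for result in ("fail", "fail", "success"):
        events.append(("hotel", t0, "198.51.100.8", "dave@example.com", result))
    return events


def per_site_lockouts(events, site, threshold=5):
    """The classic control: failures counted per source IP at ONE site."""
    fails = Counter(ip for s, _, ip, _, r in events if s == site and r == "fail")
    return {ip for ip, n in fails.items() if n >= threshold}


def cross_site_repeat_offenders(events, threshold=5):
    """Same counter, pooled across every site the defender can see."""
    fails = Counter(ip for _, _, ip, _, r in events if r == "fail")
    return {ip for ip, n in fails.items() if n >= threshold}


def accounts_sprayed_from_many_ips(events, min_ips=3):
    """A distributed checker shows up as one username failing from many IPs,
    which a user fat-fingering a password never does."""
    ips_by_user = defaultdict(set)
    for _, _, ip, user, r in events:
        if r == "fail":
            ips_by_user[user].add(ip)
    return {u for u, ips in ips_by_user.items() if len(ips) >= min_ips}


def failure_ratio(events, site):
    """Share of failed logins at a site; stuffing drives it toward 1.0
    because almost every stolen credential is wrong for this site."""
    site_events = [e for e in events if e[0] == site]
    if not site_events:
        return 0.0
    return sum(1 for e in site_events if e[4] == "fail") / len(site_events)


if __name__ == "__main__":
    log = build_constructed_log()
    for site in SITES:
        print(f"{site}: per-site lockouts={sorted(per_site_lockouts(log, site))} "
              f"failure ratio={failure_ratio(log, site):.2f}")
    print("repeat offenders across sites:", len(cross_site_repeat_offenders(log)))
    print("accounts under spray:", sorted(accounts_sprayed_from_many_ips(log)))
```

On the constructed log the per-site lockout flags nothing at all, while pooling the same counter across the three sites names every one of the twenty bot addresses, and the per-username view flags all ten leaked accounts without touching the user who simply mistyped. In production the counters would be kept over a sliding time window and the thresholds tuned to each site's baseline, but the shape of the signals is the point: the evasion works against controls scoped to one IP at one site, and fails against anything that aggregates across sites, across sources for one account, or across the whole login stream.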

Credential abuse is not going to stop knocking at your door anytime soon. Abusers have little chance of being caught, and their attacks are a low priority for many organizations compared to flashier, more frequent problems such as DDoS attacks. But as long as users reuse the same login and password across multiple sites, account checkers will prosper. It’s an attack that offers little risk for a potentially huge reward.
