I’m sorry to say that sound you hear isn’t opportunity knocking. It’s an account checker trying to access your site. Using stolen credentials, botnets are constantly tapping at the entry point to almost every site on the internet trying to see if the information they took from someone else’s site contains the keys they need to access yours.

This is a part of the internet traffic we all have to deal with. What many organizations don’t realize, however, is that credential abuse and account checkers may actually outnumber legitimate login attempts by a factor of greater than 4 to 1. If you work in security for a hotel chain or airline, you probably have some idea of what I’m talking about.

The Evolution of Credential Abuse Bots

When I ran my first secure shell (SSH) server years ago, it was amazing to me how many spurious login attempts there were in the first few hours after it went live. There’s no lack of username and password dictionaries online, and the frequent security compromises of organizations around the globe have only increased the number of accounts available for exploitation.

Additionally, users continue to expose themselves by repeating login information across multiple accounts. The original credential abuse bots were simply scanners looking for common user accounts like “[email protected]” against any system that would respond. It’s always interesting to check your own accounts on Troy Hunt’s Have I Been Pwned site.

Today’s credential abuse bots are much more sophisticated than what hit my SSH server 20 years ago. One of the first iterations was the move to a bot-based architecture rather than login attempts coming from a single source. It was easy to block a single IP address that was abusing your site, but when the logins are coming from hundreds or thousands of IP addresses with little or no commonality, it becomes much harder to pinpoint an attack.

Modern bot designs have made it even harder to track where threats are coming from. Even a few years ago, botnets could take aim at a site and run through every username and password combination as quickly as possible. More than a few distributed denial-of-service (DDoS) attacks have turned out to be credential abuse attacks with enough bandwidth to take down their target.

How Bot Traffic Adds Up Over Time

Attackers are now much more subtle and use a low-and-slow approach in their activity. A single IP address from a botnet might only be seen by a target once, or it might be seen several times over a short period. In reality, that IP address is being used against a long list of victims and slowly churning through its targets over time.

When you have a host of thousands of endpoints at your command, you can keep your botnet from being blocked and make it significantly more effective by having each one of those hosts check only a few logins. It may mean that the credential abuse bots aren’t quite as quick as a more shotgun approach, but it also means they have a better survival rate.
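The following Python example is added here and is not part of the article; it shows why a per-site, per-IP failure threshold misses the low-and-slow pattern described above, while the cross-site view a vendor has (the "single IP address jiggling the locks across multiple sites" mentioned later) and a site-level failure rate both surface it. The log lines, site names, usernames and IP addresses are all constructed.

```python
from collections import defaultdict

# Constructed sample log (not from the article): one login attempt per line,
# "site src_ip username result". Each botnet IP makes only one or two attempts
# per site, but the same IPs recur across sites; one real user mistypes once.
LOG = """\
shop.example 203.0.113.10 alice@example.net FAIL
shop.example 203.0.113.11 bob@example.net FAIL
hotel.example 203.0.113.10 carol@example.net FAIL
hotel.example 203.0.113.12 dave@example.net FAIL
air.example 203.0.113.10 erin@example.net FAIL
air.example 203.0.113.11 frank@example.net FAIL
air.example 203.0.113.12 grace@example.net FAIL
shop.example 198.51.100.7 realuser@example.net FAIL
shop.example 198.51.100.7 realuser@example.net OK
"""

def parse(log):
    """Parse the constructed log into (site, ip, user, result) tuples."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]

def per_ip_blocklist(events, threshold=5):
    """Classic single-site control: block an IP after `threshold` failures on
    one site. Low-and-slow bots stay below this on every individual site."""
    fails = defaultdict(int)
    for site, ip, _user, result in events:
        if result == "FAIL":
            fails[(site, ip)] += 1
    return sorted({ip for (_site, ip), n in fails.items() if n >= threshold})

def cross_site_suspects(events, min_sites=2):
    """Cross-site view (what a vendor seeing many customers' logs has): flag IPs
    whose failed logins touch `min_sites` or more distinct sites, however few
    attempts each site sees."""
    sites_per_ip = defaultdict(set)
    for site, ip, _user, result in events:
        if result == "FAIL":
            sites_per_ip[ip].add(site)
    return sorted(ip for ip, sites in sites_per_ip.items() if len(sites) >= min_sites)

def failure_rate(events, site):
    """Site-level signal: fraction of attempts that fail. A rise above the
    normal baseline indicates account checking even when no IP stands out."""
    attempts = [e for e in events if e[0] == site]
    fails = sum(1 for e in attempts if e[3] == "FAIL")
    return fails / len(attempts) if attempts else 0.0

if __name__ == "__main__":
    ev = parse(LOG)
    print("per-IP blocklist:", per_ip_blocklist(ev))
    print("cross-site suspects:", cross_site_suspects(ev))
    print("shop.example failure rate:", failure_rate(ev, "shop.example"))
```

The per-IP blocklist stays empty on this log, while the cross-site check names all three botnet addresses and leaves the legitimate user alone.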

Credential abuse is never an isolated incident — it’s a significant portion of all web traffic. In a recent Akamai report, I observed that bot traffic accounts for approximately 1.6 percent of all web-based traffic on the internet. This may not sound like much, but when you look at the terabits per second of traffic flowing around the globe and realize how many login attempts it takes to create that traffic, it’s an incredible amount. It helps to remember that the average webpage can take a few hundred megabytes to download, while the payload required to execute a credential abuse attack is measured in kilobytes.

One of the latest innovations for credential abuse is a shift to attacks on the application programming interfaces (APIs) that enable computer-to-computer interactions on the web. Almost every site has an API that allows for health checks or permits other computers to download important data. Unlike the front door of a site, these accounts are often static and not as rigorously monitored by defenders.

Combined with the fact that many APIs have access to data no user would be allowed to see, they are tempting targets for attackers. Rather than compromise one or several accounts, attackers can use a compromised API to download the entire data set of a site or establish a foothold on the network.

Protecting Your Site From Credential Abuse Attacks

What can an organization do to protect itself from credential abuse attacks? As with anything in the security domain, the first step is to increase awareness. The solutions promising to handle your bot and account takeover problems are legion, but if no one in your organization is taking credential abuse seriously, you won’t have access to any of them.

The next step is to be aware of the changing landscape. I could detail a dozen different controls you need to have in place to combat today’s account checkers, but the truth is that they’ll be outdated in a year if your technology doesn’t keep up with the pace of change. Today, having a vendor who can spot a single IP address jiggling the locks across multiple sites is vitally important. Bot herders are an intelligent, adaptive adversary and will develop methods to evade any protections. This means your defenses have to continue adapting as well.

Credential abuse is not going to stop knocking at your door anytime soon. Abusers have little chance of being caught, and their attacks are a low priority for many organizations compared to flashier, more frequent problems such as DDoS attacks. But as long as users reuse the same login and password across multiple sites, account checkers will prosper. It’s an attack that offers little risk for a potentially huge reward.
