Botnets Hitting Financial Institutions With Credential Stuffing Attacks

The rise in botnet-aided credential stuffing attacks and the threat they present to financial services is the emphasis of Akamai’s research, “The State of the Internet / Security Report for 2018.”

Cambridge, Mass.-based Akamai, found what it described as a significant amount of credential stuffing traffic — over 30 billion malicious login attempts from the beginning of November 2017 until the end of June 2018.  This study covered attacks against two financial institutions that experienced tens and hundreds of thousands of attempts to log into their sites from credential stuffing botnets.

“The term ‘botnet’ covers a lot of ground, from web crawlers to site scrapers to account takeover tools or even DDoS tools,” Martin McKeay, senior security advocate, Akamai, said in the report. Credential stuffing botnets attempt to log into a target site in order to assume an identity, gather information, or steal money and goods. They use lists of usernames and passwords gathered from breaches. Akamai maintained it is one of the main reasons individuals should use a password manager to create unique and random strings for your passwords. “Yes, remembering that “*.77H8hi9~8&” is your password is difficult, but having your login at the bank compromised is a much bigger hassle.”

The Cambridge, Mass. content delivery network and cloud security solutions provider, noted credential stuffing botnets affect every business. “But financial services and retail sites are prime targets. Account takeover is profitable for attackers, guaranteeing that it will be a threat for the foreseeable future.”

Patrick Sullivan, Akamai global director of security, said, “it’s not economically viable for the adversary to run through a list of a billion credentials and just try to enter them manually. The attacks only work really well when they have bots that will go in and attempt to use attacks at a massive scale.”

Akamai chose to highlight two attacks on financial services sites, because they represented high value targets that are constantly under pressure from credential stuffing botnets. “A successful compromise of a bank account or stock portfolio could easily net an attacker thousands, if not hundreds of thousands, of dollars.”

Each of these attacks highlighted several common themes in credential stuffing attacks. Akamai observed too often, administrators see failed login attempts as a low-risk threat until a major change in traffic patterns occurs.

The first example highlighted the traffic a large North American financial services institution sees daily. It learned a trio of botnets targeting its site after it saw a large spike in malicious login attempts. “While it was the noisy botnet that caught their attention, the discovery of a botnet that had been very slowly and methodically trying to break in was a bigger concern, because of its ability to stay below the radar for long periods of time,” Akamai said in its report.

Over the seven-day period examined, there were 4.2 million legitimate login requests by the financial services institution’s customers. “At the same time, there was also a steady cadence of credential stuffing attempts, with an attempt rate hovering at 1.5% of legitimate logins. However, one botnet generated enough traffic to get itself noticed and alerted the organization to two other botnets in the process.”

The report indicated, the second example showed a sudden tripling in account logins created by a single botnet. “Rather than trying to be quiet, this botnet’s owner decided to try as many attempts as possible before defensive actions kicked in.” Another possibility, Akamai suggested, is that the botnet owner did not understand how to configure its tool and accidentally created a DDoS-like condition. “The resultant traffic is functionally identical to a defender.”

“So much of the fraud and attack methodology depends on automation to get the economics to work out for the attacker,” Sullivan, Akamai global director of security, said, “The headline numbers for financial services, over the period we looked at, we saw more than a billion credential stuffing attacks.” They came from bots attempting to reuse credentials located somewhere on a login interface with the goal of taking over that account to commit some type of monetization or fraud. Sullivan held that could be a retail banking, brokerage, mutual fund, 401(k) and asset management account. “Any of those would be a really valuable target for an adversary.”

Sullivan explained, “In financial services it is a pretty significant number to observe.” However, one of Akamai’s key observances recently is that no organization is too small to attack. “In 2019, we’re getting phone calls from organizations that are not as large as four or five years ago. Smaller organizations are seeing this for the first time.”

Sullivan also pointed out, “What’s unique about these attacks is your financial organization can be exposed because of no imperfection on your site. Your weakest link in this case are customers with poor credential hygiene.” That means cybercriminals can leverage the same username/password credentials, gathered from breaches, across multiple sites.

The data used to create the report came from two primary sources: Akamai’s Bot Manager Premier, designed to use intelligence gathered to classify bots and help customers; and Cloud Security Intelligence platform, which collects data from multiple products to help feed intelligence to other Akamai products.