Shape Security Blog


Tag: account checkers

Hijacking 1 million accounts for $3

Our last post covered how credential stuffing poses a significant danger to consumer and enterprise websites.

But how much does it cost to actually execute this powerful attack?

Learn about how an adversary can hijack one million accounts for less than a fast food meal.

Credential stuffing is a dangerous threat. Using simple mathematics and publicly available data we’ve been able to show how attackers are using botnets to try to hijack 1 million online accounts for just $3. Assuming a 1% success rate, attackers are still netting 10,000 accounts for $3.

The economics of botnet technology makes credential stuffing a growing threat for consumers and enterprises.

To highlight the economics of credential stuffing, let’s compare labor costs between a single human, a bot, and a botnet to test 1 million credentials. According to WSJ, a botnet costs $2 to rent.

Using a botnet, an attacker can test 1 million accounts in a matter of hours (100 minutes to be exact). Credential stuffing is a web threat enabled by the rise of cheap botnets. In years past, testing 10 million passwords against a given website was both expensive to do, and easy to detect. Today, cheap botnets consisting of end-user machines have turbocharged credential stuffing. Now, the attack is cheap to perform and very hard to detect. Attackers regularly cycle through 10,000 to 100,000 IP addresses a day, making detection challenging.

Prior to the development of these technologies, the cost and time commitment required to launch this kind of brute force attack was prohibitive to attackers. The advent of botnets allowed credential stuffing attacks to be done in as little as a few days, while avoiding the IP reputation and throttling controls that prevent repeated login attempts. Cheap, easy-to-use botnets are plentiful on the black market, and potential attackers are more comfortable with using technology than ever before.

Market-Driven Attackers

The attackers who control these botnets are still held to the same economics as white-market products and services. Criminal entrepreneurs need to weigh the costs of infrastructure, labor, and profits to justify testing millions of credentials. And as they race against the clock for consumers to change their passwords, criminals become desperate for tools that make account takeover easier, faster, and more profitable for their enterprise.

In the last 5 years, bot technology has innovated the black market economy. As a result, we have seen a dramatic increase in automated, scripted attacks amongst our customers. If you would like to read more about the lifecycle of an automated attack, you can read our previous blog here.

Contact us to learn how Shape Security can protect your site.

[update] In this updated version of this blog post we refer to a single node bot. In a previous version of the same blog post we referred to a click-farm.

Author: Shape Security. Posted on February 19, 2015 (updated December 22, 2018). Categories: Credential Stuffing, Threat Lab. Tags: account checkers, credential stuffing, economics, Security Trends.

3 Steps for CISOs to Protect Login Accounts

Tweets like the one below are becoming more and more common. This frustrated consumer lost $100 from a gift card account he had with his favorite retailer. Besides the direct financial loss in replacing these stolen funds, the retailer also incurred call center costs and brand damage (this tweet represents just one of many related to hijacked accounts).

As web security moves from an IT problem to a C-Level and board problem, CISOs should create a strategy for protecting their customers and their enterprise from account hijackers. Below we provide 3 easy checks that companies can use to secure their customer credentials.

If 2014 was the year of the breach, then 2015 will be the year of account hijacking at a scale we’ve never seen before. The huge sets of credentials stolen in the past will be tested on just about every major website (and lots of minor ones), and roughly 0.1% to 20% of them will be valid. A Microsoft study found the typical consumer has terrible password hygiene and re-uses the same username / password combination across sites. Specifically, the study found the typical user has 6.5 passwords per 25 accounts, meaning that each user password is shared across 3.9 different sites. Due to frequent password reuse, credentials stolen during the breach of one site are also likely to be valid on 3.9 other unrelated sites. Each breach is also a breach of other sites on which the same credentials are valid.

Why is this so important? According to the 2014 Verizon Data Breach Investigations Report, compromised credentials are now the most commonly used threat action. Almost every major website, including those with fully patched, up-to-date security, is susceptible to account takeover and to the use of account checker scripts to hijack accounts. Attackers use scripts to take over an account, drain its funds or other assets, and resell the drained account so it can be used for spam or for money or reputation ‘laundering’. On our customers’ sites, an average of 60% of login page traffic is caused by malicious bots testing stolen credentials, up 10% from the same time last year.

Here’s a 3-step approach which SysAdmins can implement to help mitigate this vulnerability and protect user accounts.

Step 1. Diagnose if the site already has account hijackers

The first step is to measure whether criminals are actively testing stolen credentials against your website. The easiest metric to deploy is a comparison of failed logins against successful logins over a typical one-week window. For most enterprises, the graph should have the following characteristics:

  • Failed logins should be a small percent of successful logins, typically under 10% (this varies widely, but if failed logins are over 100% of successful logins there is a very strong probability of a serious problem).
  • Failed logins should follow roughly the same pattern as successful logins.
  • Failed logins should not have large bursts of activity.

Look out for hijackers who time their attempts to coincide with your legitimate usage bursts and hide within them. Also look for attackers who generate a large volume of fake web traffic (DDoS-style) and hide their login attempts inside it. There are many patterns and signs to evaluate, but the checks above will help you determine whether you have a problem.
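The following is an added example of the Step 1 measurement, not code from the original post: it buckets login events by hour from a log format assumed for the example (ISO timestamp, client IP, `LOGIN_OK`/`LOGIN_FAIL`, user), computes the failed-to-successful ratio over the window, and flags buckets where failures exceed successes or spike far above the hourly mean. The sample log is constructed inline.

```python
import re
from collections import defaultdict

# Log line format assumed for this example: ISO timestamp, client IP, result, user.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d)T(\d\d):\d\d:\d\d \S+ (LOGIN_OK|LOGIN_FAIL)\b")

def build_sample():
    """Constructed sample day: business-hour traffic plus a 03:00 failure burst."""
    lines = []
    for hour in range(9, 18):  # each business hour: 20 successes, 1 failure
        lines += [f"2015-02-02T{hour:02d}:00:00 198.51.100.10 LOGIN_OK user=alice"] * 20
        lines.append(f"2015-02-02T{hour:02d}:30:00 198.51.100.11 LOGIN_FAIL user=bob")
    # 500 failures spread across many client IPs in a single off-hours bucket
    lines += [f"2015-02-02T03:00:{i % 60:02d} 203.0.113.{i % 250} LOGIN_FAIL user=u{i}"
              for i in range(500)]
    return lines

def hourly_counts(lines):
    """Count successful and failed logins per (day, hour) bucket."""
    counts = defaultdict(lambda: {"ok": 0, "fail": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not login events
        day, hour, result = m.groups()
        counts[(day, int(hour))]["ok" if result == "LOGIN_OK" else "fail"] += 1
    return dict(counts)

def overall_failure_ratio(counts):
    """Failed logins as a fraction of successful logins over the whole window."""
    ok = sum(c["ok"] for c in counts.values())
    fail = sum(c["fail"] for c in counts.values())
    return fail / ok if ok else float("inf")

def find_anomalies(counts, ratio_limit=1.0, burst_factor=5.0):
    """Flag buckets where failures exceed successes, or spike far above the mean."""
    buckets = sorted(counts)
    mean_fail = sum(c["fail"] for c in counts.values()) / len(buckets) if buckets else 0
    findings = []
    for key in buckets:
        ok, fail = counts[key]["ok"], counts[key]["fail"]
        if fail > ratio_limit * max(ok, 1):
            findings.append(("ratio", key, fail, ok))
        if mean_fail and fail > burst_factor * mean_fail:
            findings.append(("burst", key, fail, ok))
    return findings
```

A ratio above 1.0 over the window corresponds to the "failed logins over 100% of successful logins" warning sign above; the burst check catches the off-hours spike even when the weekly ratio looks healthy.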

Step 2. Recognize that old traps don’t stop new login attackers

The traditional approaches to stopping account takeover (throttling, reputation, and CAPTCHA) are outdated and ineffective. Don’t get caught deploying a solution that criminals defeat easily.

  1. Throttling solutions: Throttles won’t help, but they can hurt.

    Brute force throttling solutions will not reliably protect your website because determined adversaries will reduce the speed of their attack to fall below the threshold for detection, or source the attack from a diverse set of source IPs to spread out their traffic. Even unsophisticated crooks will quickly realize that web security throttles initially let the attack go unabated, typically for the first 60-90 seconds. Typical customers using rate-limiting heuristics find that 5,000 login attempts can occur in the first 90 seconds. If we assume a 1% success rate, which is conservative, each IP address used for the 90 second window will give the attacker access to 50 accounts. If we assume an average loss of $200 per account, the crook will net an estimated $10,000 per incident, with no real limit on the number of incidents beyond the availability of credentials to test.

  2. Reputation solutions: Reputation isn’t what it used to be.

    Reputation solutions, especially IP-based products, are increasingly easy to circumvent given rentable legal infrastructure (such as Rackspace and Amazon) and illegal infrastructure (from crimeware-as-a-service botnet operators who, according to Gartner, rent 10,000 clean IP nodes for $1.50 per hour). Botnets are especially damaging to the efficacy of IP reputation services, since they consist of compromised end-user computers and therefore appear to come from valid residential IPs. We can expect the botnet problem to get worse with the end of support for Windows XP.

  3. CAPTCHA solutions: This antiquated method disrupts customers, not fraudsters.

    CAPTCHA is disintermediated by commercial bypass services. Search for “CAPTCHA bypass service” to find a list of services that provide 1000 solved CAPTCHAs for as little as $1.39, with 95% accuracy. As the average user is only 71% accurate when solving CAPTCHAs, bypass services are 25% more accurate than legitimate users. This is equally true for niche CAPTCHAs like Confident Technologies’ implementation, mainstream CAPTCHAs like Google’s reCAPTCHA, and even reCAPTCHA v2.

Step 3. Implement user interface security on the login page

To protect user login accounts from being hijacked, we propose a solution that has long been theorized but was undeployable until now. We suggest that sites make critical elements of the underlying code dynamic, rendering machine-automated attacks impractical to implement. We call this “user interface security” because it protects the user interface’s HTML, DOM, CSS and JavaScript from attack. This new method of defense defeats script attacks on web applications, and can be home-grown or purchased from Shape Security as a network appliance.

Malware has long used polymorphic code to hide itself from antivirus products by looking unique every time it infects a new machine. SysAdmins can invert this concept and use polymorphism to disable an attacker’s capability to script commands against targeted sites.
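As an added illustration of the polymorphic-interface idea (example code, not Shape’s product or the scheme from the paper cited below): the server renames the login form’s fields on every render using an HMAC over a single-use random nonce, so a script hardwired to `username`/`password`, or one replaying a captured form, does not resolve. `SERVER_KEY`, `USED_NONCES`, the `n` hidden field and the field-name derivation are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumed for this example: a per-server secret that never reaches the client.
SERVER_KEY = secrets.token_bytes(32)
REAL_FIELDS = ("username", "password")
USED_NONCES = set()  # each rendered form is accepted once (in-memory for the example)

def polymorphic_names(nonce):
    """Derive a per-form field name for each real field from a random nonce."""
    return {
        field: "f_" + hmac.new(SERVER_KEY, nonce + field.encode(), hashlib.sha256).hexdigest()[:16]
        for field in REAL_FIELDS
    }

def new_nonce():
    """Fresh random nonce per form render (assumed: 16 bytes is ample)."""
    return secrets.token_bytes(16)

def render_login_form(nonce):
    """Emit the login form with dynamic field names; hidden field 'n' carries the nonce back."""
    names = polymorphic_names(nonce)
    return (
        '<form method="post" action="/login">'
        f'<input type="hidden" name="n" value="{nonce.hex()}">'
        f'<input type="text" name="{names["username"]}">'
        f'<input type="password" name="{names["password"]}">'
        '<input type="submit"></form>'
    )

def resolve_submission(form_data):
    """Map submitted dynamic names back to the real fields.

    Returns None when the nonce is missing, already used, or the submitted field
    names do not match what this nonce produces (e.g. a script replaying a stale form).
    """
    try:
        nonce = bytes.fromhex(form_data["n"])
    except (KeyError, ValueError):
        return None
    if nonce in USED_NONCES:
        return None
    names = polymorphic_names(nonce)
    if any(dyn not in form_data for dyn in names.values()):
        return None
    USED_NONCES.add(nonce)
    return {field: form_data[dyn] for field, dyn in names.items()}
```

A bot that fetches and parses a fresh form before every attempt still gets through this minimal version; rotating the surrounding HTML, DOM and JavaScript as described above is what raises the attacker’s cost further.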

This technique is both cutting-edge and effective. Our chief scientist, Xinran Wang, Bob Blakley of Citibank, and Professor Tadayoshi Kohno of the University of Washington authored an academic paper on making web elements dynamic to defeat web automation. The paper was presented at the 2014 International Conference on Applied Cryptography and Network Security.

You can read it here.

Keep an eye out for forthcoming articles where we will categorize threats that rely on automation and the appropriate anti-automation control.

Contact Shape to protect your web application’s user interface.

Author: Shape Security. Posted on February 2, 2015 (updated December 21, 2018). Categories: Best Practices, Shape Perspectives. Tags: account checkers, account hijacking, account takeover, botnet, captcha, IP reputation, polymorphism, Security Trends.
