Akamai InfoSec continues to monitor repeated attempts to hijack the accounts of those doing business with our customers. In this attack, the bad guys reuse credentials they've stolen from other sites to fraudulently acquire merchandise.
Attackers use automated tools commonly referred to as account checkers to quickly determine valid user ID and password combinations across a large number of ecommerce sites. The tools help the attackers identify valid accounts quickly so they can gain access and acquire names, addresses and credit card data from user profiles.
--More on this and other security threats in Akamai's latest State of The Internet report, available for download HERE.
"We first started getting help requests last year from customers who noticed unusual activity," said Akamai CSIRT Director Michael Smith. "In March another customer reported strange activity."
Michael Kun, a security response engineer with Akamai's CSIRT team, said carder gangs acquire lists of user IDs and passwords from SQL injection attacks against other sites and from online forums. They exploit users who are sloppy with their credentials, identifying those who use the same password across multiple commerce sites.
"They log in and use stolen credit cards to fraudulently buy, for example, a $200 gift card they can either sell for a profit or use themselves," Kun said. They also store cards in merchant shopping carts for future use.
--Please join us on Sept 26th at 11 AM ET for our next "Crush the Rush" holiday readiness webinar to learn more about how to protect your site and holiday season revenue. Mike Smith, director of our CSIRT Team, and Daniel Shugrue will be detailing the types of attack trends that Akamai is seeing and ways in which other customers have mitigated the latest threats. Click here for more details.
Red flags indicating an account checker has been used against an ecommerce site include the following:
• A user complains that the mailing address on their account has been altered.
• Multiple other accounts altered in a similar time frame.
• Many failed logins detected in a short period of time from a small number of IP addresses.
• Accounts being locked out after repeated failed logins.
• A higher than normal rate of fraud activity.
Kun said many retailers have been affected. Fortunately, though, Akamai has prevented attackers from succeeding in attempts against its customers. "Every couple of weeks we get a message from a customer who has seen strange behavior and wants to know if we've encountered this before. We immediately recognize the activity and direct them to our advisory and set up their WAF configuration to block the activity," Smith said.
Companies can protect their customers in several ways. The use of a CAPTCHA or other validation step that requires human intervention will defeat the automated account-checking tools.
Rate controls are particularly useful, specifically to count requests to the login page. Rate controls work by counting the number of requests from an individual IP address. "We scope down the rate control just to the login page and then we can set a threshold of 'if you send 10 login requests in 5 seconds, you're an automated login program not a human being behind a browser and we can safely block you,'" Smith said.
If the customer base is primarily from a known country or region, geoblocking may be an option to minimize the locations an attack can originate from.
Careful review of authentication logs can identify likely proxy servers being used by the attackers. A sequence of login attempts for many different user IDs from the same IP address may be an indication.
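The two checks above (a rate control scoped to the login page, and a log review that looks for many different user IDs arriving from one IP) can be illustrated with a small script. This is an added example, not Akamai code and not a Kona Site Defender configuration; the log format, the sample log lines and the IP addresses are constructed for the example, and the 10-requests-in-5-seconds threshold is the one Smith describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample authentication log (not real traffic). Assumed format:
#   "<ISO timestamp> <client IP> <path> user=<id> result=<ok|fail>"
# 203.0.113.5 behaves like an account checker: 11 login attempts for 11
# different user IDs in 5 seconds. 198.51.100.7 is one user who mistypes
# a password once, then logs in normally.
SAMPLE_LOG = """\
2014-09-10T12:00:00 203.0.113.5 /login user=alice result=fail
2014-09-10T12:00:00 203.0.113.5 /login user=bob result=fail
2014-09-10T12:00:01 203.0.113.5 /login user=carol result=fail
2014-09-10T12:00:01 203.0.113.5 /login user=dave result=ok
2014-09-10T12:00:02 203.0.113.5 /login user=erin result=fail
2014-09-10T12:00:02 203.0.113.5 /login user=frank result=fail
2014-09-10T12:00:03 203.0.113.5 /login user=grace result=fail
2014-09-10T12:00:03 203.0.113.5 /login user=heidi result=fail
2014-09-10T12:00:04 203.0.113.5 /login user=ivan result=fail
2014-09-10T12:00:04 203.0.113.5 /login user=judy result=ok
2014-09-10T12:00:05 203.0.113.5 /login user=mallory result=fail
2014-09-10T12:00:00 198.51.100.7 /login user=alice result=fail
2014-09-10T12:00:20 198.51.100.7 /login user=alice result=ok
2014-09-10T12:00:21 198.51.100.7 /account user=alice result=ok
2014-09-10T12:01:00 192.0.2.9 /login user=oscar result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<path>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def rate_control_offenders(events, login_path="/login", max_requests=10, window_seconds=5):
    """Sliding-window rate control counting only requests to the login page, per IP.

    Returns the set of IPs that sent max_requests or more login requests
    within any window_seconds-long window (the "10 in 5 seconds" rule).
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent login requests
    offenders = set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["path"] != login_path:
            continue  # other pages do not count against the login-page bucket
        window = recent[e["ip"]]
        window.append(e["ts"])
        # Drop timestamps that fell out of the window.
        while (e["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_requests:
            offenders.add(e["ip"])
    return offenders


def many_users_per_ip(events, login_path="/login", min_distinct_users=5):
    """Log-review heuristic: IPs that attempt logins as many different user IDs.

    A single browser behind a home connection rarely tries five or more
    accounts; a proxy used by an account checker does. Returns
    {ip: number_of_distinct_user_ids} for IPs at or above the threshold.
    """
    users = defaultdict(set)
    for e in events:
        if e["path"] == login_path:
            users[e["ip"]].add(e["user"])
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_distinct_users}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("rate-control offenders:", rate_control_offenders(evts))
    print("many user IDs per IP:  ", many_users_per_ip(evts))
```

Both checks flag 203.0.113.5 and neither flags the legitimate user, which is the point of scoping the rate control to the login page: ordinary browsing of other pages never counts toward the threshold, so the limit can be set low enough to catch a checker without locking out real shoppers.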
In the end, the best defense is smarter user behavior. Users can start by ending their habit of reusing user names and passwords. If they use different credentials for every site, the attackers won't stand a chance.
Meanwhile, Akamai's User Validation Module (UVM) will confirm that the login is coming from a browser and will defeat these tools. Organizations that are on the Akamai platform and are using Kona Site Defender can readily block these kinds of attacks by using a combination of rate controls and IP blocklists.
Akamai also recommends that ecommerce customers configure a rate-control bucket scoped to the path of their login page.