The Akamai Blog

Web Application Defender's Field Report: Account Takeover Campaigns Spotlight

I am scheduled to give a security talk next week at the Gartner Security Summit entitled "Web Application Defender's Field Report." In the talk, I will cover statistics and technical details of web application attacks from our just-released State of the Internet (SOTI) Report for Q1 2016. One of the more interesting parts of the report is the analysis of massive Account Takeover (ATO) attack campaigns that targeted two of our customers.

ATO attacks (also known as credential stuffing) use previously breached username and password pairs to automate login attempts. This data may have been previously released on public dumpsites such as Pastebin or obtained directly by attackers through web application attacks such as SQLi. The goal of the attacks is to identify valid login credential data that can then be sold to gain fraudulent access to user accounts. ATO may be considered a subset of brute force attacks; however, it is an increasing threat because such attacks are harder to identify by watching authentication errors on individual accounts. The Akamai Threat Research Team analyzed web login transactions for one week across our customer base to identify ATO attack campaigns.

In ATO attacks, malicious actors typically try to obtain credentials via a direct SQLi attack, a website breach, or even a password dumpsite, as shown in Figure 3-14.

The attacker uses an account checker to test the stolen credentials against popular websites (such as social media sites or online marketplaces). Most of these account-checking tools have proxy capabilities, which distribute the load across many different source IP addresses. This approach makes rate limiting and blacklisting defenses less effective. An example account-checking tool is shown in Figure 3-15.
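The following added example (not from the SOTI report or any Akamai product) shows on the defender's side why this traffic slips past per-account lockout and per-IP rate limiting, and how an aggregate per-source signal still surfaces it. The log events, addresses, function names and thresholds are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed events (source_ip, username, success); not real traffic."""
    events = []
    # Stuffing run: 200 proxy IPs, 3 attempts each, every attempt a new account.
    for i in range(600):
        events.append((f"198.51.100.{i % 200}", f"victim{i}@example.com", i % 97 == 0))
    # Normal users: one mistyped password, then a successful login.
    for u in range(50):
        ip, user = f"203.0.113.{u}", f"user{u}@example.com"
        events += [(ip, user, False), (ip, user, True)]
    return events

def lockout_hits(events, max_failures=5):
    """Traditional control: accounts with too many failed logins."""
    fails = Counter(user for _, user, ok in events if not ok)
    return {u for u, n in fails.items() if n >= max_failures}

def rate_limit_hits(events, max_attempts=10):
    """Traditional control: source IPs with too many attempts in the window."""
    per_ip = Counter(ip for ip, _, _ in events)
    return {ip for ip, n in per_ip.items() if n >= max_attempts}

def stuffing_suspects(events, min_accounts=3, min_fail_ratio=0.6):
    """Aggregate signal: IPs that try several distinct accounts and mostly fail."""
    accounts, attempts, fails = defaultdict(set), Counter(), Counter()
    for ip, user, ok in events:
        accounts[ip].add(user)
        attempts[ip] += 1
        fails[ip] += 0 if ok else 1
    return {ip for ip in attempts
            if len(accounts[ip]) >= min_accounts
            and fails[ip] / attempts[ip] >= min_fail_ratio}

def accounts_to_reset(events, suspects):
    """Accounts a suspect IP logged in to successfully: validated credentials."""
    return {user for ip, user, ok in events if ok and ip in suspects}

if __name__ == "__main__":
    ev = build_sample()
    suspects = stuffing_suspects(ev)
    print("locked accounts:", len(lockout_hits(ev)))
    print("rate-limited IPs:", len(rate_limit_hits(ev)))
    print("suspect IPs:", len(suspects))
    print("accounts to reset:", len(accounts_to_reset(ev, suspects)))
```

Shared office or carrier NAT addresses also present many distinct accounts from one IP, so the failure-ratio condition and both thresholds need tuning against normal traffic before such a rule is used to block.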


Once the attacker has validated the credentials, they are typically offered for sale on underground forums and markets, as shown in Figure 3-16. Or, depending on the account and what value it has, the attacker may attempt to cash out value from reward programs and gift cards.


ATO Attack Statistics

We analyzed two ATO attack campaigns that took place February 10-17, 2016. During this time, many domains were attacked; however, 93% of the attacking IPs were part of a campaign that targeted two specific customers and three domains. These two targeted campaigns were many orders of magnitude greater than all the other ATO attacks combined.

In the repeated attacks against a customer in the financial services industry, 999,980 IPs were involved in the attacks against the customer's login page. One campaign was responsible for more than 90% of the total attack volume. Here is a closer look at this campaign:

  • 993,547 distinct IPs
  • 427,444,261 accounts checked
  • 22,555 IPs previously blocked based on WAF event logs

The rate of the attack was steady as 75% of attackers participated for multiple days, as shown in Figure 3-17. 


Entertainment Vertical Customer

During this same timeframe, 1,127,818 different IPs were involved in attacks. These IPs performed 744,361,093 login attempts and checked 220,758,340 distinct email addresses. The attacks were evenly distributed between two customer sub-domains.

One campaign was responsible for ~50% of the total login attempt attack volume.

This campaign lasted all week long, all day long. Here is a closer look:

  • 817,390 distinct IPs
  • 388,674,528 login attempts
  • 65,556,491 email addresses checked

The attacking IP persistency is shown in Figure 3-18.


Finance/Entertainment Campaign Overlap

When cross-referencing the attacking sources from both of these targeted campaigns, we identified that 778,786 IPs (more than 70% of the campaign participants) were attacking both customer sites. This implies that our finance and entertainment customers were both targets of a monstrous credential abuse campaign by the same attacking entity, employing the same gigantic botnet.

Botnet Analysis

While many of the participants were proxy servers, we did identify an interesting new element: compromised home routers. We clustered the attack IP addresses by geolocation. We noticed a cluster of attacking IPs based out of Mexico and identified that many of the abused systems were Arris cable modems, as shown in Figure 3-19.


The Arris modem product line has some known backdoors: it uses a rotating password of the day, and the algorithm that generates it has been publicly leaked. We also identified other compromised networking products participating in these ATO attacks, including ZyXEL routers/modems, as shown in Figure 3-20.


While we cannot confirm 100% that all of these home network devices were compromised or that this traffic was not originating from behind these devices, there is sufficient circumstantial evidence related to known public vulnerabilities in these products. When combined in a global view, it becomes evident that attackers are targeting these devices for use in botnet attacks.


As this analysis demonstrates, ATO campaigns are massively distributed and extremely persistent. Organizations need an active defense for identifying and mitigating ATO campaigns. The Bot Manager product can aid in defenses, as many ATO attacks include automated bot programs as part of the overall campaign. Additionally, the Client Reputation product can provide some level of protection, as we have seen that many of the attacking source IP addresses are also conducting other attacks besides ATO traffic.