Ryan Barnett, Principal Security Researcher, Akamai
Elad Shuster, Senior Security Researcher, Akamai
During its research into Credential Abuse attack campaigns, Akamai's threat research team conducted an analysis of web logins to gain insights into how widespread the adoption of API-based logins is and whether or not this trend also affects attackers and attack campaigns. It will come as no surprise that API-based logins are highly targeted by credential abuse attackers for a variety of reason.
- 30% of all API authentication attempts are fraudulent.
- Credential abuse campaigns launched at API authentication endpoints process four times as many user credentials vs. normal form-based authentication applications
- Credential abuse campaigns launched at API authentication endpoints may employ 4.75% more botnet clients.
Credential Abuse Background
As a part of a continuous effort to protect its customers from cyber attacks, Akamai has been monitoring and analyzing malicious login requests across all of its Kona security customer base. Such attacks are known as Credential Abuse (also known as "Credential Stuffing"), and we already published several articles on this topic, such as the Web Application Defender's Field Report: Account Takeover Campaigns Spotlight and SSHowDowN: Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns.
Application Log In Method Statistics
During this research, we analyzed a day's worth of data from our Cloud Security Intelligence (CSI) platform. Our data corpus included a total of 413,392,955 daily login requests originating from 27,882,776 IP addresses, and targeting 48,702 Internet hosts. Our research showed that at least 42% of the monitored applications were strictly using Web and mobile API Calls for performing logins. These applications were using JSON, XML, SOAP and other API-related message formats to transmit user credentials to the web applications. Only 55% of the applications were strictly using standard form-based authentication, while merely 3% were using both approaches.
According to our research, 78% of all API-based login requests were done by mobile clients. These include native mobile apps, HTML rendering components within mobile apps, and mobile browsers. The other 22% were divided between standard desktop browsers, as a part of AJAX API calls and IoT devices, which were mostly gaming consoles.
Credential Abuse Campaign Statistics
Out of the total logins that were analyzed, a whopping 30% were identified as fraudulent logins, submitted as a part of massive Credential Abuse campaigns. This data is simply mind boggling: almost one out of every three login attempts were identified as being fraudulent!
When it comes to massive (millions of unique attack sources a day) Credential Abuse attack campaigns, our data reveals that 88% of the attackers targeted API calls at some point during their campaign. In contrast, only 22% of the attackers abused only standard web forms authentication. Naturally, some attackers target both, depending on the application they are attacking at the moment.
One of the most obvious differences between API-based Credential Abuse campaigns and those targeting web forms was the average number of attempted accounts tested per application in each campaign; standard web forms received 1,000,000 abuse attempts each, while API application logins saw four times as much, nearly 4,000,000 attempts per application!
Some vendors in this space (including Akamai) provide solutions that are capable of differentiating between humans and bots in mobile applications. Such detections require mobile application developers to include in their mobile app code a special SDK provided by the vendor, which collects and analyzes mobile device-based metrics and telemetry. This includes measurements such as global positioning data, touch screen gestures, screen resolution and orientation, and connectivity type, to name a few.
A key factor in API based attacks is the ability to easily distribute the attack workload among thousands of bot nodes. Since API based logins were meant to be consumed programmatically, it is extremely simple for an adversary to build a distributed botnet, which will divide the work among thousands of nodes. This approach is critical in Credential Abuse campaigns: any application blocks a user after three failed attempts, forcing campaigns to perform "low & slow" attacks, where each node sends about 3-5 login requests in the span of 24 hours.
This theory is strongly supported by our research. On average an API-based attack campaign will involve 19,000 unique IP addresses, while campaigns that target standard web forms login involved only 4,000 IP addresses. That's 4.75 times more bot nodes per campaign in API-based logins.
Credential Abuse Tools
There is a multitude of automated tools for performing credential stuffing campaigns, some of which maintain a large and active community for selling pre-canned credential stuffing campaign configuration files. The most popular credential abuse tool is called SentryMBA.
SentryMBA Tool Screenshot
While going through these underground web sites and looking at the pre-canned configuration files that are on sale, we noticed that campaign configuration files for API logins seem to have a higher price than those that target web based forms, as shown in the Figure below.
SentryMBA Configuration Pricing on Credential Abuse Forum
The rationale for the higher price point is related to the increased velocity supported by authentication APIs coupled with the challenges of utilizing the traditional anti-automation mechanisms.
Authentication APIs are a ripe target for credential abuse attackers. Organizations that are looking to defend against such attacks across their entire API portfolio should make sure that whatever solution they choose, it handles the following areas properly:
Ability to parse and understand Web and mobile API call messages, and to apply proper protections and detection techniques on them, in the most granular way possible. This includes XML based messages, JSON messages, and RESTful services.
Ability to differentiate between automatic and malicious attacks, such as those performed by bots, in an API environment, which is not necessarily consumed by web browsers (e.g. native mobile apps, gaming consoles and other IoT devices).
Provide a proper logging and visibility into security events in APIs. Visibility should be granular and provide insights on specific API endpoints and methods.
Provide clean and simple API security management solution, which allows the organization to assign different security policies to different API endpoints, apply granular application layer protections as well as rate limiting, and provide visibility into all of the APIs that are exposed to external users.
Provide a feed of client reputation and intelligence, which includes visibility to malicious actors specifically performing Credential Abuse campaigns over API calls such as those used by mobile, web and IoT applications. Such a feed can serve as a safety net or a final line of defense in situations where previous protections provide partial coverage.
The research and data presented in this document was originally drafted by Ory Segal, with data collected and analyzed together with Or Katz and Aharon Fridman.