The Akamai Blog

Defending Credentials From Automated Attack Tools

By Danny Wasserman

The folks on the Akamai Professional Services team are the people who help implement, configure, and tune the cloud security products that protect our customers' web applications from the daily onslaught of bots blasting login attempts against their websites, mobile apps, and APIs. We decided to take a look at some popular tools used by threat actors to launch these credential abuse attacks and what can be done to defend against them.

First, we examined Cr3d0v3r, which is a Python script that helps with credential reuse attacks and finding passwords from known security breaches. Next, we looked at Sentry MBA, an infamous point-and-click tool for Windows that has been around for years. Finally, we examined SNIPR, an emerging and powerful GUI tool with a robust community and frequent updates and support. We ran all three tools against one of our test websites that was protected by Akamai's Bot Manager Premier solution to evaluate its detection capabilities and defenses.

Our findings were recently published in the Akamai white paper "Hidden in Plain Sight: The Tools and Resources Used in Credential Abuse Attacks." Right now we will focus on some recommendations that both web defenders and end users can follow to help mitigate the credential abuse problem.

A primer on credential abuse

In an ideal web world, all users on the Internet would choose strong and unique passwords for every website they visit. Better yet, we would remove the need to expose users' passwords to the website they are logging in to, and the websites themselves would have strong defenses in place against malicious login attempts. Users would also use multi-factor authentication, such as a smartphone app to help prove their identity, when logging in. Also, the web application would store their passwords securely and be designed to handle the inevitability of credential compromise. These practices are certainly not ubiquitous, and thieves are profiting from the poor security hygiene of the web masses.

This type of attack is known by a few different names: account checking, credential abuse, credential stuffing, or password stuffing. The premise is the same in each case: malicious actors take pairs of stolen usernames and passwords and attempt to log in to the websites they target, relying on the fact that people reuse the same passwords across multiple websites. It doesn't help that most sites use the person's email address as the username by default, which makes it easy to take advantage of credential reuse. Check out this video by Akamai's Chief Security Officer Andy Ellis explaining the password stuffing threat.

The result of a successful credential stuffing attack is usually account takeover, where the stolen, but valid, credentials may be sold to other threat actors, used to drain the account of stored value, or used to steal data.


Figure 1: Overview of credential abuse and account takeover attacks

Credential stuffing can cost organizations millions of dollars in fraud annually, according to Ponemon Institute's "The Cost of Credential Stuffing" report. One financial institution reported that the cost of an account takeover, resulting from credential stuffing, can range from $1,500 to $2,000 per account. However, attackers are hitting more than just Financial Services, and the popular credential abuse tools we analyzed can easily target websites in many different industry verticals, ranging from Retail, Gaming, and Travel to Pornography and Gambling. Credential abuse is a very lucrative business for hackers, and there is a thriving market for the tools, support services, and knowledge behind it, as well as for the rewards reaped from a successful attack.

These attacks are on the rise worldwide, especially as we are in the thick of the holiday shopping season. According to recent Akamai research, Akamai detected approximately 3.2 billion malicious logins against customer websites per month from January through April 2018, and over 8.3 billion malicious login attempts from bots in May and June 2018 - a monthly average increase of 30 percent. In total, from the beginning of November 2017 through the end of June 2018, Akamai researcher analysis shows more than 30 billion malicious login attempts during the eight-month period. Clearly, the malicious login attempts outweigh the legitimate ones and they're continuing to occur every day.

How do we fight back?

All is not lost when it comes to protecting your (or your customers') online accounts from compromise.

Suggestions for end users

There are a number of things end users can do to avoid becoming victims of credential abuse and account takeover attacks, and they all revolve around practicing good Internet hygiene. The more people who follow these recommendations, the less collateral damage a third-party data breach will cause.

  • We know good passwords are hard to remember, and that a passphrase you made up yourself is easier to remember while still being strong, but never reuse a password, and never use one on more than one website or application. We showed in the white paper how the bad guys rely on people using the same password across different sites to compromise accounts.

  • Are you using a password manager yet? Use a password manager such as LastPass or 1Password to generate strong unique passwords for every website that requires authentication. The idea with most of these is that it should be the only or the last password you will need to remember and all of your other credentials should be randomly generated and stored securely inside its "vault."

    • Furthermore, password managers could help deter phishing attacks since the password manager would only fill in a username and password for a previously saved legitimate website. In other words, your password manager should not automatically fill in your credentials to the login form on the page when you visit a phishing site or fake site impersonating your bank, for example.

    • Migrating all logins for the sites you visit into a password manager may be tedious, but the result pays off since you will be better protected against the possible compromise of your data. See "What is the best password manager and how can I migrate my passwords to it?" or "The Best Password Managers of 2018" for more info. Note that using the free version of a password manager is typically sufficient and you don't have to purchase anything to be secure.

  • End users can reduce the risk of being victims of account takeover attacks by enabling multi-factor authentication (MFA) where possible. This presents a roadblock to the credential abuse tools we researched, and could stop account takeover attacks dead in their tracks.

    • Security researchers have demonstrated how to intercept multi-factor authentication SMS messages by exploiting known flaws in cellular networks. See "This is why you shouldn't use texts for two-factor authentication" for more info.

    • An alternative is to send the MFA verification challenge to your email address instead of over SMS, given that email communication is likely more secure.

    • A better option than SMS or email is to use a hardware authentication device like Yubico's Yubikey or an authenticator app such as Google Authenticator to securely handle MFA. Many popular websites support these enhanced security features for logging in.

Suggestions for website owners and defenders

For those of us working behind the scenes of websites to keep them secure and up and running, there are different ways to limit the impact of credential abuse resulting from a security breach or credential compilation dump on the dark web.

  • Organizations should have robust identity and access management solutions.

  • There are two sides to the MFA coin, and the flip side is that web applications must support multi-factor authentication and implement it properly in order to have an additional layer of protection against credential abuse attacks.

    • Making MFA mandatory yet offering a variety of options for verification would be a secure and flexible option for improving login security.

    • Sending an authentication push via SMS text message is not a secure way to handle multi-factor authentication. Instead, organizations should rely on email messages, or better yet, a secure smartphone app or hardware authentication device for MFA verification challenges.

  • Organizations should not use email addresses as usernames for authentication. Many leaked credential lists contain email address/password pairs and thus are easy to validate across many websites, especially when end users reuse the same password on multiple websites.

    • Users should be required to create a unique user ID specific to the website and, in addition to that user ID and password, provide a second factor of authentication, such as a one-time code or an out-of-band push notification to their smartphone, when logging in.

    • This can also help protect both the user and the organization from ripple effects due to third-party data breaches.

  • Adding a third informational proof element to login pages, such as a customer ID or last name, has proven to be very effective for several companies in the Hotel & Travel industry. This makes it harder for automated tools to work effectively, because they would need to maintain this third element along with each username and password pair.

  • Malicious actors create configurations, or "configs," which are like recipes that tell the credential abuse tool how to break into your website. Akamai strongly suggests that customers review the target-website config files of the tools we covered in the white paper to see if their websites are included as potential targets, and take measures to avoid further abuse.

    • Evasive measures could include changing something in the web application's authentication workflow to "break" the tool's config or perhaps identifying characteristics in the config, like the headers configured to be sent, and creating a signature or rule to flag potential requests from the tools.

  • Deploy Akamai's Bot Manager Premier cloud security solution and leverage Behavioral Controls in Deny Mode to protect sensitive transactional URLs such as login, account creation, or payment data entry to block this malicious activity at the edge of the Internet. Contact your Akamai Representative for more information.
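To make the config-review and signature suggestions above concrete, here is an added example (written for this post; it is not Akamai's Bot Manager logic nor any code from the white paper) that runs two defender-side checks over a constructed set of login-endpoint events: a header signature of the kind one might derive from reviewing a tool's config, and a behavioral rule that flags a source IP sending a burst of attempts across many different usernames with a high failure ratio. The User-Agent value, the thresholds, the IP addresses (RFC 5737 documentation ranges) and the usernames are placeholders invented for the example; no real tool's fingerprint is shown.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class LoginEvent(NamedTuple):
    ts: int                        # Unix seconds
    ip: str                        # client source address
    user: str                      # username submitted to the login form
    status: int                    # 200 = login succeeded, 401 = bad credentials
    user_agent: str
    accept_language: Optional[str]  # None when the header was absent


# Hypothetical fingerprint derived from reviewing a tool config: a fixed User-Agent
# and no Accept-Language header. Placeholder values, not any real tool's signature.
TOOL_SIGNATURE = {"user_agent": "PLACEHOLDER-TOOL-UA/1.0", "accept_language": None}


def matches_signature(ev: LoginEvent) -> bool:
    """Static rule: does the request carry the header combination seen in the config?"""
    return (ev.user_agent == TOOL_SIGNATURE["user_agent"]
            and ev.accept_language == TOOL_SIGNATURE["accept_language"])


def behavioral_flags(events: List[LoginEvent], window: int = 60, min_attempts: int = 10,
                     min_users: int = 5, min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Per source IP, slide a time window over its login attempts and flag the IP the
    first time a window holds >= min_attempts against >= min_users distinct usernames
    with a failure ratio >= min_fail_ratio. Thresholds are illustrative."""
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)
    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            fails = sum(1 for e in win if e.status != 200)
            if (len(win) >= min_attempts and len(users) >= min_users
                    and fails / len(win) >= min_fail_ratio):
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users),
                               "fail_ratio": round(fails / len(win), 2),
                               "successes": len(win) - fails}  # successes inside a burst = likely takeovers
                break
    return flagged


def analyse(events: List[LoginEvent]) -> dict:
    return {"signature_hits": sorted({e.ip for e in events if matches_signature(e)}),
            "behavioral": behavioral_flags(events)}


def constructed_events() -> List[LoginEvent]:
    """Constructed sample traffic (not real logs)."""
    evs: List[LoginEvent] = []
    # Source A: matches the header fingerprint and fires one attempt per second;
    # one of twelve attempts succeeds, i.e. a reused password was valid here.
    for i in range(12):
        evs.append(LoginEvent(1000 + i, "203.0.113.7", f"user{i}@example.com",
                              200 if i == 7 else 401, "PLACEHOLDER-TOOL-UA/1.0", None))
    # Source B: browser-like headers (the signature misses it), but ten different
    # usernames in 40 seconds, all failing.
    for i in range(10):
        evs.append(LoginEvent(2000 + 4 * i, "203.0.113.8", f"acct{i}@example.com",
                              401, "Mozilla/5.0", "en-US"))
    # Source C: a real person mistyping twice and then logging in.
    evs += [LoginEvent(3000, "198.51.100.20", "carol", 401, "Mozilla/5.0", "en-US"),
            LoginEvent(3010, "198.51.100.20", "carol", 401, "Mozilla/5.0", "en-US"),
            LoginEvent(3020, "198.51.100.20", "carol", 200, "Mozilla/5.0", "en-US")]
    return evs


if __name__ == "__main__":
    for key, value in analyse(constructed_events()).items():
        print(key, value)
```

Running it flags 203.0.113.7 on both rules and 203.0.113.8 on the behavioral rule only, while the legitimate user is left alone. That gap is the point: a header signature lifted from a config is cheap and precise but breaks as soon as the config changes, so it should sit alongside rate- and distinct-username-based behavioral rules; and any success inside a flagged burst is the account to treat as a probable takeover.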

Conclusion

The cat and mouse game of defending against hackers trying to break into online accounts is made easier for the bad guys due to the availability of innovative and easy to use credential abuse tools like Cr3d0v3r, Sentry MBA, and SNIPR, poor Internet hygiene by end users, and the lack of sufficient defenses on web applications. However, there are several things everyone can do to help win the battle, from the end users, to the websites they visit, and to the companies like Akamai that protect these websites from intrusion. Please see the Akamai white paper "Hidden in Plain Sight: The Tools and Resources Used in Credential Abuse Attacks" for more details about this topic.
