
The Growing Threat of Account Takeover Attacks
- Netacea, Agentless Bot Management
Why should you care about bot traffic? A new approach to account takeover threats
As featured at the Future of Cyber Security event in Manchester, UK.
Bots have been around for years, so why call them the “future”? Surely there are more innovative or emerging threats to talk about? I say not. The use of bots within cyber-attacks has become significantly more sophisticated over the last 18 to 24 months in particular, and bots now represent a much bigger threat than they have previously. I hope to shine a spotlight on that and explain why I believe a new approach, a new defensive layer, is urgently needed.
It was in 2016 that automated traffic overtook human traffic as the larger share of total internet traffic. And whilst there are some good bots operating out there, bad bots, automated traffic with malicious intent, are the category growing fastest every year.
The importance of preventing account takeovers
Data breaches are now very much your problem. By that I mean you as an individual, and you as the company you work for and represent.
Let me explain. I have a Marriott Starwood Alliance account, I have Twitter, Facebook and Instagram accounts, and I have a MyFitnessPal account, although admittedly I don’t log into that one quite as often as my wife would like me to.
I log in to all of these accounts in the same way: a username, which is an email address, and a password, which is a strong, secure password, because I work in security. Except it doesn’t matter how strong the password is, because it has been stolen along with my matching username.
We all know we should be using a password manager to improve our security online. But the majority of the population will never do it; they will rely on you and your business to protect their PII, so these breaches are now very much your problem.
Just a few weeks into 2019, Troy Hunt announced that he had found 770 million matching username and password pairs available to buy online. 140 million of those he had never seen before, so they were fresh from the latest breaches towards the end of last year. If your details weren’t already available to attackers, the probability that they are keeps rising every month. This problem is getting worse.
The basic law of supply and demand dictates that when supply is high, the price comes down, and that is exactly what is happening. The low cost of obtaining stolen credentials, combined with the ease of downloading off-the-shelf bots and tools such as STORM or Sentry MBA, means that this form of attack is now mainstream, and the majority of companies have been completely blindsided by the speed and ferocity of the account takeover threat.
This is the form of attack Troy describes. It is called credential stuffing: stolen username and password pairs from one breach are replayed, automatically and at scale, against the login pages of other sites in the expectation that a useful fraction of people reused the same password. Your business must have a conscious plan to mitigate it.
Some third parties have noticed the rise and are writing about this emerging threat, but in truth I expect 2019 to see a lot more articles and recommendations on it.
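One concrete piece of such a plan is to refuse passwords that already appear in a breach corpus at registration and password change, so that a stolen pair is useless against you even when the user reused it. The following is an added example, not code from the article or from Netacea: it follows the shape of the Pwned Passwords range API (GET https://api.pwnedpasswords.com/range/ followed by the first five hex characters of SHA-1(password); the response is one `<remaining 35 hex chars>:<count>` line per matching hash), but the network call is replaced by a constructed response table so the code runs offline, and the counts in that table are made up.

```python
"""Screening a submitted password against a breach corpus with a k-anonymity range query.

Added example; the network call is stubbed with a constructed table (counts are made up).
"""
import hashlib


def split_hash(password: str):
    """Only the 5-character prefix ever leaves the host; the suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the range response for prefix 5BAA6, which is the
# prefix of SHA-1("password"). A real response has hundreds of such lines.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "0ABCDEF0123456789ABCDEF0123456789AB:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1E2AB5A0D3F1B6F7C4A9C0B1D2E3F4A5B6C:12",
    ]),
}


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS GET. A real client requests /range/{prefix}; sending the
    Add-Padding: true header makes response sizes uniform so length does not leak the prefix."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str) -> int:
    """Number of times the password was seen in the corpus, 0 if absent."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


def accept_password(password: str, max_breach_count: int = 0) -> bool:
    """Registration / password-change policy: refuse anything already seen in a breach."""
    return breach_count(password) <= max_breach_count


if __name__ == "__main__":
    for candidate in ("password", "a-long-phrase-nobody-has-leaked-2019"):
        print(candidate, "->", breach_count(candidate), "accepted" if accept_password(candidate) else "rejected")
```

Because the server only ever sees a 5-character hash prefix, the check does not disclose the password, which is what makes it acceptable to run against every registration and login rather than only during a breach investigation.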
The rise of sophisticated bots
The use of bots in such attacks has evolved dramatically over time. The ease of obtaining credentials and off-the-shelf tools meant that it was no longer the domain of the highly skilled few. Then bot writers programmed their bots to closely mimic human behaviours to avoid detection. For example, we’ve seen bots generate fake mouse movements just as a human would, because the absence of mouse movements (or erratic mouse movements) was historically a signal that traffic was not legitimate. These are known as imitation attacks.
What we’ve seen most recently is that bots adapt in real time: if they are blocked they simply mutate, rotate IP address and come back in a different form, and they keep repeating this until they are successful. So how do we stop them? I’ll come to that in a moment, but first I’d like to look at what it is they are after.
Intent behind bot traffic
This post doesn’t come close to capturing all of the intent behind bot traffic, but it is a sample of the problem we see. In truth there are too many use cases to fit into one post, and every sector we speak to seems to have subtly different bot challenges.
For example, we work a lot with gaming and gambling companies, and when we first began working with them we assumed that customer account takeover was the main goal. To be clear, it was, and bots were swarming around their customers’ accounts. Just think: people treat gambling accounts like mini bank accounts, often leaving balances in them over long periods for ease of access.
Whilst account takeover was the main target, the industry faced many other bot problems that we have helped it address.
Basic bot detection is not enough
What we have seen is that when first attacked, people assume it is a DDoS attack, and they can be forgiven for this because in truth it has many of the characteristics of a denial of service. So they turn to their DDoS mitigation vendor, which tends to be a Web Application Firewall such as F5 or Imperva, or a CDN provider such as Akamai or Cloudflare. However, this isn’t DDoS, and whilst many WAFs and CDNs have bot management plug-in modules, they have not been able to eradicate the threat.
A bot is still a bot
These solutions will deal with basic bots, and therefore show that they are stopping bots and are worth buying, but their approaches, which include serving CAPTCHAs, IP whitelisting and static rules, are a long way from stopping the latest bots, which dance around these controls. A rate limit keyed on source IP, for instance, never fires against a run that spreads a handful of attempts across thousands of rotating proxies, and tightening the threshold until it does fire starts locking out real customers who mistype a password.
Many companies are realizing the limitations of these approaches and are turning to a dedicated bot management solution. These solutions all have certain approaches in common, including an over-reliance on JavaScript and digital fingerprinting, and there are problems with this. No matter how much a vendor tells you that its JavaScript is obfuscated, it can be cached and reverse engineered to the bot writers’ advantage. What we have seen is that, out of the box, JavaScript-based approaches can have a great impact, but they block less over time as bots mutate to get around them. Yes, the vendor can then update the script and block again, but this constant race to update defences takes us back to the dark ages of anti-virus signatures, playing catch-up with known threats. This is surely not the answer.
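To make the credential stuffing described above and the limits of static per-IP rules concrete, here is an added example (not Netacea’s code or rules): it builds a small constructed login log, with three humans and one stuffing run spread over twelve proxies, then runs two detectors over it. The first is the per-IP failed-login rate limit a WAF typically ships; the second aggregates across every source IP by a client fingerprint (here just the User-Agent, which is trivially spoofable; a real deployment would use a richer fingerprint and more features) and looks at the shape of the traffic: how many distinct accounts are being tried, how often attempts fail, and how regular the timing is. All addresses are from RFC 5737 test ranges, the usernames are invented, and the thresholds are illustrative.

```python
"""Credential stuffing in login logs: per-IP rate limit vs. signals aggregated across IPs.

Added example; the log lines are constructed here, and the thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) '
    r'status=(?P<status>\d{3}) ua="(?P<ua>[^"]*)"$'
)
BOT_UA = "Mozilla/5.0 (Windows NT 6.1) Chrome/70"  # the stuffing tool's fixed User-Agent


def _line(ts, ip, user, status, ua):
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return f'{stamp} {ip} POST /login user={user} status={status} ua="{ua}"'


def build_sample_log():
    """Constructed traffic: three humans plus one credential-stuffing run."""
    t0 = datetime(2019, 2, 3, 10, 0, 0)
    lines = []
    humans = [  # (ip, user, statuses, user-agent, seconds after t0 for each attempt)
        ("203.0.113.10", "alice", [401, 200], "Mozilla/5.0 (Windows NT 10.0) Chrome/71", [0.0, 7.3]),
        ("203.0.113.11", "bob", [200], "Mozilla/5.0 (Macintosh) Safari/12", [2.1]),
        ("203.0.113.12", "carol", [401, 401, 200], "Mozilla/5.0 (X11; Linux) Firefox/64", [1.0, 13.4, 29.8]),
    ]
    for ip, user, statuses, ua, offsets in humans:
        for status, off in zip(statuses, offsets):
            lines.append(_line(t0 + timedelta(seconds=off), ip, user, status, ua))
    # The stuffing run: one tool, 12 rotating proxies, two stolen pairs per proxy,
    # every attempt against a different account, fired on a metronome every 0.5 s.
    for i in range(24):
        ip = f"198.51.100.{i // 2 + 1}"
        lines.append(_line(t0 + timedelta(seconds=0.5 * i), ip, f"victim{i:02d}", 401, BOT_UA))
    return "\n".join(lines)


def parse_log(text):
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a login attempt; ignore
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        e["failed"] = e["status"] != "200"
        events.append(e)
    return events


def per_ip_rate_limit(events, max_failures=5, window=timedelta(minutes=5)):
    """The static rule a WAF ships: block a source IP after N failed logins in a window."""
    blocked, recent = set(), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["failed"]:
            continue
        recent[e["ip"]] = [t for t in recent[e["ip"]] if e["ts"] - t <= window] + [e["ts"]]
        if len(recent[e["ip"]]) >= max_failures:
            blocked.add(e["ip"])
    return blocked


def campaign_signals(events):
    """Aggregate per client fingerprint (here just the User-Agent) across every source IP."""
    groups = defaultdict(list)
    for e in events:
        groups[e["ua"]].append(e)
    signals = {}
    for ua, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        signals[ua] = {
            "attempts": len(evs),
            "distinct_ips": len({e["ip"] for e in evs}),
            "distinct_users": len({e["user"] for e in evs}),
            "fail_ratio": sum(e["failed"] for e in evs) / len(evs),
            "gap_stdev": pstdev(gaps) if len(gaps) > 1 else None,  # timing regularity
        }
    return signals


def detect_campaigns(events, min_users=10, min_fail_ratio=0.9, max_gap_stdev=0.05):
    """Flag fingerprints that spray many accounts, almost always fail, and run on a metronome."""
    flagged = set()
    for ua, s in campaign_signals(events).items():
        spraying = s["distinct_users"] >= min_users and s["fail_ratio"] >= min_fail_ratio
        metronome = s["gap_stdev"] is not None and s["gap_stdev"] <= max_gap_stdev
        if spraying and metronome:
            flagged.add(ua)
    return flagged


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("per-IP rule (5 failures) blocks:", per_ip_rate_limit(evs) or "nothing")
    print("per-IP rule (2 failures) blocks:", sorted(per_ip_rate_limit(evs, max_failures=2)))
    for ua, s in campaign_signals(evs).items():
        print(f"{ua!r}: {s}")
    print("aggregate rule flags:", detect_campaigns(evs))
```

With the default threshold the per-IP rule blocks nothing, because no proxy makes more than two attempts; lowering it to two catches all twelve proxies but also blocks carol, a real customer who mistyped her password twice. The aggregate view sees the same run as one client trying 24 different accounts from 12 addresses with a 100% failure rate and zero timing jitter, which no human session looks like, and flags only that fingerprint.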
So what is the answer?
Block bots, not humans
We believe we have a different mindset and a different approach to the problem.
It’s true that all of the approaches I have mentioned (CAPTCHA, IP whitelisting, rate limiting, JavaScript, digital fingerprinting and so on) form part of our solution. We take a multi-layered approach, which is common best practice. The difference is that at the heart of it is an approach and architecture built around machine learning and behavioural analysis.
This data-centric approach gives us the ability to test thousands of features in real time rather than hundreds, with models and algorithms trained across different verticals that can be customized to match a client’s individual risk appetite if needed.
Using behavioural analysis alongside the other signals is how we quickly and accurately tag whether a request comes from a bot or not. No matter how well they try to imitate humans, a bot will always act like a bot and reveal itself.
Back at our booth, we ran a survey to understand how concerned the event attendees are about suffering an account takeover attack and how important a dedicated bot mitigation strategy is to their organization in 2019. The results confirm what we see on a daily basis: 79% of respondents are either concerned or very concerned about suffering an attack, and 37% rate a bot mitigation strategy as very important to their cybersecurity investment in 2019.
If this is a concern for you, or if you have experienced account takeover attempts, let us show you how our approach to account takeover prevention can work for your business.