Imperva recently detected and mitigated the largest – and most concentrated – series of brute force ATO (account takeover) attacks in its history. Over the course of 60 hours from midnight on October 28, our ATO team’s monitoring systems detected more than 44 million ATO attempts on the login page of a particular online banking service. We began blocking the attack within 15 minutes of learning of its existence.
In simple terms, ATO attacks use illicitly obtained or guessed credentials to gain unauthorised access to online accounts. The most common technique is credential stuffing, in which username/password pairs from leaked databases are replayed against a login page at scale; it is often combined with plain brute force and password guessing against individual accounts. Once inside, attackers can carry out malicious actions such as data theft, identity fraud or fraudulent e-commerce transactions.
Comparing the activity during the attack to a typical 24-hour period shows the sheer scale of the malicious activity.
| | Typical 24-hour period | 24 hours during attack |
|---|---|---|
| Number of login attempts | 606,000 | 18,900,000 |
| Number of suspected attacks (% of login attempts) | 3,300 (0.5%) | 18,700,000 (99%) |
| Number of mitigated attacks (% of suspected attacks) | 1,700 (52%) | 18,600,000 (99%) |
The solid blue portions of the following charts further illustrate the size of the attack, and the extent to which Imperva was able to mitigate its effects.
This first chart shows the login activity over a normal 24-hour period. Of 606,000 login attempts, 3,300 – a negligible 0.5% – were suspected attacks. 1,700 of these were mitigated. The second shows the login activity over 24 hours during the attack. 18.7 million – an incredible 99% – of the 18.9 million login attempts shown were suspected attacks, 18.6 million – 99% – of which were mitigated.
During this attack, a total of over 44.5 million login requests were made, with the rate peaking at around 12,000 requests per second (RPS); averaged over the whole 60 hours, that is roughly 200 RPS. Only one percent of these login requests were found to be legitimate. 98 percent were identified as brute force ATO attempts, in which automated software tries to discover an account's credentials through trial and error.
According to our analysis, 99 percent of the ATO traffic originated from the US. This is probably because the bank and its customers are US-based, but it also suggests the use of US proxies or a US-based botnet, since the attackers had every reason to blend in with the expected geography of legitimate logins. Interestingly, the majority (98%) of the attacks were performed by just a third (34%) of the 2,799 attacking IPs.
We also found that, of the 464,886 credentials used in the attack, 2,959 were registered with Imperva as originating from known leaked databases. Our database of leaked credentials includes more than a billion records and continues to grow. It is not exhaustive, however, and because leaked lists tend to overlap, the low match rate suggests the attackers used a list over which we have only partial visibility. It is also possible that they combined several techniques: credential stuffing, brute force, and password guessing. This, coupled with the fact that the requests came from a relatively small number of sources, led us to conclude that the attack was planned. Armed with prior knowledge of publicly available leaked credential stashes, and operating from distributed resources, the attackers set out to gain access to as many legitimate accounts as possible in a single attack cycle.
Fortunately, the attacks were identified by Imperva's core ATO detection mechanism, using signals defined within its risk engine, such as the login ratio per device, the number of distinct usernames seen from a source, and the number of failed logins.
Mitigation was then applied based on the severity of the attack and the customer's predefined mitigation threshold. Imperva assigns a risk level to every attack based on the information accumulated about a specific entity (for example an IP address or device) at any given time.
That level of risk is always evolving, so the mitigation evolves with it. Customers can set different actions for different levels of risk: more stringent mitigation, such as blocking a login attempt, for higher risk levels, and lower-level interventions, such as a CAPTCHA challenge, for lower risks. In this case, a high level of risk was assigned to the attacking entities, rendering their login attempts ineffective.
The size and scale of this attack may be indicative of an emerging trend. Back in July, for example, we published a blog on the largest brute force/DDoS attack we’d ever seen, led by a botnet coordinating 402,000 different IPs, which lasted for 13 days and directed a peak flow of 292,000 RPS (Requests Per Second).
Not long after this, another bank reported an increase in complaints from its customers about account lockouts and password resets over Labor Day weekend. The bank was under attack from more than 50,000 unique IPs, with almost 70,000 ATO attempts being made every five minutes at the attack's peak. Fortunately, we were able to minimize the damage, mitigating more than five million requests and ensuring no further user logins were compromised once the attack had been detected.
Such a high concentration of requests meant that, had they reached the bank's server, they would have caused serious latency issues, possibly even a denial of service. What's more, had this been a cloud service with auto-scale policies in place, the spike in logins would have resulted in a significant increase in the bank's monthly bill. But, by detecting abnormal login behavior from suspicious devices, and then assigning a high level of risk to the predominantly malicious login requests, Imperva Account Takeover Protection ensured that almost all of them were mitigated, and the attack was ultimately unsuccessful.
There are several steps that both users and vendors can take to minimize the risk of ATO attacks such as that discovered by Imperva.
Users, for example, should avoid reusing credentials across sites and should enable multi-factor authentication (MFA) tools such as Duo wherever possible, while software vendors and service providers should offer those MFA tools to their users as a matter of course.
Increased visibility over user behavior gives vendors greater insight into potential ATO attempts. Tracking changes in login access patterns (number of attempts, time of day, success ratio, and the ratio of logins to devices) helps them identify anomalies. At the same time, applying threat intelligence on factors such as IP or credential reputation lets them make better decisions about legitimate versus malicious traffic.
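The following is an added example, not Imperva's code, that puts together the two ideas above: the risk-engine signals named earlier (login ratio per device, distinct usernames, failed logins) and the login-pattern and reputation checks recommended here, with a per-customer policy that maps risk level to allow, CAPTCHA or block. The events, the leaked-credential list, the IP reputation feed, the scoring weights and the thresholds are all constructed for illustration and are not the values any product uses.

```python
"""Toy ATO risk engine: per-source login statistics -> risk level -> action.
All inputs, weights and thresholds below are invented for illustration.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass, field

NOW = 1_700_000_000  # constructed "current time", epoch seconds


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # epoch seconds
    ip: str
    device_id: str   # e.g. a device fingerprint or cookie seen by the proxy
    username: str
    password: str    # visible to an inline proxy; only its fingerprint is kept
    success: bool


def cred_fingerprint(username: str, password: str) -> str:
    """Hash the username:password pair so a leaked list can be matched
    against live traffic without retaining plaintext passwords."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


# Constructed stand-in for a leaked-credential database.
LEAKED_CREDENTIALS = {
    cred_fingerprint(u, p)
    for u, p in [("alice", "Summer2019!"), ("bob", "password1"), ("carol", "letmein")]
}
BAD_IPS = {"198.51.100.7"}  # constructed IP-reputation feed

# Per-customer policy: which action each risk level triggers.
DEFAULT_POLICY = {"LOW": "allow", "MEDIUM": "captcha", "HIGH": "block"}


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set[str] = field(default_factory=set)
    devices: set[str] = field(default_factory=set)
    leaked_hits: int = 0

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def aggregate(events: list[LoginEvent], now: int, window: int = 300) -> dict[str, SourceStats]:
    """Accumulate per-source-IP statistics over the last `window` seconds."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for e in events:
        if now - e.ts > window:
            continue
        s = stats[e.ip]
        s.attempts += 1
        s.failures += 0 if e.success else 1
        s.usernames.add(e.username)
        s.devices.add(e.device_id)
        if cred_fingerprint(e.username, e.password) in LEAKED_CREDENTIALS:
            s.leaked_hits += 1
    return stats


def risk_score(ip: str, s: SourceStats) -> tuple[int, list[str]]:
    """Score one source; weights are illustrative, not calibrated."""
    score, reasons = 0, []
    if s.attempts >= 50:
        score += 2; reasons.append("high attempt volume")
    if s.attempts >= 10 and s.failure_ratio >= 0.9:
        score += 2; reasons.append("almost all logins fail")
    if len(s.usernames) >= 20:
        score += 2; reasons.append("many distinct usernames from one source")
    if s.devices and s.attempts / len(s.devices) >= 20:
        score += 1; reasons.append("high login ratio per device")
    if s.leaked_hits:
        score += 1; reasons.append(f"{s.leaked_hits} known-leaked credential pair(s)")
    if ip in BAD_IPS:
        score += 1; reasons.append("IP on reputation list")
    return score, reasons


def risk_level(score: int) -> str:
    return "HIGH" if score >= 4 else "MEDIUM" if score >= 2 else "LOW"


def decide(events: list[LoginEvent], now: int, policy=DEFAULT_POLICY, window: int = 300):
    """Map every source IP seen in the window to (level, action, reasons)."""
    out = {}
    for ip, s in aggregate(events, now, window).items():
        score, reasons = risk_score(ip, s)
        level = risk_level(score)
        out[ip] = (level, policy[level], reasons)
    return out


def constructed_events() -> list[LoginEvent]:
    """Constructed sample traffic: one legitimate user, one noisy-but-
    ambiguous source, and one credential-stuffing source."""
    ev = [  # legitimate user: a typo, then success (her password is on the leaked list)
        LoginEvent(NOW - 40, "203.0.113.5", "dev-A", "alice", "Summer2019", False),
        LoginEvent(NOW - 20, "203.0.113.5", "dev-A", "alice", "Summer2019!", True),
    ]
    for i in range(12):  # ambiguous: a few accounts, mostly failing, two devices
        ev.append(LoginEvent(NOW - 120 + i * 5, "192.0.2.10", f"dev-C{i % 2}",
                             f"staff{i % 3}", f"guess{i}", i == 11))
    for i in range(58):  # stuffing: one device cycling through many usernames
        ev.append(LoginEvent(NOW - 290 + i * 4, "198.51.100.7", "dev-B",
                             f"user{i:02d}", f"Pass{i}", False))
    ev.append(LoginEvent(NOW - 60, "198.51.100.7", "dev-B", "bob", "password1", False))
    ev.append(LoginEvent(NOW - 55, "198.51.100.7", "dev-B", "carol", "letmein", True))
    return ev


if __name__ == "__main__":
    for ip, (level, action, reasons) in decide(constructed_events(), NOW).items():
        print(f"{ip:15} {level:6} -> {action:7} {'; '.join(reasons) or 'no signals'}")
```

Two details are worth noting. The legitimate user's successful login matches the leaked list but stays at LOW risk, which is the right call for the login itself: the reputation signal should feed a forced password reset rather than a block. And the stuffing source would still be blocked even if its IP were not on the reputation feed, because the behavioural signals alone (volume, failure ratio, username spread, login ratio per device) push it over the HIGH threshold; reputation data sharpens the decision but is not what the detection rests on.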
All of this, and more, is included in Imperva's Advanced Bot Protection: ATO. Without it, mitigating these attacks would have taken significantly longer, resulting in more accounts being accessed and used for nefarious purposes. It would also have been largely impossible to analyse the attacks at this level of detail, which gives us valuable insight into the nature of such attacks now and in the future.
ATO Protection as part of Advanced Bot Protection is fully integrated in our single-stack cloud application security solution which also includes WAF, DDoS protection and API security, delivered via our worldwide CDN. Every customer onboarded to the service is constantly monitored for anomalies and irregularities in its data. Not only does this allow us to protect that customer’s assets, but it helps us continue to improve our core ATO detecting mechanisms.
For broader protection against bots, including Account Takeover attacks, Imperva offers its Advanced Bot Protection solution acquired from Distil Networks.