Volumetric vs. Low and Slow Account Takeover Attacks

Every Login Page Has a Bad Bot Story

In our new Threat Research report, The Anatomy of Account Takeover Attacks, we see bad bot traffic on 100% of all monitored login pages. This indicates that every website is being hit by account takeover attempts.

But when you look at the characteristics of those attacks, a subtle difference is evident. Account takeover (ATO) attacks are evenly split into two groups. Using the definitions found in the OWASP Automated Threat Handbook, half were targeted Volumetric Credential Stuffing attacks and half were of the Low and Slow Credential Cracking and Credential Stuffing variety.

The key differences are:

  • Volumetric Credential Stuffing - Bad bot requests are attempted in bursts. Easily identifiable, they typically look like a spike of requests above the baseline.

  • Low and Slow Credential Cracking and Credential Stuffing - Bad bot requests are consistent, continuous login requests evenly distributed 24x7. These attacks are slow paced and don’t have spikes, so they’re difficult to spot.

 

How do you know if you are the victim of account takeover attacks? We recommend you monitor for failed login attempts. For “volumetric” attacks, define your failed login attempt baseline, then monitor for anomalies or spikes. Set up alerts so you’re automatically notified if any occur. Advanced “low and slow” attacks don’t trigger user or session-level alerts, so be sure to set global thresholds.
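The two checks described above, as an added example that is not taken from the report: a spike test against a failed-login baseline, and a global daily threshold that still fires when no single source misbehaves. The hourly counts, source names and thresholds (`k=5.0`, `ratio=1.5`, `limit=5`) are constructed assumptions.

```python
from collections import Counter
from statistics import median

# Constructed sample: failed logins per hour on a normal day (hour 0..23).
BASELINE = [4, 3, 2, 2, 3, 5, 8, 12, 15, 14, 13, 12,
            14, 13, 12, 11, 12, 14, 13, 10, 8, 6, 5, 4]

def spike_hours(hourly, baseline=BASELINE, k=5.0):
    """Volumetric check: hours above median + k * MAD of the baseline."""
    med = median(baseline)
    mad = median(abs(n - med) for n in baseline) or 1.0
    return [hour for hour, n in enumerate(hourly) if n > med + k * mad]

def noisy_sources(events, limit=5):
    """Session-level check: sources with more than `limit` failures in one hour."""
    per_hour = Counter(events)  # events are (hour, source) pairs
    return sorted({src for (_, src), n in per_hour.items() if n > limit})

def global_threshold_exceeded(hourly, baseline=BASELINE, ratio=1.5):
    """Global check: the whole day's failures against the baseline day's total."""
    return sum(hourly) > ratio * sum(baseline)

def classify(hourly):
    if spike_hours(hourly):
        return "volumetric"
    if global_threshold_exceeded(hourly):
        return "low-and-slow"
    return "normal"

# Constructed volumetric day: a burst from one source in hours 2 and 3.
burst_events = [(2, "src-A")] * 300 + [(3, "src-A")] * 450
burst_day = list(BASELINE)
burst_day[2] += 300
burst_day[3] += 450

# Constructed low-and-slow day: 9 extra failures every hour, each from a
# different source, so no per-source or per-hour limit is ever crossed.
slow_events = [(h, f"src-{h}-{i}") for h in range(24) for i in range(9)]
slow_day = [n + 9 for n in BASELINE]

if __name__ == "__main__":
    for name, day, events in [("burst", burst_day, burst_events),
                              ("slow", slow_day, slow_events),
                              ("normal", BASELINE, [])]:
        print(name, classify(day), spike_hours(day), noisy_sources(events))
```

On the constructed slow day neither the spike test nor the per-source limit fires; only the daily total, roughly double the baseline, exposes it.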

The report's deep analysis includes:

  • Patterns found in ATO attacks, and the one day a week you must be on high alert
  • The most popular tools used to commit these attacks, and their Achilles' heels
  • The contrasts between simple, moderate and sophisticated attacks, and how to detect and prevent each type of attack

Download your copy of The Anatomy of Account Takeover Attacks.

About the Author

Edward Roberts

Edward Roberts leads Product Marketing and has over twenty years' experience in technology marketing. Previously he worked for Juniper Networks, heading up Product Marketing for the Counter Security team. Before that he ran marketing for Mykonos Software, a web security company.
