Every Login Page Has a Bad Bot Story
In our new Threat Research report, The Anatomy of Account Takeover Attacks, we see bad bot traffic on 100% of all monitored login pages. This indicates that every website is being hit by account takeover attempts.
But when you look at the characteristics of those attacks, a subtle difference is evident. Account takeover (ATO) attacks are evenly split into two groups. Using the definitions in the OWASP Automated Threat Handbook, half were targeted Volumetric Credential Stuffing attacks and half were the Low and Slow Credential Cracking and Credential Stuffing variety.
The key differences are:
- Volumetric Credential Stuffing - Bad bot requests are attempted in bursts. Easily identifiable, they typically look like a spike of requests above the baseline.
- Low and Slow Credential Cracking and Credential Stuffing - Bad bot requests are consistent, continuous login requests evenly distributed 24x7. These attacks are slow-paced and don’t have spikes, so they’re difficult to spot.
How do you know if you are the victim of account takeover attacks? We recommend you monitor for failed login attempts. For “volumetric” attacks, define your failed login attempt baseline, then monitor for anomalies or spikes. Set up alerts so you’re automatically notified if any occur. Advanced “low and slow” attacks don’t trigger user- or session-level alerts, so be sure to set global thresholds.
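The two checks recommended above, sketched as an added example (not code from the report): a baseline-relative spike detector for volumetric attacks and a site-wide threshold for low and slow ones. The event layout, the median + k*MAD baseline, and the threshold values are assumptions to tune against your own traffic; the sample data is constructed.

```python
from statistics import median

def hourly_failures(events, hours):
    """Failed logins per hour. Each event is (hour, username, succeeded)."""
    counts = [0] * hours
    for hour, _user, ok in events:
        if not ok:
            counts[hour] += 1
    return counts

def spike_hours(counts, baseline_hours, k=5.0):
    """Volumetric check: hours above median + k*MAD of the baseline period."""
    base = counts[:baseline_hours]
    med = median(base)
    mad = median(abs(c - med) for c in base) or 1.0  # avoid a zero-width band
    return [h for h in range(baseline_hours, len(counts)) if counts[h] > med + k * mad]

def global_alert(events, max_fail_ratio=0.2, min_users=50):
    """Low-and-slow check: site-wide failure ratio and distinct accounts failing.
    Both thresholds are assumed values, not figures from the report."""
    failed = [e for e in events if not e[2]]
    ratio = len(failed) / max(len(events), 1)
    return ratio > max_fail_ratio and len({e[1] for e in failed}) >= min_users

def constructed_traffic(hours, burst_hour=None, slow_per_hour=0):
    """Constructed sample: 100 successes and 5 typo failures per hour, plus bots."""
    events = []
    for h in range(hours):
        events += [(h, f"user{i}", True) for i in range(100)]
        events += [(h, f"user{i}", False) for i in range(5)]
        # Low and slow: a steady trickle, one guess per account, every hour
        events += [(h, f"victim{h}-{i}", False) for i in range(slow_per_hour)]
        if h == burst_hour:  # Volumetric: one burst far above the baseline
            events += [(h, f"victim{i}", False) for i in range(400)]
    return events

burst = constructed_traffic(48, burst_hour=30)
slow = constructed_traffic(48, slow_per_hour=30)

if __name__ == "__main__":
    print("burst spikes:", spike_hours(hourly_failures(burst, 48), 24))
    print("slow spikes: ", spike_hours(hourly_failures(slow, 48), 24))
    print("slow global: ", global_alert(slow))
```

Because the steady trickle is already present during the baseline period, the spike check stays silent on it; only the site-wide check flags it.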
The report includes in-depth analysis of:
- Patterns found in ATO attacks, and the one day a week you must be on high alert
- The most popular tools used to commit these attacks, and their Achilles' heels
- The contrasts between simple, moderate and sophisticated attacks, and how to detect and prevent each type of attack
Download your copy of The Anatomy of Account Takeover Attacks.
About the Author: Edward Roberts