Leaf-tailed geckos know their chance of survival goes way up, if they can’t be found. They have perfected the art of blending in, making themselves hard to spot amongst the flora and fauna of their home in Madagascar.
Attackers are much the same. They know that if they can blend into normal traffic patterns, they have a better chance of not just surviving, but thriving. It’s why they target your users – if they can takeover a user’s account, they can camouflage all their activities under that user’s identity. They can login and operate undetected, which means they can do almost anything:
Gartner estimates online fraud costs organizations over $5 billion. The first step to identifying and stopping these attacks is understanding how they are perpetrated. We’ve uncovered four tactics attackers are increasingly using to try to fly under the radar and increase the success rates of their account takeover attacks.
This is the first in a four-part blog series that will look at each of these tactics and provide tips to mitigate the risks they introduce.
Attackers are spreading out their activity, using large number of IPs to disguise who they are and what they are doing. In essence, they appear to come from everywhere, so they are noticed by no one.
Watch the below quick 1-minute video to see an example of this type of attack.
Typically, one IP address corresponds with one user. Sometimes, an IP can be traced down to the street-level of a particular user. Thanks to IPv6 and the proliferation of cloud services, IPs are easier and cheaper than ever to get, enabling an attacker to use many different IPs, in many different locations, to look like many different users.
These IPs come from a couple of sources:
For example, a site that usually has 2000 to 5000 events an hour (blue trend lines in the graph on the right), will notice if all of a sudden there are 900K login attempts (red trend lines in the graph on the right), coming from two IPs and two datacenters. This obvious spike is easy to identify and shut down, using:
But, when an attacker spreads out their traffic, such as the attack depicted on the right, it is much more difficult to spot. This attack used 60K IPs in 210 countries to complete 700K login attempts over 10 hours. Even though the site saw upticks in failed logins over the course of the attack, three failed login attempts per hour, per IP didn’t raise much suspicion in isolation. Normal rate limiting and blacklisting mechanisms didn’t have any affect because the attack was spread over so many unique IPs – many of which were being used for the first and last time. It was only when the site looked in aggregate at all the traffic they were able to spot what was happening. Ultimately, the attacker got more than 700 validated credentials, which they can use to perpetrate an attack.
Because attackers are distributing their activity over thousands of IPs located around the world, they are much harder to spot and harder to stop with traditional rate limiting and blacklisting techniques. It takes finesse and sophisticated technologies (because it’s not practical to rely on manual intervention) to prevent. Look for solutions that can:
To learn more about this account takeover tactic and several others that we uncovered, download our ebook “Evolution of Attacks on Online Users.”
For more information about Castle's customer identity and access management capabilities or to start a free trial, please go to https://castle.io/.