Reputation is everything. A good reputation garners respect – it can open doors and provide a level of immediate trust that makes moving forward easier – while a bad one does the opposite. A good reputation is something that is earned, taking time and effort to build.
Recently, we’ve seen cyber attackers commit themselves to this same effort, working hard to build a good reputation with online sites and services in the hope that it will let them get away with their attack objectives.
This is the third tactic in our four-part blog series on account takeover attack methods and mitigation capabilities.
Attackers have started registering fake ‘canary’ accounts to build up the reputation of the IPs they plan to use in their attacks. They use these accounts to log in and emulate normal activity for weeks, even months, before an attack. This establishes the accounts as ‘good’ and legitimate, in the hope that when they are used during an attack they don’t raise too much suspicion.
During the course of an attack, these accounts give an attacker a window into the site or service they are targeting. They log in with these accounts to keep their reputation good, and use them to better understand how the site’s defenses work. Based on what they learn, they can adjust the attack while it is in progress. For instance, these accounts help them:
We’ve seen these canary accounts improve the overall success rate of account takeover attacks from 0.1% to as high as 20-30%. For example, the graph below shows the traffic pattern of an attacker using fake accounts. The blue bars represent the number of login requests per user, while the green and red lines indicate successful and failed logins, respectively. During the attack the attacker uses their fake accounts to log in around 50 times per account each hour, as seen in the blue bars. Halfway into the attack, the attacker tries to boost their reputation further by using each of the accounts to log in up to 300 times instead. By raising the ratio of successful to failed logins to a more normal level for a couple of hours, the attacker hopes to build enough reputation to avoid getting their IPs blacklisted, so they can continue testing credentials at a higher rate later.
Watch a quick 1-minute video that shows how prevalent the use of fake accounts can be in an account takeover attack. If Castle hadn’t been protecting the site, this attack, which used tens of thousands of IPs from almost 5000 ISPs in over 200 countries, would have successfully breached the credentials of more than 1600 users, allowing the attackers to steal sensitive data, transfer money, or disrupt services.
The key to protecting your site or service from attackers using fake ‘canary’ accounts is to identify and block them. Look for solutions that:
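The two signals described above (a canary account logging in far more often than any real user would, and an IP whose successful logins all come from a handful of accounts while its failures are spread across many distinct accounts) can be checked directly in login telemetry. The following Python is an added illustration and is not Castle’s code or part of the original post; the log events, the IP addresses, the account names and the thresholds are all constructed for the example. It scores IP reputation by distinct accounts rather than by raw request counts, which is what makes it hard for an attacker to inflate the successful/failed ratio simply by logging in to the same few fake accounts hundreds of times.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    account: str
    success: bool


def build_sample_events():
    """Constructed sample telemetry (not real data): one normal user and one attacker IP
    that mimics the pattern in the post: two canary accounts logging in ~50 times in an hour
    while credentials for many distinct victim accounts are tested from the same IP."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    events = [
        LoginEvent(base, "198.51.100.7", "alice", True),
        LoginEvent(base + timedelta(minutes=40), "198.51.100.7", "alice", True),
    ]
    for canary in ("canary_a", "canary_b"):
        for i in range(50):
            events.append(LoginEvent(base + timedelta(seconds=70 * i), "203.0.113.9", canary, True))
    for i in range(100):
        events.append(LoginEvent(base + timedelta(seconds=35 * i), "203.0.113.9", f"victim{i}", False))
    return events


def account_login_rate_alerts(events, window=timedelta(hours=1), threshold=20):
    """Return {(ip, account): peak_count} for pairs whose successful logins exceed
    `threshold` inside any sliding window of length `window`. Real users rarely
    authenticate more than a few times an hour; 50 or 300 is a canary account."""
    per_pair = defaultdict(list)
    for e in events:
        if e.success:
            per_pair[(e.ip, e.account)].append(e.ts)
    alerts = {}
    for pair, times in per_pair.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[pair] = peak
    return alerts


def ip_reputation(events):
    """Per-IP stats: the naive success ratio an attacker can inflate with canary
    accounts, next to a ratio computed over distinct accounts, which they cannot."""
    stats = defaultdict(lambda: {"succ": 0, "fail": 0, "succ_acc": set(), "fail_acc": set()})
    for e in events:
        s = stats[e.ip]
        if e.success:
            s["succ"] += 1
            s["succ_acc"].add(e.account)
        else:
            s["fail"] += 1
            s["fail_acc"].add(e.account)
    out = {}
    for ip, s in stats.items():
        ds, df = len(s["succ_acc"]), len(s["fail_acc"])
        out[ip] = {
            "naive_success_ratio": s["succ"] / (s["succ"] + s["fail"]),
            "distinct_success_ratio": ds / (ds + df),
            "successful_accounts": ds,
            "failed_accounts": df,
        }
    return out


def suspicious_ips(events, max_distinct_ratio=0.2, min_failed_accounts=10):
    """IPs whose failures touch many distinct accounts while successes come from few.
    Thresholds are illustrative; tune them against your own baseline traffic."""
    rep = ip_reputation(events)
    return sorted(
        ip for ip, r in rep.items()
        if r["failed_accounts"] >= min_failed_accounts
        and r["distinct_success_ratio"] < max_distinct_ratio
    )


if __name__ == "__main__":
    ev = build_sample_events()
    print("canary alerts:", account_login_rate_alerts(ev))
    for ip, r in ip_reputation(ev).items():
        print(ip, r)
    print("suspicious IPs:", suspicious_ips(ev))
```

On the constructed data the attacker IP shows a naive success ratio of 0.5, which looks like a healthy mix of typos and logins, but only 2 of the 102 distinct accounts it touched ever succeeded, so the distinct-account ratio is about 0.02 and the IP is flagged; the normal user’s IP is not. Blocking on the flagged IPs and the canary accounts together, rather than on the raw ratio, removes the attacker’s window into the defenses rather than rewarding the extra logins.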
For more information about Castle's customer identity and access management capabilities or to start a free trial, please go to https://castle.io/.