Blog #3 in a 4 Blog Series on Attack Tactics that Increase Success Rates… And What You Can Do to Thwart Them
Reputation is everything. A good reputation garners respect – it can open doors and provide a level of immediate trust that makes moving forward easier – while a bad one does the opposite. A good reputation is something that is earned, taking time and effort to build.
Recently, we’ve seen cyber attackers commit to this effort, working hard to build a good reputation with online sites and services in the hope that it will help them achieve their attack objectives.
This is the third tactic in our four-part blog series on account takeover attack methods and mitigation capabilities.
Tactic #3: Appearing Better – Using Fake Accounts to Improve Reputation
Attackers have started registering fake, ‘canary’ accounts to try to build up the reputation of the IPs they plan to use in their attacks. They use these accounts to log in and emulate normal activity for weeks, even months, before an attack. This helps them establish the accounts as ‘good’ and legitimate, in hopes that the accounts won’t raise too much suspicion when they are used during an attack.
During the course of an attack, these accounts give an attacker a window into the site or service they are targeting. Attackers log in with these accounts to maintain a good reputation and to better understand how the site’s defenses work. Based on what they learn, they can make modifications during the attack. For instance, these accounts help them:
Identify whether the site uses blacklists. If the status of any of their canary accounts changes and all of a sudden they are blocked, they know they can’t use certain IPs.
Test the rate limiting rules of the site to figure out and then stay below thresholds. For example, if the site blocks an IP after 10 failed login attempts over 10 hours, they can stay under that 10/10 threshold and keep their attack going.
Figure out how IP reputation is set and do what’s necessary to keep the reputation good for their IPs. For example, if the site measures the ratio of successful and failed logins for an IP and blocks that IP when it hits 1∶4, they can constantly log in to keep the ratio good.
We’ve seen these canary accounts improve the overall success rates of account takeover attacks, from 0.1% to as high as 20-30%. For example, the graph below shows the traffic pattern of an attacker using fake accounts. The blue bars represent the number of login requests per user, while the green and red lines indicate successful and failed logins, respectively. During the attack, the attacker uses their fake accounts to log in around 50 times per account each hour, as seen in the blue bars. Halfway into the attack, the attacker tries to boost their reputation further by using each of the accounts to log in up to 300 times instead. By raising the ratio between successful and failed logins to a more normal level for a couple of hours, the attacker hopes to build enough reputation to keep their IPs from being blacklisted, so they can continue to test credentials at a higher rate later.
Watch a quick 1-minute video that shows how prevalent the use of fake accounts can be in an account takeover attack. If Castle hadn’t been protecting the site, this attack, which used tens of thousands of IPs, from almost 5000 ISPs in over 200 countries, would have successfully breached the credentials of more than 1600 users, allowing the attackers to steal sensitive data, transfer money, or disrupt services.
The key to protecting your site or service from attackers using fake ‘canary’ accounts is to identify and block them. Look for solutions that:
Use real-time anomaly and attack detection to spot the nuanced activity of canary accounts
Understand user and device behavior to spot canary account activity. Tip: one thing to look for is spikes in registrations and logins coming from disposable or temporary email domains.
Offer risk-based authentication to quickly uncover illegitimate users
Provide pre- and post-login protection to eliminate attack impact
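One way to check login logs for the ratio padding described above, as an added example that is not Castle’s code or part of the original post: it compares an IP’s raw success share with a share that counts each account only once, and flags accounts whose repeated logins mask failures on other accounts. The event tuple shape, the two thresholds, the function names and the sample data are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Assumed event shape (not from the post): (hour, ip, account, success).
# Both thresholds are illustrative assumptions; tune them on real traffic.
HEAVY_LOGINS_PER_HOUR = 20   # successes by one account from one IP in one hour
MIN_FAILED_ACCOUNTS = 5      # distinct other accounts failing from that IP that hour

def success_shares(events, ip):
    """Return (raw, per_account) success share for one IP; per_account ignores repeats."""
    raw = Counter()
    accounts = {True: set(), False: set()}
    for _hour, src, account, success in events:
        if src == ip:
            raw[success] += 1               # every request counts, so padding works here
            accounts[success].add(account)  # each account counts once per outcome
    total_raw = raw[True] + raw[False]
    total_acc = len(accounts[True]) + len(accounts[False])
    return (raw[True] / total_raw if total_raw else 0.0,
            len(accounts[True]) / total_acc if total_acc else 0.0)

def find_canary_padding(events):
    """Return {ip: [accounts]} whose repeated successes mask failures on other accounts."""
    ok = defaultdict(Counter)    # (hour, ip) -> successes per account
    failed = defaultdict(set)    # (hour, ip) -> accounts with a failed login
    for hour, ip, account, success in events:
        if success:
            ok[(hour, ip)][account] += 1
        else:
            failed[(hour, ip)].add(account)
    flagged = defaultdict(set)
    for (hour, ip), per_account in ok.items():
        heavy = {a for a, n in per_account.items() if n >= HEAVY_LOGINS_PER_HOUR}
        others_failed = failed.get((hour, ip), set()) - set(per_account)
        if heavy and len(others_failed) >= MIN_FAILED_ACCOUNTS:
            flagged[ip] |= heavy
    return {ip: sorted(accts) for ip, accts in flagged.items()}

# Constructed sample: one IP pads 12 failed logins with 50 logins from one account.
SAMPLE = (
    [(0, "203.0.113.7", "canary@mailbox.example", True)] * 50
    + [(0, "203.0.113.7", f"user{i}@site.example", False) for i in range(12)]
    + [(0, "198.51.100.9", f"alice{i}@site.example", True) for i in range(3)]
    + [(0, "198.51.100.9", "alice0@site.example", False)]
)

if __name__ == "__main__":
    print(find_canary_padding(SAMPLE), success_shares(SAMPLE, "203.0.113.7"))
```

On the constructed sample the padded IP shows a raw success share above 80% but a per-account share below 10%, which is the gap a per-request reputation rule does not see.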