Weak Passwords Continue To Be 2023’s Biggest Threat
Account theft represents one of the most ruthless forms of cybercrime: almost invisible to the naked eye, it allows a malicious actor to seamlessly disguise themselves as a legitimate user. Account takeover’s importance to attacks across the complexity spectrum has led to increasing commodification via the black market. Now, credential dumps from large-scale breaches are easily purchasable via the web, and automated bots are available for rent. These factors have combined to produce the largest-ever automated account takeover campaigns. Account takeover prevention therefore needs to be at least as automated as modern bots, and more precise.
Insecure Passwords are Everywhere
The average person maintains a lot of online accounts: between 30 and 70 is normal for now, and the number continues to swell year after year. Expecting the average person to remember that many individual passwords is an exercise in futility. Studies such as the Psychology of Passwords have shown that, even though 91% of people know password reuse is risky, almost half of all respondents stated that having a password that’s easy to remember is more important than having one that is secure. A total of 66% of all respondents have the same, or very similar, passwords across the full range of their online accounts.
Insecure and guessable passwords represent a key flaw in even mature organizations. They drastically increase the blast radius of brute force and credential stuffing attacks, since the compromise of one password suddenly exposes a person’s entire stack of online assets. Account takeover isn’t just responsible for large-volume attacks on individuals; it has also claimed many victims in key political cyberattacks. Colonial Pipeline operates one of the largest fuel pipelines in the US, providing roughly 45% of the East Coast’s fuel, including gasoline, diesel, jet fuel, home heating oil, and military supplies. In 2021, attackers gained access to the company’s IT network by means that were initially unclear. Within a two-hour window, they stole over 100 gigabytes of enterprise data before unleashing ransomware that tore through Colonial’s billing and accounting systems. To stop its spread, Colonial had to temporarily shut down all operations, and it paid the attackers’ ransom demand of $4.4 million.
In the days following the attack, it became clear that Russian-backed threat actors DarkSide had launched the attack, gaining initial network access thanks to an exposed password for a single VPN account. This account belonged to an employee who had previously left the company.
The SolarWinds attack that unfolded throughout 2021 cost US companies an average of 11% of their annual turnover. It was the first major supply chain attack exploited by state-funded cyber attackers. The attackers replaced SolarWinds’ legitimate update tool with one that also downloaded a backdoor for spyware. This gave them swathes of information from key SolarWinds clients, which included the vast majority of the US Fortune 500 and key departments within the government itself.
In much the same way as with the Colonial Pipeline attack, researchers began searching for how the advanced threat actor could pull off such a complex and difficult-to-find attack. Eventually, it was found that a key component of the enterprise software’s build environment may have been compromised. The culprit? The password ‘solarwinds123’. This single password existed on a private GitHub account from 2018 to 2019; that account was granted access to the company’s update server at some point preceding the attack.
Passwords Pave the Way for Automated Attacks
Password reuse, alongside data breaches, makes up one of today’s largest attack surfaces. The problem is so chronic that, in 2021, the RockYou21 file was leaked: a .txt file over 100 gigabytes in size, containing a large portion of all credentials ever leaked in a data breach. It holds 8.4 billion entries, with every login credential representing one more impacted individual. Cases such as these highlight the true danger of password reuse.
To test the credential stuffing attacks currently being pelted at organizations and individuals alike, security researchers at Rapid7 set up two honeypot servers. The researchers then monitored every attempt that attackers took at compromising these servers, which numbered over half a million in just 12 months. Almost every single attempted breach used credentials that stem from the RockYou21 file.
This means it is now possible to say with certainty that automated attacks do not rely on any form of creativity. Unfocused and untargeted attacks that occur across the internet rely almost entirely upon opportunistic, already-breached credential data. Attackers are consistently taking the easy road. Even worse, basic economics suggests that the operators of these brute force bots must be seeing at least occasional wins from their millions of attacks per year.
The good news? It is incredibly easy to avoid this type of untargeted attack. As long as your credentials aren’t contained in the RockYou21 file, this specific type of account takeover attack is unlikely to catch you.
How Account Takeover Attacks Can be Stopped
Whether through bottom-of-the-barrel automated attacks or a high-end, laser-focused breach, account takeover continues to cause significant security headaches. If the authentication process itself is broken, whether by a data leak or by a dedicated attacker, how can you still maintain your organization’s security posture and protect consumers from fraudulent account activity?
The prevention of account takeover fraud requires intent-based detection. This multi-layered solution identifies malicious bots before the relentless credential stuffing campaign begins. By collecting and analyzing all bot traffic, it becomes possible to detect suspicious anomalies. Inbuilt machine learning models identify bad bot behavior in real time, check it against a malicious bots database, and make the call to block or allow. From your perspective, you’re granted deep insight into which user accounts are under attack and what techniques these bots are using.
Finally, you’re able to place customer security at the forefront of your operations by informing customers of potential malicious bot activity on their account; the solution will also double-check whether the attempts used any publicly leaked credentials. By doing so, not only are your customers protected from large-scale account takeover attacks, but they also benefit from education on how to strengthen their own security.
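A minimal version of the two checks just described (flagging sources that behave like credential stuffing bots, and telling customers when a leaked password was tried against their account), as an added example that is not the article’s or any vendor’s code; the login attempts, IP addresses and the leaked-password set are constructed sample data, and the thresholds are illustrative assumptions:

```python
"""Toy credential-stuffing detector and leaked-credential check (added example)."""
import hashlib
from collections import defaultdict

# Constructed leaked-password corpus, stored as SHA-1 digests so that the
# plaintext list never has to live next to the login system.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
               for p in ("password1", "solarwinds123", "qwerty")}

# Constructed login attempts: (source_ip, username, password, success)
ATTEMPTS = [
    ("203.0.113.7", "alice", "password1", False),
    ("203.0.113.7", "bob", "qwerty", False),
    ("203.0.113.7", "carol", "letmein", False),
    ("203.0.113.7", "dave", "solarwinds123", True),
    ("198.51.100.2", "alice", "Tr0ub4dor&3", True),
    ("198.51.100.2", "alice", "Tr0ub4dor&4", False),
]

def is_leaked(password):
    """Return True if the password's SHA-1 digest is in the leaked set."""
    return hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1

def detect_stuffing(attempts, min_distinct_users=3, max_success_ratio=0.5):
    """Return source IPs that try many distinct accounts with mostly failures.

    A human mistyping their own password hits one account repeatedly; a
    stuffing bot sprays one leaked pair per account. Thresholds are assumed.
    """
    per_source = defaultdict(lambda: {"users": set(), "tries": 0, "ok": 0})
    for ip, user, _pw, success in attempts:
        s = per_source[ip]
        s["users"].add(user)
        s["tries"] += 1
        s["ok"] += int(success)
    return sorted(ip for ip, s in per_source.items()
                  if len(s["users"]) >= min_distinct_users
                  and s["ok"] / s["tries"] <= max_success_ratio)

def accounts_to_notify(attempts):
    """Map each account hit with a leaked password to whether any such try succeeded."""
    hits = {}
    for _ip, user, pw, success in attempts:
        if is_leaked(pw):
            hits[user] = hits.get(user, False) or success
    return hits

if __name__ == "__main__":
    print("stuffing sources:", detect_stuffing(ATTEMPTS))
    print("customers to notify:", accounts_to_notify(ATTEMPTS))
```

Accounts whose leaked password also succeeded (here "dave") need a forced reset rather than just a warning, since the attacker already holds a working credential.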