Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • After the credentials from a data breach have been made publicly available, websites experience a 300% increase in volumetric attacks. — Distil Networks, 2018
  • 20% of ATO attacks are preceded by a smaller scale test attack a few days prior. — Distil Networks, 2018

All websites with login pages have been hit with bad bot traffic and face Account Takeover (ATO) attempts, according to a Tuesday report from Distil Networks.

Researchers examined data from 600 domains that included login pages. They found that hackers use bots to execute ATO attacks for a number of malicious purposes, including validating sets of login credentials, gaining access to credit card data, and selling personally identifiable information (PII) on the dark web. Stolen account data can also be used to transfer money, make purchases, or spread a political message, the report noted.

Bot operators carry out ATO attacks in two ways, the report found. About 50% of ATO attacks come in the form of volumetric credential stuffing–where bad bot requests are attempted in bursts and are easy to identify by a spike in requests. The other half come through low and slow credential stuffing and credential cracking, which can be identified by consistent, continuous login requests that bad bots run 24/7, and often fly under the radar due to their slower pace, the report noted.

SEE: Incident response policy (Tech Pro Research)

After the credentials stolen in a data breach have been made publicly available, websites experience a 300% increase in volumetric attacks, the report found. They also experience three times more credential stuffing attacks in the days after a public breach.

Bad bot actors are also testing their attempts before launching a full attack, according to the report. Nearly 20% of all attacks analyzed were preceded by a smaller scale “test round” a few days prior–a reminder to organizations to investigate any anomalies, even if they are small.

In terms of attack times, websites are most likely to experience ATO attacks on Fridays and Saturdays, which is when 39% of volumetric ATO attacks occur. This suggests that hackers schedule attacks when they believe fewer security professionals will be working to detect them.

“Every time a breach comes to light and consumer credentials are exposed, any business with a login page should prepare themselves for a swell of volumetric credential stuffing attacks,” Anna Westelius, senior director of security research at Distil Networks, said in a press release. “While bot operators may be purposeful in their strategy of carrying out ATO attacks, this data also renders them predictable. Organizations must educate themselves in order to identify the warnings signs, and be prepared for times when an attacker may strike.”

The report offered the following nine recommendations for detecting bad bot activity:

1. Block or captcha outdated user agents/browsers

2. Block known hosting providers and proxy services

3. Block all access points, including exposed APIs and mobile apps

4. Carefully evaluate traffic sources

5. Investigate traffic spikes

6. Monitor for failed login attempts

7. Monitor increases in failed validation of gift card numbers

8. Pay close attention to public data breaches

9. Evaluate a bot mitigation solution