Crackers Aren’t Hackers – But They Are Extremely Dangerous
By Gareth Kitson / 07th Sep 2018
Another Day, Another Data Breach
Poor password hygiene aside, the volume of compromised user credentials being sold, traded and shared on online forums, in file repositories and on the Dark Web is astounding. Regular password rotation, combined with never reusing a password across websites and web applications, helps, but only a minority of internet users follow such practices. The rest have accounts at risk, and if you run an online business, you are responsible for them.
The ease with which usernames and passwords flow across the internet puts an alarming number of users' personal information at risk. Individuals suffer when their credentials are compromised, but the damage does not stop there: compromised credentials are routinely used to walk straight past existing security controls, because a login with a valid username and password looks exactly like a customer.
According to Verizon’s latest data breach study, “63% of confirmed data breaches involved leveraging weak/default/stolen passwords.” Cybercriminals utilise reused, stolen or default passwords to launch credential stuffing operations to take over customer accounts.
Security and data breaches were more common than ever in 2017. High profile companies from Yahoo to Equifax all suffered breaches, leaking millions of usernames and passwords onto the internet. While the breaches themselves are terrible, what happens next can be even more damaging – automated account takeovers (ATOs).
Automated Account Takeover Tools
A common method used to gain access to an account is a credential stuffing attack. Easy-to-use tools like Sentry MBA or STORM replay a large list of compromised username and password combinations against a login form, looking for any pair that still works so the account can be taken over.
Credential stuffing and cracking tools are extremely effective at getting past standard security devices such as Web Application Firewalls (WAFs), because every request is a well-formed login that matches no attack signature. Arguably more concerning is how easy they are to operate. Even low-tech criminals can profit from automated attacks with little more than a few mouse clicks. This means anyone with intent could take over your customers' accounts with little to no knowledge of traditional hacking techniques.
Former Facebook CSO Alex Stamos believes password reuse is the single biggest cybersecurity risk to customers and organizations. He thinks crackers can't go wrong with a credential stuffing tool, as they are free, simple to use, efficient, and extremely effective.
Furthermore, tools such as Sentry MBA and STORM have built-in capabilities to bypass login form security controls such as IP rate limits (through proxy lists) and CAPTCHA checks, making it even easier for crackers to take over accounts. There are also services that bypass stronger forms of CAPTCHA at a low price, some relying on human solvers to pass the check.
Hackers vs Crackers
Wikipedia defines the term hacker as “any skilled computer expert that uses their technical knowledge to overcome a problem”.
Professional hackers with advanced knowledge and skills look down on crackers, thinking of them as less educated versions of themselves. Hackers are proud of the bespoke tools and utilities they create for their specific attacks and refer to crackers as script kiddies or newbies because they do not create their own attack tools.
Hackers constantly seek out new vulnerabilities to exploit for whatever malicious activity they are performing, whereas crackers keep exploiting the same known weakness to get into user accounts. That weakness, known as Insufficient Anti-Automation, is present whenever a web application lets a cracker automate a process, such as a login form, that was designed only for manual use by a person.
Proactive Protection From Credential Stuffing & Account Takeover Attacks
Unfortunately, many organizations cannot distinguish an automated attack from regular user login activity, and some do not appreciate how widespread the problem is. The Open Web Application Security Project (OWASP) describes credential stuffing as one of the most common cyber-attacks, one capable of compromising websites that have none of the traditional security vulnerabilities. It therefore puts everyone at risk: the consumers who own the accounts and the organizations that host them.
While the development of these automated cracking tools cannot be stopped, you can protect your customer accounts and web login forms to reduce the likelihood of ATO from happening to your organisation.
Password Rotation and Multi-Factor Authentication
Enforcing a password rotation policy takes previously compromised credentials out of circulation, but only if users actually move to something new rather than a predictable variation; current NIST guidance (SP 800-63B) favours screening chosen passwords against known-breached lists over forced periodic rotation. Two-Factor Authentication (2FA) is an effective defence in its own right. However, such controls are typically only used in personal banking or corporate environments, as their deployment cost and usability impact make them unsuitable for online shopping and gambling customers.
Login History Tracking and Limiting Login Attempts
Allowing your applications to store the history of a given user's addresses, locations, devices, cookies and browsers can help identify compromised accounts. These data-driven insights can also trigger a challenge on a login request that does not match the user's known profile, rather than rejecting it outright.
You can also limit the number of failed login attempts per account, although even trustworthy customers may need several attempts when they have forgotten a password. Limiting attempts per account does nothing against credential stuffing itself: the attacker tries each email address with exactly one leaked password, so no single account ever reaches the lockout threshold.
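One way to act on such a profile, as an added example written for this page (it is not code from the original post or from Netacea): keep, per account, the networks, user agents and device cookies seen on previous successful logins, and step a login up to a challenge when it matches none of them. The class and function names, the thresholds and the sample values are all assumptions.

```python
"""Risk-based login step-up from a per-account history profile (added example)."""
import ipaddress
from dataclasses import dataclass, field


def _net(ip):
    """Collapse an address to its network so a DHCP shuffle does not look new:
    /24 for IPv4, /64 for IPv6."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


@dataclass
class UserProfile:
    """What the application has seen for one account on previous successful logins."""
    networks: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)
    device_cookies: set = field(default_factory=set)

    def record(self, ip, user_agent, device_cookie=None):
        """Call only after a login has fully succeeded (including any challenge);
        otherwise the attacker's own session teaches the profile to trust them."""
        self.networks.add(_net(ip))
        self.user_agents.add(user_agent)
        if device_cookie:
            self.device_cookies.add(device_cookie)


def assess_login(profile, ip, user_agent, device_cookie=None, challenge_at=2):
    """Compare an attempt with the profile. Returns (decision, reasons), where
    decision is "allow" or "challenge" (e.g. e-mail code, CAPTCHA, 2FA prompt)."""
    if not profile.networks:
        # Brand-new account: nothing to compare against, so other controls must cover it.
        return "allow", ["no history"]
    if device_cookie and device_cookie in profile.device_cookies:
        # A device cookie issued by us earlier is the strongest signal available.
        return "allow", []
    reasons = []
    if _net(ip) not in profile.networks:
        reasons.append("unknown network")
    if user_agent not in profile.user_agents:
        reasons.append("unknown user agent")
    if not device_cookie:
        reasons.append("no device cookie")
    # One mismatch is everyday life (new phone, cleared cookies); several at once is not.
    decision = "challenge" if len(reasons) >= challenge_at else "allow"
    return decision, reasons


if __name__ == "__main__":
    # Constructed sample: one known device, then three attempts against it.
    profile = UserProfile()
    profile.record("203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Firefox/62.0", "dev-7f3a")
    for attempt in [("203.0.113.55", "Mozilla/5.0 (Windows NT 10.0) Firefox/62.0", None),
                    ("198.51.100.7", "python-requests/2.19", None),
                    ("198.51.100.7", "python-requests/2.19", "dev-7f3a")]:
        print(attempt[0], assess_login(profile, *attempt))
```

The device cookie short-circuit is deliberate (it is what lets a regular customer log in from a hotel without a challenge), which also means a stolen device cookie passes; the cookie must therefore be bound to the session protections you already have, and the profile must only be updated after a fully successful login.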
IP and User Agent Black Listing
Many businesses blacklist IP addresses and User Agents once malicious behaviour is identified. Unfortunately, crackers have grown wise to this tactic and now rotate IP ranges daily, and a User Agent string costs nothing to change.
Monitoring network traffic for spikes in requests from a single IP address or IP range identifies simple credential cracking. However, ATO attacks can also take the form of a 'low and slow' attack, with login attempts spread across many addresses over several days or even weeks, so that no single source ever exceeds a rate limit.
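To make the gaps in the last two sections concrete, the following is an added example (written for this page, not code from the original post or from Netacea) that runs three heuristics over a constructed login log: a per-account lockout counter, which never fires on stuffing because each account is tried once; a per-IP distinct-account counter, which catches a single-source burst but not rotated addresses; and a count of addresses that made exactly one failed attempt and never returned, which is the footprint a low-and-slow campaign leaves even when each address stays under every rate limit. The log format, function names, thresholds and addresses (RFC 5737 documentation ranges) are all assumptions.

```python
"""Login-log heuristics for credential stuffing, run over a constructed sample (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: a few real customers, one single-IP burst at 10:00,
# and a distributed low-and-slow run from 192.0.2.x spread over two days.
SAMPLE_LOG = """\
2018-09-07T09:00:12Z ip=198.51.100.20 user=alice@example.com result=OK
2018-09-07T09:01:40Z ip=198.51.100.21 user=bob@example.com result=FAIL
2018-09-07T09:01:55Z ip=198.51.100.21 user=bob@example.com result=FAIL
2018-09-07T09:02:10Z ip=198.51.100.21 user=bob@example.com result=OK
2018-09-07T10:00:01Z ip=203.0.113.5 user=u1@example.com result=FAIL
2018-09-07T10:00:02Z ip=203.0.113.5 user=u2@example.com result=FAIL
2018-09-07T10:00:03Z ip=203.0.113.5 user=u3@example.com result=OK
2018-09-07T10:00:04Z ip=203.0.113.5 user=u4@example.com result=FAIL
2018-09-07T10:00:05Z ip=203.0.113.5 user=u5@example.com result=FAIL
2018-09-07T10:00:06Z ip=203.0.113.5 user=u6@example.com result=FAIL
2018-09-07T11:17:00Z ip=192.0.2.11 user=v1@example.com result=FAIL
2018-09-07T13:42:00Z ip=192.0.2.12 user=v2@example.com result=FAIL
2018-09-07T16:05:00Z ip=192.0.2.13 user=v3@example.com result=OK
2018-09-07T19:30:00Z ip=192.0.2.14 user=v4@example.com result=FAIL
2018-09-08T02:11:00Z ip=192.0.2.15 user=v5@example.com result=FAIL
2018-09-08T08:50:00Z ip=192.0.2.16 user=v6@example.com result=FAIL
"""

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(text):
    """Parse log lines into dicts; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["ok"] = ev.pop("result") == "OK"
        events.append(ev)
    return events


def _by_ip(events):
    groups = defaultdict(list)
    for ev in events:
        groups[ev["ip"]].append(ev)
    return groups


def _net(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def locked_accounts(events, max_failures=5):
    """Per-account lockout: accounts with >= max_failures failed attempts.
    Stuffing tries each credential pair once, so this never fires on it."""
    fails = Counter(ev["user"] for ev in events if not ev["ok"])
    return {user for user, n in fails.items() if n >= max_failures}


def spraying_ips(events, min_users=5, window=timedelta(minutes=10)):
    """IPs that hit >= min_users distinct accounts inside any sliding window.
    Catches a single-source burst; an attacker rotating addresses evades it."""
    flagged = {}
    for ip, evs in _by_ip(events).items():
        evs = sorted(evs, key=lambda ev: ev["ts"])
        start, best = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({ev["user"] for ev in evs[start:end + 1]}))
        if best >= min_users:
            flagged[ip] = best
    return flagged


def one_shot_failures(events):
    """IPs that made exactly one attempt, failed, and never came back.
    A person who mistypes retries; a low-and-slow bot moves on to the next pair."""
    return sorted(ip for ip, evs in _by_ip(events).items()
                  if len(evs) == 1 and not evs[0]["ok"])


def suspected_takeovers(events, min_users=5, min_one_shot=3):
    """Successful logins from a spraying IP, or from a /24 that also produced
    >= min_one_shot one-shot failures. (Keying on /24 is a simplification of
    the constructed sample; real rotation spans many unrelated networks.)"""
    sprayers = spraying_ips(events, min_users)
    one_shot_nets = Counter(_net(ip) for ip in one_shot_failures(events))
    return {ev["user"] for ev in events if ev["ok"]
            and (ev["ip"] in sprayers or one_shot_nets[_net(ev["ip"])] >= min_one_shot)}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("locked accounts:", locked_accounts(evs))        # empty: lockout misses stuffing
    print("spraying IPs:", spraying_ips(evs))              # the 10:00 burst only
    print("one-shot failures:", one_shot_failures(evs))    # the low-and-slow run
    print("suspected takeovers:", suspected_takeovers(evs))
```

On the sample, the lockout counter returns nothing (the only account with repeated failures is a customer who eventually got in), the distinct-account counter flags only the burst source, and the one-shot-failure list is what exposes the slow campaign; the two accounts that did log in from those sources are the ones to force a password reset on. Each signal alone is weak, which is the point the page is making about layering controls.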
Dedicated Bot Identification & ATO Prevention
Over 50% of all website traffic is automated. Standard security solutions and practices are no longer robust enough to protect against sophisticated malicious bots and the cracking tools described above.
Dedicated bot management solutions leverage the power of shared intelligence, specialist data scientists, customised rules and machine learning to stay one step ahead. Deploying these solutions will help your business identify and tackle ATO and, protect you against many of the other issues caused by a much wider range of non-human traffic.
Introducing NETACEA - The world’s most advanced Bot Management & ATO solution.
Radically different from traditional 'black box' solutions, Netacea is an agile and intelligent new layer of security that adapts to changing threats.
The Netacea layer of protection should be your first line of defence. It complements existing controls, such as WAF rulesets, rate limiting and threat databases.
It provides deep, actionable analysis of all internet traffic, web reconnaissance, automated bots and legitimate website visitors and manages those journeys accordingly in real time.