According to Akamai’s latest “State of the Internet” report, attackers turned the credential stuffing dial up to 11 in 2020, flooding websites with 193 billion failed attempts to access targeted users’ accounts using stolen or reused credentials.
In fact, the number of credential-based login attempts increased by more than 310% from 47 billion in 2019, although Akamai attributed the sharp increase, to an unspecified extent, to more customers and greater visibility into such attacks. Overall web attacks (such as SQL injection attacks) showed only moderate growth, from 6.2 billion in 2019 to 6.3 billion in 2020.
Akamai’s chief security researcher Steve Ragan said that the increase is not only a matter of attackers sending more requests to sites to see where the problem is; it also indicates that the threat is growing.
“When the numbers increase, it shows that there are more threats,” he said. “We are just at the tip of the iceberg. We only see a small number of attacks. We don’t see what we see; that’s the problem. If our numbers are right and we are seeing an increase, then you know that the problem is developing.”
In the past year, more and more companies have moved a larger part of their infrastructure to the cloud to allow newly remote employees to access company applications and data. Because many cloud services are accessed with a username and password combination, attackers will devote more effort to these services and to virtual private network (VPN) gateways.
Akamai pointed out that millions of new usernames and passwords were leaked at the beginning of 2020, which is one of the reasons for the sharp increase in credential stuffing in the second half of the year.
Akamai researchers said in a report released today: “Once these compromised credentials are distributed, they will be classified and tested by brands on the Internet, including several financial institutions. There is a crazy and confusing way to do it. Drive the abuse of credentials in the criminal economy.”
Although Akamai blocks a smaller number of web application attacks, such attacks can be more dangerous. SQL injection (SQLi) attacks against website databases accounted for more than two-thirds of overall web application attacks, and local file inclusion (LFI) attacks ranked second at 22%. Overall, cross-site scripting dropped to third place, with a share of 6%.
The latest edition of the Akamai report also breaks out attacks on financial services companies. The study found that in 2020, credential stuffing attempts against the financial sector increased by 45% year-on-year to 3.5 billion. Unlike the general attack trend, LFI attacks made up the largest share of web attacks against financial services companies, at 52%. SQLi accounted for one-third of the attacks, and cross-site scripting accounted for 9%.
The report cited a threat actor named Kr3pto who used phishing tools to target the brand of a British financial company.
Akamai’s report said: “The goal of the Kr3pto phishing kit is the victim’s username and password, as well as any auxiliary authentication methods used, such as security questions and answers and SMS-based PINs. The work process used by these kits is seamless and can dynamically adapt to the victim’s login experience at his bank.”
Ex-Robotos, another phishing toolkit described in the report, targets companies and their employees by impersonating brands such as Dropbox, Office 365, OneDrive, and SharePoint. The toolkit is the latest product from phishing-kit developers that mixes other criminal tools into a criminal software-as-a-service offering.
SMS phishing has also become a major threat. Because users tend to scrutinize URLs in text messages less closely, and typically open about 98% of text messages, they are more likely to click the link.
“Phishing is still a digital game: throw as much bait as possible and see what you get,” Ragan said. “But more focused phishers, especially those who run phishing as a service, because they have backup data, almost exclusively target bait or spear phishing.”
Akamai recommends multi-factor authentication (MFA) using time-based one-time passwords (OTPs), such as those from Google Authenticator or Duo two-factor authentication, as the best way to prevent successful credential stuffing and phishing attacks. In addition, universal second factor (U2F) methods (such as YubiKey) allow most applications to adopt this stronger form of authentication.
A senior technical reporter for more than 20 years. Former research engineer. Wrote for more than twenty publications, including CNET News.com, “Dark Reading”, “MIT Technology Review”, “Popular Science” and “Cable News”. Won five awards in journalism, including the best deadline…