Tag Archives: Credential stuffing

Akamai Says Hackers are Attacking APIs

If you are a crook and you want to break in, you might first try the front door.  If you discover the front door is locked, you might try another door or a window.  Same is true for hackers.

As companies slowly improve their defenses on end user web sites, hackers discovered that the APIs behind those web sites may not be as well protected.

Akamai runs one of the largest content delivery networks in the world, so it has a lot of data.  Here are some statistics.

* Between November 2017 and December 2019, about 2 years, Akamai observed over 85 billion “credential stuffing” attack attempts.  Credential stuffing is the term that refers to trying, using brute force, credentials obtained from a different hack on another web site.  For example, you have 3 billion userid/password combinations stolen from Yahoo.  Try them on Facebook or Twitter – all three billion.  Then try them on a thousand other sites.

When you do the multiplication between the number of hacked passwords and the number of potential sites, you realize you have hundreds of trillions of combinations.

This means that you need a method to try those hundreds of trillions of combinations without the web site locking the account after a few failed tries.

Enter the API attack.  Most of the time, APIs are used by other programs, so sometimes they have fewer security protections.

* Akamai said that they identified over 16 billion attempts to stuff credentials into something that was OBVIOUSLY an API.  That means that the 16 billion number is probably low, possibly way low.

It is important to understand that only a small fraction of traffic goes through Akamai, so the 16 billion attack attempts represent a small percentage of the total attack volume.

* Then Akamai looked at which of those attacks went after financial industry web resources.  That number was 475 million.  Also probably a low estimate as the financial industry, like everyone else, outsources to a lot of companies and those companies likely serve many industries.

“Security teams need to constantly consider policies, procedures, workflows, and business needs – all the while fighting off attackers that are often well organized and well-funded,” Steve Ragan, Akamai security researcher, said.

While this report focused on the 475 million attacks against financial institution API interfaces, don’t lose track of the rest of the 16 billion attempts – they are dangerous too.

From a business owner’s perspective, this means that you need to make sure that any APIs that you expose are battle ready and have strong detection mechanisms in place to shut down attackers before the attackers are successful.
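As an added illustration (not code from the article or from Akamai) of the detection the paragraph calls for: a per-source view of API login logs catches stuffing that per-account lockouts miss, because a stuffing run touches each account only once or twice. The log format, IP addresses and thresholds are assumed.

```python
# Added example: spotting credential stuffing in API authentication logs.
# Assumed format per line: "<timestamp> <source_ip> <username> <OK|FAIL>".
import re
from collections import defaultdict

# Constructed sample log: one source walks through many accounts, one
# legitimate user mistypes a password and then succeeds.
SAMPLE_LOG = """\
2019-12-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2019-12-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2019-12-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2019-12-01T10:00:03Z 203.0.113.7 dave@example.com OK
2019-12-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2019-12-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2019-12-01T10:00:09Z 198.51.100.3 alice@example.com FAIL
2019-12-01T10:00:15Z 198.51.100.3 alice@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log):
    """Yield (timestamp, ip, user, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def max_failures_per_account(log):
    """What a per-account lockout sees: the busiest account's failure count."""
    fails = defaultdict(int)
    for _ts, _ip, user, result in parse(log):
        if result == "FAIL":
            fails[user] += 1
    return max(fails.values(), default=0)

def source_stats(log):
    """Per source IP: attempts, failures and the set of distinct usernames."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for _ts, ip, user, result in parse(log):
        s = stats[ip]
        s["attempts"] += 1
        if result == "FAIL":
            s["failures"] += 1
        s["users"].add(user)
    return stats

def flag_stuffing(log, min_users=5, min_fail_rate=0.6):
    """Return {ip: (distinct_users, failure_rate)} for sources whose attempts
    spread across many accounts and mostly fail; thresholds are assumed."""
    flagged = {}
    for ip, s in source_stats(log).items():
        rate = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and rate >= min_fail_rate:
            flagged[ip] = (len(s["users"]), round(rate, 2))
    return flagged
```

In the sample, no account ever reaches a typical lockout threshold (the worst sees two failures), yet the stuffing source is flagged on breadth and failure rate alone.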

  Source:  Venturebeat

Security News Bites for Week Ending Sep 21, 2018

New Web Attack Will Crash Your iPhone, iPad or Mac

A new CSS-based web attack will crash and restart your i-device with just 15 lines of code.  The code exploits a weakness in iOS’ web rendering engine WebKit, which Apple mandates all apps and browsers use.  Anything that renders HTML on iOS is affected.  That means anyone who sends you a link on Facebook or Twitter, any web page you visit that includes the code, or anyone who sends you an email can trigger it.  TechCrunch tested the exploit running on the most recent mobile software, iOS 11.4.1, and confirmed it crashes and restarts the phone.  Source:  Techcrunch

Ajit Pai Says California Net Neutrality Law Radical and Illegal

Ajit Pai, Chairman of the FCC and the guy who repealed the FCC net neutrality policy, said that California’s new bill replacing that repealed FCC policy is illegal.   Why?  Because, he says, it is preempted by federal law.  This is the same guy who said the FCC didn’t have the power to regulate net neutrality.  Do they?  Don’t they?  Are you confused too?

If Pai intervenes, I am sure this will go all the way up to the Supreme Court – who may or may not hear the argument.

He said this at a talk at a conservative think tank in Portland, Maine.  Maine, like about 30 other states, is in the process of creating its own net neutrality law.  If he thought that the states would bow down to him when he repealed the FCC policy, apparently, he was wrong.

Also apparently, his beef is with zero rating, a practice where a carrier doesn’t charge you if you use its own service or a service that has paid it a lot of money, but does charge you to use a service that has not written it a big check.  His theory, apparently, is that if poor people must (due to financial constraints) use only those services that write a carrier a big check, that will, somehow, promote an open and innovative Internet.  Source:  Motherboard

Another Day, Another Crypto Currency Exchange Hacked

Japanese crypto currency exchange Zaif was hacked to the tune of $60 Million of Bitcoin, Bitcoin Cash and Monacoin.  About a third of that was owned by the exchange;  the rest owned by customers.

For now, withdrawals and deposits have been halted, with no specified time when it might – or might not – resume.  If ever.

The company says that it will compensate users who lost $40 million or so and has sold the majority of the company for 5 billion yen (roughly the amount of money not owned by the exchange that was stolen).

Assuming that deal actually closes, that they figure out how the attack happened, that they fix the problem … and, and, and.  Japan’s financial regulator has stepped into the poop pile.

I assume that if and when customers actually get access to their money – the part that wasn’t stolen – they will find someplace else to store their crypto currency.  That likely means the end of Zaif, no matter what.

In the meantime, they will just have to hang out and wait to see what happens.  Source: Bloomberg.

3 Billion Malicious Logins Per Month This Year

According to Akamai, there were over 3 billion malicious logins per month between January and April and over 8 billion malicious logins during May and June at sites that it front-ends.

Many malicious login attempts come from the technique of credential stuffing where hackers take credentials exposed during hacks and try them on other web sites.  For example, try the 3 billion exposed Yahoo passwords on Facebook or online banking sites.  Even though we tell people not to reuse passwords, they do anyway.

According to Akamai, one large bank was experiencing 8,000 accounts being compromised per month.

One bank experienced over 8 million malicious login attempts in a single 48-hour period.  I bet some of these attempts worked.  A load like that will impact the bank’s ability to serve real customers.  Source:  Help Net Security.