Keeping Up With the Botnets

Financial services firms are facing millions, even billions, of credential stuffing attacks per day, requiring a new security approach.


It’s no secret that the global pandemic increased opportunities for threat actors and cybercriminals to target financial services. Throughout 2020, scammers used the economic tension caused by COVID-19 — the promise of financial assistance, the stress of financial hardship — to target people across the globe via phishing attacks.

Keeping up with the speed at which these attacks have been evolving adds another layer of complexity, especially now that phishing as a service is a turnkey business. For example, criminals — using a kit they’ve purchased on the dark web — even employ fake SMS messages from financial institutions to lure unsuspecting victims into sharing their login credentials. One such kit, Kr3pto, has been linked to 4,000+ SMS phishing campaigns, targeting the customers of major banks in the U.S. and U.K.

In turn, perpetrators of these phishing attacks trade, sell, and exploit stolen credentials, which — combined with data stolen in large-scale breaches — has fueled exponential growth in credential stuffing attacks. Millions of new usernames and passwords, tied to several notable incidents since the start of the pandemic, have started circulating on the dark web on several forums. Once in circulation, they are sorted and tested against major financial institutions and a myriad of brands across the internet. Unfortunately, this method still effectively exploits the fact that most users tend to use the same credentials on more than one platform.

The 2021 Akamai State of the Internet (SOTI) Phishing for Finance report revealed there were 193 billion credential stuffing attacks globally in 2020. In May 2020, two dates stood out: On May 9, credential abuse hit a peak of 786,882,475 attacks globally. Five days later, on May 14, the financial services sector saw its own record peak — 47,698,955 attacks. Credential stuffing data released in our most recent SOTI report showed the volume of attacks remaining steady in 2021, with dips and peaks in the first two quarters, followed by two notable attacks in January and May. On those dates, credential stuffing attack traffic surged past 1 billion attacks for the day (see chart below).

[Chart: daily credential stuffing attack traffic, 2020 through mid-2021 (source: Akamai)]

Botnets create a global credential stuffing bonanza

For a financial services CSO, two things persist top of mind: the security of customers’ personally identifiable information (PII) and the availability of digital services 24/7. Both are essential to retaining customers and to fulfilling regulatory requirements. Credential stuffing attacks threaten the security of PII and can even evolve into DDoS attacks that disrupt availability.

Take this example from a Global 500 financial services group. One day, its pensions site — which typically processes 20,000 invalid login attempts per day — began receiving 50,000 invalid login attempts every five minutes. During the attack, the firm’s infrastructure struggled, as users experienced session timeouts or were unable to log into their accounts. The worst part was that their customers’ fears were true: They couldn’t log in because someone was in the process of trying to take over their accounts.
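The pensions-site incident above is a pure volume anomaly: failed logins that normally arrive at roughly 20,000 per day suddenly arrive at 50,000 every five minutes. The following is an added illustration, not Akamai's code or the firm's tooling, of the simplest detection a defender can run over authentication logs: bucket failed logins into fixed windows, compare each window against the expected share of the daily baseline, and use the spread of distinct usernames to separate a credential stuffing pattern (many accounts, one or two tries each) from password guessing against a few accounts. The log format, the `ratio` threshold, the 0.8 username-spread cutoff and the sample traffic are all constructed assumptions.

```python
"""Burst detector for failed logins (added example; log format and thresholds are assumptions)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO timestamp> user=<name> ip=<addr> result=<ok|fail>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$")


def parse_line(line):
    """Return (timestamp, user, ip, result) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["result"]


def failed_login_windows(lines, window_seconds=300):
    """Bucket failed logins into fixed windows.

    Returns {window_start_epoch: (failed_count, distinct_users, distinct_ips)}.
    """
    buckets = defaultdict(lambda: [0, set(), set()])
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip, result = parsed
        if result != "fail":
            continue
        epoch = int(ts.timestamp())
        start = epoch - epoch % window_seconds
        bucket = buckets[start]
        bucket[0] += 1
        bucket[1].add(user)
        bucket[2].add(ip)
    return {k: (v[0], len(v[1]), len(v[2])) for k, v in buckets.items()}


def detect_bursts(lines, baseline_failures_per_day, window_seconds=300, ratio=10.0):
    """Flag windows whose failed-login count exceeds `ratio` times the baseline's share of the window.

    With the page's 20,000 failures/day baseline, a 5-minute window is expected to hold about 69
    failures, so `ratio=10` alerts above roughly 694; the real incident (50,000 per window) is 700x.
    """
    expected = baseline_failures_per_day * window_seconds / 86400
    alerts = []
    for start, (count, users, ips) in sorted(failed_login_windows(lines, window_seconds).items()):
        if count <= ratio * expected:
            continue
        # Many distinct accounts with few tries each is the credential stuffing signature;
        # a handful of accounts hammered repeatedly looks like password guessing instead.
        pattern = "credential-stuffing" if users / count >= 0.8 else "password-guessing"
        alerts.append({
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "failed": count,
            "distinct_users": users,
            "distinct_ips": ips,
            "expected": round(expected, 1),
            "pattern": pattern,
        })
    return alerts


def build_sample_log():
    """Constructed traffic: an hour of normal activity (a failure every other minute) followed by
    a 5-minute burst of 900 failures against 900 different accounts from 50 source addresses."""
    t0 = datetime(2021, 5, 14, 9, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(60):
        ts = t0 + timedelta(minutes=minute)
        lines.append(f"{ts.isoformat()} user=alice{minute % 5} ip=203.0.113.{minute % 20} result=ok")
        if minute % 2 == 0:
            lines.append(f"{ts.isoformat()} user=bob{minute % 3} ip=203.0.113.{minute % 20} result=fail")
    burst_start = t0 + timedelta(hours=1)
    for i in range(900):
        ts = burst_start + timedelta(seconds=(i * 300) // 900)
        lines.append(f"{ts.isoformat()} user=victim{i:04d} ip=198.51.100.{i % 50} result=fail")
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log(), baseline_failures_per_day=20000):
        print(alert)
```

The quiet hour never trips the threshold (two or three failures per window against an expected 69), while the burst window is flagged with 900 failures, 900 distinct usernames and 50 source IPs. A per-IP rate limit alone would miss this shape, since each address contributes only 18 attempts; the window-wide count and the username spread are what expose it.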

As much as banks and other institutions encourage customers to change their password regularly, people resist, and they also persist in using the same login credentials across multiple online accounts (retail, banking, utilities). Even after a data breach announcement, only around a third of users usually change their passwords, according to a 2020 study published by Carnegie Mellon University’s Security and Privacy Institute (CyLab). This apathy plays right into the hands of attackers. Essentially two-thirds of their stolen credentials will likely work on other sites, especially when you consider that criminals will refine the combination list with various sources to generate new passwords if the original combinations don’t work.

Banks are a particularly attractive target for this relentless drive for account takeover. More than 3.4 billion of those 2020 attacks occurred in the financial sector, representing a 45% increase over such attacks in 2019. In one massive credential stuffing campaign, a financial institution was bombarded with 55,141,782 malicious login attempts. This attack was the largest spike in targeted credential abuse Akamai has seen against a financial services organization since we started tracking them.

Choosing a bot management solution to prevent or mitigate attacks

Automated botnets attempt to validate hundreds of thousands of user credentials on banking websites, reusing the ones that work to take over accounts, apply for fraudulent loans, and drain them. (Sometimes they go straight to step three.) Stopping these attacks isn’t straightforward: The login information is legitimate; it’s the entity attempting to authenticate that is not.

As a security provider, we’ve seen as many as 300,000 fraudulent login attempts per hour from a single botnet, potentially resulting in lost money, privacy, and (worst of all) consumer trust. According to research by Ponemon Institute, “the total cost associated with credential stuffing — including fraud-related losses, operational security, application downtime, and customer churn — can range from $6 million to $54 million annually.”

Being able to stop credential stuffing attacks depends largely on the right selection of tools. While most solutions are designed to distinguish bots from legitimate actors, there are two important issues to consider:

  • How effectively the solution keeps pace with the evolution of botnets
  • How effective it is at ensuring minimum disruption to the customer journey

How sophisticated are the bots and how fast do they mutate?

Because of the significant opportunities, credential stuffing attracts some of the most sophisticated hackers, resulting in highly sophisticated bots. It is therefore essential to gain a detailed understanding of the current bot landscape within your industry and the bot detection technologies available. The right solution will be the one that can detect the most sophisticated bots you’re likely to see.

Sophisticated bots mutate. Many bot management solutions can detect most bots initially, but then lose that ability as the bots start mutating. This happens when attackers see that you’ve identified their bot and immediately figure out how to circumvent your solution by updating their software. The mutated bots now can avoid the original detection and be deployed again. Solutions therefore must be equally sophisticated and deploy bot detection technologies such as user behavior analysis, which remains effective as bots mutate.

Reporting capability is another critical factor here. The ability to zoom in on specific bots, botnets, or bot characteristics provides fast and reliable intel about what you’re dealing with. Without clear insight, your responses will be suboptimal.

Deny bot logins without negatively affecting customer logins

There are more banking customers conducting online and mobile transactions than ever before, thanks to the pandemic. Web traffic volumes for one Akamai financial services customer surged dramatically after the March 2020 lockdown, and now more than a year and a half later, digital banking behaviors have become the industry’s new normal. That means it’s even more important to select security solutions that work with the customer journey as seamlessly as possible.

Onerous captcha controls, for example, tend to severely disrupt that journey, creating the kind of frustration that can subtly begin to shift loyalty. (Who likes to be stuck in a loop having to find all the crosswalks after failing to identify all the photos with an airplane?) A user-friendly (multi-factor) authentication solution working in an environment that is protected by an unobtrusive bot management tool works well to positively identify users and weed out bad bots, without adding complexity for the user.

In addition, advanced machine learning technology and behavior anomaly analysis used against these more sophisticated threats will lead to better accuracy. The more finely tuned the algorithm, the more precise the analysis, the greater your ability to prevent performance impacts and eliminate false positives.

Botnets are relentless, but you can win. Learn more about what you need to consider here 

Gerhard Giese is Industry Strategist at Akamai Technologies. He started at Akamai in 2010 and is now manager in the Financial Sector, responsible for customer advisory, information sharing and consulting. With more than 20 years of experience in the security field, Gerd has accumulated in-depth expertise in network security as well as distributed denial of service (DDoS) mitigation and data theft prevention. He continues to interact directly with clients as a trusted security advisor, to identify the most pressing challenges for online businesses. In addition, he regularly delivers talks at industry conferences and works as an independent consultant for federal state authorities such as The German Ministry of IT Defense. Prior to Akamai, Gerd was a senior network engineer at McAfee. Gerd holds CISSP and CCSP certifications and is a certified ethical hacker.


Copyright © 2021 IDG Communications, Inc.