Recent study finds that 94 percent of login attempts are made by malicious automated tools

You may think most visitors to a Web site's login page are people, but the reality is that the vast majority are automated tools used by criminals looking for weak passwords.

Over a recent 90-day period, Incapsula monitored access attempts at 1,000 client Web sites and found that 94 percent were made by malicious automated tools. The remaining attempts were either by people or by what the Web site security vendor called “benevolent bots,” such as search engines, legitimate crawlers and RSS readers. On average, 15 of every 16 visitors to the sites Incapsula monitored were attempting to break in. Overall, Incapsula recorded 1.4 million unauthenticated access attempts and roughly 20,000 authenticated logins.

While acknowledging that the study is biased toward Incapsula customers, the company believes its findings are indicative of what many Web sites experience. “We definitely believe that this is a good representation, or an accurate representation, of what’s going on out there,” Marc Gaffan, co-founder and vice president of marketing and business development at Incapsula, said.

Malicious login scanners typically probe for application vulnerabilities and try numerous commonly used passwords against many accounts and sites, a dictionary-style form of what experts call a brute-force attack. In August, Arbor Networks identified such an attack that had broken into 6,000 sites running the Joomla, WordPress or DataLife Engine blogging and content management systems. Dubbed Fort Disco, the campaign started in late May and was directed from a half dozen command-and-control servers controlling a botnet of more than 25,000 infected Windows computers. The top 10 passwords used to crack the sites were “admin,” “123456,” “123123,” “12345,” “pass,” “123456789,” “{domain}” (a template the scanner fills with the target site’s own domain name), “1234 150,” “abc123” and “123321.”

Enforcing strong passwords is the first line of defense against such attacks, experts agree.
For example, a 12-character password changed every 30 days, coupled with allowing only four login attempts every 15 minutes, would make a successful brute-force attack “improbable,” Paul Henry, forensic analyst for Lumension, said. A site can simply lock out visitors after several login attempts, but doing so can burden the help desk and can also be exploited to launch a denial of service attack, Henry said.

Using two-factor authentication, such as a password and a random number sent to a mobile phone, is another option. “I am a big fan of two-factor authentication and I think it solves this problem quite nicely,” Wolfgang Kandek, chief technology officer for Qualys, said. However, such mechanisms can be difficult to deploy and can be a hassle for site visitors. So another option would be to present a CAPTCHA challenge if repeated attempts are detected from an IP address, Kandek said.
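The kind of measurement Incapsula describes can be approximated on a site's own authentication log. The following is an added example written for this page, not Incapsula's method or code. It parses constructed log lines in an assumed format (UTC timestamp, client IP, method, path, optional user, result, User-Agent), labels each source IP as a benevolent crawler (known crawler User-Agent that never submits credentials), an automated tool (five or more credential POSTs with a median gap of two seconds or less) or a person (everything else), and reports each category's share of attempts. The log format, the thresholds and the sample lines are all assumptions.

```python
"""Classify login-page traffic as human, benevolent bot or automated attack tool.

Added example for this article; the log format, thresholds and sample lines
are assumptions, not Incapsula's data or method.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import re
import statistics

# Assumed application auth-log format, one request to the login page per line:
# <ISO-8601 UTC time> <client IP> <method> <path> [user=<name>] result=<word> ua="<User-Agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>GET|POST) (?P<path>\S+)'
    r'(?: user=(?P<user>\S+))? result=(?P<result>\w+) ua="(?P<ua>[^"]*)"$'
)
# User-Agents treated as "benevolent bots" when the source never submits credentials.
BENEVOLENT_UA = re.compile(r'Googlebot|bingbot|FeedFetcher|Baiduspider', re.I)

# Heuristic thresholds (assumptions, tune per site): a source that submits this
# many credential POSTs with this little time between them is a script, not a person.
MIN_AUTOMATED_POSTS = 5
MAX_MEDIAN_GAP_SECONDS = 2.0

# Constructed sample log (not real traffic). Source 203.0.113.7 spoofs an old
# browser User-Agent, so the UA string alone would misclassify it as human.
SAMPLE_LOG = """\
2013-08-14T10:00:00Z 203.0.113.7 POST /wp-login.php user=admin result=fail ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-08-14T10:00:01Z 203.0.113.7 POST /wp-login.php user=admin result=fail ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-08-14T10:00:02Z 203.0.113.7 POST /wp-login.php user=administrator result=fail ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-08-14T10:00:03Z 203.0.113.7 POST /wp-login.php user=admin result=fail ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-08-14T10:00:04Z 203.0.113.7 POST /wp-login.php user=root result=fail ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-08-14T10:00:05Z 203.0.113.7 POST /wp-login.php user=admin result=fail ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-08-14T10:01:30Z 192.0.2.10 GET /wp-login.php result=ok ua="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2013-08-14T10:03:10Z 198.51.100.23 POST /wp-login.php user=jsmith result=fail ua="Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0"
2013-08-14T10:03:41Z 198.51.100.23 POST /wp-login.php user=jsmith result=success ua="Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0"
2013-08-14T10:05:00Z 203.0.113.99 POST /wp-login.php user=admin result=fail ua="python-requests/1.2.3 CPython/2.7.3"
2013-08-14T10:05:01Z 203.0.113.99 POST /wp-login.php user=admin result=fail ua="python-requests/1.2.3 CPython/2.7.3"
2013-08-14T10:05:03Z 203.0.113.99 POST /wp-login.php user=editor result=fail ua="python-requests/1.2.3 CPython/2.7.3"
2013-08-14T10:05:04Z 203.0.113.99 POST /wp-login.php user=admin result=fail ua="python-requests/1.2.3 CPython/2.7.3"
2013-08-14T10:05:06Z 203.0.113.99 POST /wp-login.php user=admin result=fail ua="python-requests/1.2.3 CPython/2.7.3"
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    method: str
    user: Optional[str]
    result: str
    ua: str


def parse_log(text):
    """Parse log text into Attempt records, skipping malformed lines."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line should not abort the whole analysis
        ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ')
        attempts.append(Attempt(ts, m['ip'], m['method'], m['user'], m['result'], m['ua']))
    return attempts


def classify_source(attempts):
    """Label all attempts from one IP: 'benevolent_bot', 'automated' or 'human'."""
    posts = sorted(a.ts for a in attempts if a.method == 'POST')
    if not posts and all(BENEVOLENT_UA.search(a.ua) for a in attempts):
        return 'benevolent_bot'  # crawler that only fetched the login page
    if len(posts) >= MIN_AUTOMATED_POSTS:
        gaps = [(b - a).total_seconds() for a, b in zip(posts, posts[1:])]
        if statistics.median(gaps) <= MAX_MEDIAN_GAP_SECONDS:
            return 'automated'  # burst of credential submissions faster than a person types
    return 'human'


def traffic_breakdown(text):
    """Return {category: (attempt count, percent of all attempts)} for a log."""
    by_ip = defaultdict(list)
    for a in parse_log(text):
        by_ip[a.ip].append(a)
    counts = defaultdict(int)
    for atts in by_ip.values():
        counts[classify_source(atts)] += len(atts)
    total = sum(counts.values())
    return {k: (v, round(100 * v / total)) for k, v in counts.items()}


if __name__ == '__main__':
    print(traffic_breakdown(SAMPLE_LOG))
```

On the constructed log the two scripted sources account for 11 of 14 attempts (79 percent), one Googlebot fetch is benevolent and the two attempts by jsmith are the only human traffic. In practice the thresholds need tuning per site, and a scanner that paces itself below the median-gap rule will be missed, which is why correlating with distinct-username counts or failure ratios across many IPs is the usual next step.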
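Henry's figures (four attempts per 15 minutes) and Kandek's CAPTCHA suggestion combine into a throttle that never locks an account, which avoids the help-desk load and denial-of-service exposure Henry warns about. This is an added example, not code from the article or from Lumension, Qualys or Incapsula. It counts failed logins per source IP and per target account over a sliding 15-minute window and, once either counter reaches four, requires a solved CAPTCHA before a further attempt is even checked, so a scanner cannot turn the limit into a lockout of the legitimate user. The verify_password and verify_captcha callables, the in-memory store and the scenario in demo() are placeholders.

```python
"""Login throttle with CAPTCHA escalation instead of account lockout.

Added example for this article; the callables, the in-memory store and the
demo scenario are placeholders, not any vendor's implementation.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_LIMIT = 4               # "four login attempts ...
WINDOW = timedelta(minutes=15)  #  ... every 15 minutes", Henry's figures


class LoginThrottle:
    def __init__(self, verify_password, verify_captcha):
        self._verify_password = verify_password  # (username, password) -> bool
        self._verify_captcha = verify_captcha    # (captcha token) -> bool
        # key -> timestamps of recent failures; a shared store (e.g. Redis) is
        # needed when more than one application server handles logins.
        self._failures = defaultdict(deque)

    def _recent_failures(self, key, now):
        """Drop failures older than WINDOW and return how many remain."""
        q = self._failures[key]
        while q and now - q[0] > WINDOW:
            q.popleft()
        return len(q)

    def needs_captcha(self, ip, username, now):
        # Count per source IP and per target account: the IP counter catches one
        # scanner spraying many accounts, the account counter catches a botnet
        # spreading its guesses against one account across many IPs.
        return (self._recent_failures(('ip', ip), now) >= FAILURE_LIMIT
                or self._recent_failures(('user', username), now) >= FAILURE_LIMIT)

    def attempt(self, ip, username, password, now, captcha=None):
        """Return 'ok', 'invalid' or 'captcha_required'. Never locks the account."""
        if self.needs_captcha(ip, username, now):
            if not (captcha and self._verify_captcha(captcha)):
                return 'captcha_required'  # password is not even checked
        if self._verify_password(username, password):
            # The legitimate owner is in: clear the account's counter, but keep
            # the source IP's so the scanner stays throttled.
            self._failures[('user', username)].clear()
            return 'ok'
        self._failures[('ip', ip)].append(now)
        self._failures[('user', username)].append(now)
        return 'invalid'


def demo():
    """Scenario: a scanner exhausts the allowance against 'alice' from one IP,
    then alice logs in from her own IP. Returns the sequence of outcomes."""
    users = {"alice": "correct horse battery staple"}  # constructed credential store
    throttle = LoginThrottle(
        verify_password=lambda u, p: users.get(u) == p,  # stand-in for a real hash check
        verify_captcha=lambda token: token == "solved",  # stand-in for a CAPTCHA provider
    )
    t0 = datetime(2013, 8, 14, 10, 0, 0)
    out = []
    for i in range(FAILURE_LIMIT):  # four wrong guesses, one per second
        out.append(throttle.attempt("203.0.113.7", "alice", "123456", t0 + timedelta(seconds=i)))
    # Fifth guess from the scanner: now rejected up front without a CAPTCHA.
    out.append(throttle.attempt("203.0.113.7", "alice", "admin", t0 + timedelta(seconds=5)))
    # Alice from her own IP: not locked out, she just has to solve a CAPTCHA.
    out.append(throttle.attempt("198.51.100.23", "alice", users["alice"], t0 + timedelta(minutes=1)))
    out.append(throttle.attempt("198.51.100.23", "alice", users["alice"],
                                t0 + timedelta(minutes=1), captcha="solved"))
    # The scanner's IP stays throttled against any account until the window passes.
    out.append(throttle.attempt("203.0.113.7", "bob", "pass", t0 + timedelta(minutes=2)))
    out.append(throttle.attempt("203.0.113.7", "bob", "pass", t0 + timedelta(minutes=16)))
    return out


if __name__ == '__main__':
    print(demo())
```

The per-account counter means a botnet hammering one account costs its owner a CAPTCHA, not access, and a correct password from the owner resets that counter while the attacking IPs remain throttled. A CAPTCHA is a speed bump rather than a wall, so this is a complement to a 12-character minimum and two-factor authentication, not a substitute.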