Site Logo

Reviewing our 2019 AppSec predictions: Account takeover

Topics:
Dec. 17, 2019
|
Tushar Richabadas

At the start of the year, I made three predictions on attacks vectors that would become big problems over the year and beyond. This is the look at where the three are, now, at the end of the year. Starting with #1 – Account Takeovers.

Prediction:

Organizations will see a significant uptick in these attacks. Defenses, including two-factor authentication, attack detections and more need to be planned, and put in place with proper alerting systems to detect and block these attacks.

Zynga, EatStreet, Coinmama, Canva, Flipboard, DockerHub, Intuit.

These are some of the many companies that either lost user credentials in a data breach or were victims of a credential stuffing attack.

This year has been quite a massive year when it comes to credential attacks – be it stealing them or using them for account takeover. Early in the year, the massive Collection #1- #5 dump with over 2.2 billion unique credentials. We acquired the database and ran it against our existing credential dump, and a significant bit of the dump was previously leaked credentials. The dump itself easily dwarfed 2018’s Pemiblanc, and as the name suggests, it is mostly a collection of old data put together.


Source + larger image
Collection was followed by the GnosticPlayers dumps. GnosticPlayers as the hacker called themselves, started releasing previously unseen data dumps, including Canva and EatStreet. For the most part, these dumps seem to be valid and unique user credentials, and the dumps have been quite massive – Dubsmash, MyFitnessPal, Houzz, ClassPass and more. The images below give you an idea of the number of dumps they have posted.


Source
 

 

Typically though, we don’t really hear much about the effects of these data branches. Those following the data breach news closely hear about the breaches, and some of the effects. That said, one event brought out the risks of these data breaches and credential reuse out quite massively –


Source
Let’s get one thing clear right at the start: there is no evidence of a Disney+ data breach. Not even the person/s, who, within days of the launch, managed to dump thousands of valid credentials claim that there was a data breach.

What seems to have happened is, however, credential reuse. The malicious actors seem to have taken previously dumped data and validated it against Disney+ to see which ones were in use. When they got valid data, they proceeded to lock the users out of their accounts and sell their credentials. Users could no longer login to their accounts and are presumably working with Disney to reset their account credentials. This attack is a little concerning – over the last few years, there have been a variety of effective products to guard against such attacks. These include products that can detect such low and slow attacks and alert the application owners or block the attacks. In this case, we don’t know yet if this was identified but not blocked, or if it was not identified at all while in progress. We await more information.

Since last year, credential attacks have become more and more prevalent. Folks like Troy Hunt, who runs haveibeenpwned, have been trying to get everyone to start safeguarding their credentials. However, given the long history of painful password policies (something even NIST has acknowledged and is moving on from), it looks like it will take some time.

When it comes to organizations, there are a few things they can do to recede the impact of such attacks.

  • Impose sane password guidelines to reduce password reuse. For employers, it may make a lot of sense to provide password managers. Apple is rumored to have done so, and actually provided employees with family plans for the password management tool.

  • Implement multi-factor authentication

  • Secure all applications against credential (and other) attacks –

    • Ensure you have sufficient protections against all app attacks, including the OWASP Top 10

    • Have systems in place to detect and block low and slow bots (Slow bots are attackers/bots who come in from different regions over a longer period to avoid detection)

    • Ideally, implement a solution that can check all incoming credentials against known leaked credentials. This is not a 100% solution, but along with #2, it can help you identify and block these attacks quite early on




At Barracuda, we’ve launched the Advanced Bot Protection (ABP) product earlier this year. ABP is part of our Cloud Application Protection (CAP) platform and works together with our WAF product line to detect and block all types of advanced bot attacks. A big part of this product is Credential Stuffing security. With a large database of known leaked credentials, we can detect incoming account takeover/brute force attacks with ease. As part of the ABP product, this feature can take advantage of our Cloud Machine Learning Layer to identify the most advanced attackers. For a no-risk 30-day trial, visit our corporate site at www.barracuda.com/waf.

Tushar Richabadas

Tushar Richabadas is Senior Product Marketing Manager, Applications and Cloud Security, Barracuda.  Prior to this role, Tushar was a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC, with a focus on cloud and automation.  Tushar has a wide range of experience, from leading networking product testing teams and technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.

Connect with him on LinkedIn here.

Related Posts:
e-book: The new ABCs of application security
e-book: The new ABCs of application security
 Understanding coming application security trends and the new OWASP Top 10
Understanding coming application security trends and the new OWASP Top 10
 The alphabet soup of cloud protection
The alphabet soup of cloud protection
 Secured.21: Threat trends and the future of application security
Secured.21: Threat trends and the future of application security