Akamai's Ryan Barnett reports on two attacks against the service's financial customers last year: attackers used nearly 1m compromised systems to attempt to log in to users' accounts using logins and passwords from earlier breaches.
Many of the attacks originated from proxies, but the response team found a high number of ZyXEL and Arris home routers -- provided by ISPs in an insecure state and not patched after deployment.
While distributed attacks are common, this story is a kind of trifecta of infosec badness: hacked, headless IoT devices rented to customers who aren't allowed to reconfigure them; email/password breaches leaked from insecure services being leveraged on the assumption of password re-use; and attacks originating from a million IPs -- all directed at financial accounts in a way that could clean its victims out of their life savings.
We analyzed two ATO attack campaigns that took place February 10-17, 2016. During this time, many domains were attacked; however, 93% of the attacking IPs were part of a campaign that targeted two specific customers and three domains. These two targeted campaigns were many orders of magnitude greater than all the other ATO attacks combined.
In the repeated attacks against a customer in the financial services industry, 999,980 IPs were involved in the attacks against the customer's login page. One campaign was responsible for more than 90% of the total attack volume. Here is a closer look at this campaign:
993,547 distinct IPs
427,444,261 accounts checked
22,555 IPs previously blocked based on WAF event logs
The rate of the attack was steady as 75% of attackers participated for multiple days, as shown in Figure 3-17.
Web Application Defender's Field Report: Account Takeover Campaigns Spotlight
(Image: ZyXEL Prestige 600 series 20070304, Warko, PD)
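As an added example (not code from the post or from Akamai's report), a small Python detector for the pattern quoted above: it aggregates per-IP distinct-account counts and failure ratios over constructed login-audit lines, then produces campaign-level figures of the kind the report lists (distinct IPs, accounts checked, share of sources active on multiple days, sources a WAF had already blocked). The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample login-audit lines (not from Akamai's report), one attempt per line.
SAMPLE_LOG = """\
2016-02-10T03:14:07Z ip=203.0.113.7 user=alice@example.com result=fail
2016-02-10T03:14:09Z ip=203.0.113.7 user=bob@example.com result=fail
2016-02-11T04:01:30Z ip=203.0.113.7 user=carol@example.com result=fail
2016-02-10T03:15:00Z ip=198.51.100.9 user=erin@example.com result=fail
2016-02-10T03:15:02Z ip=198.51.100.9 user=frank@example.com result=fail
2016-02-10T03:15:05Z ip=198.51.100.9 user=grace@example.com result=fail
2016-02-10T08:00:00Z ip=192.0.2.44 user=heidi@example.com result=fail
2016-02-10T08:00:40Z ip=192.0.2.44 user=heidi@example.com result=success
"""

def parse_line(line):
    """Return (day, ip, user, result) from one 'timestamp key=value ...' line."""
    ts, rest = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in rest.split())
    return ts[:10], kv["ip"], kv["user"], kv["result"]

def aggregate(log_text):
    """Per-IP counters: attempts, failures, distinct accounts, distinct active days."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "days": set()})
    for line in log_text.splitlines():
        day, ip, user, result = parse_line(line)
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += result == "fail"
        s["users"].add(user)
        s["days"].add(day)
    return stats

def flag_stuffing(stats, min_users=3, min_fail_ratio=0.7, waf_blocked=frozenset()):
    """Flag IPs that cycle through many distinct accounts and mostly fail.
    A per-IP request-rate limit misses a campaign spread over ~1M sources; the
    distinct-account count is what separates a stuffing node from a user who
    mistyped a password. waf_blocked: IPs the WAF already blocked (optional)."""
    flagged = {}
    for ip, s in stats.items():
        if len(s["users"]) >= min_users and s["failures"] / s["attempts"] >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "active_days": len(s["days"]),
                           "previously_blocked": ip in waf_blocked}
    return flagged

def campaign_summary(flagged):
    """Campaign-level figures of the kind the report quotes: sources, accounts, persistence."""
    n = len(flagged)
    return {"distinct_ips": n,
            "accounts_checked": sum(f["distinct_users"] for f in flagged.values()),
            "multi_day_share": sum(f["active_days"] > 1 for f in flagged.values()) / max(n, 1)}
```

On the sample, the two hosts cycling through three accounts each are flagged while the user who mistyped a password once is not; `flag_stuffing(aggregate(SAMPLE_LOG), waf_blocked={"198.51.100.9"})` shows the previously-blocked cross-check.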
Iowa state court officials contracted with Coalfire to conduct "penetration tests" on its security; as part of those tests, two Coalfire employees broke-and-entered the Adel, Iowa courthouse, and were caught by law-enforcement, whose bosses in Dallas County were not notified of the test.
Eleanor Saitta's (previously) 2016 essay "Coercion-Resistant Design" (which is new to me) is an excellent introduction to the technical countermeasures that systems designers can employ to defeat non-technical, legal attacks: for example, the threat of prison if you don't back-door your product.