As part of Radware's ongoing threat monitoring, Radware's CTI team tracks more than 26 underground marketplaces where hackers trade breached accounts. In those marketplaces, threat actors who run account takeover attacks advertise their freshly breached accounts for sale. Some of the indicators Radware uses to assess risk include:
- Type of targets per threat actor: reflects the industries the threat actor is focusing on.
- Number of accounts for sale per target and threat actor: reflects how many accounts that actor has breached.
- Number of restocks: each restock represents a new successful attack.
- Time of restock: breached accounts do not keep well (the targeted application can terminate them at any time after the breach), so threat actors sell freshly breached accounts as soon as possible; the restock timestamp is therefore an estimate of when the attack took place.
Figure: Examples of ads by low-and-slow account crackers specializing in social media accounts (Source: Shellix.XYZ)
The traditional “hit and run” attack mindset:
Account takeover attacks, and particularly Credential Stuffing attacks, are traditionally managed as “hit and run” operations:
- Targets: the threat actor attacks thousands of accounts using thousands of bots, each bot trying different reused passwords against different victims.
- Attack duration and output: 10-30 minutes, yielding several hundred breached accounts per attack.
- Afterwards, the threat actor updates the ads in the underground marketplace where the accounts are sold.
This mindset has a few weak points from the threat actor’s perspective:
- Notable attack fingerprint: the large traffic spike these attacks create makes them highly visible, especially to the target's security team.
- Volumetric detection that limits the number of actions per IP forces threat actors to pay for proxy IP services, raising the cost of the attack.
- Low success rate: since most traditional application protection services are designed to mitigate exactly these fast, noisy attacks, they succeed relatively rarely, on the order of 1 breached account per 100 attempted.
This mindset is still mainstream in the world of account takeover. However, Radware's CTI team has noticed a growing cluster of threat actors adopting a mindset that addresses the weak points of "hit and run": the "low and slow" attack mindset:
- Low scope of operation: 60-80 bots on 10-20 accounts, roughly 10-23% of the scope of a "hit and run" operation. These figures are reflected in the attack scripts we found low-and-slow threat actors using: each script exposes a "CPM" (Credentials Per Minute) setting, the recommended attack pace for staying under the target's detection thresholds, and the low-and-slow actors turn this CPM number down.
- Attack duration and output: on average between 14 hours and 3-4 days, during which several thousand accounts are collected.
- The threat actors automatically update their ads in the underground marketplace where they sell the accounts, as a continuous stream of small stock updates.
Low-and-slow credential stuffing operations tend to have a relatively high success rate: over the course of a run, threat actors collect several thousand accounts rather than the few hundred a short burst yields. This is because many application protection vendors still rely on their security teams to identify threats, and those teams often overlook the subtle indicators these attacks leave behind.
Bypass Traditional Defenses:
Unlike "hit and run" operations:
- These operations do not generate traffic spikes and therefore often go unnoticed.
- Because a low-and-slow run takes over only a handful of accounts at a time, support teams typically do not receive a wave of customer tickets reporting breached accounts.
- Low-and-slow attacks can reuse the same IP addresses, since each address stays below the target's detection threshold; IP reputation services therefore cannot help.
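The contrast between the two mindsets is easiest to see in detection logic. The following is an added example, not code from Radware or from the post: it builds a constructed login log containing a hit-and-run burst, a low-and-slow run that keeps its pace to one attempt per five minutes from a single IP, and a legitimate user, then runs two detectors over it. The first is a classic volumetric rule (attempts per IP in a short sliding window); the second profiles each IP over a long window by distinct usernames attempted and failure ratio, which is the kind of behavioral signal the "low scope" and "same IP" bullets above leave behind. All IPs, usernames, thresholds and timings are invented for the sample.

```python
"""Volumetric vs. long-window behavioral detection of credential stuffing.

Added example over a constructed login log; not Radware's code. Sample IPs,
usernames, counts and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


T0 = datetime(2024, 1, 1, 0, 0, 0)  # constructed start time of the sample log


def build_sample_log() -> list[LoginEvent]:
    """Constructed log: a hit-and-run burst, a low-and-slow run and a legit user."""
    events: list[LoginEvent] = []
    # Hit and run: one bot IP fires 150 attempts in ~10 minutes (4 s apart),
    # a different username each time, roughly 1 in 100 succeeds.
    for i in range(150):
        events.append(LoginEvent(T0 + timedelta(seconds=4 * i), "198.51.100.7",
                                 f"user{i:04d}", success=(i % 100 == 0)))
    # Low and slow: one IP, one attempt every 5 minutes for 24 h (288 attempts),
    # again a fresh username each time, about 1 in 30 succeeds.
    for i in range(288):
        events.append(LoginEvent(T0 + timedelta(minutes=5 * i), "203.0.113.9",
                                 f"victim{i:04d}", success=(i % 30 == 0)))
    # Legitimate user: same username, a few attempts spread over the day, one typo.
    for i, ok in enumerate([True, False, True, True]):
        events.append(LoginEvent(T0 + timedelta(hours=6 * i), "192.0.2.20", "alice", ok))
    return sorted(events, key=lambda e: e.ts)


def peak_attempts(events: list[LoginEvent], window: timedelta) -> dict[str, int]:
    """Per IP, the maximum number of attempts seen in any sliding window."""
    peak: dict[str, int] = defaultdict(int)
    recent: dict[str, deque] = defaultdict(deque)
    for e in events:
        q = recent[e.src_ip]
        q.append(e.ts)
        while e.ts - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        peak[e.src_ip] = max(peak[e.src_ip], len(q))
    return dict(peak)


def volumetric_flags(events: list[LoginEvent],
                     window: timedelta = timedelta(minutes=5),
                     max_attempts: int = 20) -> set[str]:
    """Classic rate limit: flag any IP exceeding max_attempts within the window.
    This is the control a low-and-slow actor tunes CPM to stay under."""
    return {ip for ip, n in peak_attempts(events, window).items() if n > max_attempts}


def behavioral_flags(events: list[LoginEvent],
                     window: timedelta = timedelta(hours=24),
                     min_distinct_users: int = 25,
                     min_fail_ratio: float = 0.8) -> set[str]:
    """Long-window profile: one IP trying many distinct usernames with a high
    failure ratio is credential stuffing regardless of how slowly it goes."""
    flagged: set[str] = set()
    recent: dict[str, deque] = defaultdict(deque)
    for e in events:
        q = recent[e.src_ip]
        q.append(e)
        while e.ts - q[0].ts > window:
            q.popleft()
        distinct = {x.username for x in q}
        fails = sum(1 for x in q if not x.success)
        if len(distinct) >= min_distinct_users and fails / len(q) >= min_fail_ratio:
            flagged.add(e.src_ip)
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("peak attempts per IP per minute:", peak_attempts(log, timedelta(minutes=1)))
    print("volumetric detector flags:      ", volumetric_flags(log))
    print("behavioral detector flags:      ", behavioral_flags(log))
```

On the sample, the volumetric rule flags only the burst IP; the low-and-slow IP never exceeds two attempts in any five-minute window, so it passes exactly as the bullets above describe, even though it attempts hundreds of distinct usernames from a single, reusable address. The long-window profile flags both. The caveat is the inverse case: an actor who also rotates IPs so that each address tries only a few usernames will slip past a per-IP profile, and the signal then has to be taken per target account or from the global failure rate over the same long window.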
Summary
The rise of "low and slow" attacks highlights the limitations of traditional, volume-based defense strategies. Adapting to this shift requires organizations to embrace more nuanced, intelligence-driven approaches that focus on identifying subtle patterns and behaviors. Advanced behavioral analytics and strong application-layer defenses play a crucial role in detecting and mitigating these prolonged and stealthy threats. By evolving our defenses to meet the challenges of this new landscape, we can strengthen security and safeguard the digital environment in 2024 and beyond.
In my next blog post, I will share five ways bot operators bypass traditional application protection defenses, as I learned from three threat actors' tutorials.