Beginning on February 7, an Imperva-protected account was targeted by an ongoing account takeover (ATO) attack that lasted for two weeks. On average, attacks last a few hours or a couple of days at most, so the length of this attack was an anomaly and underscores the persistence of the attackers. As a point of comparison, a previous DDoS attack tracked by Imperva was considered significant because it lasted over four hours. This ATO attack was not the largest by volume, but its duration is notable because it is the longest attack we’ve seen.
A Mexico-based grocery store’s mobile site login portal was targeted by an average of 600,000 risky logins per day from the start of the attack, with a peak of 1.5M risky logins on February 17 and a total of 11M logins over the duration of the attack. The majority of attack attempts targeted the site with credential stuffing, in which attackers try previously compromised username and password pairs against the login form in the hope that they are reused. In fact, as many as 150,000 distinct login credentials were used in a single attack. This attack was unusual because it combined “low and slow” methods – trying one credential at a time over a period of days – with “noisy” attacks that flooded the site with thousands of credentials at once.
The online accounts of the targeted website stored payment details, coupon codes, and personal information (e.g. name and addresses) for the purpose of arranging grocery delivery. All of this information is valuable to attackers. Their intent is to steal and resell the data on the dark web, where a credit card number can be sold for over $100, and name and address data can be sold for at least a dollar per line. When attackers find a working username and password combination, it is often reused on other sites for the purpose of credential stuffing to find more valuable personal data.
Attacks came from about 160,000 distinct IPs, mostly based in the US. Within a week of the attack starting, the same IPs were used to target other Imperva-protected sites with ATO attacks. Based on Imperva’s analysis of IP threat reputation, many of the IPs used already had a heightened risk score at the time of this attack because they had been involved in suspicious activity. In fact, the IPs had an average risk score of 57%, and the highest risk score was 94%.
During this attack, the majority of IPs visiting the site originated from a cloud service provider (CSP), with many located in the US. Attackers likely used CSPs in order to conduct a cost-effective, scalable attack while remaining anonymous.
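The two patterns described above, a burst of many credentials from one source and a trickle of one new credential at a time over days, can both be surfaced from per-source login history. The following is an added example, not Imperva’s code; the thresholds, the IP addresses and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (timestamp, source IP, username, success flag); not real traffic.
def build_sample_events():
    t0 = datetime(2024, 2, 7)
    events = []
    # "noisy" source: 30 different usernames in under two minutes, all failing
    events += [(t0 + timedelta(seconds=3 * i), "203.0.113.10", f"user{i}", False) for i in range(30)]
    # "low and slow" source: one new credential every six hours for three days, all failing
    events += [(t0 + timedelta(hours=6 * i), "198.51.100.20", f"cust{i}", False) for i in range(12)]
    # legitimate customer: the same account, a few successful logins over the week
    events += [(t0 + timedelta(days=i), "192.0.2.30", "carol", True) for i in range(4)]
    return events

def classify_sources(events, burst_window=timedelta(minutes=5), burst_users=20,
                     slow_span=timedelta(hours=24), slow_users=10, fail_ratio=0.9):
    """Label each source IP 'noisy', 'low-and-slow' or 'normal' from its login history."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        per_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, evs in per_ip.items():
        evs.sort()
        failures = sum(1 for _, _, ok in evs if not ok) / len(evs)
        # Burst check: distinct usernames inside any sliding window of length burst_window.
        noisy, start = False, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > burst_window:
                start += 1
            if len({u for _, u, _ in evs[start:end + 1]}) >= burst_users:
                noisy = True
                break
        # Slow check: many distinct usernames spread over a long span, almost all failing.
        span = evs[-1][0] - evs[0][0]
        distinct = len({u for _, u, _ in evs})
        slow = span >= slow_span and distinct >= slow_users and failures >= fail_ratio
        verdicts[ip] = "noisy" if noisy else "low-and-slow" if slow else "normal"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(build_sample_events()).items():
        print(ip, verdict)
```

Per-IP counting alone misses a distributed campaign of the scale described above, so in practice the same distinct-username and failure-ratio checks are also worth running per ASN or per CSP address range.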
Attackers are creative and constantly seeking new vectors to steal information. Something as simple as a grocery store’s member account can be exploited to steal data. As witnessed in this incident, it was valuable enough for attackers to target the site for two straight weeks. Let this be a reminder that it’s always crucial to ensure your site is protected against attacks like this, and others!
Mitigate the risk of Account Takeover with Imperva
Imperva provides login protection without affecting your legitimate user traffic and with no added latency. Account Takeover Protection enables fraudulent behavior investigation and detection by bringing the focus to the login functionality as a whole. Using a proprietary, multilayered detection process, it determines with pinpoint accuracy whether interactions with your website have the characteristics of an account takeover attempt, stopping malicious account takeover attacks before they have a chance to reach your infrastructure. The intuitive dashboards provide clear visibility and actionable insights into attack attempts, leaked user credentials, compromised user accounts, and successful login attempts, while user behavior anomaly detection points out accounts at risk of fraudulent activity.
Account Takeover Protection is part of the market-leading Imperva Web Application & API Protection (WAAP) solution. Start your Application Security Free Trial today to protect your login pages.