Some credential-stuffing botnets don't care about being noticed any more

The bots spewing out malicious login attempts by the bucketload appear to have cranked it up a notch. According to Akamai's latest State of the Internet report on credential stuffing (PDF), its customers alone were deluged by 30 billion malicious logins between November 2017 and June this year, an average of 3.75 billion per …

  1. msknight

    The Chinese regularly try and hack my little WordPress site

    I now have a regular call with the ISP to do an .htaccess deny on any Chinese-owned IP address. Not that anyone in China would have been able to access my web sites anyway.

    That one action alone has saved me a lot of grief.

    They do attack now and then, from VPNs to other countries, but I know it's them because it's the same attack pattern every damn time. On the one hand, they're intelligent and persistent. On the other, they leave their fingerprints over everything. Conclusion... they're just a battering ram and don't care that the world knows that they're hacking us.

    1. frank ly

      Re: The Chinese regularly try and hack my little WordPress site

      I don't have a WordPress site or anything associated with that, but I do have a little FTP server appliance at home (with an obscure username and password) that is connected to the internet (port forwarding via my router). Soon after I set it up, the logs were full of login attempts and attempts to access folders that had names associated with WordPress configuration folder path names.

      I tried moving it to an obscure port location like 56823 which stopped the attempted accesses for about a week. Then, some port scanning person found it and tried to log in. After a week, he must have told all his 'friends' because the attempts to get to Wordpress types of folder pathnames started up again.

      The majority of IP addresses associated with this behaviour came from China, East Asia and Eastern Europe. It may be some kind of hobbyist/cottage industry type thing that I assume sells the details of successful attempts to more 'professional' criminal groups.

      If it's connected to the internet, somebody will notice it and try to get into it.

      1. Anonymous Coward

        Re: If it's connected to the internet, somebody will notice it and try to get into it.

        Honeypots.

        1. phuzz

          Re: If it's connected to the internet, somebody will notice it and try to get into it.

          A honeypot will waste their time a bit, but given the scale of the attempts, is it really going to dissuade anyone?

      2. Anonymous Coward

        Re: The Chinese regularly try and hack my little WordPress site

        There is a large malvertising scheme that has been using infected WordPress sites.

        I'm thinking that it may be these miscreants trying to get at your WP site:

        https://malware.dontneedcoffee.com/hosted/anonymous/kotd.html

        https://blog.malwarebytes.com/threat-analysis/2018/09/mass-wordpress-compromises-tech-support-scams/

    2. cd

      Re: The Chinese regularly try and hack my little WordPress site

      Install Wordfence and you can block IPs and ranges with the Advanced Blocking pane. And see in real time who is trying via Live Traffic.

      I tended a site besieged by a certain corrupt international child molesting religious agency and never went down due to vigilant blocking and some other measures. But they tried.

      Also, obscure your login page; most scripts look in the same hierarchy.

      1. Bibbit

        Re: The Chinese regularly try and hack my little WordPress site

        "I tended a site besieged by a certain corrupt international child molesting religious agency"

        You got hacked by the Vatican? Is nothing sacred?

  2. P. Lee

    >Short of imposing authentication and magically abolishing crap passwords, can the bots be stopped?

    The problem is that it turns out that strong mobile authentication invades privacy and we have fewer and fewer reasons to trust the large providers. Until we sort out the privacy issue, we will have a problem.

    It might be simple, such as a VPN back to a home router or a remote-control Mozilla instance, or it could be something a little more advanced, such as a new email client which provides a Facebook-like interface to an IMAP server. Posts are emailed, which increases traffic volumes, but adverts disappear.

  3. Bronek Kozicki

    I use fail2ban with a tweak to ban a whole network segment, as per IP ownership lookup. It is really an obligatory tweak on sites which support IPv6 (and mine does).

    1. Missing Semicolon

      Fail2Ban works well for this

      So why is it so bloody awful to set up? It seems almost deliberately difficult to add a service log file to its search list to detect probing activity. And the default actions do almost no blocking.

      Set it up right, and the bad guys will soon give up, as your service becomes invisible to them.

      1. Gene Cash

        Re: Fail2Ban works well for this

        Fail2Ban has been getting a lot better on Debian. I don't know if that's changes to the core, or patches Debian has added.

      2. Anonymous Coward

        Re: Fail2Ban works well for this

        Easy enough to get a list of all Chinese IP addresses (or Ukraine, Russia, whatever).

        I use http://www.ipdeny.com/ipblocks/data/aggregated to get the lists and drop them using iptables.

        Fail2ban blocks anyone with two or more 404 responses for a few hours.

        Cuts malware / login attempts from a high of thousands to less than a dozen a day.

  4. Giovani Tapini

    Maybe just

    forcing password changes once in a while...

    Inconvenient, possibly, but at least it puts a shelf life against stolen credentials. It does not even need all the thinking that a second factor needs, or other passwordless authentication. Not advocating it as a security baseline, but very few places would even need to change their code to achieve this.

    1. Deckard_C

      Re: Maybe just

      Just makes it more likely for people to use the same password across sites. At best the new password will just have 1 added to the number part. Which the bots can easily be programmed to try.

      1. vtcodger

        Re: Maybe just

        Look folks. I really don't care about securing my password for Slashdot, The Register, or a multitude of other non-financial sites. Neither do many (I suspect most) other users. The password/account logic is imposed by the sites for their convenience, not mine. For them I reuse the same password within the limits of obscure and often conflicting length and content rules. So do my wife, my kids, and (I suspect) damn near everyone.

        Fifty plus years of computer work tell me that attempting to educate users or to force them to do things your way is pretty much a complete waste of time. I really believe that "crap" and reused passwords are part of the universe we live in. They aren't going away.

        User authentication is a huge problem. It's a problem that will, I think, quite likely eventually limit the utility of the Internet. Basically, the problem is that a website that is actually secure -- for example the US treasurydirect.gov -- is going to be horribly difficult to access and is likely to have other problems as when multiple individuals need to access an account.

        Do I have an answer? Nope. If I did, I'd be working on a business plan, not posting here.

        But I do think you folks should recognize that passwords don't work very well and, as far as I can see, probably can never be made to work much better than they do now.

        (Interestingly, one organization that I actually need to interface with has a website that is perpetually broken in one way or another, but has something I'd thought to be unlikely -- an automated phone system that actually works. FWIW, it authenticates me by date of birth and postal code. Not great from a security point of view, but not awful, and better, considering the medium and all, than passwords.)

        2. It's just me

          Re: Maybe just

          The FIDO2 protocol seems to be a good solution that is just starting to be rolled out.

          https://fidoalliance.org/fido2/

          I haven't looked too closely at it yet but the SQRL protocol also sounds like a solution.

          https://www.grc.com/sqrl/sqrl.htm

      2. cray74

        Re: Maybe just

        At best the new password will just have 1 added to the number part.

        I can tell one of my engineering managers has been employed here since passwords were 6 characters shorter. I usually sit in the morning conference room where I can see her log in, and there's a distinctive bit of typing where she adds 6 repeating characters at the end. I've been tempted to send her a Register article on password security but that might not be as amusing to her as it would be (briefly) to me.

        Her predecessor, on the other hand, had an incredible password that was way longer than required and had her two-hand typing all over the keyboard. When asked, she said she used phrases from favorite novels. I've always wanted to do that but I have trouble remembering where I put the numbers and non-alphanumeric symbols.

        1. Anonymous Coward

          Re: Maybe just

          Her predecessor, on the other hand, had an incredible password that was way longer than required and had her two-hand typing all over the keyboard. When asked, she said she used phrases from favorite novels. I've always wanted to do that but I have trouble remembering where I put the numbers and non-alphanumeric symbols.

          It is a truth universally acknowledged, that a single man in possession of a good fortune must be in want of a password manager.

    2. Just Enough

      Re: Maybe just

      Forcing password changes just ensures that people use weak passwords. And doubles the support calls to your help desk.

      Just tell users not to re-use passwords. For pity's sake, do not re-use passwords!!

    3. Bronek Kozicki

      Re: Maybe just

      "... at least it puts a shelf life against stolen credentials"

      If passwords are not reused, that should not be a problem. In case of a genuine password leak, the correct way to enforce password security is via monitoring of user logins. That gives you a much shorter reaction time and also a view of the damage incurred.

  5. Joe Montana

    Abolish crap passwords?

    Abolishing crap passwords won't help when the source of the passwords is a breach from another location... Doesn't matter how strong a password is if it's getting leaked from somewhere that doesn't store it securely.

    Blocking based on IP is also pointless due to the excessive use of NAT these days, blocking a single address often results in millions of innocent users being blocked simply because they use the same provider as a single compromised user.

    Also most of these "attacks" are not actually perpetrated by anyone even remotely related to the source address. Attacks frequently come from Chinese addresses because China is full of cracked software which never receives updates (updating often overwrites the cracked binaries), so their machines are easy targets. The same is true of many other countries, but China just has a greater volume of users.

  6. Pascal Monett

    "they'll [..] invest when it's too late"

    Methinks we're already at that stage. Breaches are so common now they barely get noticed, and nothing ever gets done about it anyway.

    We're lucky if they think of closing the stable door.

  7. DonatelloNobatti

    Pure fiction

    Until international law enforcement gets serious about tracking down and prosecuting people for this type of activity, it will get worse.

    Right now, it's simply a game. Time to bring law enforcement into the internet age.

    Enforcement costs could be recovered with heavy fines and asset confiscation.

  8. Anonymous Coward

    'Short of imposing authentication and magically abolishing crap passwords, can the bots be stopped?'

    There's a massive disconnect here. Users can't understand why services don't offer 15 min lockouts and region locking on their accounts etc. Services don't understand why users keep repeating the same crap passwords across multiple services etc.

    From the Fortnite hacking clusterfck etc, we know hackers are guessing at usernames not passwords (as they have those already). So services need to get wise to this, and turn security on its head.

    Instead of looking at failed login attempts based on username, services need to look for passwords (salted / hashed etc) that are being repeated across a large volume of accounts, and ignore the fact that the hits are coming from rotating IP addresses etc...

    https://kotaku.com/whats-really-going-on-with-all-those-hacked-fortnite-ac-1823965781
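
Added example (not from the article or any commenter) of the cross-account view this post describes. It assumes a server-side secret so attempted passwords can be fingerprinted with an HMAC rather than logged in clear (a per-user salted hash could not be compared across accounts), and runs over constructed sample attempts to show that per-user and per-IP failure counts stay flat while the one shared password stands out.

```python
"""Credential-stuffing detection by counting distinct accounts per
attempted password, rather than failures per username or per source IP."""
import hashlib
import hmac
from collections import defaultdict

# Server-side secret (constructed placeholder, assumed to exist); rotate it
# to forget old fingerprints. Never store the attempted password itself.
PEPPER = b"constructed-pepper-replace-me"

def fingerprint(password: str) -> str:
    """Keyed, account-independent tag: same password -> same tag."""
    return hmac.new(PEPPER, password.encode(), hashlib.sha256).hexdigest()[:16]

def per_key_failures(attempts, key):
    """Classic lockout view: failed attempts grouped by 'user' or 'ip'."""
    counts = defaultdict(int)
    for a in attempts:
        if not a["ok"]:
            counts[a[key]] += 1
    return dict(counts)

def stuffed_passwords(attempts, min_accounts=10):
    """Passwords tried against >= min_accounts distinct usernames, counted
    regardless of outcome or source IP. Returns {fingerprint: {usernames}}."""
    seen = defaultdict(set)
    for a in attempts:
        seen[fingerprint(a["password"])].add(a["user"])
    return {fp: u for fp, u in seen.items() if len(u) >= min_accounts}

def constructed_attempts():
    """Constructed sample: 25 accounts tried with one leaked password, each
    from a different IP (one of them succeeds), plus ordinary user activity."""
    attempts = [{"user": f"user{i:02d}", "ip": f"203.0.113.{i}",
                 "password": "Summer2018!", "ok": i == 7} for i in range(25)]
    attempts += [
        {"user": "alice", "ip": "198.51.100.5", "password": "hunter2", "ok": False},
        {"user": "alice", "ip": "198.51.100.5", "password": "hunter22", "ok": True},
        {"user": "bob", "ip": "198.51.100.9", "password": "correct horse", "ok": True},
    ]
    return attempts

def summarise(attempts):
    """Compare what per-user / per-IP thresholds see with the cross-account view."""
    by_user = per_key_failures(attempts, "user")
    by_ip = per_key_failures(attempts, "ip")
    flagged = stuffed_passwords(attempts)
    return {
        "max_failures_per_user": max(by_user.values()),
        "max_failures_per_ip": max(by_ip.values()),
        "flagged_passwords": len(flagged),
        "accounts_hit": max((len(u) for u in flagged.values()), default=0),
    }

if __name__ == "__main__":
    print(summarise(constructed_attempts()))
```

With the sample data no username or IP ever reaches two failures, so a conventional lockout never fires, yet one fingerprint is seen against 25 accounts, including the one attempt that succeeded.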

  9. Anonymous Coward

    Maybe sites need two factor authentication

    It would be nice if I could use two factor auth at The Register and many other sites I don't care about my password enough to not re-use the same password for, so that if I logged in using a browser that didn't have an El Reg cookie set for a previous successful login it would send me an email with a code that I'd have to type in.

    That's a LOT more likely to be accepted than the ridiculous idea that I should use a different and nicely complex password at every single site I have a login for. I just won't, because I don't care if someone gets my Reg credentials. Worst case, some miscreant uses it to post spam in the forums, which The Register will have to deal with, by locking my account and deleting all the crap.

    If that happens with enough Reg accounts that they don't want to keep doing that, I hope their response is to enable two factor auth, rather than forcing everyone to set a new password (and prevent us from changing back to the old one, or a minor variant of it, which is what I'll do if they try to make me change it).

    I've never seen spam here, so they either delete it VERY quickly or spammers don't care about compromising Reg logins.

    1. Gene Cash

      Re: Maybe sites need two factor authentication

      I downvoted you because of the ultra-shitty way most sites do two factor authentication.

      For example, I got a new credit card from Capital One. Their website needs a code to log in, since it's a new unrecognized computer. Fine.

      I have an option to text my phone. However it says it's not my phone... the address/name/phase of the moon doesn't match and refuses to use the number.

      I have an option to have it call a number and say the code. However, when it calls, it says "no input was received. good bye" and hangs up.

      I have an option to call support, and have them give me the number.

      So I call, and it's one of those fucktarded systems that insists on you saying the number, instead of hitting the phone button.

      Except it doesn't understand me, and tells me it will hang up on me if I don't choose something.

      So you can bet I pounded some numbers, got a human on the phone, and canceled my brand new card.

      And that's just the latest in a series of encounters with 2FA.

      1. Anonymous Coward

        Re: Maybe sites need two factor authentication

        Hmmmm, I've never had similar problems using two factor with either text you or call type authentication. Though for sites like El Reg I was thinking emailing a code would be fine - if someone compromises both my generic web forum password AND my email, I likely have much bigger problems than someone impersonating me at The Register!

      2. veti

        Re: Maybe sites need two factor authentication

        Ah, you're lucky you got to talk to a human...

        Last time I tried to call a system like that, it wouldn't give me that option, not even by the time-honoured "wait two hours for the call centre drone to wake up" route. The only way to talk to a human was to request a call back. Since the phone I was using wouldn't accept the incoming call, that left me pretty well stuck.

        1. Anonymous Coward

          Re: Maybe sites need two factor authentication

          Where did I say I talked with a human? These systems were all automated, and all just worked. You must just have terrible luck, because implementing a system for a simple email/text/automated call to send a code then require it as input would be pretty hard to mess up.

  10. Not Enough Coffee

    So, based on the attack sources, why don't sites remember "typical" login areas and automatically require two-factor auth for new locations? That is, if I normally log into WordPress from Florida, why assume I'm suddenly in China? If I'm not logging in from my usual location, have me confirm it even if the username and password were correct.

  11. Aodhhan

    Only a matter of time

    Since most organizations don't build a robust network operations center to monitor live security events, nobody will notice these attacks occurring until well after the fact--most likely on some weekly report.

    If we've learned anything from recent attacks on large organizations, it's that it takes a while before anyone notices. So it was only a matter of time before malicious hackers started to take advantage of this.
