
15 November 2018

New threats like credential stuffing target OTT services

Illicit redistribution has become a major focus for revenue theft from online video services, for both live and on demand content, raising demand for forensic watermarking to facilitate detection and rapid take down of infringing streams. But the rise of online distribution and cloud services is also exposing operators and content distributors to the cybersecurity attacks common to other sectors, as Akamai points out in its latest State of the Internet/Security report (Q4 2018).

Some of these attacks steal revenue directly as well as stopping services. The potential damage from Distributed Denial of Service (DDoS) attacks is well known, but other forms of attack have grown quickly over the last few years. Akamai highlighted the threat that credential stuffing poses to any online service accessed with a username and password pair, which includes Netflix as well as the OTT-only offerings from pay TV operators. Credential stuffing is the automated injection of breached username/password pairs into login forms in order to gain fraudulent access to user accounts.

Two factors have combined to trigger a boom in credential stuffing: the spate of major security breaches in which personal credentials are stolen, and the tendency of many consumers to reuse the same password across two or more services. The breaches have fed the dark web with plenty of places where username/password pairs can be purchased. The users concerned will usually have been alerted to the breach and changed their password for the breached service, but many will have failed to heed advice to do the same for the other online services where they reused it.

That exposes them to credential stuffing, in which the stolen username/password pairs are tried against a list of other services the users concerned may subscribe to. This is trial and error, and in the great majority of cases an individual attempt fails, but even a small success rate compromises a large number of accounts in absolute terms when a few million stolen username/password pairs are being replayed.

Research by cybersecurity firm Shape Security estimated the credential stuffing success rate at 0.05 percent, but that still meant that out of 232.2 million malicious login attempts made on an average day, 116,106 would lead to a successful login or account takeover.

Akamai reported a total of 8.3 billion malicious login attempts on its Intelligent Edge Platform between May and June 2018, which at that success rate equates to about 4.15 million successful logins. The attacks are no harder to mount than DDoS, yield more reliable gains, and attract less severe penalties when caught than, say, DDoS attacks accompanied by ransom demands. As a result their incidence has ballooned.

Some online commerce sites report that up to 90% of their login traffic comes from credential stuffing. Such attacks also have the advantage, unlike brute-force attacks that try many passwords against one account, of not being stopped by locking an account after a few failed login attempts: in most credential stuffing attacks only one attempt is made on any given account, and success relies on the relatively high probability that a given username/password pair will also open an account on some other service.

The attacks themselves have become more sophisticated in order to evade defenses employed both by services and by infrastructure platform providers within the ecosystem such as Akamai. In early attacks all traffic came from just two or three IP addresses on some cloud platform, with every login request carrying the same user agent. Such attacks were easy to defend against by applying simple rules to block either the IP addresses at the edge of a service provider’s network, or the user agents themselves closer to the login page of the site. A botnet owner might switch periodically to a new set of IP addresses or change the user agents, but this was still detected readily enough.

However, attackers with more resources and technical ability moved on to generating attacks from much larger pools of IP addresses, 10,000 or more, and incorporated more user agents, perhaps around 1,000. This made simple defenses keyed on specific IP addresses and user agents much harder, especially when the attacker constantly rotated through subsets of the pool in different permutations.

Defense against these attacks requires deeper inspection of traffic activity and tools specifically tuned to them, with machine learning approaches showing some success. But attacks have recently evolved further into what Akamai calls the “low and slow” approach, in which bots reduce their activity to the level of a typical user. Each IP address in the attacker’s armory now fires against a given target site perhaps only once or twice a day, to reduce the risk of detection. This lowers the success rate against any one site, but the strength of the method lies in its aggregate impact on a sector or a whole ecosystem.

Each IP address is rotated so that while it may only target a given site once in a day, it fires malicious login attempts at thousands of other sites within the same period. This tactic has so far allowed some credential stuffing botnets to remain active and undetected for long periods, and has improved their overall success rate at finding vulnerable accounts. Detection must move to a new level, based on broader surveillance across many sites, to identify what is only an unusual pattern at that greater scale.
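The difference between a per-site rule and the cross-site view the article calls for is easy to see on data. The following is an added example, not Akamai’s or any operator’s tooling: it builds a constructed login log containing ordinary users, an early-style attack from one cloud IP with one user agent, and a low-and-slow campaign in which eight IPs each hit five sites once with a different stolen account. The record layout, the thresholds and the notion of a shared feed from several sites are all assumptions made for illustration.

```python
"""Credential-stuffing detection run over constructed login records.

Added example, not Akamai's or any operator's tooling. The record layout,
the thresholds and the shared cross-site feed are assumptions for illustration.
"""
from collections import defaultdict

SITES = ["siteA", "siteB", "siteC", "siteD", "siteE"]
UA_POOL = ["Mozilla/5.0 (X11)", "Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (iPhone)"]


def make_sample_log():
    """Constructed records: (site, timestamp, src_ip, user_agent, username, outcome)."""
    log = []
    # Ordinary users: a couple of logins each from one address, all successful.
    for i in range(3):
        ip, user = f"198.51.100.{i}", f"user{i}"
        log.append(("siteA", 1000 + i, ip, UA_POOL[0], user, "ok"))
        log.append(("siteA", 1100 + i, ip, UA_POOL[0], user, "ok"))
    # Early-style attack: one cloud IP, one user agent, one attempt per account.
    for n in range(40):
        log.append(("siteA", 2000 + n, "203.0.113.9", "python-requests/2.19", f"victim{n}", "fail"))
    # Low-and-slow campaign: eight IPs, each hitting every site exactly once
    # with a different stolen account and a rotating user agent. One hit succeeds.
    for k in range(8):
        ip = f"192.0.2.{k}"
        for s, site in enumerate(SITES):
            outcome = "ok" if (k, s) == (0, 2) else "fail"
            log.append((site, 3000 + 100 * k + s, ip, UA_POOL[(k + s) % 3], f"acct{k}{s}", outcome))
    return log


def per_site_alerts(log, site, min_attempts=20, min_accounts=10, min_fail_ratio=0.9):
    """Rule a single site can apply on its own: flag source IPs that spray many
    distinct accounts with almost nothing but failures. Catches the early-style
    attack; misses anything that keeps its per-site volume under min_attempts."""
    by_ip = defaultdict(list)
    for rec in log:
        if rec[0] == site:
            by_ip[rec[2]].append(rec)
    flagged = set()
    for ip, recs in by_ip.items():
        accounts = {r[4] for r in recs}
        fails = sum(1 for r in recs if r[5] == "fail")
        if (len(recs) >= min_attempts and len(accounts) >= min_accounts
                and fails / len(recs) >= min_fail_ratio):
            flagged.add(ip)
    return flagged


def cross_site_alerts(log, min_sites=3, max_per_site=2):
    """Aggregate rule over a feed shared by many sites: flag IPs that stay below
    every single site's threshold yet fail logins at several different sites
    within the window. No per-site rule can see this pattern; only the
    ecosystem-wide view can."""
    outcomes = defaultdict(lambda: defaultdict(list))   # ip -> site -> [outcome, ...]
    for site, _ts, ip, _ua, _user, outcome in log:
        outcomes[ip][site].append(outcome)
    flagged = set()
    for ip, sites in outcomes.items():
        quiet_failing = [s for s, outs in sites.items()
                         if len(outs) <= max_per_site and "fail" in outs]
        if len(quiet_failing) >= min_sites:
            flagged.add(ip)
    return flagged


if __name__ == "__main__":
    log = make_sample_log()
    print("siteA alone flags:", sorted(per_site_alerts(log, "siteA")))
    print("siteB alone flags:", sorted(per_site_alerts(log, "siteB")))
    print("shared feed flags:", sorted(cross_site_alerts(log)))
```

Run on the sample, the per-site rule flags only the noisy cloud IP on siteA and nothing at all on siteB, while the cross-site rule flags all eight low-and-slow addresses and leaves the noisy IP alone (it only ever touched one site). Real deployments would add user-agent concentration, ASN and timing features, but the structural point stands: the low-and-slow pattern is invisible without pooling observations across sites.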

Of course credential stuffing, like many other attacks, would be snuffed out by perfect password hygiene, but only some users are getting the message. Two factor authentication is gaining ground: it is promoted by Google among others, works well with smartphones and is supported by many services. The infosec community is divided over the merits of the smartphone as the second factor (something the user owns), given the number of exploits that target it, but in practice it is good enough for most services, including online video.

Credential stuffing is a serious threat because it gives free access to services and so deprives providers of revenue. Not all widespread forms of attack are as serious, because established service providers can counter them easily. That is the case for Remote File Inclusion (RFI), which consistently tops Akamai’s list of attacks on online video, accounting for around 50% of the total. RFI targets badly written web applications that include scripts from a location taken from user input, letting an attacker point the include at a remote URL hosting malware. This can lead to site takeover and content modification as well as theft of credentials, so it is certainly a major threat in principle, but it does not cause the likes of Netflix to lose any sleep because their apps are properly written. No one player on its own can entirely counter credential stuffing, even though it may well diminish as a threat as passwords are used more carefully and two factor authentication is adopted more widely.
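What “properly written” means for RFI is a small decision at one point in the code. The following is an added example in Python, not code from Netflix, Akamai or any product named above (the classic RFI bug lives in PHP-style include(), but the decision is the same in any language). It places a vulnerable include resolver beside a hardened one; the directory layout, page names and request parameters are constructed assumptions, and nothing is fetched or executed, since the functions only return what the application would load, which is where both the bug and the fix live.

```python
"""Remote File Inclusion: a vulnerable include resolver beside a hardened one.

Added example, not code from any product named in the article. The template
directory, the allow-list and the probe parameters are assumptions.
"""
from pathlib import Path

TEMPLATE_DIR = Path("/srv/app/templates")        # assumed layout
ALLOWED_PAGES = {"home", "catalog", "player"}    # assumed allow-list


def resolve_include_vulnerable(page):
    """Trusts the ?page= parameter verbatim, as a badly written app does.
    A URL comes back as a remote source the app would include (RFI); a
    traversal string comes back as a path outside TEMPLATE_DIR (LFI)."""
    if "://" in page:
        return ("remote", page)
    return ("local", str(TEMPLATE_DIR / f"{page}.tpl"))


def resolve_include_hardened(page):
    """Allow-list the parameter, never treat it as a URL, and confirm the
    resolved path still sits under TEMPLATE_DIR even if the allow-list is
    later edited carelessly."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    target = (TEMPLATE_DIR / f"{page}.tpl").resolve()
    if TEMPLATE_DIR.resolve() not in target.parents:
        raise ValueError("resolved path escapes the template directory")
    return ("local", str(target))


def demo():
    """Constructed request parameters, benign and malicious, through both resolvers.
    Returns {parameter: (vulnerable_result, hardened_result)}."""
    probes = ["home", "http://evil.example/shell.txt", "../../etc/passwd"]
    results = {}
    for p in probes:
        try:
            hardened = resolve_include_hardened(p)
        except ValueError as exc:
            hardened = ("rejected", str(exc))
        results[p] = (resolve_include_vulnerable(p), hardened)
    return results


if __name__ == "__main__":
    for param, (vuln, hard) in demo().items():
        print(f"{param!r:40} vulnerable -> {vuln}\n{'':40} hardened   -> {hard}")
```

The hardened version rejects both the remote URL and the traversal string before any file or network access happens; the allow-list is the real control, and the path check is belt and braces against a future edit that adds a page name containing separators.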