
A fifth of authentication requests are malicious

Digital identities have become a cybersecurity battleground, with a fifth of authentication requests coming from malicious automated systems, new F5 Labs research has found.

The 2023 Identity Threat Report: The Unpatchables analyzed 320 billion data transactions occurring in the systems of 159 organizations between March 2022 and April 2023.

When no mitigations were in place, the average rate of automation – a strong indicator of credential stuffing – was 19.4%. This reduced by more than two-thirds to 6% when malicious traffic was proactively mitigated.


Credential stuffing attacks entail bad actors leveraging stolen usernames and passwords from one system to breach others. Automated tools are at the heart of this, allowing attackers to maximize the number of attempts they make.

A key part of the study explored the impact of mitigations on credential stuffing attacks. These tended to alter the behavior of attackers and cause a decline in the use of malicious automation.

F5 Labs found that, without mitigations, attacks were more prevalent against mobile endpoints than web. After mitigations were introduced, the fall in mobile attacks was greater, and more of the subsequent attacks came through web endpoints.

Mitigations also had a bearing on the sophistication of attacks.

Against unprotected authentication endpoints, 64.5% of malicious traffic comprised attacks classed as ‘basic’, which means no attempt to emulate human behavior or to counteract bot protection. The share of these attacks fell significantly to 44% after mitigations were put in place.

By contrast, ‘intermediate’ attacks, which make some effort to tamper with anti-bot solutions, became much more prevalent with mitigation, rising from 12% to 27% post-mitigation deployment. Advanced attacks, which use tools that can closely emulate the browsing of a human user (including mouse movement, keystrokes, and screen dimensions), increased from 20% to 23%.

F5 Labs also examined the supply chain of compromised credentials. Worryingly, defenders appear to have much less visibility than they thought. As many as 75% of credentials submitted during attacks were not previously known to have been compromised.

Furthermore, defenders are having to respond to identity threats designed to overcome mitigations. For example, organizations may seek to monitor credential stuffing attacks by looking for an abnormally low success rate of authentication requests. The study found that attackers adapted to this with ‘canary’ accounts. These can be accessed continuously to artificially boost the overall success rate. In one example, a credential stuffing campaign logged into the same canary account 37 million times in the same week for this purpose.
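The following is an added example, not taken from the F5 Labs report, of why an aggregate success rate is misleading when a canary account is in play. It compares the raw rate with a per-account rate over constructed login events and flags accounts that supply most of the successes. The event format, account names and thresholds are assumptions.

```python
from collections import Counter

def success_rates(events):
    """events: iterable of (username, succeeded) pairs from an auth log.
    Returns (raw_rate, per_account_rate, successes_per_account)."""
    events = list(events)
    successes = Counter(user for user, ok in events if ok)
    accounts = {user for user, _ in events}
    # Raw rate: every request counts, so one account logging in
    # repeatedly can dominate the figure.
    raw = sum(successes.values()) / len(events) if events else 0.0
    # Per-account rate: each account counts once, however often it logs in.
    per_account = len(successes) / len(accounts) if accounts else 0.0
    return raw, per_account, successes

def suspected_canaries(events, share_threshold=0.5, min_logins=10):
    """Accounts that alone supply more than share_threshold of all
    successful logins. Both thresholds are assumed values, to be tuned
    against the endpoint's normal traffic."""
    _, _, successes = success_rates(events)
    total_ok = sum(successes.values())
    return sorted(user for user, n in successes.items()
                  if n >= min_logins and n / total_ok > share_threshold)

def constructed_sample():
    """Constructed events: 198 failed attempts on distinct accounts,
    2 valid hits, and one canary account logging in 300 times."""
    events = [(f"user{i}@example.test", False) for i in range(198)]
    events += [(f"hit{i}@example.test", True) for i in range(2)]
    events += [("canary@example.test", True)] * 300
    return events

if __name__ == "__main__":
    sample = constructed_sample()
    raw, per_account, _ = success_rates(sample)
    print(f"raw success rate:         {raw:.1%}")
    print(f"per-account success rate: {per_account:.1%}")
    print("suspected canaries:", suspected_canaries(sample))
```

On the constructed sample the raw rate looks healthy while the per-account rate exposes the low hit rate typical of credential stuffing.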

With phishing attacks, another key area of focus for F5 Labs’ analysis, there was once again clear evidence of intensifying efforts to combat countermeasures. Notably, the increased use of multi-factor authentication is fuelling the rise of reverse proxy phishing, whereby attackers set up fake login pages that encourage users to enter their credentials.

In addition, attackers are increasingly making use of detection-evasion capabilities such as AntiRed. This is a JavaScript tool designed to overcome browser-based phishing analysis such as Google Safe Browsing (which gives the user a red flag message when encountering a potentially unsafe site).

Against a backdrop of continuously evolving environments, F5 Labs also observed how a new generation of threats is emerging.

As a case in point, in August 2022 an advert was observed on the Dark Web promoting a voice phishing system that would use artificial intelligence to automate phishing calls. The growing sophistication and declining costs of AI mean that such approaches are set to become more commonplace and effective over time.

