Quantifying the identity threat: a fifth of authentication requests are malicious

F5 Labs research finds 19.4% of authentication requests are likely driven by credential stuffing attacks.

  • Wednesday, 1st November 2023 Posted 1 year ago in by Phil Alsop

Digital identities have become a cybersecurity battleground, with a fifth of authentication requests coming from malicious automated systems, new F5 Labs research has found.

The 2023 Identity Threat Report: The Unpatchables analyzed 320 billion data transactions occurring in the systems of 159 organizations between March 2022 and April 2023.

When no mitigations were in place, the average rate of automation – a strong indicator of credential stuffing – was 19.4%. This reduced by more than two-thirds to 6% when malicious traffic was proactively mitigated.

 Credential stuffing attacks entail bad actors leveraging stolen usernames and passwords from one system to breach others. Automated tools are at the heart of this, allowing attackers to maximize the number of attempts they make.

“Digital identities have long been a priority for attackers, and the threat is growing as the prevalence of non-human identities increases,” said Sander Vinberg, Threat Research Evangelist at F5 Labs. “Our research shows the extent to which digital identities are under attack, and the importance of effective mitigation. Significantly, we found a consistent pattern in which the use of malicious automation immediately declined to a lower level when protections are in place, with attackers tending to give up in search of easier targets.”

Mitigation: before and after

A key part of the study explored the impact of mitigations on credential stuffing attacks. These tended to alter the behavior of attackers and cause a decline in the use of malicious automation.

F5 Labs found that, without mitigations, attacks were more prevalent against mobile endpoints than web. After mitigations were introduced, the fall in mobile attacks was greater, and more of the subsequent attacks came through web endpoints.

Mitigations also had a bearing on the sophistication of attacks.

Against unprotected authentication endpoints, 64.5% of malicious traffic comprised attacks classed as ‘basic’, which means no attempt to emulate human behavior or to counteract bot protection. The share of these attacks fell significantly to 44% after mitigations were put in place.

By contrast, ‘intermediate’ attacks – that make some efforts to tamper with anti-bot solutions became much more prevalent with mitigation – rose from 12% to 27% post-mitigation deployment. Advanced attacks, which use tools that can closely emulate the browsing of a human user (including mouse movement, keystrokes, and screen dimensions), increased from 20% to 23%.

“Our analysis shows that many attackers simply move on when protections are implemented,” said Vinberg. “Attackers that continue to target a system with mitigations in place are clearly more determined and sophisticated, harnessing tools that allow them to closely replicate human behavior or work harder to conceal their activities.

“For example, we observed one attack that emulated 513,000 unique user interactions across 516,000 requests – recycling identifiable features in less than 1% of instances. With the most sophisticated attacks, manual observation is sometimes required to identify malicious behavior and create a new signature.”

Challenges mount for defenders

F5 Labs also examined the supply chain of compromised credentials. Worryingly, defenders appear to have much less visibility than they thought. As many as 75% of credentials submitted during attacks were not previously known to have been compromised.

Furthermore, defenders are having to respond to identity threats designed to overcome mitigations. For example, organizations may seek to monitor credential stuffing attacks by looking for an abnormally low success rate of authentication requests. The study found that attackers adapted to this with ‘canary’ accounts. These can be accessed continuously to artificially boost the overall success rate. In one example, a credential stuffing campaign logged into the same canary account 37 million times in the same week for this purpose.

With phishing attacks, another key area of focus for F5 Labs’ analysis, there was once again clear evidence of intensifying efforts to combat countermeasures. Notably, the increased use of multi-factor authentication is fueling the rise of reverse proxy phishing, whereby attackers set up fake login pages that encourage users to enter their credentials.

In addition, attackers are increasingly making use of detection-evasion capabilities such as AntiRed. This is a Javascript tool designed to overcome browser-based phishing analysis such as Google Safe Browsing (which gives the user a red flag message when encountering a potentially unsafe site).

New threats on the horizon

Against a backdrop of continuously evolving environments, F5 Labs also observed how a new generation of threats are emerging.

As a case in point, in August 2022 an advert was observed on the Dark Web promoting a voice phishing system that would use artificial intelligence to automate phishing calls. The growing sophistication and declining costs of AI means that such approaches are set to become more commonplace and effective over time.

“Looking ahead, Identity providers should employ an anti-bot solution to mitigate malicious automation such as credential stuffing. Even simple anti-bot solutions can mitigate the bulk of unsophisticated credential stuffing,” added Vinberg.

“Organizations can further strengthen their defenses through use of cryptography-based MFA solutions, such as those based on the WebAUthn or FIDO2 procotols. Ultimately, there is no silver bullet for combating identity-based attacks. Defenders must monitor and detect attacks, quantify the error rate of their detection, and adapt accordingly. The more we study these attacks and their constantly shifting nature, the better we can manage the risk of vulnerabilities that are inherent in any system which users must prove their identity to access.”