On a Tuesday last March, the website of one of our customers recorded very unusual activity on its login form: more than 10,000 login attempts in less than 5 minutes. Fortunately, DataDome protection was enabled and blocked the attack. But you may still wonder what really happened, and what these thousands of bots were looking for on the login page of a large e-commerce website.
This is typically an attack by Impersonators. Within this family of bad bots (for a general overview of the different bot categories, see here), behaviors vary, but they share a common trait: the bot tries very hard to appear to be what it is not.
The specific technique used against our customer has its origins in other, well-publicized hacking cases. In 2012, LinkedIn's user database was stolen: 167 million login/password combinations were suddenly on the street. On the street? If only…
For sale! A database of 167 million accounts in perfect working order
Four years later, the database was up for sale on the dark web. What is the point of acquiring, for a few dollars or bitcoins, a 4-year-old database? Users have surely already changed their LinkedIn password, or will do so as soon as the news reaches them.
Indeed, but the human brain is built to follow the path of least resistance. Faced with requests to create accounts on many different sites, it tends to fall back on a small set of login/password combinations, if only to remember them more easily. And when we say small, we are basically talking about 1 or 2 combinations. And when we talk about combinations, we are talking about the generally well-known email address and a 1234 password, pushed up to 5678 when the site requires a minimum length.
Grab the credits
Buyers of the LinkedIn database (and of the many other leaked account databases) on the dark web are betting that the same combinations are used on other sites. The happy acquirer of 167 million accounts only has to test them one by one on the login forms of websites to reach the valuable data reserved for authenticated users. And among this data, one item is of particular interest to the lucky buyer: credits, vouchers and promotions stored in the user account, which can be recovered via a transfer or spent on purchases. That makes e-commerce, online betting and… banking websites prime targets.
Now all the lucky buyer has to do is write a small program that tests each of the 167 million accounts on the login forms of the targeted websites and, for each working combination, recovers the available credits. With this technique, the attacker manages to authenticate on the targeted sites as a legitimate user, which is why we classify him in the Impersonators family.
Naturally, the Impersonator knows that by testing so many logins, he may be detected. He has two ways to tackle this issue.
- He can launch a massive attack, testing as many accounts as possible in the time it takes the usual protection systems to detect it: this is what was attempted against our client early that March morning. Had DataDome protection not been in place, the website's users would have lost a lot of money.
- Or he can test the accounts in a very subtle and gradual way, in order to stay under the radar of classical detection. In doing so, he uses other Impersonator techniques, to which we will return in a future post.
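To make the burst pattern described above concrete from the defender's side, here is an added example (not DataDome's code) of a detection check over constructed login log lines: it flags a source that, within a sliding window, makes many login attempts spread across many distinct usernames, which is the signature of a leaked-database replay rather than of one user retrying a forgotten password. The log format, thresholds and IP addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): "timestamp ip username result".
# 203.0.113.5 replays a leaked list (many accounts, one per second);
# 198.51.100.7 is one user retrying a forgotten password.
SAMPLE_LOG = """\
2017-03-07T06:00:00 203.0.113.5 alice@example.com FAIL
2017-03-07T06:00:01 203.0.113.5 bob@example.com FAIL
2017-03-07T06:00:02 203.0.113.5 carol@example.com FAIL
2017-03-07T06:00:03 203.0.113.5 dave@example.com OK
2017-03-07T06:00:04 203.0.113.5 erin@example.com FAIL
2017-03-07T06:00:05 203.0.113.5 frank@example.com FAIL
2017-03-07T06:02:00 198.51.100.7 grace@example.com FAIL
2017-03-07T06:02:30 198.51.100.7 grace@example.com FAIL
2017-03-07T06:03:00 198.51.100.7 grace@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_attempts=5, min_distinct=4):
    """Return {ip: (attempts, distinct_users)} for every source that, within
    any `window`, made at least `min_attempts` login attempts covering at
    least `min_distinct` distinct usernames. Successful logins count too:
    a working combination is exactly what the attacker is looking for.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # ip -> (timestamp, username) within window
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, ip, user, _result = parse_line(line)
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop events older than window
            q.popleft()
        distinct = {u for _, u in q}
        if len(q) >= min_attempts and len(distinct) >= min_distinct:
            flagged[ip] = (len(q), len(distinct))   # keep latest counts
    return flagged


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))   # prints {'203.0.113.5': (6, 6)}
```

In production the window, thresholds and per-source key (IP, session, device fingerprint) would be tuned to the site's traffic, since a single retrying user must stay well below the distinct-username threshold.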
In the meantime, feel free to share your comments and experiences about Impersonators, a family of bad bots that keeps evolving and becoming more and more sophisticated.