DataDome

The Tale of a Heavily Distributed Credential Stuffing Attack

It Was Heavily Distributed

The 4-day attack was distributed over 91,340,141 distinct IPs. Thus, on average, each IP address made 1.18 malicious login attempts, making traditional rate limiting policies ineffective.

The IP addresses involved in the attack were mostly clean. The majority of them had not been involved in any significant malicious activity against any of our customers in the week before the attack.
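The two paragraphs above explain why per-IP rate limiting fails here: with roughly one attempt per IP there is nothing for an IP counter to trip on. The added example below (it is not DataDome's code and models a scaled-down, constructed failed-login stream, not the article's data) contrasts a classic per-IP limiter with two views that survive distribution: the number of distinct source IPs hitting each target account, and the site-wide failed-login volume against a baseline. All function names, thresholds and the 10.x sample addresses are assumptions made for the illustration.

```python
import random
from collections import Counter, defaultdict


def build_distributed_attack(num_ips=2000, num_accounts=300, seed=7):
    """Constructed failed-login stream (not real data): every source IP tries
    one or two passwords, spread across many target accounts, mimicking the
    ~1.2 attempts-per-IP pattern described in the article."""
    rng = random.Random(seed)
    events = []
    for i in range(num_ips):
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"  # sample address
        for _ in range(rng.choice((1, 1, 1, 1, 2))):  # mean of 1.2 attempts per IP
            events.append({"ip": ip, "user": f"user{rng.randrange(num_accounts)}"})
    return events


def build_single_source_attack(num_attempts=500, num_accounts=300, seed=7):
    """Constructed contrast case: a single IP hammering the login form."""
    rng = random.Random(seed)
    return [{"ip": "10.9.9.9", "user": f"user{rng.randrange(num_accounts)}"}
            for _ in range(num_attempts)]


def mean_attempts_per_ip(events):
    return len(events) / len({e["ip"] for e in events})


def per_ip_rate_limit(events, threshold=10):
    """Traditional control: IPs with `threshold` or more failures in the window."""
    per_ip = Counter(e["ip"] for e in events)
    return {ip for ip, n in per_ip.items() if n >= threshold}


def per_account_spray(events, min_distinct_ips=5):
    """Distribution-resilient view: accounts receiving failures from many IPs.
    The attacker can change IPs freely, but cannot avoid touching the account."""
    ips_per_user = defaultdict(set)
    for e in events:
        ips_per_user[e["user"]].add(e["ip"])
    return {u for u, ips in ips_per_user.items() if len(ips) >= min_distinct_ips}


def global_failure_surge(events, baseline_per_window=50, factor=5):
    """Site-wide baseline: total failed logins far above the usual rate for the window."""
    return len(events) >= baseline_per_window * factor


if __name__ == "__main__":
    for name, stream in (("distributed", build_distributed_attack()),
                         ("single source", build_single_source_attack())):
        print(f"{name}: {len(stream)} failures, "
              f"{mean_attempts_per_ip(stream):.2f} attempts/IP, "
              f"per-IP limiter blocks {len(per_ip_rate_limit(stream))} IPs, "
              f"per-account view flags {len(per_account_spray(stream))} accounts, "
              f"global surge={global_failure_surge(stream)}")
```

Running it shows the per-IP limiter blocking zero addresses in the distributed case while the per-account and global views both fire; in the single-source case the roles reverse, which is why these views are layered rather than chosen between.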

Graph 2 below shows the distinct number of malicious IP addresses used by the attacker over time. Since each malicious IP address makes only 1-2 login attempts, this graph is highly correlated with Graph 1.

Graph 2: Number of malicious IP addresses used in the credential stuffing attack over time.

The map below, which indicates the number of malicious login attempts per country, shows this attack was distributed all around the world. The attacker had access to a significant pool of clean IPs located in many countries, including the US, China, France, Germany, and the UK.

Map: Number of malicious login attempts per country.

Most importantly, the attacker had access to clean residential IP addresses, the same type of IP address humans like you and me use to browse the internet.

The table below shows the top 10 autonomous systems linked to IPs involved in the credential stuffing attack:

Table: Top 10 autonomous systems linked to IPs involved in the attack.

We see that the attacker had access to residential IPs from legitimate ISPs all around the world, e.g. providers in the US:

  • AT&T
  • Comcast
  • Verizon (UUNET)

Tracking Malicious IP Addresses

Given the huge pool of residential IP addresses the attacker had access to, it’s important to know which of the attacker’s IP addresses are shared with other, legitimate users. IP addresses are often shared by several users (which can include both bots and humans) and can be reassigned. Still, there’s a chance that a significant fraction of the IPs used in the attack are still controlled by the attacker.

Thanks to our real-time detection engine, DataDome can easily tag IP addresses to observe and study their activity across all customers protected by DataDome. The graph below shows the number of malicious requests coming from a subset of the IP addresses involved in the credential stuffing attack, focusing on the four customers most targeted by those IP addresses.

Graph 3: Each color represents one of the four customers most targeted by this subset of IP addresses in the credential stuffing attack.

Many of the IPs are still conducting credential stuffing attempts on the same video game platform, while also targeting some of our other customers with credential stuffing attempts.

In addition to credential stuffing attacks, some of the same IP addresses have also been used by sneaker bots during limited-edition sneaker releases! If you’re wondering how to detect sneaker bots, read our dedicated guide.

Conclusion

Bot operators are willing to invest thousands of dollars in conducting credential stuffing attacks to steal and monetize human user accounts. Attackers achieve monetization by reselling accounts on the dark markets, or by leveraging the accounts as a lateral move to conduct fraud on targeted platforms (e.g. stealing influencer accounts with good reputations and using them to conduct crypto scams).

To detect threats like the massive credential stuffing attack described above, it’s important to have a real-time bot detection engine that is resilient against distributed attacks. Traditional in-house techniques (such as rate-limiting) to mitigate bots are not effective against attackers who have access to a huge pool of IPs.

To be effective against heavily distributed attacks, a solution must leverage the whole spectrum of bot detection signals:

  • Client-Side Signatures (Browser/JS Fingerprint, SDK)
  • Server-Side Signatures (HTTP Headers, TLS Fingerprints)
  • Behavioral Signals (Mouse Movements, Touch Events, Sensors)
  • Reputational Signals (Per IP/session, Proxy Detection)
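The list above is a taxonomy; what makes it effective is scoring the signal families together, so that a clean residential IP does not buy the bot a pass when its other signals contradict each other. The added example below (not DataDome's engine, and using constructed request records rather than real signals) checks each request for inconsistencies across families, including a User-Agent that claims one browser while the TLS fingerprint says another, a login submitted with the page's JS never executed, no pointer or touch activity at all, and one client-side fingerprint reappearing across many IPs, and then combines them with assumed weights. Field names, weights and thresholds are illustrative assumptions.

```python
from collections import defaultdict

# Constructed request records (illustrative, not DataDome data or signals).
# Each carries one example from each signal family: client-side (js_fp),
# server-side (ua_family vs tls_family), behavioural (mouse_events) and
# reputational (ip_reputation, proxy).
REQUESTS = [
    # Genuine user: consistent client/server fingerprints, real pointer activity.
    {"id": "r1", "ip": "198.51.100.10", "ua_family": "Chrome", "tls_family": "Chrome",
     "js_fp": "fp-human-1", "mouse_events": 17, "ip_reputation": "clean", "proxy": False},
    # Script on a clean residential IP: claims Chrome, TLS looks like a Python client,
    # the page's JS never ran, no pointer activity at all.
    {"id": "r2", "ip": "203.0.113.5", "ua_family": "Chrome", "tls_family": "python-requests",
     "js_fp": None, "mouse_events": 0, "ip_reputation": "clean", "proxy": False},
    # Headless browsers on several clean IPs that all share one JS fingerprint.
    {"id": "r3", "ip": "203.0.113.6", "ua_family": "Chrome", "tls_family": "Chrome",
     "js_fp": "fp-tool-7", "mouse_events": 0, "ip_reputation": "clean", "proxy": False},
    {"id": "r4", "ip": "203.0.113.7", "ua_family": "Chrome", "tls_family": "Chrome",
     "js_fp": "fp-tool-7", "mouse_events": 0, "ip_reputation": "clean", "proxy": True},
    {"id": "r5", "ip": "203.0.113.8", "ua_family": "Chrome", "tls_family": "Chrome",
     "js_fp": "fp-tool-7", "mouse_events": 0, "ip_reputation": "clean", "proxy": False},
]

# Assumed weights: no single reputational signal is enough on its own; a
# client/server contradiction is weighted highest because it is hard to fake.
WEIGHTS = {
    "ua_tls_mismatch": 40,    # server-side: TLS fingerprint contradicts the User-Agent
    "no_js_fingerprint": 30,  # client-side: the page's JS never executed
    "no_behaviour": 20,       # behavioural: form submitted with zero pointer/touch events
    "shared_fingerprint": 30, # client-side + reputational: one fingerprint across many IPs
    "proxy": 15,              # reputational: proxy/VPN exit
    "bad_ip_reputation": 25,  # reputational: IP already seen attacking
}


def fingerprints_shared_across_ips(requests, min_ips=3):
    """Client-side fingerprints seen from at least `min_ips` distinct IPs in the batch."""
    ips_per_fp = defaultdict(set)
    for r in requests:
        if r["js_fp"]:
            ips_per_fp[r["js_fp"]].add(r["ip"])
    return {fp for fp, ips in ips_per_fp.items() if len(ips) >= min_ips}


def triggered_signals(req, shared_fps):
    hits = []
    if req["tls_family"] != req["ua_family"]:
        hits.append("ua_tls_mismatch")
    if req["js_fp"] is None:
        hits.append("no_js_fingerprint")
    if req["mouse_events"] == 0:
        hits.append("no_behaviour")
    if req["js_fp"] in shared_fps:
        hits.append("shared_fingerprint")
    if req["proxy"]:
        hits.append("proxy")
    if req["ip_reputation"] != "clean":
        hits.append("bad_ip_reputation")
    return hits


def decide(req, shared_fps, challenge_at=40, block_at=70):
    """Return (verdict, score, signals) for one request."""
    hits = triggered_signals(req, shared_fps)
    score = sum(WEIGHTS[h] for h in hits)
    verdict = "block" if score >= block_at else "challenge" if score >= challenge_at else "allow"
    return verdict, score, hits


def evaluate(requests):
    shared = fingerprints_shared_across_ips(requests)
    return {r["id"]: decide(r, shared) for r in requests}


if __name__ == "__main__":
    for rid, (verdict, score, hits) in evaluate(REQUESTS).items():
        print(f"{rid}: {verdict:9} score={score:3} signals={hits}")
```

Every request in the batch comes from a "clean" IP, so a reputation-only check would allow all five; the scoring still blocks r2 on the client/server contradiction and challenges r3 to r5 because one fingerprint is being replayed from several addresses.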

For protection against heavily distributed attacks, it’s extremely important to choose a bot vendor that has a broad vision of the bot landscape. Remember that thousands of IPs involved in the credential stuffing attack detailed above were later used to conduct different types of attacks on other enterprises.

Protecting hundreds of e-commerce sites and mobile applications all around the world helps our team better understand how attackers operate. And that understanding helps us best protect our customers. To learn more about DataDome and our Account Protect solution, start a 30-day free trial.
