The scale of malicious logins has been highlighted by content delivery and cloud services firm Akamai, in its Q4 2017 State of the Internet report. It found that an alarming 43% of all online login attempts across its network were unauthorised.
And as if that wasn’t bad enough, Akamai reckons this figure probably understates the problem, because the results only include logins that combine a password with an email address. Many accounts require a username instead of an email address - including, worryingly, most online banking services. Had these been included in the statistics, then it’s likely they would have painted an even more frightening picture.
How Is This Possible?
When you consider the billions of people who log into online accounts every day, it’s mind-boggling to think that such a large percentage of login attempts could be carried out for nefarious purposes. How can criminals achieve such feats?
The answer, simply, is automation. Hackers don’t need to individually target accounts (although they can if they want to), because their hacking tools are perfectly capable of running by themselves, looking for vulnerabilities or finding ways to get past login measures.
How Do Malicious Logins Work?
There are two main ways that hackers can log into other people’s accounts: with stolen details or by guessing passwords.
If they use stolen details, these will often be from when a company has suffered a data breach and had lists of users and their passwords taken by thieves. They might also be sourced from phishing campaigns, where victims are tricked into giving up their login details voluntarily.
Sometimes, the hackers will use these details for their own crimes, but it’s also common for them to be sold online to other criminals. With these credentials programmed into their hacking software, it’s just a case of waiting to see how many of the logins still work – and that’s likely to be quite a few if they were stolen recently.
When passwords aren’t available, cyber criminals can use tools that guess them. One method for doing this is a dictionary attack. As the name suggests, this runs through a dictionary of different words, phrases and common passwords, trying each one in turn until access is gained.
A more time-consuming but still potentially effective way to guess a password is with a brute force attack. With a brute force attack, hackers leave software to run through every possible combination of numbers and letters that could be in a password, until something works and they get past the login screen.
How Much Of A Threat Are Malicious Logins?
Although 43% of login attempts might be malicious, the number of successful attempts is obviously considerably lower. This is no doubt thanks to some relatively simple security measures that can thwart both brute force and dictionary attacks.
For example, websites may block users who make numerous unsuccessful attempts to log into an account, preventing them from trying again for a set period of time or until they request access manually.
Authentication measures like reCAPTCHA can also help, by tying login access to proof that the person attempting the login really is a person and not an automated bot.
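To show how the lockout measure described above works in practice, here is an added example that is not part of the original article or of Akamai’s research: a per-account sliding-window lockout (three failures within ten minutes locks the account for fifteen minutes) plus an alert when one source address tries several different accounts, which is the shape of a run driven by a stolen credential list. The thresholds, the LoginGuard class and the sample login events are all constructed for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # failures tolerated per account inside WINDOW
WINDOW = timedelta(minutes=10)   # sliding window for counting failures
LOCKOUT = timedelta(minutes=15)  # how long an account stays locked
IP_ACCOUNT_LIMIT = 3             # distinct accounts from one IP before flagging it

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> recent failure timestamps
        self.locked_until = {}               # account -> when its lock expires
        self.ip_accounts = defaultdict(set)  # ip -> accounts it has attempted

    def attempt(self, ts, account, ip, password_ok):
        """Return (verdict, alerts). A locked account never reaches the password check."""
        until = self.locked_until.get(account)
        if until is not None and ts < until:
            return "locked", []
        alerts = []
        self.ip_accounts[ip].add(account)
        if len(self.ip_accounts[ip]) >= IP_ACCOUNT_LIMIT:
            alerts.append(f"ip {ip} has tried {len(self.ip_accounts[ip])} accounts")
        if password_ok:
            self.failures[account].clear()
            return "allow", alerts
        window = self.failures[account]
        window.append(ts)
        while ts - window[0] > WINDOW:       # forget failures older than WINDOW
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self.locked_until[account] = ts + LOCKOUT
            window.clear()
            alerts.append(f"account {account} locked until {ts + LOCKOUT:%H:%M}")
        return "allow", alerts

def replay(events):
    guard = LoginGuard()  # one guard instance shared across the whole event stream
    return [(a, *guard.attempt(datetime.fromisoformat(t), a, ip, ok)) for t, a, ip, ok in events]

# Constructed sample events (not real log data): time, account, source IP, password correct?
EVENTS = [
    ("2018-03-01T10:00:00", "alice", "203.0.113.7", False),
    ("2018-03-01T10:00:01", "alice", "203.0.113.7", False),
    ("2018-03-01T10:00:02", "alice", "203.0.113.7", False),  # third failure: lock
    ("2018-03-01T10:00:03", "alice", "203.0.113.7", True),   # correct password, still locked
    ("2018-03-01T10:00:04", "bob", "203.0.113.7", False),
    ("2018-03-01T10:00:05", "carol", "203.0.113.7", False),  # third account from one IP
    ("2018-03-01T10:20:00", "alice", "198.51.100.2", True),  # lock expired, real user
]
```

Note that the fourth event is refused even though the password is right: once an account is locked, a stolen-but-valid credential is blocked just like a guessed one until the lock expires.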
Yet the threat remains real, particularly with stolen credentials. If users are unaware their details have been taken (perhaps because a third party is keeping quiet about a data breach), then by the time they find out, it might already be too late.
What Can You Do?
These malicious logins aren’t going to stop. If anything, they’ll become more prevalent as more people learn how to run hacking tools and the tools become more sophisticated.
But exercising best practice really can make a difference. There’s no 100% perfect solution to cyber crime, of course, but you can drastically reduce your chances of being affected by cyber breaches if you do things like using strong, varied passwords and making sure you have email security as part of your business plan.
The absolute worst thing you can do, as Akamai’s research shows, is nothing. There’s simply too much at stake and too much danger for that to be a sensible option.
Are your security measures up to scratch? Find out with a Cyber Essentials certification.