What is password spraying?
As a security measure, many businesses allow their customers only a limited number of attempts to log into an account, after which the account is locked out. In a password spraying attack, fraudsters circumvent this lockout by 'spraying' a single password, usually a default or commonly used one, across many accounts before moving on to the next password, so that no single account accrues enough failures to be locked.

Password spraying attacks are more common against applications that allow single sign-on or cloud-based applications that use federated authentication protocols.
Many users - and businesses - do not change the default passwords on their devices. Additionally, to work around the problem of remembering too many passwords across multiple digital channels, consumers often simply create easy-to-remember passwords and reuse them across accounts. This makes it easier for fraudsters to break into multiple accounts with the same few guesses.
Fraudsters also use phishing to extract user information, especially for financial services accounts, as these accounts do not use email addresses as usernames. Using bots and advanced scripts to scale up password spraying attacks, fraudsters are able to create databases of valid username-password combinations in no time that are then used to fuel account takeover attacks.
A successful account takeover enables fraudsters to exploit the compromised account at will. In addition to the financial gain from draining funds from the account, fraudsters can harvest saved details such as email addresses from the compromised account to attack more users.
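The definition above explains why per-account lockout misses password spraying: the attacker spreads guesses across accounts so that each one stays under the failure threshold. The following added example (not from the original post or from Arkose Labs) shows the detection logic a defender would run over authentication logs. It contrasts a classic per-account lockout counter with a per-source view that counts how many distinct accounts a single source has failed against in a window, and lists accounts that then authenticated successfully from a flagged source. The log format and all addresses, usernames and timestamps are constructed for the example.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). The line format is an
# assumption for this example: "<ISO-8601 timestamp> src=<ip> user=<name> result=<ok|fail>"
# 10.0.0.7 sprays one guess across six accounts (one of them succeeds),
# 203.0.113.5 brute-forces a single account, 192.168.1.20 is a user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=10.0.0.7 user=alice result=fail
2024-05-01T09:00:04 src=10.0.0.7 user=bob result=fail
2024-05-01T09:00:07 src=10.0.0.7 user=carol result=fail
2024-05-01T09:00:10 src=10.0.0.7 user=dave result=fail
2024-05-01T09:00:13 src=10.0.0.7 user=erin result=ok
2024-05-01T09:00:16 src=10.0.0.7 user=frank result=fail
2024-05-01T09:01:00 src=203.0.113.5 user=admin result=fail
2024-05-01T09:01:02 src=203.0.113.5 user=admin result=fail
2024-05-01T09:01:04 src=203.0.113.5 user=admin result=fail
2024-05-01T09:01:06 src=203.0.113.5 user=admin result=fail
2024-05-01T09:01:08 src=203.0.113.5 user=admin result=fail
2024-05-01T09:01:10 src=203.0.113.5 user=admin result=fail
2024-05-01T09:05:00 src=192.168.1.20 user=alice result=fail
2024-05-01T09:05:20 src=192.168.1.20 user=alice result=ok
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed key=value log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(AuthEvent(datetime.fromisoformat(ts_s), fields["src"],
                                fields["user"], fields["result"] == "ok"))
    return events


def per_account_lockouts(events, threshold=5, window=timedelta(minutes=10)) -> set[str]:
    """Classic per-account lockout: a user is locked once it accrues `threshold`
    failures within `window`, from any source. A spray that touches each
    account only once or twice never reaches this threshold."""
    locked = set()
    recent_fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.ok:
            continue
        q = recent_fails[e.user]
        q.append(e.ts)
        while e.ts - q[0] > window:      # drop failures that aged out of the window
            q.pop(0)
        if len(q) >= threshold:
            locked.add(e.user)
    return locked


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5) -> dict[str, dict]:
    """Per-source view: flag a source that fails against at least `min_accounts`
    distinct accounts within `window`. Also report the failure count on the
    busiest account, so an analyst can tell spraying (low per account, wide
    across accounts) from single-account brute force (high on one account)."""
    fails_by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.ok:
            fails_by_src[e.src].append(e)
    flagged = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):      # sliding window over this source's failures
            while fails[end].ts - fails[start].ts > window:
                start += 1
            counts = Counter(f.user for f in fails[start:end + 1])
            if len(counts) >= min_accounts:
                flagged[src] = {"accounts": len(counts), "max_per_account": max(counts.values())}
                break
    return flagged


def likely_compromised(events, flagged) -> set[str]:
    """Accounts that logged in successfully from a flagged spraying source:
    the first candidates for a forced password reset and session revocation."""
    return {e.user for e in events if e.ok and e.src in flagged}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("locked by per-account rule:", per_account_lockouts(ev))
    sprayers = detect_spray(ev)
    print("sources flagged as spraying:", sprayers)
    print("accounts to reset:", likely_compromised(ev, sprayers))
```

Run as-is, the per-account rule locks only `admin` (the brute-forced account) and sees nothing wrong with the spraying source, while the per-source rule flags `10.0.0.7` with five distinct failed accounts at one failure each and surfaces `erin` as the account that accepted the sprayed password. The thresholds and window are tunable assumptions; in practice the per-source key is often a combination of IP, ASN and device fingerprint rather than a bare address.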
Types of password spraying attacks
Broadly, there are two types of password spraying attacks - rule-based and hybrid.
Rule-based attacks
Attackers apply specific permutations to the passwords they are trying to guess.
Hybrid attacks
Attackers combine a brute force attack with a dictionary attack by appending combinations of numbers to every word in a dictionary.
Password spraying attacks are on the rise
Password spraying is an easy method of identifying user accounts for account takeover attacks. Automation helps scale up password spraying attacks and arrive at thousands of valid username-password combinations quickly.
Bots with advanced capabilities and support are easily and cheaply available, which allows fraudsters to execute large-scale password spraying attacks with minimal investment. The returns far outweigh the investment, which makes password spraying a popular tactic amongst fraudsters and one of the reasons these attacks are on a steady rise.
Monetizing password spraying attacks
Monetizing password spraying attacks is straightforward. Attackers can monetize their lists of valid username-password combinations by simply selling them to third parties or on the dark web. They can also spend a little more effort to categorize the hacked accounts according to their net worth, which fetches higher prices: they take over the accounts, assess their worth, and then put them on sale at a much higher price.
Fraudsters can also steal the funds from the compromised accounts and use the saved information to carry out further downstream attacks.
Protection from password spraying attacks
It is clear that businesses cannot afford to bear the brunt of automated password spraying attacks. However, current fraud defense solutions are limited in their scope and fail to provide the level of protection that digital businesses need today.
Identity-based solutions have been rendered redundant as fraudsters can access valid login credentials and impersonate good users. They can also hide their real intent and location using tactics such as IP spoofing and device obfuscation, among others. Data-driven solutions look for clear signals of ‘trust’ or ‘mistrust’ that have now been transmuted due to manipulation of digital identities, evolving consumer behaviors, and spoofing techniques used by fraudsters. This means signals are no longer reliable for risk-decisioning with certainty. Fraudsters use this knowledge to game the fraud defense mechanisms, which means that businesses are engaged in a cat-and-mouse game with the fraudsters.
Targeted friction for smarter authentication
Businesses cannot rely on obsolete or point solutions to fight password spraying attacks, as these not only fail to provide the needed protection but can also add to long-term costs. Instead, they need a long-term approach that enables them to disrupt fraud and put a stop to these large-scale attacks.
Arkose Labs adopts a zero-tolerance-to-fraud approach, which helps eliminate fraud while preserving user experience. The Arkose Labs solution shifts the attack surface to its own network and, instead of blocking any user - good or bad - gives them an opportunity to prove their authenticity. The platform combines risk-based decisioning with intelligent step-up to clarify whether or not a good customer's digital footprint has been corrupted by fraudsters, through the following steps:
Real-time Analysis
Sophisticated, real-time analysis of incoming traffic looks for even the most subtle indicators of fraud. This does not involve collecting users' personal data; instead it focuses on behavior, device, and network characteristics and how they are connected.
Classify and Triage
Arkose Labs classifies and segments traffic based on its risk profile. The platform triages traffic by its likelihood of being a legitimate user, a bot, or a human sweatshop, and provides actionable intelligence on whether secondary screening is required and which type of enforcement to apply.
Challenge and Interact
To understand the intent of traffic in a deterministic way, secondary screening must be paired with risk assessment. Arkose Labs’ custom enforcement challenges test high-risk traffic using interactive technology that causes all automated attacks to fail. Graduated risk-based challenges can also frustrate fraudsters by increasing the amount of friction they experience, leading them to abandon their attacks.
Continuous Learning
Arkose Labs clients benefit from a fraud prevention system that combines risk assessments with challenges, leveraging a continuous feedback loop to improve fraud detection rates while decreasing challenge rates for good users. Embedded machine learning provides advanced anomaly detection and evolving protection, taking the burden away from in-house teams.
Businesses need to step up their guard to protect their revenue streams and maintain customer trust. They can rely on this multi-step approach for comprehensive fraud protection that holds up long-term.
To learn how Arkose Labs helps global businesses fight password spraying attacks, without impacting user experience, please click here.