Number: AL17-003
Date: 16 February 2017
Purpose
The purpose of this alert is to bring attention to ongoing and widespread brute force login attempt activity observed targeting retail organizations.
Assessment
CCIRC has received reports from several retail sector companies concerning ongoing brute force login activity against their customer portals. The malicious actors appear to be targeting retail organizations that have customer reward or loyalty programs, and are using customer account credentials compromised elsewhere to steal earned rewards or points. Customer rewards have a convertible cash value, as they can typically be exchanged for gift cards and/or other merchandise or services, or sold to a third party.
Malicious actors have leveraged several strategies and tactics in their malicious activities, including:
- utilizing multiple credential-set lists harvested from past publicly disclosed third-party service/website compromises
- password-spraying using public email address lists and password dictionaries of commonly used passwords
- rate-limiting login attempts to remain below detection thresholds
- using multiple different malicious hosts simultaneously to avoid detection
- utilizing proxy servers and VPNs to hide the source of the malicious traffic
Access to customer accounts and customer data could also enable the malicious actors to carry out other fraudulent activities, including phishing.
Suggested Action
CCIRC recommends that organizations review the following mitigation information and consider their implementation in the context of their network environment.
- Utilize a CAPTCHA (Completely Automated Public Turing Test to tell Computers and Humans Apart) test on login forms.
- Employ geo-blocking against website visitors outside of your typical customer area.
- Implement multi-factor authentication methods.
- Review logs for any suspicious activity and/or traffic which may indicate potential brute force login attempts. CCIRC suggests investigating any non-typical network/webserver activity or usage metrics including:
  - Extended periods of high load/traffic/usage.
  - High volume of account login failures, including attempts against accounts that do not exist or do not conform to your username and password conventions.
  - Multiple login attempts for different users from the same IP.
  - High volume of account login attempts from outside your typical customer demographic.
- Disallow redemption of customer rewards for items with direct monetary value (e.g. gift cards or vouchers).
- Cross-reference customer email addresses with those in publicly known compromised credential sets.
- Employ a strong password policy, and disallow use of commonly used passwords.
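The log-review guidance above (many login failures, different users from one IP, and attackers who pace their attempts to stay under per-minute thresholds) can be turned into a concrete check. The following Python is an added example, not part of the CCIRC alert; the log format, field names and sample lines are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the alert): time, source IP, account,
# outcome. 203.0.113.7 is a "low and slow" source rotating through many
# accounts at one attempt per ~5 minutes, below a per-minute lockout rule.
SAMPLE_LOG = """\
2017-02-16T10:00:01Z 203.0.113.7 alice@example.com FAIL
2017-02-16T10:00:03Z 198.51.100.4 bob@example.com OK
2017-02-16T10:05:11Z 203.0.113.7 carol@example.com FAIL
2017-02-16T10:10:27Z 203.0.113.7 dave@example.com NO_SUCH_USER
2017-02-16T10:15:44Z 203.0.113.7 erin@example.com FAIL
2017-02-16T10:20:58Z 203.0.113.7 frank@example.com FAIL
2017-02-16T10:25:02Z 203.0.113.7 grace@example.com OK
2017-02-16T10:30:00Z 198.51.100.4 bob@example.com FAIL
"""

def parse(log):
    """Yield (timestamp, ip, user, outcome) from the space-separated log."""
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome

def flag_spraying_sources(log, window=timedelta(hours=1), min_users=4):
    """Return {ip: summary} for each source IP that tried at least
    `min_users` distinct accounts within any span of length `window`.
    Counting distinct accounts per source over a long window, rather than
    failures per minute, catches attackers who pace their attempts."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in parse(log):
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for start, _, _ in events:
            span = [e for e in events if start <= e[0] <= start + window]
            users = {u for _, u, _ in span}
            if len(users) < min_users:
                continue
            outcomes = Counter(o for _, _, o in span)
            flagged[ip] = {
                "distinct_users": len(users),
                "failures": outcomes["FAIL"] + outcomes["NO_SUCH_USER"],
                "nonexistent_accounts": outcomes["NO_SUCH_USER"],
                # accounts where a guess succeeded: candidates for a forced reset
                "compromised": sorted(u for _, u, o in span if o == "OK"),
            }
            break
    return flagged
```

In practice the same per-source logic is applied per proxy or VPN exit address and combined with the geographic and failure-volume checks listed above, since an actor spreading attempts across many hosts will keep each source below `min_users`.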
References:
Get CyberSafe Guide for Small and Medium Businesses:
https://www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-en.aspx%20-%20s6-2
Using Passwords:
https://www.getcybersafe.gc.ca/cnt/prtct-yrslf/prtctn-dntty/usng-psswrds-en.aspx
Spotting Malicious E-mail Messages:
https://www.cse-cst.gc.ca/en/node/237/html/2998