Nov 21, 2020

The rise and rise of application fraud

Matias Woloski
Cybersecurity for consumer-facing businesses has a unique challenge, says Matias Woloski. Application fraud and credential stuffing still loom large...

Cyberattacks have evolved since the advent of online transacting almost 25 years ago, with attackers continually escalating and refining their techniques to protect their illicit revenue streams. 

Early brute force attacks guessed passwords one after another until they hit the correct one. This is time-consuming, computationally expensive, and not very effective. Then password lists became popular: instead of guessing blindly, attackers worked from massive lists of common passwords and brute-forced variations of them.

Today, attackers and fraudsters can call upon a sophisticated suite of tools all designed to defeat traditional defences. Most people who use the internet have had an account compromised at some point, and in all likelihood, that was through either phishing or some type of credential stuffing attack.

Attackers can try thousands of credentials very quickly

Credential stuffing can be thought of as a smarter form of brute force where attackers take credentials that have been leaked in one data breach and try them en masse against other websites to find combinations that are reused, so that they can take over user accounts. Attackers do this in an automated fashion, so that they can try thousands of credentials very quickly. 

The use of stolen credentials is one of the most common methods used in observed data breaches. According to Shape Security, credential stuffing aimed at account takeover and other brute force attacks drive fraud and abuse that results in more than $40B of hard losses every year, and up to three times that much in total costs.

The 2019 Verizon Data Breach Investigations Report also states that roughly 70% of observed breaches use stolen credentials. Not all of these are going to be credential stuffing attacks, but it’s likely the majority are. 

At Auth0, we have seen massive trends across our customer base, as we’re in a unique position as an aggregator of identity and login data. Today, roughly 67% of our authentication traffic is deemed suspicious, meaning it looks like application fraud.

What are the threats?

There are a number of factors that enable these credential stuffing attacks, and organisations should be looking to address or defend against each of them.

  1. Single-factor authentication – this is when a website uses only a username and password rather than multi-factor authentication (MFA). Companies need to adopt mitigation techniques like MFA, which add friction, and then make that friction smarter. In an ideal world, a customer should only encounter extra friction occasionally, when it is genuinely necessary, rather than every time they log in.
  2. Lists of known, breached credentials – if attackers were unable to get a hold of these lists, they would not be able to carry out these attacks. Massive breaches create lists of thousands of usernames and passwords, which attackers will aggregate into mega lists. Some are multiple billions of credentials.
  3. Reusing passwords – countless statistics show that most people reuse their passwords; if that were not the case, credential stuffing attacks would not work.
  4. Readily available tools – these are very easily acquired by attackers to conduct automated attacks. Most websites will identify spikes in traffic from a single source and then block it. However, attackers can get around that by dividing up their attacks among a botnet, meaning they spread out their queries to a victim site across a massive pool of residential IP addresses. There are services where attackers can pay a small amount of money to access tens of thousands of IP addresses.
  5. Monetising attacks – none of these tools or lists would exist if attackers were not able to monetise their attacks. They can simply sell the accounts on the darknet, but we also see a number of examples of attackers being creative, such as:
    1. Reselling subscriptions to content streaming platforms for less than the retail price.
    2. “Sneaker botting” where attackers target a limited sneaker release (or any collectible, really), take over hundreds of user accounts, and buy up the whole supply to sell on third-party marketplaces.
    3. Company loyalty programmes and gift cards where attackers target loyalty accounts and drain any points that have been generated. A UK supermarket had to suspend and block 620,000 accounts after stolen username and password combinations were used to take over the accounts and redeem reward vouchers that customers had earned through the loyalty scheme.

The scale of application fraud right now is unbelievable. However, most of the problems that enable credential stuffing attacks have been around for a long time. 

If organisations really want to defend against credential stuffing attacks, they have to think of security in layers. A huge spike in failed logins is a tell-tale sign of a credential stuffing attack. If you’re getting traffic from IP addresses that are associated with known threat actors, you might want to block them or institute some kind of CAPTCHA to help mitigate bot activity. You need those first layers of defence.

Good security hygiene, like testing for known, breached passwords among your user base, is a second layer of defence. MFA is then a third layer of defence. If your organisation has all three, you're in pretty good shape against credential stuffing, and you can minimise friction for users by prompting MFA only when an action is deemed suspicious.
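The three layers described above, as an added example that is not part of the original article: a small Python risk scorer run over a constructed login log. The threat-intel list, the breached-password corpus, the thresholds and the IP addresses (documentation ranges) are all assumptions.

```python
import hashlib
from collections import Counter

# Constructed sample login log (not real traffic): (seconds since start, source IP, user, succeeded).
# The burst after t=60 is spread over many source IPs, as a botnet-driven stuffing run would be.
EVENTS = [(0, "198.51.100.10", "alice", True), (5, "198.51.100.11", "bob", True),
          (20, "198.51.100.12", "carol", False), (40, "198.51.100.13", "dave", True)]
EVENTS += [(61 + i, f"203.0.113.{i}", f"user{i}", False) for i in range(25)]

KNOWN_BAD_IPS = {"203.0.113.3", "203.0.113.9"}           # hypothetical threat-intel list
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()       # hypothetical breach corpus
                 for p in ("password", "123456", "qwerty")}


def failures_per_window(events, window_s=60):
    """Layer 1: count failed logins per fixed window; a spike is the tell-tale sign."""
    return Counter(t // window_s for t, _, _, ok in events if not ok)


def spike_windows(events, window_s=60, threshold=10):
    """Return the window indexes whose failure count exceeds the threshold."""
    counts = failures_per_window(events, window_s)
    return sorted(w for w, n in counts.items() if n > threshold)


def password_is_breached(password):
    """Layer 2: hygiene check of a password against known-breached hashes."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def login_decision(t, ip, password, events, window_s=60, threshold=10):
    """Layer 3: choose the friction for one attempt at time t from source ip.

    Known-bad sources are blocked outright; during a failure spike every login
    gets a CAPTCHA plus MFA; a breached password triggers MFA (and should lead
    to a reset); otherwise the user logs in with no extra friction.
    """
    if ip in KNOWN_BAD_IPS:
        return "block"
    if t // window_s in spike_windows(events, window_s, threshold):
        return "captcha+mfa"
    if password_is_breached(password):
        return "mfa"
    return "allow"
```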

Matias Woloski is co-founder and CTO, Auth0


Jun 18, 2021

GfK and VMware: Innovating together on hybrid cloud

VMware has been walking GfK along its path through digital transformation to the cloud for over a decade.

GfK has been the global leader in data and analytics for more than 85 years, supplying its clients with optimised decision inputs.

In its capacity as a strategic and technical partner, VMware has been walking GfK along its digital transformation path for over a decade. 

“We are a demanding and singularly dynamic customer, which is why a close partnership with VMware is integral to the success of everyone involved,” said Joerg Hesselink, Global Head of Infrastructure, GfK IT Services.

Four years ago, the Nuremberg-based researcher expanded its on-premises infrastructure by introducing VMware vRealize Automation. In doing so, it laid a solid foundation, resulting in a self-service hybrid-cloud environment.

By expanding on the basis of VMware Cloud on AWS and VMware Cloud Foundation with vRealize Cloud Management, GfK has given itself a secure infrastructure and reliable operations by efficiently operating processes, policies, people and tools in both private and public cloud environments.

One important step for GfK involved migrating from multiple cloud providers to just a single one. The team chose VMware.

“VMware is the market leader for on-premises virtualisation and hybrid-cloud solutions, so it was only logical to tackle the next project for the future together,” says Hesselink.

Migration to the VMware-based environment was integrated into existing hardware simply and smoothly in April 2020. Going forward, GfK’s new hybrid cloud model will establish a harmonised core system complete with VMware Cloud on AWS, VMware Cloud Foundation with vRealize Cloud Management and a volume rising from an initial 500 VMs to a total of 4,000 VMs. 

“We are modernising, protecting and scaling our applications with the world’s leading hybrid cloud solution: VMware Cloud on AWS, following VMware on Google Cloud Platform,” adds Hesselink.

The hybrid cloud-based infrastructure also empowers GfK to respond to new and future projects with astonishing agility: Resources can now be shifted quickly and easily from the private to the public cloud – without modifying the nature of interaction with the environment. 

The gfknewron project is a good example – the company’s latest AI-powered product is based exclusively on public cloud technology. The consistency guaranteed by VMware Cloud on AWS eases the burden on both regular staff and the IT team. Better still, since the teams are already familiar with the VMware environment, the learning curve for upskilling is short.

One very important factor for GfK was that VMware Cloud on AWS constituted an investment in future-proof technology that will stay relevant.

“The new cloud-based infrastructure comprising VMware Cloud on AWS and VMware Cloud Foundation forges a successful link between on-premises and cloud-based solutions,” says Hesselink. “That in turn enables GfK to efficiently develop its own modern applications and solutions.

“In market research, everything is data-driven. So, we need the best technological basis to efficiently process large volumes of data and consistently distill them into logical insights that genuinely benefit the client. 

“We transform data and information into actionable knowledge that serves as a sustainable driver of business growth. VMware Cloud on AWS is an investment in a platform that helps us be well prepared for whatever the future may hold.”
