An extraordinary 43 per cent of all attempted online account logins are malicious, Akamai claims in its latest internet security report.
"Credential abuse" is an increasingly popular line of attack, thanks in large part to the readily availability of huge user/password databases that has been stolen and are sold online.
Akamai identifies two main types of such attacks: "bursty, high-speed login attempts" to break into people's accounts, and "low and slow attempts to avoid apprehension by spreading login tries across longer time periods," again to gain unauthorized access to profiles and systems.
The web hosting giant even reckons it may be underestimating the problem because it only gathered data from websites that use an email address as a username, which included no less than six billion login attempts over two months. Banks typically require you to select a username rather than an email and are often the most persistent focus of attackers attention, for obvious reasons, so are likely missing from this dataset.
In addition to detailing credential abuse, Akamai's quarterly State of the Net report, out this week, identifies mobile devices, the internet of things, and APIs as the biggest, and somewhat bleeding obvious, new threats to online security.
API attacks more than doubled in the last quarter, we're told. Akamai has also noticed a new trend in miscreants breaking into systems in order to use their computing power for activities including mining cryptocurrencies, rather than simply stealing information.
"We are seeing a new trend of enterprise systems being targeted, not only to steal their data, but to steal their computing resources, perhaps driven in part by the rise of cryptocurrencies and the potential value of mining resources," the report notes.
And now for the... oh well
As for the good news – there is no good news. Denial-of-service and web app attacks continue to increase as the number of vulnerabilities identified grows over time. Criminals continue to make the most from "long-standing, tried-and-true attack vectors," the report notes. That said, DDoS were down one per cent from the previous quarter so that's… good?
As to how to protect yourself or your company, the main advice is – hold on to your hats – to patch existing, known flaws.
"Many of today’s attacks still leverage well-known vulnerabilities - flaws that have been documented and patched, and can be prevented," the report stated, while banging its head on the table.
It goes on, slowly and clearly in the hope that people are actually listening, "efforts to cover the basics - secure coding practices, timely patching, proper device configuration, and prudent password management, would go a long way towards fortifying defenses." ®