Bad news: 43% of login attempts 'malicious' Good news: Er, umm...

Also bad: Unpatched systems, unsecured APIs, IoT gear, anthrax candy, bottomless pits

28 Reg comments Got Tips?

An extraordinary 43 per cent of all attempted online account logins are malicious, Akamai claims in its latest internet security report.

"Credential abuse" is an increasingly popular line of attack, thanks in large part to the readily availability of huge user/password databases that has been stolen and are sold online.

Akamai identifies two main types of such attacks: "bursty, high-speed login attempts" to break into people's accounts, and "low and slow attempts to avoid apprehension by spreading login tries across longer time periods," again to gain unauthorized access to profiles and systems.

The web hosting giant even reckons it may be underestimating the problem because it only gathered data from websites that use an email address as a username, which included no less than six billion login attempts over two months. Banks typically require you to select a username rather than an email and are often the most persistent focus of attackers attention, for obvious reasons, so are likely missing from this dataset.

In addition to detailing credential abuse, Akamai's quarterly State of the Net report, out this week, identifies mobile devices, the internet of things, and APIs as the biggest, and somewhat bleeding obvious, new threats to online security.

API attacks more than doubled in the last quarter, we're told. Akamai has also noticed a new trend in miscreants breaking into systems in order to use their computing power for activities including mining cryptocurrencies, rather than simply stealing information.

"We are seeing a new trend of enterprise systems being targeted, not only to steal their data, but to steal their computing resources, perhaps driven in part by the rise of cryptocurrencies and the potential value of mining resources," the report notes.

And now for the... oh well

As for the good news – there is no good news. Denial-of-service and web app attacks continue to increase as the number of vulnerabilities identified grows over time. Criminals continue to make the most from "long-standing, tried-and-true attack vectors," the report notes. That said, DDoS were down one per cent from the previous quarter so that's… good?

As to how to protect yourself or your company, the main advice is – hold on to your hats – to patch existing, known flaws.

"Many of today’s attacks still leverage well-known vulnerabilities - flaws that have been documented and patched, and can be prevented," the report stated, while banging its head on the table.

It goes on, slowly and clearly in the hope that people are actually listening, "efforts to cover the basics - secure coding practices, timely patching, proper device configuration, and prudent password management, would go a long way towards fortifying defenses." ®


Keep Reading

There are DDoS attacks, then there's this 809 million packet-per-second tsunami Akamai says it just caught

Bank on the receiving end of massive 418Gbps traffic barrage

Stuffing nonsense: Persistent cyberpunks are pummelling banks' public APIs, warns Akamai

Security biz clocked 55 million malicious login attempts on a client

Watch your MANRS: Akamai, Amazon, Netflix, Microsoft, Google, and pals join internet routing security effort

Filtering, anti-spoofing, coordination, validation to prevent crooks, spies hijacking victims' connections

DIY with Akamai: What to do when no one sells the servers you need? You build your own

Akamai Edge World If it looks like a hyperscaler, swims like a hyperscaler...

Akamai CEO: Playing games from the cloud? Seems too expensive to be viable right now

Akamai Edge World 'It is something we are interested in … but the economic model hasn’t worked out yet'

Akamai on dragging 'em kicking and streaming to the edge: They might be public cloud giants, but we're, er, vids in

Akamai Edge World CEO Tom Leighton pitches CDNs for enterprise

Dear hackers: If you try to pwn a website for phishing, make sure it's not the personal domain of a senior Akamai security researcher

Exclusive Crooks fail to hijack infosec bloke's site to dress it up as a legit Euro bank login page

Crime doesn't pay? Crime doesn't do secure coding, either: Akamai bug-hunters find hijack hole in bank phishing kit

Exclusive Absolutely criminal behavior – unrestricted file upload, really?

Biting the hand that feeds IT © 1998–2020