More Than 40% of Global Log-in Attempts Are Malicious

More than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks, according to the latest report from Akamai. From a report: The cloud delivery provider's latest State of the Internet/Security report for Q4 2017 comprised analysis from over 7.3 trillion bot requests per month. It claimed that such requests account for over 30% of all web traffic across its platform per day, excluding video streaming. However, malicious activity has seen a sharp increase, as cyber-criminals look to switch botnets from DDoS attacks to using stolen credentials to try to access online accounts. Of the 17 billion login requests Akamai tracked in November and December, over two-fifths (43%) were used for credential abuse. The figure rose to a staggering 82% for the hospitality industry.

99% on my vm

[imidan]

I have a VM with a hosting service where I run Ubuntu to host some things like svn and other small services. According to the ssh logs, where bots are trying to log in constantly, and the apache logs, where bots are constantly trying to access admin pages for services I don't run, I'd say that more than 99% of login attempts are malicious on that host. That's without advertising the IP or hostname anywhere; the bots just found it over time. I do run fail2ban, so they eventually get blocked, but there's an endless supply of them.

Well, duh...

[bradley13]

Create a new AWS account, and create a new AWS instance. Allow normal login (not just SSH), and don't do any sort of IP restriction. Watch your logs. Your instance will be noticed very quickly, and will be flooded by bots attempting to brute-force a login. FWIW, the bots are all from Eastern Europe and Asia, or at least they were the last time I tried this (a few years ago). It's pretty crazy.

I don't know about other cloud services, but I wonder about AWS policies. You can set a warning when your monthly spend exceeds a threshold, but you cannot actually set a hard spending limit. This means that, if someone manages to hack into one of your servers (or, better, into your account), they can use as many resources as they want, until you notice and stop them. If you don't notice, they can run up massive bills, which AWS will want you to pay. Seems like a good racket, no wonder those bots are lurking...