Just announced: HUMAN’s Satori Threat Intelligence and Research team has disrupted a cunning mobile advertising fraud campaign dubbed Konfety.
HUMAN Blog

How an E-commerce Retailer Reduced Malicious Login Attempts by Millions

This large e-commerce retailer was bombarded with credential stuffing attacks that led to account takeovers (ATOs). These attacks caused financial losses, customer churn and brand reputation damage. 

Last fall, the company experienced attacks attempting to take over nearly 2.5 million accounts. Although it successfully blocked the malicious login attempts with HUMAN Bot Defender, the company also wanted to reduce the volume of attacks coming in. The retailer implemented HUMAN Credential intelligence to cut off credential stuffing bots at the source, in addition to blocking them in real time. 

The impact was immediate. Following the deployment of Credential Intelligence, the e-commerce retailer realized a more than 90% reduction in the magnitude of credential stuffing attacks, and the number of accounts at risk of ATO dropped to less than 200 per week. This allowed the retailer’s security team to spend time on strategic tasks rather than fraud investigations and saved the company hundreds of thousands of dollars per month.

The graph below shows a significant drop in credential stuffing attacks witnessed by Bot Defender — depicted by the red line — which is almost simultaneous to the deployment of Credential Intelligence. 

Fig 1 - Login Attempts and Traffic

Fig. 1 - Volume of credential stuffing attack attempts with Bot Defender alone and then with both Bot Defender and Credential Intelligence

Were there just fewer credential stuffing attacks after October 2021? Of course not. Instead Credential Intelligence prevented and flagged login attempts using compromised credentials before bad bots even reached Bot Defender. 

How It Works: Decreasing Your Vulnerable Surface Area

Credential Intelligence works by decreasing the vulnerable surface area: in this case, the number of accounts using credentials that are known to attackers. More specifically, Credential Intelligence prevents users from logging in with compromised credentials and provides a real time response — forcing a password reset — as part of the login flow. 

Credential Intelligence leverages a dynamic credential database that is highly curated and always evolving with the freshest data from attacks taking place in the wild. Because of this, only compromised credentials that are actively in use by threat actors are flagged. This allows the solution to effectively reduce vulnerable accounts while preventing unnecessary friction. 

The graph below shows the login requests from legitimate account owners whose credentials were compromised. After the e-commerce retailer implemented an automated password reset flow, affected users changed their passwords and the number of accounts at risk of ATO quickly dropped. This demonstrates the long term effectiveness of the solution because the number of accounts using credentials known to attackers decreased significantly over time.

Fig 2 - Logins Using Compromised Credentials

Fig. 2 - Login requests from legitimate account owners whose credentials were compromised, before and after Credential Intelligence was deployed

Defense-in-depth: A Layered Defense Model

Credential Intelligence and Bot Defender work together to provide a layered defense model, a best practice known by security experts as “defense-in-depth.” Each solution plays a different role in your security infrastructure to catch cybercriminals at every turn.

The graph below shows a small and elusive credential stuffing attack against the e-commerce retailer. The red line shows the logins blocked by Bot Defender and the yellow lines show the logins caught by Credential Intelligence. Because each solution looked for different markers of malicious activity, together they stopped the entire attack and ensured nothing fell through the cracks.

Fig 3 - Defense in Depth

Fig. 3 - Logins using compromised credentials blocked by Bot Defender and Credential Intelligence over nine day period

All accounts targeted during the attack were either blocked or flagged as high risk accounts that should be monitored. These accounts were blocked until their password was changed to reduce the vulnerable surface area and ensure they are no longer susceptible to future attacks.

An Early Warning System

Credential Intelligence acts as an early warning system that shares knowledge with Bot Defender. This better equips both solutions to block impending attacks, stopping ATOs before they happen.

In the below example, attackers conduct a dry run where they make manual attempts noted by the yellow line below, before launching the full bot attack noted by the red line. Credential Intelligence flagged some of the manual logins, acting as an early signal that a larger scale attack was coming. 

These insights were passed on to Bot Defender and used to fine tune its detections to lower thresholds and block attacks in their infancy. The early blocks led bot operators to abandon the attack.

Fig 4 - Early Warning System

Fig. 4 - Logins using compromised credentials blocked by Bot Defender and Credential Intelligence during credential stuffing attack

Break the Cycle of Credential Stuffing Attacks

Credential stuffing attacks are a seemingly inevitable byproduct of authenticating users with usernames and passwords alone. Up until now, there were two best practice solutions:

  • Switch to a more robust authentication mechanism such as MFA, which isn’t a viable solution for many websites because of the friction and cost it introduces 
  • Adopt security measures to block attacks as they happen, which does not deter future attacks

Credential Intelligence revolutionizes credential stuffing mitigation by removing your vulnerable surface area, making attacks not economically viable. It turns a previously renewable resource — compromised credentials — into a single-use resource. This happens because once a credential pair is seen in a single attack, it will be mitigated across the entire HUMAN network. The result is a long-term decline in credential stuffing attacks and account takeovers. 

By stopping the use of stolen credentials up front, Credential Intelligence prevents fraud before it happens. This decreases fraud claims, transaction fees and write-offs, protects brand reputation and instills trust in consumers that their accounts are safe on your site. The result is a safe user journey and a low-friction customer experience.