Botnets & Credential Stuffing Attacks – Not a Thanksgiving Thing

Remember Willie Sutton? The bank robber who said he robbed banks because “that’s where the money is”? That’s where today’s cyber-criminals agree with the 1930s robber: go where the money is.

What Are Botnets and What Are They Used For?

Botnet is a combination of the words “robot” and “network”. Botnets have been a ‘thing’ since 2003. The idea of a botnet is for the botmaster to infect a machine (server, PC, router) with a robot (bot). This can be accomplished through a number of cybersecurity threats we are already familiar with, such as phishing, scripting exploits, backdoors, OS vulnerabilities, application vulnerabilities, etc.

After the bot is established on the compromised machine, it ‘phones home’ to the botmaster. Most of the successful botnets had bots that used code to replicate over the network; they would find other machines to infect. The most successful botnet (BredoLab) was a Russian effort that, when it was dismantled, had 30,000,000 bots. Once the bots are installed and have reported back to the controller, the botmaster controls them remotely to accomplish whatever nefarious activity he has in mind.

Initially, botnets were used to generate spam. Internet Service Providers and email providers began to limit the amount of email a single IP address could send in a given time period. Spammers were not happy. With a botnet, a spammer could send, say, 20 emails each from a million different machines. Spam is a way to make money. Finding a way to send spam makes money… botnets.

How Are Botnets Used in Distributed Denial of Service (DDoS) Attacks?

Another popular use of botnets is Distributed Denial of Service (DDoS) attacks. A botnet is pointed at a resource (a website, for example) and overwhelms the target’s servers with requests. Those requests can take a variety of forms (SYN flood, pings, ICMP flood) and use up the target system’s resources by forcing it to respond to too many requests, or use up the resource’s available bandwidth. Botmasters would use the threat of a DDoS for blackmail… “Send money or I will take you off the internet”. Interestingly, the most recent DDoS attacks have been leveled at dark web sites… No honor among thieves.

Click fraud is another botnet target. In Google search results, for example, the popularity of a site, i.e. the number of clicks, raises the site in Google’s search results. Thus, click fraud. A botnet can be directed to ‘click’ on a web resource to make it look REALLY popular and thus move it up in Google results. Want www.mywealthstrategy.com to look legit? Pay a botmaster to give it 2 million web hits.

Bitcoin mining is next. Without getting into the depths of crypto-currency, suffice it to say that ‘mining’ Bitcoin is processor intensive. Using a botnet to do the calculations on other people’s machines is a way to distribute the processing.

What Are Credential Stuffing Attacks and How Do They Work?

Finally (thanks for hanging in there) comes credential stuffing. In the latest botnet evolution, botnets are being used for these attacks. If a website loses control of its user credentials (username/password), a botnet can be employed to use that information to attempt logins on many web resources automatically and from a distributed network. This is effective because if one were to sit at home and start trying a list of a thousand credentials against a single website, the server log would show many login attempts with a variety of credentials from a single IP address. This screams fraud to the server… but if the attempts were to come from 1,000 different computers, each one just looks like a user fat-fingering their login, or it is a successful login attempt.
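The contrast in that paragraph is the whole detection problem: a per-IP rule catches the person at home working through a list, and misses the botnet that spreads the same list over a thousand addresses. The script below is an added example (not code from the original post) that runs both rules over a constructed login log. The log format, the thresholds and the sample addresses (taken from the RFC 5737 documentation ranges) are assumptions; the distributed rule looks for the aggregate signature instead: many “quiet” IPs, each failing only a handful of times, that together hit many distinct accounts inside one window.

```python
# Added example, not code from the original post. It contrasts the two
# detection signals the paragraph above describes: a single IP failing against
# many usernames (easy to spot) versus a botnet spreading the same attempts
# over many IPs (invisible to a per-IP rule, visible only in the aggregate).
# The log format is an assumption: "<epoch_seconds> <client_ip> <username> <OK|FAIL>".
from collections import Counter, defaultdict
from typing import Iterable, NamedTuple


class Login(NamedTuple):
    ts: int
    ip: str
    user: str
    ok: bool


def parse_log(lines: Iterable[str]) -> list[Login]:
    """Parse the assumed one-attempt-per-line format, skipping malformed lines."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ts, ip, user, result = parts
        events.append(Login(int(ts), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def single_ip_alerts(events: list[Login], min_users: int = 10) -> dict[str, int]:
    """Classic rule: flag any IP whose failures span many distinct usernames."""
    users_by_ip: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if not e.ok:
            users_by_ip[e.ip].add(e.user)
    return {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


def distributed_alerts(events: list[Login], window: int = 300, min_ips: int = 25,
                       min_users: int = 25, max_fails_per_ip: int = 3) -> dict[int, tuple[int, int]]:
    """Botnet rule: per fixed window, count the IPs that each fail only a little
    ('quiet' IPs) and the distinct usernames they fail against. Many quiet IPs
    hitting many different accounts at once is the credential-stuffing signature;
    noisy IPs are left out because the single-IP rule already covers them."""
    by_window: dict[int, list[Login]] = defaultdict(list)
    for e in events:
        if not e.ok:
            by_window[e.ts // window * window].append(e)
    alerts = {}
    for start, fails in sorted(by_window.items()):
        per_ip = Counter(e.ip for e in fails)
        quiet_ips = {ip for ip, n in per_ip.items() if n <= max_fails_per_ip}
        users = {e.user for e in fails if e.ip in quiet_ips}
        if len(quiet_ips) >= min_ips and len(users) >= min_users:
            alerts[start] = (len(quiet_ips), len(users))
    return alerts


def build_sample_log() -> list[str]:
    """Constructed sample log (addresses from the RFC 5737 documentation ranges).
    base is aligned to a 300-second window so every line lands in one window."""
    base = 1_700_000_100
    lines = [f"{base + i * 7} 192.0.2.{10 + i} user{i}@example.com OK" for i in range(5)]
    # one real user fat-fingers a password, then gets in
    lines += [f"{base + 40} 192.0.2.10 user0@example.com FAIL",
              f"{base + 45} 192.0.2.10 user0@example.com OK"]
    # one address working through a list of 30 usernames
    lines += [f"{base + 60 + i} 203.0.113.7 victim{i}@example.com FAIL" for i in range(30)]
    # 40 bots, each trying a single leaked username/password pair
    lines += [f"{base + 100 + i * 4} 198.51.100.{i + 1} leaked{i}@example.com FAIL"
              for i in range(40)]
    return lines


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("single-IP alerts:", single_ip_alerts(evs))      # only 203.0.113.7
    print("distributed alerts:", distributed_alerts(evs))  # the 40 bots plus the one fat-finger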

The botnet logs which attempts are successful and passes the information back to the botmaster. This is important because users often re-use passwords. If I use whuffines@nerdstogo.com as my username and Lkj3#jkl as a password on, say, reddit.com, it looks like a pretty good password (it’s not, but that’s another discussion). Then, say, reddit loses control of its user database. A botmaster then takes that list and tries amazon.com, audible.com, facebook.com, twitter.com, schwab.com, Bank of America, Google, etc., etc. to see if I made the mistake of using the same password. In short order, think hours, the botmaster has assembled a list of ‘good’ credentials to a number of sites. This has become a valuable item on the web. One analysis suggests that a ‘credential stuffer’ can net $20,000 with a $550 investment. This is possible because of dark web marketplaces for the information.

Strong Passwords Are the Best Way to Prevent Credential Stuffing Attacks

Until users make the effort unprofitable by using unique passwords, “that’s where the money is”. Here are some ways you can help protect yourself from becoming a victim of one of these botnet attacks and keep your online data secure:

  • Use unique and strong passwords for each website
  • Use a password manager app to help create and remember these strong, complicated passwords
  • Pay attention if your computer is suddenly slow or the hard drive is busy when you aren’t using it. That’s an indication you have a bot operating on your computer without your knowledge or permission.
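The first two tips only help if the vault actually holds unique passwords, and a vault that has grown for years usually has a few that were copied from site to site. Below is an added example (not code from the original post or a NerdsToGo tool) that scans a password-manager export for reuse and, for any one site, lists the other sites that would fall with it. The three-column (site, username, password) export layout is an assumption, and the entries are constructed; the report keys on a SHA-256 digest so the plaintext passwords never appear in the output.

```python
# Added example, not code from the original post: scan a password-manager
# export for passwords shared between sites, which is exactly the reuse that
# turns a leak at one site into a compromise at the others. The three-column
# (site, username, password) layout is an assumption; the entries are constructed.
import hashlib
from collections import defaultdict

VAULT = [  # constructed sample entries, not real credentials
    ("reddit.com", "alice@example.com", "Lkj3#jkl"),
    ("amazon.com", "alice@example.com", "Lkj3#jkl"),
    ("schwab.com", "alice@example.com", "Lkj3#jkl"),
    ("audible.com", "alice@example.com", "3v#xQ9-wrong-but-unique"),
    ("twitter.com", "alice_alt", "z9!Qm2#pL"),
]


def reuse_report(entries):
    """Group entries by password and return only the reused ones as
    {sha256_hex: [(site, username), ...]} so the report never shows plaintext."""
    by_hash = defaultdict(list)
    for site, user, password in entries:
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_hash[digest].append((site, user))
    return {d: sites for d, sites in by_hash.items() if len(sites) > 1}


def blast_radius(entries, site):
    """Sites whose login would also be exposed if `site` leaked its user
    database: every other entry that shares the same password."""
    password = {s: p for s, _, p in entries}.get(site)
    if password is None:
        return []
    return sorted(s for s, _, p in entries if p == password and s != site)


if __name__ == "__main__":
    for digest, places in reuse_report(VAULT).items():
        print(f"password {digest[:12]}... is used on {len(places)} sites:")
        for site, user in places:
            print(f"    {site} ({user})")
    print("if reddit.com leaks, also change:", blast_radius(VAULT, "reddit.com"))
```

Running it on the constructed vault reports one password shared by three sites and tells you that a leak at reddit.com means changing amazon.com and schwab.com as well; the unique passwords on audible.com and twitter.com do not appear in the report at all. Real export files also carry URLs, notes and folders, so the three-tuple loader is the part you would adapt to your manager’s format.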

How NerdsToGo Computer Service Can Help

At your local NerdsToGo, we offer all types of residential and business technology services. We can help you by upgrading your computer to the latest and greatest security software and providing on-going best-practice tips to keep you and your family safe while online. And remember, we come to you!

We also offer expert business IT services to help keep your business data safe through services like remote data monitoring and management (RMM) services, custom cybersecurity solutions, networking & firewall services, and much more! Learn more about our IT support for business to see how we can help. To get started, feel free to give us a call at (800) 420-6039 or contact us online to schedule an on-site appointment with one of our Nerds.