Account takeover warning sign: Brute force attacks

Security tips | March 8, 2022

As more of our financial and personal lives happen online, the incentives for fraud and theft continue to grow. While inelegant, brute force attacks to take over accounts continue to be effective and popular. In the last quarter of 2021 alone, brute force attacks increased a staggering 274%. These hacks are frustrating, time-consuming, costly—and often the first indication of an ATO—but they are preventable.

This article examines the types of brute force attacks and how to recognize and defend your users from falling victim.

What is a brute force attack?

A brute force attack is a digital intrusion where hackers employ software to systematically ‘guess’ passwords to gain access to accounts. A form of account takeover, it’s unsophisticated in nature, as it involves casting the widest net possible to succeed. A brute force attack is almost always automated.

Because it’s simple, brute force is the most common form of hacking. In recent years, it has exploded in usage, due mostly to an increase in digital accounts created and used by remote workers.

Let’s look at why fraudsters implement this attack and the damage that often occurs.  

Damage caused by brute force attacks

Brute force attacks are often used either to steal money (or steal an identity to conduct fraud) or to cause digital disruption to a website. Knowing why they attack and what they stand to gain can help you defend your customers and ecosystem against them.

Here are the ways hackers conduct brute force attacks to steal money:

  • Stealing data and then reselling it. Once an account has been breached, the thief can typically find and steal sensitive data from your users. They then monetize the stolen information, usually on the dark web.
  • Spamming popular sites. Spamming a website isn’t very productive on low-traffic sites. Brute force attacks are aimed at high-traffic websites to spam on a larger scale and increase sales for themselves or the business that hired them.
  • Stealing traffic. Once a brute force attack occurs, it’s possible for the hacker to manipulate a website’s traffic to a different resource for their own benefit. This is done by rerouting traffic to controlled ad sites.

Here are the ways brute force attacks can disrupt your product or website:

  • Infecting systems with malware. If fraudsters successfully steal login credentials, you’re now vulnerable to malware attacks, exposing the safety of the domain.
  • Interfering with digital ecosystems. An initial attack often leads to a breach of the entire digital domain, as hackers use the open door provided by the attack to compromise and damage an entire ecosystem.
  • Creating illegitimate public-facing hacks to damage brand image. Lastly, a brute force attack can tarnish a brand’s reputation by changing public perception of the company’s security and customer experience.

Types of brute force attacks

There are four main types of brute force attacks, all with their own unique ways to take ownership of an account.

Simple

The simple brute force attack is the most basic, as it entails guessing password combinations until successful.

Dictionary

In a dictionary brute force attack, hackers use automated software to enter multiple combinations of passwords until they find one that works.

Hybrid

The hybrid method combines dictionary and simple brute force tactics to guess passwords containing common words and random characters.  

Reverse

A reverse brute force attack takes a single password and attempts to access accounts by applying it to many username logins.
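
The attack types above leave different traces in failed-login records: simple, dictionary and hybrid guessing pile failures onto one account, while a reverse attack spreads single attempts across many usernames. The following detection sketch is an added example, not code from the original article; the event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed failed-login events: (unix_seconds, source_ip, username).
FAILED_LOGINS = (
    # Many guesses at one account, spread over many sources.
    [(10 + 5 * i, f"198.51.100.{i + 1}", "alice") for i in range(8)]
    # One source, one attempt each against many usernames (reverse pattern).
    + [(100 + 20 * i, "203.0.113.7", f"user{i}") for i in range(6)]
    # A legitimate user mistyping twice.
    + [(50, "192.0.2.10", "bob"), (70, "192.0.2.10", "bob")]
)


def _bursts(rows, window, threshold, measure):
    """True if any sliding window of `window` seconds reaches `threshold`."""
    start = 0
    for end, (ts, _) in enumerate(rows):
        while ts - rows[start][0] > window:
            start += 1
        if measure(rows[start:end + 1]) >= threshold:
            return True
    return False


def detect(events, window=300, per_account=5, users_per_source=5):
    """Return (accounts under guessing, sources trying many usernames)."""
    by_account, by_source = defaultdict(list), defaultdict(list)
    for ts, ip, user in sorted(events):
        by_account[user].append((ts, ip))
        by_source[ip].append((ts, user))
    # Simple, dictionary and hybrid guessing: failures pile up on one account.
    targeted = {u for u, rows in by_account.items()
                if _bursts(rows, window, per_account, len)}
    # Reverse guessing: one source touches many distinct usernames.
    spraying = {ip for ip, rows in by_source.items()
                if _bursts(rows, window, users_per_source,
                           lambda r: len({name for _, name in r}))}
    return targeted, spraying
```

Counting per account alone misses the reverse pattern, because each username sees only one failure; counting per source alone misses guessing that is spread over many addresses.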

Now that you’re aware of the ways fraudsters are penetrating accounts, let’s see how to keep them out.

Prevention

Preventing brute force attacks requires a proactive, creative approach that you periodically evaluate as part of your overall fraud prevention processes.

Change your password-creation mindset

It’s a misunderstanding that a mixture of letters, numbers, and special characters makes the best passwords. Instead, you should encourage your customers to create passwords that are built with lengthy sentences.

To a human, a password such as HagksyeHbB12@#4651 might seem tough to crack, but not to a machine: it’s simply 18 characters a machine can quickly reorder until successful. However, a longer password such as thedogisbluewithgreenstripesandlikestoeattomatoeswithpasta will take a computer much more time to crack, if it can be cracked at all.

Restrict login attempts

There’s a thin line between cracking down on brute force attacks and providing a frictionless experience for your customers. One way to strike the right balance is to limit login attempts. That way, legitimate login attempts aren’t disrupted, while brute force attacks are shut down.
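
One way to limit login attempts without delaying ordinary users, shown as an added example that is not part of the original article: a few free attempts, then a lockout that doubles with each further failure, tracked per account and per source address. The class, the `attempt` handler and all thresholds are hypothetical, and the in-memory dictionary stands in for whatever shared store a real deployment uses.

```python
class LoginThrottle:
    """Counts consecutive failures per account and per source address."""

    def __init__(self, free_attempts=5, base_lock=30, max_lock=3600):
        self.free_attempts = free_attempts  # failures allowed before any delay
        self.base_lock = base_lock          # first lockout, in seconds
        self.max_lock = max_lock            # cap so the delay cannot grow forever
        self._state = {}                    # key -> (failures, locked_until)

    def retry_after(self, user, ip, now):
        """Seconds until this account/source pair may try again (0 = go ahead)."""
        until = max(self._state.get(k, (0, 0))[1]
                    for k in (("acct", user), ("ip", ip)))
        return max(0, until - now)

    def record(self, user, ip, success, now):
        if success:
            # Reset the account only: one valid login must not clear the
            # counter of a source that is also guessing at other accounts.
            self._state.pop(("acct", user), None)
            return
        for key in (("acct", user), ("ip", ip)):
            fails = self._state.get(key, (0, 0))[0] + 1
            lock = 0
            if fails >= self.free_attempts:
                lock = min(self.base_lock * 2 ** (fails - self.free_attempts),
                           self.max_lock)
            self._state[key] = (fails, now + lock)


def attempt(throttle, user, ip, password_ok, now):
    """Hypothetical login handler: the throttle is consulted before the password."""
    wait = throttle.retry_after(user, ip, now)
    if wait:
        return f"blocked:{wait}"  # applies even when the guess is correct
    throttle.record(user, ip, password_ok, now)
    return "ok" if password_ok else "failed"
```

A user who mistypes twice and then logs in is never delayed, while a sixth rapid guess is refused and the same source is also refused when it switches to a different username.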

Periodically check for dormant accounts

One of the problems companies encounter in their fraud prevention strategy is inadvertently providing accounts to hackers, which in turn are used to infiltrate more lucrative accounts within their ecosystem.  

It’s critical to check for accounts that are dormant within your system to ensure hackers don’t use them to commit fraud.

Prioritize multifactor authentication

Companies that embrace multifactor authentication (MFA) find that user logins are much more secure, and their customers end up with safer, better experiences. Brute force attacks target companies with websites that permit customers based on a single login, such as entering a username and password. By implementing MFA, the chances of a brute force attack working are slim, especially when used in combination with other security efforts. Google recently implemented MFA for accounts, and in the last year alone found a reduction of compromised accounts by 50%.

Ultimately, a brute force attack is only as effective as a company allows it to be. By being proactive and consistently evaluating your security stack to ensure you have the right mix of layered solutions, you can stop the attacks before they start.

TeleSign is committed to helping you keep your customers safe. If you’re interested in learning more about securing accounts from fraudsters, contact us today.
