Deadliest Automated Attacks of 2018 — A Year in Review

Radware Bot Manager
4 min read · Aug 14, 2020

“Data is the new oil!” is a claim you have heard many times. But what does it actually mean? In one sense, the analogy refers to the way data powers many of the digital services we use in day-to-day life. There is another facet to it, however: data is also obtained illegally in order to monetize it or use it for nefarious purposes.

Every year, online businesses and governments face a barrage of attacks from cybercriminals. These attacks are aimed at stealing sensitive user data, payment card details, and other business-critical information. 2018 was no different for the online community. In fact, it will be remembered for some of the deadliest cyber attacks in history, including attacks on Facebook, British Airways, and Under Armour’s MyFitnessPal. In this blog, we have listed some of the worst cyber attacks of 2018 that you should know about.

Type of Attack | Attack Description

Data Security Breaches

  • In March 2018, Under Armour revealed that it had faced a deadly security breach. The company said that personal data including usernames, email addresses, and hashed passwords of 150 million MyFitnessPal accounts may have been compromised. [Source: Reuters]
  • In June 2018, electronics retailer Dixons Carphone revealed that personal details of nearly 10 million customers including names, addresses, and email addresses may have been compromised after a security breach on its internet properties. [Source: Independent UK]
  • In July 2018, SingHealth, Singapore’s largest group of healthcare institutions, revealed that it recently suffered a serious data breach, compromising personal data of 1.5 million healthcare patients including Prime Minister Lee Hsien Loong. [Source: ZDNet]
  • On August 28th, Air Canada revealed that it had suffered a massive data breach. The company noted that as many as 20,000 customers may have been affected and that the compromised data included personal information such as passport details. [Source: Air Canada]
  • On Sept. 06th, British Airways revealed that it faced a massive data breach between Aug. 21 and Sept. 5. The airline confirmed that personal information and credit card details of as many as 380,000 customers were stolen. [Source: Reuters]
  • In Dec. 2018, Google announced that it was bringing forward the shutdown of Google+ following a data breach. According to estimates, the personal data of 52.5 million customers may have been compromised in the breach. [Source: The News Minute]

DDoS Attacks

  • On Feb. 28, a massive DDoS attack hit code-hosting site GitHub. It was one of the largest DDoS attacks ever, with traffic peaking at 1.3 terabytes per second. [Source: TechCrunch]

API Abuse

  • In August 2018, T-Mobile revealed that personal data of nearly 2 million users may have been affected after hackers compromised company servers through an API. [Source: ZDNet]
  • In September 2018, Facebook revealed an API abuse attack. The company said that almost 50 million users were affected by the breach. [Source: Ars Technica]

Consequences of Data Breaches

Opens the Door for Account Takeovers

A successful data breach brings abundant opportunities for attackers. It opens the door for account takeovers and leaves almost all online businesses exposed to credential stuffing and credential cracking attacks. When attackers breach a firm’s security, they steal PII, credentials, and other sensitive information belonging to millions of customers. They then use bots to test lists of stolen credentials against a range of websites, in the hope that a victim has used the same combination of credentials on several sites, a practice known as credential stuffing. It exploits users’ propensity to reuse passwords across different sites.

Attackers also leverage PII and other sensitive information related to users to generate different combinations of usernames and passwords. They try these generated credentials against various login portals to identify valid ones, a practice known as credential cracking. For example, when Yahoo announced two data breaches in 2016, it said that 3 billion user accounts were compromised. The company said that along with passwords, the hack exposed associated names, birthdays, phone numbers, and, in some cases, “encrypted or unencrypted security questions/answers and hashed passwords.” With such sensitive information, attackers can create different combinations of usernames and passwords and attempt to take over accounts associated with those 3 billion users on the internet.

In both cases, attackers deploy sophisticated automated scripts (bots) to execute these methods. The best bet any organization has for protecting against these types of attacks is to block automated scripts from accessing its website. A bot management solution is effective in preventing such attacks.
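The difference between the two patterns described above shows up in login telemetry. The following is an added example, not part of the original post and not code from any bot management product: it groups constructed login events by source and labels each source by how its failed attempts are spread across accounts. The function name, thresholds, and sample events are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data): (source_ip, username, success)
EVENTS = (
    # One source replaying a leaked list: 8 accounts, one try each, one hit.
    [("203.0.113.10", f"user{i}", i == 3) for i in range(8)]
    # One source guessing repeatedly against two accounts, no hits.
    + [("198.51.100.7", u, False) for u in ("alice", "bob") for _ in range(5)]
    # An ordinary user who mistyped a password once.
    + [("192.0.2.44", "carol", False), ("192.0.2.44", "carol", True)]
)

def classify_sources(events, min_attempts=6, max_success_rate=0.2,
                     max_tries_per_user=2):
    """Label each source as normal, credential_stuffing or credential_cracking.

    Thresholds are illustrative assumptions and need tuning on real traffic.
    """
    # source -> username -> [attempts, successes]
    per_src = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for src, user, ok in events:
        rec = per_src[src][user]
        rec[0] += 1
        rec[1] += int(ok)

    verdicts = {}
    for src, users in per_src.items():
        attempts = sum(a for a, _ in users.values())
        successes = sum(s for _, s in users.values())
        # Low volume or a mostly successful source looks like a real user.
        if attempts < min_attempts or successes / attempts > max_success_rate:
            verdicts[src] = "normal"
            continue
        tries_per_user = attempts / len(users)
        # Stuffing: known pairs are replayed, so each account sees ~1 try.
        # Cracking: generated guesses pile up on a small set of accounts.
        if tries_per_user <= max_tries_per_user:
            verdicts[src] = "credential_stuffing"
        else:
            verdicts[src] = "credential_cracking"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(EVENTS).items():
        print(src, verdict)
```

Grouping by source IP is the simplest key; bots that rotate addresses call for grouping on another attribute, such as a device fingerprint or network range.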

Blow to Brand Reputation

The Google+ shutdown was scheduled for August 2019, but the company will shut down the service four months ahead of schedule, in April 2019, following a massive data breach that affected nearly 52.5 million Google+ users. Such can be the impact of a data breach.

Security breaches impact all types of businesses, large and small alike. They tarnish brand reputation, break the trust of loyal customers, and hit revenue heavily. Though these attacks are not primarily aimed at hurting a brand’s reputation, their consequence is often a huge blow to reputation and to the customer-company relationship.

Conclusion

As automated attacks increase year over year and attackers devise ingenious ways to target organizations through advanced technologies, including machine learning, organizations need to implement an extra layer of security to stop sophisticated automated attacks. The right way to stop such attacks is to thoroughly analyze the attacker's playbook, understand the intent behind attacks, and implement well-researched measures to thwart the attacker's plans. A bot management solution equipped with advanced machine learning and artificial intelligence, combined with historical data, can help in understanding the intent behind attacks and eliminating potential attacks.

Originally published at https://www.shieldsquare.com on February 01, 2019.


Radware Bot Manager (formerly ShieldSquare) is a non-intrusive API-based bot management solution to manage bot traffic from websites and apps. www.shieldsquare.com