Brute force attacks have plagued the internet for years. It’s a fairly simple concept: attempt every combination of words and numbers until the right one is accepted. In this blog post we will be looking at recent trends as well as what you can do to protect your business.
The number and intensity of brute force attacks – such as those which targeted the UK and Scottish Parliaments last year – have increased dramatically over the first half of this year.
Our own research, conducted on more than 500 websites globally, shows that, apart from a dip in February, large-scale attacks have followed an upward trend over the first half of the year. May and June registered four attacks daily, while the previous three months never recorded more than one attack a day.
The intensity of attacks also stepped up: the number of very large brute force attacks – defined as more than 30,000 malicious requests in a 10-minute period – ended on an unprecedented high of over 1.5 attacks daily after starting the year at half that level.
In a brute force attack, cyber criminals use automated software such as botnets to make multiple guesses about possible passwords to gain access to data or personal details.
"Brute force attacks were once an occasional occurrence – typically we would see around one every three months or so. This data confirms what we are seeing on the ground. There is a very clear upward trend, not only in the frequency but also the intensity. Automated massive attacks are now the norm. Hackers are targeting organisations of all types in the public and private sectors. Smaller firms are seen as prime targets as their servers are often more vulnerable and, once breached, they can be used to launch new automated attacks that appear to come from a legitimate source." - Benjamin Hosack, Chief Commercial Officer
Andrew Henwood, Foregenix CEO, also gave his opinion:
"There’s little reason to believe the trend will be reversed. The difficulty in catching the cyber criminals, the ease with which they can launch attacks and weak cyber defences especially in growth areas like the Internet of Things means brute force attacks are a long-term issue. Organisations need to take action to safeguard valuable data. Following straightforward security procedures can avert a serious incident that could have a devastating impact on a business."
We've put together a couple of graphs to give a visual representation of what we have been seeing.
The horizontal axis represents months, starting with 1 January and ending 22 June; the vertical axis is the daily frequency of attacks.
Attacks were far rarer and less intense as little as two years ago; today brute force attacks are just business as usual.
‘Large-scale’ attacks are defined as having more than 10,000 malicious requests in less than 10 minutes.
‘Very large-scale attacks’ have more than 30,000 malicious requests in less than 10 minutes.
The largest brute force attack, recorded in June, consisted of 3,547,074 malicious requests; the average attack from January to June was 55,993.
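To make the two thresholds above concrete, here is an added example (not Foregenix's own tooling) that scans web-server access logs and reports the busiest span shorter than 10 minutes, then labels it with the page's 'large-scale' and 'very large-scale' cut-offs. It assumes combined-format logs, that a "malicious request" is a failed POST (HTTP 401 or 403) to a login endpoint such as `/wp-login.php`, and that the constructed sample traffic it generates stands in for real logs; all three are assumptions, not anything the post states.

```python
"""Classify brute-force bursts in access logs using the post's request thresholds.

Added example. Assumptions (not from the post): logs are in Apache/Nginx combined
format; a "malicious request" is a failed POST (401/403) to a known login path;
an attack is measured as the peak count in any span shorter than 10 minutes.
"""
import re
from datetime import datetime, timedelta, timezone

LARGE_SCALE = 10_000        # 'Large-scale': more than 10,000 malicious requests in < 10 minutes
VERY_LARGE_SCALE = 30_000   # 'Very large-scale': more than 30,000 in < 10 minutes
WINDOW = timedelta(minutes=10)

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/wp-login.php", "/admin/login"}   # assumed login endpoints
FAILED_STATUSES = {401, 403}                       # assumed "login failed" responses


def parse_line(line):
    """Return (timestamp, ip, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["method"], m["path"], int(m["status"])


def is_failed_login(method, path, status):
    """Only failed POSTs to a login endpoint count as malicious requests here."""
    return method == "POST" and path in LOGIN_PATHS and status in FAILED_STATUSES


def peak_window_count(lines):
    """Largest number of failed login requests in any span shorter than WINDOW (sliding window)."""
    stamps = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec[2], rec[3], rec[4]):
            stamps.append(rec[0])
    stamps.sort()
    peak, left = 0, 0
    for right, ts in enumerate(stamps):
        # Shrink the window from the left until it spans less than 10 minutes.
        while ts - stamps[left] >= WINDOW:
            left += 1
        peak = max(peak, right - left + 1)
    return peak


def classify(count):
    """Apply the post's size bands to a peak window count."""
    if count > VERY_LARGE_SCALE:
        return "very large-scale"
    if count > LARGE_SCALE:
        return "large-scale"
    return "below threshold"


def constructed_log(failed_requests, minutes=8, start=None):
    """Constructed sample: `failed_requests` failed POSTs spread evenly over `minutes`,
    plus 50 benign page views that must not be counted."""
    start = start or datetime(2018, 6, 15, 3, 0, tzinfo=timezone.utc)
    step = minutes * 60 / max(failed_requests, 1)
    lines = []
    for i in range(failed_requests):
        ts = start + timedelta(seconds=i * step)
        lines.append(f'203.0.113.{i % 200 + 1} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] '
                     f'"POST /wp-login.php HTTP/1.1" 401 1234 "-" "python-requests/2.19"')
    for i in range(50):
        ts = start + timedelta(seconds=i * 10)
        lines.append(f'198.51.100.7 - - [{ts:%d/%b/%Y:%H:%M:%S %z}] '
                     f'"GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for n in (500, 12_000, 31_000):
        peak = peak_window_count(constructed_log(n))
        print(f"{n:>6} failed logins in 8 min -> peak {peak}: {classify(peak)}")
```

Run it against a real log with `peak_window_count(open("access.log"))`. The window test uses "less than 10 minutes" exactly as the post's definitions do, so a burst spread over 20 minutes is only counted 10 minutes at a time; tune `LOGIN_PATHS` and `FAILED_STATUSES` to your application, since an application that answers failed logins with a 200 and an error page will be invisible to a status-code filter.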
How to defend yourself from a brute force attack
Luckily there are a multitude of actions you can take to protect yourself and your business from this common attack vector.
Create a strong password: We get told this over and over again, yet still people aren't creating strong, complex passwords. If you're using easy-to-guess, weak passwords such as qwerty123, then it won't take long for a hacker to crack it. Try to create a password using a long, unpredictable string of characters that includes upper-case letters and numbers.
Rename the admin user: If you're using a default admin user, you're making life easier for hackers. You should change the default admin username so that they have the added job of trying to find out the username as well as the password. They're usually looking for 'low-hanging fruit' - in this case, easy-to-breach websites. So, making things a little more difficult where you can is more likely to move them on to easier prey.
Limit the number of login attempts: For example, deploying a system whereby four failed login attempts leads to a block for a specified time period.
Multi-factor authentication (MFA): MFA adds an extra layer of security when logging into your website. Alongside a known password, the hacker would need another form of authentication to log in as an administrator. For example, they might need access to an authenticator app installed on your mobile phone, or a one-time password sent by text message.
Add CAPTCHA: You've probably seen it before, that obscure string of text that you're forced to input before you can log in somewhere. Well, they're a useful tool for helping to prevent brute force attacks.
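The "limit the number of login attempts" step above is the one most often implemented in application code, so here is an added example (not Foregenix's own code, nor any particular CMS's) of a login handler that locks a username/client-IP pair after four consecutive failures for a fixed period. The 15-minute lockout, the `(username, ip)` key, the PBKDF2 password store and the injectable clock are all assumptions made for the example; the post only says "four failed login attempts leads to a block for a specified time period".

```python
"""Login throttling: lock out after four failures, as the post suggests.

Added example, not code from the post. Assumed: a 15-minute lockout, lockouts
keyed on (username, client IP), passwords stored as salted PBKDF2-SHA256 hashes,
and a clock passed in so the behaviour can be tested without sleeping.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 4            # the post's example: four failed attempts
LOCKOUT_SECONDS = 15 * 60   # assumed "specified time period"
PBKDF2_ROUNDS = 50_000      # assumed work factor


class LoginThrottle:
    """Counts consecutive failures per key and enforces a timed block."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._state = {}   # key -> [consecutive_failures, locked_until (0 = not locked)]

    def locked_for(self, key):
        """Seconds remaining in the block for `key`, or 0 if the key is not blocked."""
        st = self._state.get(key)
        if st is None or st[1] == 0:
            return 0
        remaining = st[1] - self.clock()
        if remaining <= 0:
            del self._state[key]   # block expired: counter starts over
            return 0
        return remaining

    def record_failure(self, key):
        """Register a failed attempt; returns True when this failure triggers the block."""
        st = self._state.setdefault(key, [0, 0])
        st[0] += 1
        if st[0] >= self.max_failures:
            st[1] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, key):
        self._state.pop(key, None)


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_users(plaintext_by_name):
    """Constructed user store for the example: username -> (salt, digest)."""
    return {name: hash_password(pw) for name, pw in plaintext_by_name.items()}


class Authenticator:
    def __init__(self, users, throttle):
        self.users = users
        self.throttle = throttle

    def login(self, username, password, client_ip):
        """Returns ("ok" | "denied" | "locked", seconds_to_wait)."""
        key = (username, client_ip)
        wait = self.throttle.locked_for(key)
        if wait:
            return "locked", wait      # refuse without even checking the password
        rec = self.users.get(username)
        if rec is not None:
            salt, digest = rec
            ok = hmac.compare_digest(digest, hash_password(password, salt)[1])
        else:
            ok = False                 # unknown user gets the same answer as a wrong password
        if ok:
            self.throttle.record_success(key)
            return "ok", 0
        self.throttle.record_failure(key)
        return "denied", 0


if __name__ == "__main__":
    auth = Authenticator(make_users({"siteowner": "correct horse battery"}), LoginThrottle())
    for attempt in ("guess1", "guess2", "guess3", "guess4", "correct horse battery"):
        print(attempt, "->", auth.login("siteowner", attempt, "203.0.113.5"))
```

Two design points matter in practice. Keying the block on the username alone is stricter, but lets an attacker lock the real administrator out simply by failing four times; keying on `(username, ip)` avoids that, yet a botnet rotating source addresses (the automated attacks the post describes) will never trip a per-IP counter, so pair it with a per-account alert or a global failure-rate limit. The `_state` dictionary lives in one process; behind a load balancer it needs shared storage.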
If you're interested in the security of your website, why not check out our free website scanner? There's no download required, just enter your website's URL and away you go! It'll let you know if you're vulnerable to attack, or if you're already harbouring malware. If you're interested, follow the link below.