Billions of credentials are up for sale on the dark web. PerimeterX's Tony Klor shares tips on making your site less appealing to hackers
When it comes to launching a cyberattack, criminals always take the path of least resistance. This means attacking the most vulnerable sites using the fewest resources possible.
Moreover, with so many websites to choose from as potential targets, they will gravitate towards those that offer the easiest trajectory to financial reward.
Every additional second a fraudster wastes trying to get past a defense mechanism makes your site less appealing. Making your site less attractive to cybercriminals will help you avoid being targeted in the first place — protecting your brand’s reputation and revenue.
Launching automated cyberattacks is cheap and easy
There are more than 15 billion stolen credentials up for sale on the dark web, with some lists going for as little as $2. Botnets can be rented for under $10 an hour for use in credential stuffing and carding attacks.
Furthermore, compromised accounts can go for less than $100. The emerging crime as a service (CaaS) ecosystem makes it easy for amateur cybercriminals to get started, offering cheap programs and tutorials for launching your own bot or malware attack.
With so much value held in accounts — such as stored credit card numbers, account credits, gift card balances and personally identifiable information (PII) — there is a lot to gain and little to lose from launching a cyberattack. Thus, the question for many sites is not if they will be attacked, but when.
How to disrupt the web attack lifecycle
Blocking bots is critical and necessary to stop cyberattacks as they are happening. However, simply blocking bots does not deter ongoing or future attacks against your site. The best long-term strategy combines proactive, real-time and reactive measures to disrupt the cycle of cyberattacks and discourage cybercriminals from targeting your business.
As mentioned earlier, if fraudsters lose too much time and money trying to penetrate your defenses, they will move on to the next site. Here are a few ways you can encourage them to move on:
1. Scenario-optimized Proof of Work
Proof of Work (PoW) requires a user’s device to complete a computational task before adding an item to a shopping cart, verifying a card number or completing a similar activity. It takes a lot of energy and CPU cycles to perform computations like this at scale — for example, if a device is running bots that attempt thousands of logins per second.
When cybercriminals are hit with PoW, it becomes quite expensive for them to finish their attacks. Thus, PoW preserves user experience while building a strong economic disincentive for future attacks on your site.
Cybercriminals won’t waste their resources when there are so many fish in the sea — i.e., sites on the web that are cheaper to attack and don’t have obstacles in place to deter repeated attacks.
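The cost asymmetry described above, as an added example that is not PerimeterX’s code: the server issues a signed, scenario-bound challenge, the client must burn CPU searching for a hash with enough leading zero bits, and the server verifies with a single HMAC and a single hash. The scenario names and difficulty values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-scenario difficulty: leading zero bits the hash must have.
# Each extra bit doubles the client's expected work; the server's check cost stays constant.
SCENARIO_DIFFICULTY = {"add_to_cart": 12, "login": 16, "verify_card": 18}

SERVER_KEY = secrets.token_bytes(32)  # constructed; never leaves the server


def sign_challenge(challenge: dict) -> str:
    """HMAC over the challenge fields so the client cannot lower the difficulty or extend the expiry."""
    payload = f"{challenge['scenario']}:{challenge['nonce']}:{challenge['bits']}:{challenge['expires']}"
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(scenario: str, ttl_seconds: int = 60) -> dict:
    """Server side: a random challenge bound to one scenario, with an expiry and a signature."""
    challenge = {
        "scenario": scenario,
        "nonce": secrets.token_hex(16),
        "bits": SCENARIO_DIFFICULTY[scenario],
        "expires": int(time.time()) + ttl_seconds,
    }
    challenge["tag"] = sign_challenge(challenge)
    return challenge


def work_hash(challenge: dict, counter: int) -> bytes:
    data = f"{challenge['scenario']}:{challenge['nonce']}:{challenge['expires']}:{counter}"
    return hashlib.sha256(data.encode()).digest()


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_challenge(challenge: dict) -> int:
    """Client side: brute-force a counter until the hash meets the difficulty. This is the expensive step."""
    counter = 0
    while leading_zero_bits(work_hash(challenge, counter)) < challenge["bits"]:
        counter += 1
    return counter


def verify_solution(challenge: dict, counter: int, now=None) -> bool:
    """Server side: one HMAC and one SHA-256, however long the client spent searching."""
    if not hmac.compare_digest(sign_challenge(challenge), challenge.get("tag", "")):
        return False  # forged or altered challenge (e.g. difficulty lowered by the client)
    if (int(time.time()) if now is None else now) > challenge["expires"]:
        return False  # stale solution; a real deployment also rejects reuse of the nonce
    return leading_zero_bits(work_hash(challenge, counter)) >= challenge["bits"]
```

Raising `bits` for a scenario doubles the attacker’s per-request cost with each step, while a single legitimate request still completes in a fraction of a second.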
2. Proactive Credential Monitoring
Proactive credential monitoring serves as an early warning system that automatically prevents an attacker from logging in with stolen usernames and passwords. This technology notifies users and companies that compromised credentials are being used on their site, so they can take mitigating action.
Such tools deter attackers from targeting your site because they reduce the potential surface area for credential stuffing attacks. If credentials are put on the compromised list, they are no longer reusable. A previously recyclable resource turns into a single-use resource, which makes the attack unfeasible and unprofitable for the attacker.
3. Continuous Authentication
Login authentication can no longer serve as a proxy for identity. Although this approach makes it easy for plugins and integrations, it doesn’t account for cybercriminals who have access to valid login credentials. Such fraudsters can often gain unauthorized access to user accounts and then proceed unchecked once they have supplied the correct username and password or social login.
Continuous authentication feeds multiple streams of data to a risk engine so it can evaluate and recognize a customer's unique movements and patterns throughout their session. This makes it difficult for attackers to carry on with their illegitimate behavior on your site.
4. Layered defense
Cybercriminals want to be quick about their fraudulent activities. Making it more expensive and time-consuming for them to get what they want will discourage them from targeting your site in future attacks.
When optimizing your security infrastructure, be sure to enable a layered defense that not only blocks current attacks, but prevents ongoing and future ones.