What are brute force attacks and how to prevent them?

What is a Brute Force Attack?

A brute force attack occurs when cybercriminals try to guess and verify information such as passwords, credit card numbers and promo codes. Criminals can start with lists of potentially viable codes and common words, and work through different combinations of letters, numbers and symbols to break into accounts. The brute force moniker comes from the relentless, rapid attempts to pry the system open.

A determined hacker can guess just about any password or credit card number eventually, but it could take a while. To speed up the process, cybercriminals use highly distributed networks of bad bots — known as botnets — to do the dirty work. A botnet is a network of computers infected with malware that can be controlled together by the attacker without the device owners' knowledge.

Botnets can comprise thousands of devices, and using multiple computers makes the process of testing a large number of combinations even faster. Using distributed botnets enables attackers to bypass restrictions such as rate limiting. Attackers can also use the cloud and cloud services to launch brute force attacks, leveraging the computing capacity without having to make a fixed, long-term investment.

If a brute force attack is successful, cybercriminals can use the validated credentials and payment information to commit account takeover (ATO) attacks or make fraudulent purchases. If attackers gain unauthorized access to accounts, they can collect stored PII, steal gift cards and loyalty points, create fake accounts, submit fake warranty claims, and post fake reviews.

Types of Brute Force Attacks

There are exceptions and variations on the guessing type of brute force attack, which invite explanation.

Simple brute force attacks

Cybercriminals guess passwords and credit card numbers using logic and some common assumptions in simple attacks. When brute forcing credit cards or gift cards, for example, attackers will enumerate combinations that match some condition that is known on these cards, such as the number of digits. Certain tests, such as Luhn’s Algorithm, can also be used to narrow down possible combinations.

When trying to guess login credentials, a brute-force attacker can surf their target’s social media accounts for words with special meaning — such as their pet's name — to include in password guesses. Another example is common number combinations — like “123” — that many people use to create passwords that require numbers. Similarly, people most often use exclamation points for passwords that require a symbol. An attacker can also manually insert the most commonly used passwords from a published list.

Dictionary attacks

Cybercriminals launch dictionary attacks by guessing passwords using well-known words. Dictionary attacks got their name because attackers used to scour dictionaries for words to use in password guesses.

They can also use this method to work backwards, starting with a popular password and guessing common usernames until they find a valid pair. Known by several other names — including reverse brute force attacks and password spraying — this technique unlocks systems where the standard approach fails because common passwords likely work with many usernames.

Hybrid brute force attacks

A hybrid brute force attack is the combination of a simple brute force attack and a dictionary attack. The attack starts with words in the dictionary as the basic building block, then adds letters, numbers and symbols to guess passwords. Cybercriminals often use software to generate guesses using common words and substitutions, such as “password,” “p@ssword” and “passw0rd.”

Sites often require that people include numbers or special characters in their passwords. To keep passwords easier to remember, many users take their legacy passwords and manually add characters that make sense. The hybrid brute force attack imitates this approach to find those passwords.

Credential stuffing

Credential stuffing bots test stolen usernames and passwords in brute force attacks on dozens to hundreds of sites and applications. Since 75% of people reuse passwords across multiple accounts, a combination that works on one site will likely work on another. Validated credential pairs can be used in an ATO attack.

Read the Beat Bad Bots E-book

Read E-book

Impact of Brute Force Attacks

Brute force attacks allow cybercriminals to break into user accounts and uncover payment methods. Once they gain access, they can commit many types of account fraud and identity theft. If a customer’s account and identity information is used fraudulently on your site, your brand reputation is at risk, and you may be held liable for damages.

Brute force attacks lead to financial losses, such as refunds and chargebacks for fraudulent purchases, time spent on remediation by internal security and customer support teams — not to mention lawsuits and fines that can arise if users suffer identity theft as a result of a brute force attack against your site.

How to Identify Brute Force Attacks

There are a few telltale signs of a brute force attack:

  • An unusually high number of login or checkout attempts in a short timespan: This can indicate that a large-scale attack is taking or has taken place.
  • Inhuman user behaviors: Cybercriminals often use bots to carry out brute force attacks, which navigate pages more quickly and precisely than humans do.
  • Odd IP behaviors: An increase in IPs associated with multiple devices, multiple accounts, or pointing into untraceable ranges — like you might see with a TOR client — can indicate that a fraudster is manipulating IPs to levy an automated brute force attack.
  • Slow application response time: The increase in web traffic during large-scale brute force attacks might overwhelm your application and slow site performance.

How Does PerimeterX Stop Brute Force Attacks?

PerimeterX Bot Defender detects and stops brute force attacks against web and mobile apps and APIs with unparalleled accuracy. The solution’s machine-learning algorithm analyzes user behavior and creates intelligent fingerprints of illicit bot behaviors, growing smarter in real-time as attackers evolve their attack techniques.

Bot Defender leverages techniques including honeypots, proof of work (PoW) and threat intelligence to apply the appropriate mitigating action. The solution takes a low latency, out-of-band approach to preserve page load performance and optimizes security resources and infrastructure costs. This gives your team the freedom to focus on innovation and growth, instead of chasing down bad bot traffic.

By stopping brute force attacks, Bot Defender protects your users’ account and identity information everywhere along their digital journey.

© PerimeterX, Inc. All rights reserved.