Peak levels of traffic will be seen throughout the holiday shopping season as a flood of consumers turn to online channels to purchase goods, Imperva reveals.
According to its monthly measurement and analysis of the global cyber threat landscape across data and applications, shortly after stay-at-home orders were issued, web traffic to retail sites spiked by as much as 28 percent over the weekly average, eclipsing the record peaks of the 2019 holiday shopping season.
Cybercriminals capitalized on the chaos and shift to a remote world by launching bad bot attacks and DDoS attacks with the goal of disrupting online activities. As retailers now prepare for a surge in online holiday shopping amid the on-going global pandemic, Imperva experts urge vigilance and preparedness on the part of online businesses.
Bad bots abusing websites, mobile apps and APIs
Malicious automated attacks are a top threat to online retailers, a trend that has remained consistent before and during COVID-19. 98.04% of the attacks on online retailers detailed in the report originate from automated bot activity.
Simple bots are used in 44.15% of these attacks and function by connecting to a single, ISP-assigned IP address. The leading sources for these attacks are the United States (30.93%), Russia (14.39%) and Ukraine (12.92%).
Bots are also increasingly used as a competitive weapon by retailers who deploy bots for price scraping and inventory trackers to keep an eye on their industry rivals.
The volume of attacks on retailers’ APIs far exceeded average levels this year. The retail industry is an attractive target for cybercriminals because they retain sensitive payment data. According to Imperva researchers, the leading attack vectors for retail API attacks in 2020 are cross-site scripting (XSS) (42%) and SQL injection (40%).
Cyber attacks targeting websites have already reached record levels so far in 2020. Imperva finds the three most common attacks to be remote code execution (RCE) (21%), data leakage (20%) and cross-site scripting (XSS) (16%).
49% of these attacks in the last 12 months were carried out against retail websites hosted in the U.S. by attackers using anonymity frameworks, a common method for concealing a bad actor’s identity from the target.
Imperva researchers have seen an increase in the volume and intensity of DDoS attacks throughout 2020. Researchers monitored an average of eight application layer DDoS attacks a month against online retail sites, with a significant peak occurring in April 2020, as demand for online shopping grew because of pandemic-related stay-at-home orders.
Account takeover (ATO) attacks
Online retailers experienced more than twice (62%) as many ATO attempts as any other industry this year. Criminals use 79% of leaked credentials to defraud retail targets because it typically guarantees a higher success rate, Imperva researchers find.
“The holiday shopping season is a crucial revenue period for retailers every year, but in 2020, they face a two-pronged threat: managing unprecedented levels of human and attack traffic to their websites and APIs,” says Edward Roberts, Application Security Strategist, Imperva.
“As COVID reshuffled lives and daily habits, shoppers swarmed online retail sites at record levels. Amid this historic holiday shopping season, the retail industry is likely to experience a peak in human traffic that exceeds anything measured this year and unlike anything in recent memory. The question is how many attackers are going to hide within this expected traffic spike?”
Roberts continues, “Imperva’s research shows that retailers face a myriad of complex cybersecurity threats today, a situation that’s been compounded by the global pandemic.
“However, managing a stack of point solutions to address each of these unique risks is a challenge for lean security teams. Instead, they should invest in an integrated platform, like Imperva Application Security, that provides protection against the leading attacks and optimizes web performance, helping businesses operate more efficiently and securely.”
McAfee released a report examining cybercriminal activity related to malware and the evolution of cyber threats in Q2 2020. During this period, there was an average of 419 new threats per minute as overall new malware samples grew by 11.5%.
A significant proliferation in malicious Donoff Microsoft Office document attacks propelled new PowerShell malware up 117%, and the global impact of COVID-19 prompted cybercriminals to adjust their cybercrime campaigns to lure victims with pandemic themes and exploit the realities of a workforce working from home.
“The second quarter of 2020 saw continued developments in innovative threat categories such as PowerShell malware and the quick adaptation by cybercriminals to target organizations through employees working from remote environments,” said Raj Samani, McAfee fellow and chief scientist.
“What began as a trickle of phishing campaigns and the occasional malicious app quickly turned into a deluge of malicious URLs, attacks on cloud users and capable threat actors leveraging the world’s thirst for more information on COVID-19 as an entry mechanism into systems across the globe.”
COVID-19-themed threat campaigns
After a first quarter that saw the world plunge into pandemic, the second quarter saw enterprises continue to adapt to unprecedented numbers of employees working from home and the cybersecurity challenges this new normal demands.
Over the course of Q2, a 605% increase in COVID-19-related attack detections was observed compared to Q1.
Donoff and PowerShell malware
Donoff Microsoft Office documents act as TrojanDownloaders by leveraging the Windows Command shell to launch PowerShell and proceed to download and execute malicious files. Donoff played a critical role in driving the 689% surge in PowerShell malware in Q1 2020.
In Q2, the acceleration of Donoff-related malware growth slowed but remained robust, driving up PowerShell malware by 117% and helping to drive a 103% increase in overall new Microsoft Office malware. This activity should be viewed within the context of the overall continued growth trend in PowerShell threats. In 2019, total samples of PowerShell malware grew 1,902%.
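The Donoff chain described above (Office document launches the Windows command shell, which launches PowerShell, which downloads and runs a payload) is visible in process-creation telemetry as a parent/child relationship. The following is an added example, not McAfee's or any vendor's code: a small Python detector that walks a process tree and flags PowerShell processes with an Office ancestor, rating the alert higher when the command line carries download-or-execute indicators. The events, image names, indicator strings and severity levels are constructed assumptions for the example.

```python
"""Flag the Office -> cmd.exe -> PowerShell downloader chain in process events.

SAMPLE_EVENTS is constructed telemetry, not real data. Each record mirrors a
generic process-creation log: pid, parent pid, image name, command line.
"""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"cmd.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# Command-line fragments that commonly accompany download-and-execute
# behaviour (assumed indicator list; tune to your environment).
DOWNLOAD_HINTS = (
    "downloadstring", "downloadfile", "invoke-webrequest",
    "iex", "-enc", "-encodedcommand", "start-process",
)

SAMPLE_EVENTS = [  # constructed
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    # Benign: an admin opened PowerShell from Explorer and ran a script.
    {"pid": 500, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    # Office spawning cmd.exe without PowerShell: noisy, but not this chain.
    {"pid": 600, "ppid": 100, "image": "EXCEL.EXE", "cmdline": "EXCEL.EXE report.xlsx"},
    {"pid": 700, "ppid": 600, "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def ancestors(events_by_pid, pid, max_depth=8):
    """Yield the event for pid and then its ancestors, nearest first."""
    seen = set()
    while pid in events_by_pid and pid not in seen and max_depth > 0:
        ev = events_by_pid[pid]
        yield ev
        seen.add(pid)
        pid = ev["ppid"]
        max_depth -= 1


def find_office_downloader_chains(events):
    """Return one alert per PowerShell process that descends from an Office app."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if ev["image"].lower() not in PS_IMAGES:
            continue
        chain = list(ancestors(by_pid, ev["pid"]))
        images = [c["image"].lower() for c in chain]
        # Require an Office ancestor; cmd.exe in between is optional because a
        # macro can also launch PowerShell directly.
        office_idx = next(
            (i for i, img in enumerate(images) if img in OFFICE_IMAGES), None
        )
        if office_idx is None:
            continue
        cmdline = ev["cmdline"].lower()
        hints = [h for h in DOWNLOAD_HINTS if h in cmdline]
        via_cmd = any(img in SHELL_IMAGES for img in images[1:office_idx])
        alerts.append({
            "pid": ev["pid"],
            "office_parent": chain[office_idx]["image"],
            "via_cmd": via_cmd,
            "download_hints": hints,
            "severity": "high" if hints else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_office_downloader_chains(SAMPLE_EVENTS):
        print(alert)
```

The detector keys on lineage rather than on the document itself, so it still fires when the macro, the encoding or the download host changes; the indicator list only adjusts the severity. On a real estate of hosts, the Office-to-PowerShell relationship is rare enough to be worth an alert on its own.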
Attacks on cloud users
Nearly 7.5 million external attacks on cloud user accounts were observed.
This data set represents companies in all major industries across the globe, including financial services, healthcare, public sector, education, retail, technology, manufacturing, energy, utilities, legal, real estate, transportation, and business services.
Q2 2020 threat activity
- Malware overall. 419 new threats per minute were observed in Q2 2020, an increase of almost 12% over the previous quarter. Ransomware growth remained steady compared to the first quarter of 2020.
- Coinminer malware. After growing 26% in Q1, new coinmining malware increased 25% over the previous quarter, sustained by the popularity of new coinmining applications.
- Mobile malware. After a 71% increase in new mobile malware samples in Q1, Q2 saw the category slow 15% despite a surge in Android Mobby Adware.
- Internet of Things. New IoT malware increased only 7% in Q2, but the space saw significant activity by Gafgyt and Mirai threats, both of which drove growth in new Linux malware by 22% during the period.
- Regional cyber activity. McAfee counted 561 publicly disclosed security incidents in the second quarter of 2020, an increase of 22% from Q1. Disclosed incidents targeting North America decreased 30% over the previous quarter. These incidents decreased 47% in the United States, but increased 25% in Canada and 29% in the United Kingdom.
- Attack vector. Overall, malware led among reported attack vectors accounting for 35% of publicly reported incidents in Q2. Account hijacking and targeted attacks accounted for 17% and 9% respectively.
- Sector activity. Disclosed incidents detected in the second quarter of 2020 targeting science and technology increased 91% over the previous quarter. Incidents in manufacturing increased 10%, but public sector events decreased by 14%.
Vectra released its report on Microsoft Office 365, which highlights the use of Office 365 in enterprise cyberattacks. The report explains how cybercriminals use built-in Office 365 services in their attacks.
Attacks that target software-as-a-service (SaaS) user accounts are one of the fastest-growing and most prevalent problems for organizations, even before COVID-19 forced the vast and rapid shift to remote work.
Microsoft dominating the productivity space
With many organizations increasing their cloud software usage, Microsoft has dominated the productivity space, with more than 250 million active users each month. Office 365 is the foundation of enterprise data sharing, storage, and communication for many of those users, making it an incredibly rich treasure trove for attackers.
“Within the new work-from-home paradigm, user account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organization’s network,” said Chris Morales, head of security analytics at Vectra.
“We expect this trend to magnify in the months ahead. Attackers will continue to exploit human behaviours, social engineering, and identity theft to establish a foothold and to steal data in every type of organization.”
Cost of account takeovers
Even with the increasing adoption of security postures to protect user accounts such as multifactor authentication (MFA), 40 percent of organizations still suffer from Office 365 breaches, leading to massive financial and reputational losses.
In a recent study, Forrester Research put the cost of account takeovers at $6.5 billion to $7 billion in annual losses across multiple industries.
Highlights from the report
- 96 percent of customers sampled exhibited lateral movement behaviours
- 71 percent of customers sampled exhibited suspicious Office 365 Power Automate behaviours
- 56 percent of customers sampled exhibited suspicious Office 365 eDiscovery behaviours
The report is based on the participation of 4 million Microsoft Office 365 accounts monitored by Vectra researchers from June-August 2020.
While there has been a year-over-year decrease in publicly disclosed data breaches, an Arctic Wolf report reveals that the number of corporate credentials with plaintext passwords on the dark web has increased by 429 percent since March.
For a typical organization, this means there are now, on average, 17 sets of corporate credentials available on the dark web that could be used by hackers.
With access to just one corporate account, attackers can easily execute account takeover attacks, which allow them to move laterally within an organization’s corporate network and gain access to sensitive data, intellectual property, competitive information, or funds.
Cybersecurity incidents now occur after hours
The sharp increase in corporate credential leaks underscores the need for organizations to have dedicated 24×7 monitoring of their network, endpoint, and cloud environments in order to prevent targeted attacks that could happen at any time.
Of the high-risk security incidents observed, 35% occur between the hours of 8:00 PM and 8:00 AM, and 14% occur on weekends; times when many in-house security teams are not online.
“The cybersecurity industry has an effectiveness problem. Every year new technologies, vendors, and solutions emerge. Yet, despite this constant innovation, we continue to see breaches in the headlines.
“The only way to eliminate cybersecurity challenges like ransomware, account takeover attacks, and cloud misconfigurations is by embracing security operations capabilities that fully integrate people, processes, and technology,” said Mark Manglicmot, VP Security Services, Arctic Wolf.
COVID-19 increasing the number of security operations challenges
- A 64 percent increase in phishing and ransomware attempts – Hackers have created new phishing lures around COVID-19 topics and adapted traditional lures seeking to take advantage of remote workers.
- Critical vulnerability patch time has increased by 40 days – A combination of higher common vulnerabilities and exposures (CVE) volumes, more critical CVEs, and the emergence of a remote workforce have significantly slowed the patching programs at many organizations.
- Unsecured Wi-Fi usage is up by over 240 percent – Remote workforces connecting to open and unsecured Wi-Fi networks outside of their office or home are now facing increased risks of malware exposure, credential theft, and browser session hijacking.
Attempted account takeover (ATO) attacks swelled 282 percent between Q2 2019 and Q2 2020, Sift reveals. Likewise, ATO rates for physical ecommerce businesses (those that sell physical goods online) jumped 378 percent since the start of the COVID-19 pandemic, indicating that fraudsters are leaning heavily on this attack vector in order to steal payment information and rewards points stored in online accounts on merchant websites.
According to Deloitte, ecommerce sales are forecast to grow 25-35 percent and are expected to generate between $182 billion and $196 billion this season.
When combined with the surge in ATO rates, the 2020 holiday shopping season presents the perfect opportunity for fraudsters to leverage account takeovers to take advantage of more people shopping online. This can have a devastating impact on companies including financial repercussions and brand abandonment.
Account hacking leads to brand abandonment
According to the research, ATO attacks also create significant and lasting brand damage. Based on a survey of 1,000 U.S. adult consumers, 28 percent of respondents would completely stop using a site or service if their accounts on that site were hacked.
And while consumers can secure their accounts by leveraging tools like password managers, multi-factor authentication (MFA), and by using unique passwords, they largely ignore these best practices. In fact, 66 percent of consumers surveyed either don’t use any type of password manager or aren’t sure if they do, despite 52 percent of them having concerns about becoming victims of ATO in the future, and 25 percent reporting that they have already had their accounts hacked at least once before.
- Attacks are fueled by automation: Between Q2 2019 and Q2 2020, ATO attacks happened in discrete waves about a week apart, indicating that fraudsters are turning to bots and automation in order to overwhelm trust & safety teams.
- Fraudsters sneak in and cash out: Of those who have experienced ATO, 41 percent of respondents reported that payment details were stolen and used to make purchases, and 37 percent of victims had money taken directly from their accounts. Another 37 percent had rewards points or credits taken and used to buy goods and services.
- Ecommerce is in the crosshairs: Of consumers who confirmed being victims of ATO attacks, a whopping 61 percent said their ecommerce (both physical and digital goods and services) accounts were hacked.
- Other online destinations on which consumers reported experiencing ATO include:
- Social media sites: 36 percent
- Financial services sites: 35 percent
- Online dating sites: 22 percent
- Travel sites: 19 percent
ATO attacks for financial gain
Like payment fraud and content abuse, two of the other links in the fraud supply chain, account takeover is typically a means to a financial end.
Using credentials either illicitly purchased on the dark web or obtained through techniques like credential stuffing, hackers gain access to user accounts on a business’s website and then make purchases on that website using stored payment information or rewards points. Attackers may also export the stored information in order to commit fraud across the web.
While consumers may be the immediate victim of these attacks, businesses ultimately face the real costs: in addition to reimbursing hacked customers, businesses face exorbitant chargeback fees and payment network fines when ATO leads to payment fraud.
Customer security as customer experience
“The surge in ATO attacks indicates that merchants can’t leave the burden of account security to their customers. Rather, companies should treat account protection as part of the overall customer experience and as a key part of their Digital Trust & Safety strategy, which allows for seamless transactions while preventing fraud.”
Forter released its Fraud Attack Index, delivering in-depth insight into the impact of COVID-19 on online buyer behavior and ecommerce fraud trends.
This edition revealed that:
- New customer accounts now represent 30% of transactions, five times more than they did pre-COVID-19. This is good news for retailers, but merchants using legacy fraud prevention systems could miss out on some of this revenue potential due to high false decline rates. Legacy systems lack data on new customers and cannot accurately distinguish between legitimate consumers and fraudsters.
- The growth in transactions driven by the consumer shift from brick-and-mortar stores to online purchasing is masking the fact that the number of fraud attacks has risen in real terms, leading retailers into a false sense of security.
- Omnichannel fraud is growing: Buy Online, Pick-up In Store (BOPIS) fraud rose 55% as new customer service options are subjected to significant fraud.
- With transactions falling by 97% compared with H1 2019, fraud attack rates in the travel industry more than doubled, with hotel fraud attacks rising 139% and airline fraud attacks increasing 144%.
- Account takeover (ATO) and Policy Abuse such as returns abuse, promotion abuse, and reseller abuse are set to surge during the holiday season.
Michael Reitblat, CEO of Forter, comments: “A rapid rise in new customer accounts, coupled with having to pivot quickly from brick-and-mortar to online sales channels, put unprecedented stress on merchants as they tried to perfect the ecommerce experience.
“It is clear from what we’ve seen that some retailers were more agile and prepared for this than others, quickly introducing new services such as curbside pickup and Buy Online, Pick-up In-Store, in a bid to retain new customers.
“To fully realize this new revenue potential, merchants need more accurate fraud prevention that can distinguish between these valuable new customers and fraudsters. Merchants can have a false decline rate between 5-7x higher for new customers – typical of legacy systems that do not have sufficient data on new account holders.”
Growth in transaction volumes masks increasing fraud attack numbers
There have been dramatic increases in transaction volumes across the majority of vertical sectors, but particularly those traditionally served by brick-and-mortar stores. Volumes rose 172% in home, furnishings and garden, 93% in food delivery & beverage and 119% in groceries.
Ecommerce fraud attacks decreased as a percentage of all transactions but in real terms, the number of fraud attacks has risen. This represents significant losses for retailers at a critical time.
Holiday season fraud surge expected
As retailers prepare for a critical holiday season and aim to recoup some of the year’s earlier losses, the research indicates that ATO attacks, and returns and delivery fraud will surge as fraudsters seek to exploit the increase in online shopping.
At the same time, customers will be more likely to take unfair advantage of promotions and abuse delivery and returns policies. Fraud and abuse trends that retailers need to prepare for include:
- Account takeover fraud to dramatically increase: The analysis indicates that fraudsters will seek to operationalize the data they’ve stolen and collected through data breaches and social engineering scams conducted during COVID-19 disruption. Also, new customer accounts opened by less experienced users are likely to use weaker passwords, fewer security steps, and be more vulnerable to ATO. As a result, retailers need to prepare for increasing ATO attacks during the holiday season.
- Returns and delivery fraud will continue to rise: Retailers increasingly offered omnichannel customer service options such as Buy Online, Return in Store (BORIS) and BOPIS, to satisfy new customers during COVID-19. Fraud attacks exploiting BOPIS policies increased 55% compared to H1 2019, as merchants offering frictionless experiences are less likely to ask for customer identification. It is anticipated that fraudsters will increasingly target and exploit returns and delivery services as online shopping surges over the holiday season.
- Policy abuse set to spike: Merchants courting new customers with aggressive promotions and user-friendly omnichannel options will expose themselves to greater abuse risk, including returns, promotion and reseller abuse.
Vikrant Gandhi, Senior Industry Director at Frost & Sullivan commented: “Fraud and policy abuse issues have magnified in the recent months in the global ecommerce industry. Our research indicates a rise in sophisticated fraud attempts, including promotions abuse by using synthetic identities and friendly fraud in 2020.
“The challenge for merchants is to deliver frictionless customer experiences without letting fraud prevention come in their way of doing so. Our recommendation to merchants is if they do not prioritize working with identity-based, integrated fraud prevention platforms that leverage behavioral analytics, machine learning and the power of big data that is informed and refined by highly trained analysts, they will never be able to stay ahead of fraudsters and policy abusers.”
Twitter has finally shared more details about how the perpetrators of the recent hijacking of high-profile accounts to push a Bitcoin scam managed to pull it off.
The way in
To pull off the attack, attackers had to obtain access to Twitter’s internal network AND specific employee credentials that granted them access to internal support tools.
“The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack,” Twitter explained.
“Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools.”
Effectively, the attackers exploited human nature/vulnerabilities. “This was a striking reminder of how important each person on our team is in protecting our service,” the company noted.
Twitter says that access to its internal account support tools is “strictly limited” and “only granted for valid business reasons”, but apparently the attackers had a sizeable number of possible targets to try their luck with, as over a thousand Twitter employees and contractors had access to internal tools.
What’s Twitter doing to prevent similar attacks in the future?
While Twitter has controls and processes in place to prevent and detect misuse, the company is working on making them better.
For the moment, they’ve “significantly limited” access to the internal tools and systems, and are accelerating several of their pre-existing security workstreams and improvements to their tools.
“We are also improving our methods for detecting and preventing inappropriate access to our internal systems and prioritizing security work across many of our teams. We will continue to organize ongoing company-wide phishing exercises throughout the year,” they added.
“Our investigation is ongoing, and we are working with the appropriate authorities to ensure that the people responsible for this attack are identified.”
The attacker targeted 130 Twitter accounts in all, tweeted from 45 of them, accessed the DMs of 36, and downloaded Twitter data of 7 users.
The company has promised to publish a more detailed technical report on what occurred once the investigation is over.
Barracuda released key findings about the ways cybercriminals are attacking and exploiting email accounts. The report reveals a specialized economy emerging around email account takeover and takes an in-depth look at the threats organizations face and the types of defense strategies you need to have in place.
- More than one-third of the hijacked accounts analyzed by researchers had attackers dwelling in the account for more than one week.
- 20% of compromised accounts appear in at least one online password data breach, which suggests that cybercriminals are exploiting credential reuse across employees’ personal and organization accounts.
- In 31% of these compromises one set of attackers focuses on compromising accounts and then sells account access to another set of cybercriminals who focus on monetizing the hijacked accounts.
- 78% of attackers did not access any applications outside of email.
“Cybercriminals are getting stealthier and finding new ways to remain undetected in compromised accounts for long periods of time so they can maximize the ways they can exploit the account, whether that means selling the credentials or using the access themselves,” said Don MacLennan, SVP Engineering, Email Protection at Barracuda.
“Being informed about attacker behavior will help organizations put the proper protection in place so they can defend against these types of attacks and respond quickly if an account is compromised.”
The Twittersphere went into overdrive on Wednesday as a bunch of prominent, verified Twitter accounts were hijacked and started promoting a COVID-19 cryptocurrency giveaway scam.
The attackers simultaneously compromised Twitter accounts of Bill Gates, Elon Musk, Barack Obama, Jeff Bezos, Joe Biden, Mike Bloomberg, Apple, Uber, as well as those of cryptocurrency exchanges Binance, Coinbase, KuCoin and Gemini, the CoinDesk news site and other top crypto accounts.
Twitter reacted by locking down the affected accounts, removing Tweets posted by the attackers, and limiting functionality for all verified accounts, but not quickly enough to prevent many gullible users falling for the scam and sending money to the attackers.
“The accounts tweeted that they ‘partnered with’ a company called CryptoForHealth. The domain for this website was registered on July 15. The website itself claims that, to help with the hard times endured by COVID-19, they’re partnering with several exchanges to provide a ‘5000 Bitcoin (BTC) giveaway’ which is a ruse for advance fee fraud,” Satnam Narang, Staff Research Engineer at Tenable, explained.
This type of scam is common, but what makes this incident notable is that the scammers managed to use legitimate Twitter accounts to launch it, he notes. Because of this, users were more likely to place their trust in the CryptoForHealth website or the provided Bitcoin address.
Before Twitter locked the hijacked accounts and deleted the scammy tweets, the attackers apparently received nearly $118,000 in Bitcoin.
How have the Twitter accounts been hijacked?
As the compromised accounts began tweeting the scam in a coordinated manner, many speculated on how the attackers pulled off the massive compromise.
It soon became quite obvious that the attackers must have compromised them all from one central place.
Some users noticed that some of the hijacked accounts had been associated with one specific email address:
Yep! Crazy – looks like a full takeover/hijack pic.twitter.com/toug6PYnYr
— harrydenley.eth ◊ (@sniko_) July 15, 2020
Motherboard’s sources said that a Twitter insider (admin) was bribed or coerced to use an internal user management tool to reset the email address and password on the affected accounts. Others speculated that the attackers managed to compromise the corporate account of a Twitter employee.
Earlier today, Twitter confirmed that last speculation.
“We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools. We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it,” the company explained.
“We have locked accounts that were compromised and will restore access to the original account owner only when we are certain we can do so securely. Internally, we’ve taken significant steps to limit access to internal systems and tools while our investigation is ongoing. More updates to come as our investigation continues.”
The attack points to a greater problem
According to the BBC, the same email address that was used to register the CryptoForHealth domain was used to register an Instagram account with the same name. On it, the attackers posted a message that said: “It was a charity attack. Your money will find its way to the right place.”
Many have pointed out that, given how much US politicians depend on Twitter to keep the citizenry informed about their thoughts and actions, the attackers could have used the access to those accounts to do much more damage.
Others have posited that the Bitcoin scam was perhaps just a smokescreen:
Stage 1: Throw up simple bitcoin scam for some nice walkin-around money.
Stage 2: Exfiltrate DMs for later use in blackmail, etc. If you’re already sitting on data like OPM, etc., you have a nice amount of kompromat for leverage/profit.
— Jim Wagner (@jimwagmn) July 15, 2020
US Senator Josh Hawley demanded more information from Twitter about the hack, including an answer to the question of whether the attack threatened the security of US President Donald Trump’s account (which had not been made to tweet out the scammy message).
“The Twitter hack highlights how bad actors are using highly trafficked social media channels to wreak havoc,” noted Richard Bird, Chief Customer Information Officer, Ping Identity.
“The news of this exploit is extremely concerning as it really focuses attention on the inherent weaknesses in Big Tech security, which has been a point of focus across the country as we head into a presidential election and as we navigate the challenges driven by the pandemic. Disinformation and exploitation of supposedly trusted social media channels only amplifies the anxieties and concerns that consumers and citizens are already dealing with in this country and others.”
“Given the accounts’ relatively high profile, including that of a former US President, it’s likely that federal law enforcement and intelligence assets from both the public and private sector will be brought to bear on this very problem,” noted Kevin O’Brien, Co-Founder and CEO, GreatHorn.
“It’s highly likely that this will result in attribution, although I suspect we’ll find that this occurred from a non-US location, increasing the difficulty of apprehending the responsible parties.”
There were seven major application DDoS attacks over the previous month — two of which lasted 5-6 days, Imperva reveals.
Additionally, the team found that 47% of account takeover (ATO) attacks were aimed at loyalty programs and streaming services, where bad actors attempted to use stolen credentials to gain unauthorized access to online accounts to carry out malicious actions such as data theft, identity fraud or fraudulent e-commerce transactions.
The report also showed continued signs of site traffic recovery across various industries following the lift in shelter-in-place orders, as schools across the world reopened and employees returned to workplaces.
Increasing length of application DDoS attacks
Seven major application DDoS attacks over 150,000 requests per second (RPS) were identified. Two of the attacks lasted five and six days respectively, an unusual occurrence, as most DDoS attacks (70% of those in May) last less than 24 hours.
Additionally, while the average DDoS event in April originated from 300 IPs, these two major events came from 28,000 and 3,000 unique IPs. Furthermore:
- The most targeted industries overall were news (38%), business (25%) and financial services (19%).
- Top countries from which DDoS attacks originate are China (26%), US (15%) and the Philippines (7%).
ATO attacks are focused on loyalty program cards and streaming services
Out of the total ATO attacks, 47% were aimed at loyalty programs and streaming services. In one example, 13.5 million ATO attempts were registered over three days.
Across all ATO attacks, the average attack size per site was about 100,000 attempts, distributed over 2,000 IPs on average. This means that each IP sent no more than two requests per day, which classifies the activity as a “low and slow” attack — one in which a botnet uses many devices, each sending only a handful of requests, so that the attack blends in with legitimate traffic.
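The “low and slow” pattern above is exactly the case a per-source rate limit misses: two failed logins per IP per day never trips a threshold, but the same failures aggregated per site do. The following is an added example, not code from the Imperva report; the log format, the constructed sample lines and the thresholds are all assumptions chosen to reproduce the numbers in the paragraph (2,000 sources, at most two attempts each).

```python
"""Distinguish a 'low and slow' credential-stuffing campaign from normal traffic.

Added example, not code from the Imperva report: the log format, the sample
lines and the thresholds are assumptions made for the demonstration. A per-IP
rate rule sees at most two failures per IP per day and stays silent, while
aggregating failures per site catches the campaign.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Record:
    day: str
    site: str
    ip: str
    account: str
    ok: bool


def parse(line: str) -> Record:
    # Assumed line format: "<day> <site> <source_ip> <account> <outcome>"
    day, site, ip, account, outcome = line.split()
    return Record(day, site, ip, account, outcome == "ok")


def make_sample_log() -> list[str]:
    """Constructed sample: 30 genuine logins plus a low-and-slow campaign."""
    lines = [f"day1 shop.example 198.51.100.{i} cust{i} ok" for i in range(30)]
    # 2,000 bot IPs, each sending only two failed attempts during the day
    # (4,000 failures in total), mimicking the pattern described in the text.
    for i in range(2000):
        ip = f"10.0.{i >> 8}.{i & 255}"  # unique constructed address per bot
        for attempt in range(2):
            lines.append(f"day1 shop.example {ip} victim{2 * i + attempt} fail")
    return lines


def per_ip_offenders(records: list[Record], max_failures_per_day: int = 10) -> set[str]:
    """Classic per-source rule: IPs exceeding N failed logins in one day."""
    failures = Counter((r.day, r.ip) for r in records if not r.ok)
    return {ip for (_, ip), n in failures.items() if n > max_failures_per_day}


@dataclass
class SiteDayStats:
    failures: int                  # failed logins against the site that day
    distinct_ips: int              # how many sources they came from
    max_failures_from_one_ip: int  # the busiest single source


def site_day_stats(records: list[Record]) -> dict[tuple[str, str], SiteDayStats]:
    """Aggregate failed logins per (day, site) instead of per source."""
    per_site: dict[tuple[str, str], Counter] = defaultdict(Counter)
    for r in records:
        if not r.ok:
            per_site[(r.day, r.site)][r.ip] += 1
    return {
        key: SiteDayStats(sum(c.values()), len(c), max(c.values()))
        for key, c in per_site.items()
    }


def low_and_slow_sites(records: list[Record], min_failures: int = 1000,
                       min_distinct_ips: int = 500, max_per_ip: int = 2) -> set[str]:
    """Sites hit by many failures spread thinly over many sources."""
    return {
        site for (_, site), s in site_day_stats(records).items()
        if s.failures >= min_failures
        and s.distinct_ips >= min_distinct_ips
        and s.max_failures_from_one_ip <= max_per_ip
    }


if __name__ == "__main__":
    recs = [parse(line) for line in make_sample_log()]
    print("per-IP rule flags:", per_ip_offenders(recs) or "nothing")
    print("site-level rule flags:", low_and_slow_sites(recs))
```

The per-IP rule returns nothing for the constructed day, while the site-level rule flags the shop; in practice the same aggregation is also worth running per target account, since a stuffing run spreads its sources but concentrates on known usernames.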
COVID-19 affects cyber traffic and attack trends, while recovery continues
As the coronavirus crisis escalated, changes in traffic and attack trends across multiple industries and countries were examined in earlier reports. In May, as more countries reopened schools and fewer students were at home, overall traffic to education sites fell by 20%.
Additionally, with many returning to work and spending more time commuting, the use of entertainment sites — specifically radio streaming services — increased by 11% overall.
Cloud platforms and automated tools: The main source of attacks against govt sites
Cloud platforms and automated tools are the main source of attacks against government sites in the United States. A total of 65% of the attacks against law and government sites in the US originated from cloud platforms using automated tools written in the Python programming language.
Database vulnerabilities spike
Ten new database vulnerabilities were published in May, and almost half held a high severity score of greater than seven, with one reaching a critical score of greater than nine per the Common Vulnerability Scoring System (CVSS). Most of the vulnerabilities were published on May 12, 2020 as part of SAP Security Patch Day.
Overall Cyber Threat Index score remains at a ‘high’ level
Although the number of attacks declined by 28%, the Cyber Threat Index score went up by 32 points due to more high- and medium-risk vulnerabilities and an increase in high volume and longer duration DDoS attacks.
“In May, we were surprised to find two unusually long DDoS attacks lasting 5-6 days. As methods to carry out DDoS have become more advanced, leading to increased accessibility to those with no technical skills, we have historically seen that most attackers would rather not waste time and resources on achieving their proof of impact,” said Nadav Avital, head of security research at Imperva.
“For example, in Imperva’s 2019 Global DDoS Threat Landscape Report, we found that about 29% of attacks lasted 1-6 hours while 26% lasted less than 10 minutes. Longer attacks — such as the ones conducted in May — suggest they are the work of more professional bad actors who use their own botnets to carry out persistent assaults.”
Account Takeover (ATO) attacks happen when a bad actor gains access to a legitimate customer’s eCommerce store account and uses that account for fraud.
The impact of ATO attacks
A new Riskified survey shows that ATO attacks have a huge negative impact on customers and merchants, damaging brand reputation and hurting merchants’ bottom lines. Despite that, many merchants lack security measures, and 35% of merchants report that at least 10% of their accounts have been taken over in the last 12 months.
Both merchants and customers value secure store accounts. Customers cite their convenience and the opportunity to earn rewards as notable benefits. Merchants report that account holders shop more often and spend more per purchase than other customers.
But accounts can also increase risk if they are not properly secured. Sixty-six percent of merchants and 69% of customers say they are concerned about their accounts getting hacked. Purchases made using compromised store accounts are hard for merchants to detect, because they look like they are made by legitimate returning customers.
ATO attacks are also very costly for merchants. When fraudsters use compromised accounts to make fraudulent purchases, not only does the merchant lose the revenue and the value of the goods sold, but it also often suffers serious damage to its brand reputation and diminished customer lifetime value.
65% of customers say they would likely stop buying from a merchant if their account was compromised. 54% of customers say they would delete their account, 39% would go to a competitor, and 30% say they would tell their friends to stop shopping with the merchant.
Preventing ATOs presents unique challenges
Because an ATO requires only a login name and a stolen password, merchants have less data with which to evaluate the action, which makes detection and prevention difficult. Many merchants are failing at both:
- 27% admit that they do not have measures in place to prevent ATOs.
- 24% of merchants can’t identify an ATO during a purchase.
- 14% of merchants say they are not even aware that an ATO has occurred unless a customer contacts them.
- Only 7.5% of customers learn their accounts were compromised from the merchant. The vast majority spot changes to their accounts or learn of unauthorized purchases.
Merchants that take steps to reduce ATOs risk hurting the customer experience. The most common approach to prevent ATOs is two-factor authentication for login attempts (62%), which can frustrate legitimate customers and increase cart abandonment.
Many merchants also require complex passwords to increase security, with 73% reporting that account passwords must contain a mix of characters, numbers, symbols and uppercase and lowercase letters.
This can help security, but it also increases friction and does little for customers who reuse passwords, meaning that store accounts are at risk through data breaches on other sites. That’s a real concern, as 47% of customers admit to using the same password for two or more online stores.
Embracing advanced technology may offer a solution
Because of their potential for serious financial and reputational harm – combined with the difficulty in detection – merchants need to use as much available data as possible to avoid ATOs. For example, merchants should look at the device and network details, proxy usage and previous logins to determine if the entity attempting to access the account is the rightful owner.
If the device or network is unfamiliar or exhibiting characteristics consistent with fraudsters, merchants should exercise caution by notifying the account owner or applying two-factor authentication.
Merchants also need to recognize that the account takeover isn’t the end goal. Fraudsters use ATO attacks to then place fraudulent orders, and merchants have the advantage of seeing that whole process.
An unfamiliar login or a change of details might seem suspicious initially, but if the cart that reaches checkout is low risk, then merchants can likely safely approve the order.
Similarly, if a safe-looking account event is followed by a chargeback, then merchants should take another look at the account activity and, likely, prompt the customer to change their password. When merchants ensure that these parts of the shopping journey – and the teams and solutions that manage them – are coordinated, they can decrease risk and increase revenue.
“Our survey shows that merchants are aware of and concerned with ATO attacks, but they usually lack the ability to identify and prevent them,” said Assaf Feldman, CTO at Riskified.
“Without a dynamic approach that evaluates all relevant data, merchants risk significant financial losses, frustrated customers and damaged brand reputations. Advanced machine-learning solutions can instantly recognize legitimate customers and ease their path to checkout.
“Suspicious actions can be verified or blocked to minimize damage. By doing so, merchants maximize revenue while giving their customers a great experience.”
The importance of accounts
Accounts are an important shopping tool for customers:
- 3% of customers say they have accounts on individual sites for shopping.
- 75% do most or all of their online shopping with merchants where they have accounts.
- 42% said they shop more frequently when they have an account.
Merchants get a significant portion of their business from customers with accounts:
- More than 67% of the merchants surveyed say at least half of their orders come from customers with accounts.
- 58% of merchants report that account holders spend more per purchase than customers who use guest checkout.
- 61% say that account holders purchase more frequently than customers who use guest checkout.
“Companies can combat lateral phishing threats by adopting advanced security solutions that identify suspicious logins and take actions before breaches can occur. These controls enable businesses to verify users’ identities and enforce measures, such as MFA, which can limit an attacker’s chance of hijacking a corporate email address in the first place. Additionally, all companies can learn that it is essential to have full visibility and control over their customer data in order to prevent a breach. To do so, organizations must implement security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent the leakage of sensitive information,” said Anurag Kahol, CTO at Bitglass.
Phishers are trying to bypass the multi-factor authentication (MFA) protection on users’ Office 365 accounts by tricking them into granting permissions to a rogue application.
The app allows attackers to access and modify the contents of the victim’s account, but also to retain that access indefinitely, Cofense researchers warn.
The attack starts with an invitation email that directs potential victims to a file hosted on Microsoft SharePoint (a web-based collaborative platform that integrates with Microsoft Office).
The name of the document implies that the email recipient will get a bonus on their salary for Q1 2019.
Users who follow the link will land on a legitimate Microsoft Office 365 login page, but only those careful enough to check the URL might see something out of the ordinary – and only if they know what to look for.
The long URL holds a number of parameters that, “translated”, show that by entering the login credentials and pressing the login button, the user will “ask” the Microsoft Identity Platform for an ID token and an authorization code, which will be sent to a domain masquerading as a legitimate Office 365 entity (hxxps://officehnoc[.]com/office).
It also shows that the app for which the request is made will gain permission to access the victim’s account, read and modify its contents (documents, files) and use associated resources, access and use the victim’s contacts, and prolong that access indefinitely.
How? The aforementioned authorization code is exchanged for an access token that is presented by the rogue application to Microsoft Graph, which will authorize its access.
How can attackers bypass MFA protection on Office 365?
“Applications that want to access Office 365 data on behalf of a user do so through Microsoft Graph authorizations. However, they must first obtain an access token from the Microsoft Identity Platform,” Cofense researchers explained.
“This is where OAuth2 and OIDC come in. The latter is used to authenticate the user who will be granting the access, and if authentication is successful, the former authorizes (delegates) access for the application. All of this is done without exposing any credentials to the application.”
So the attacker doesn’t need to know the victim’s login credentials: this tactic gives them access to the victim’s account without using either the credentials or the MFA code.
The access token the rogue app receives and uses will expire after a while, but the app has also been granted permission to obtain refresh tokens, which can be exchanged for new access tokens, meaning that the app will be able to retain access potentially indefinitely.
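The indicators just described (an authorization code and tokens sent to a non-Microsoft host, a request for refresh tokens, and broad delegated permissions) are all visible in the query string of the authorization request before the user consents. The following is an added example of pulling them out for triage, not Cofense’s tooling: the trusted redirect suffixes and the list of sensitive scopes are assumptions, both sample URLs are constructed with placeholder client ids, and `attacker-controlled.example` stands in for the domain named in the article.

```python
"""Inspect an OAuth 2.0 / OIDC authorization request for consent-phishing
indicators.

Added example, not Cofense's tooling. TRUSTED_REDIRECT_SUFFIXES and
SENSITIVE_SCOPES are assumptions; the sample URLs are constructed and
attacker-controlled.example is a placeholder for the rogue domain.
"""
from urllib.parse import parse_qs, urlparse

# Assumption: hosts a first-party Microsoft sign-in flow may legitimately
# redirect to. Anything else receiving the code or tokens deserves scrutiny.
TRUSTED_REDIRECT_SUFFIXES = ("microsoft.com", "microsoftonline.com", "office.com", "live.com")

# Assumption: delegated Microsoft Graph permissions that grant broad or
# lasting access, keyed in lower case because scope names are compared
# case-insensitively here.
SENSITIVE_SCOPES = {
    "offline_access": "app can obtain refresh tokens and keep access indefinitely",
    "mail.readwrite": "app can read and modify the mailbox",
    "files.readwrite.all": "app can read and modify all files the user can reach",
    "contacts.read": "app can read the user's contacts",
}


def _host_is_trusted(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in TRUSTED_REDIRECT_SUFFIXES)


def inspect_authorize_url(url: str) -> dict:
    """Return the app id, where the tokens go, and a list of readable findings."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []

    redirect_host = (urlparse(params.get("redirect_uri", "")).hostname or "").lower()
    untrusted_redirect = bool(redirect_host) and not _host_is_trusted(redirect_host)
    if untrusted_redirect:
        findings.append(f"code/tokens will be sent to untrusted host {redirect_host}")

    # response_type is space-separated, e.g. "id_token code"
    wants_code = "code" in params.get("response_type", "").split()

    for scope in params.get("scope", "").split():
        why = SENSITIVE_SCOPES.get(scope.lower())
        if why:
            findings.append(f"{scope}: {why}")

    if wants_code and untrusted_redirect:
        findings.append("authorization code goes to that host, which can then mint access tokens itself")

    return {
        "client_id": params.get("client_id"),
        "redirect_host": redirect_host,
        "requests_auth_code": wants_code,
        "findings": findings,
    }


# Constructed examples; the client ids are placeholders, not real applications.
ROGUE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=id_token%20code"
    "&redirect_uri=https%3A%2F%2Fattacker-controlled.example%2Foffice"
    "&scope=openid%20offline_access%20Contacts.Read%20Files.ReadWrite.All%20Mail.ReadWrite"
    "&response_mode=form_post&nonce=constructed-nonce"
)
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111"
    "&response_type=id_token"
    "&redirect_uri=https%3A%2F%2Fwww.office.com%2Flanding"
    "&scope=openid%20User.Read&response_mode=form_post&nonce=constructed-nonce"
)

if __name__ == "__main__":
    for label, url in (("rogue", ROGUE_URL), ("benign", BENIGN_URL)):
        report = inspect_authorize_url(url)
        print(label, report["redirect_host"], *report["findings"], sep="\n  ")
```

The same check is useful on the administrator side: the consented application’s redirect URI and granted permissions are what an admin reviews when hunting for apps that users approved by mistake, and `offline_access` paired with a non-first-party redirect host is the combination that turns a one-off consent into persistent access.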
After signing in, the user will be asked to confirm that he or she wants to grant the application all those permissions. Ideally, that’s the moment most users will balk and refuse but, unfortunately, many don’t understand the danger of giving random apps access to their account.
“The OAuth2 phish is a relevant example of adversary adaptation. Not only is there no need to compromise credentials, but touted security measures such as MFA are also bypassed; it is users themselves who unwittingly approve malicious access to their data,” the researchers noted.
“If users fail to act, it will be up to domain administrators to spot and deal with any suspicious applications their users might have misguidedly approved.”
Once the rogue app’s access is revoked, victims must change their O365 account password and check whether the attackers have switched off MFA protection or modified some of its settings/options.
Since the COVID-19 outbreak, digital fraud has increased significantly, especially when it comes to account takeover. In this Help Net Security podcast, Angie White, Senior Product Marketing Manager at TransUnion, explores ATO and social engineering attacks and offers some suggestions on how to address these threats.
Here’s a transcript of the podcast for your convenience.
Hello. This is Angie White, Senior Product Marketing Manager for TransUnion Global Fraud and Identity Solutions. Today we’re going to dive into how COVID-19 is driving an increase in account takeover, as well as providing some suggestions on how to combat it.
Before we get too into the weeds, let’s just quickly level set on a definition of account takeover or ATO. Account takeover is when a legitimate customer’s account is accessed through illicit means for the purpose of committing fraud. Account takeover isn’t a new phenomenon. It’s something that’s been around in financial services and banking for a long time, but we’ve seen a rapid increase in segments such as e-commerce, insurance, telecommunications in recent years.
How is COVID-19 driving an increase in account takeover? We’re seeing two primary factors. First off is just the increase in volume, as consumers have been forced to turn to digital channels because they can no longer go to their local bank, go to their local store. It’s really made it easier for fraudsters to hide in that uptick of volume. Secondly, you see that fraudsters are taking advantage of the chaos using the uncertainty to victimize consumers.
Looking at our data, we’re seeing big spikes for sectors such as banking, telecommunications, e-commerce. As an example, we saw a 23% increase in e-commerce traffic the week of March 11th to 18th, so that was the week following the declaration by the World Health Organization of the pandemic. This left many businesses trying to shore up work from home operations, secure their sites and deal with increases in volume both on their sites but also in their contact centers.
The Aite group estimates that banks have seen spikes in call center volume at around 40%, so that’s quite the increase. Likewise, telecommunications providers have seen spikes ranging around 25%. Never missing an opportunity, fraudsters have also taken advantage of the chaos to perpetrate more fraud, and in an analysis of transactions we protect, we found a 14% increase in risky transactions for financial services since March 11th. So, we’re definitely seeing that already play out for our customers.
Also, looking at the consumer impact, TransUnion polled over 3000 Americans, 18 and older, on how COVID-19 is impacting them. 28% of respondents indicated that they had already been targeted by a digital fraud scam related to COVID-19, and this was up from the previous week where 23% had indicated that they had already been targeted. So, a 5% increase in one week. This really highlights that this trend is likely to accelerate. Of those consumers, 10% of Gen-Z and 9% of Millennials indicated that they had already fallen victim to a COVID-19 scam. So, we’re seeing approximately a third of those scams be successful.
There are a number of attack methods used to perpetrate account takeover, but for our purposes I’m only going to hit on three of the most common methods: phishing scams, social engineering and credential stuffing.
Phishing scams. You’ve likely all seen these emails, they look very legitimate or it could be a phone call or legitimate looking website. Fraudsters are using the current crisis to send out prevention tips for COVID-19, news updates, promising information about stimulus checks, using that to steal login credentials and personal data through various means. Unfortunately, consumers have a bad habit of reusing login credentials. That means that such compromises will likely lead to an uptick in account takeover across all industries and across the board.
Social engineering can come in a number of flavors. One attack method is to gather information that is publicly available about a consumer, from sources such as social media or that have been gained from phishing attacks. In the age of social media, consumers have gotten in the habit of oversharing, so publicly posting about things like attending a high school reunion, that makes it very easy for a fraudster to then go and search on that high school, find out who their mascot is, find out what their hometown is. Those are all pieces of information that can be used in social engineering to answer KBA questions, to socially engineer contact center agents and gain access to an account.
Another flavor of social engineering that we see is what we term romance scams. This is where a bad actor ingratiates themselves with an intended victim. We actually had a real use case with one of our customers, a very large telecom provider, where fraudsters were going out ingratiating themselves with lonely people on dating sites and getting them to give them their login credentials with the promise that they would go and add a phone line, get a phone so that they could talk more.
Of course, the fraudsters go in, they add 10 lines, order 10 new phones and create big losses for the business and a lot of dissatisfaction for that customer. I’ll talk through some ways that they shut that down in just a moment.
Lastly, credential stuffing. This is when fraudsters take stolen credentials, gained through phishing attacks or in many cases simply bought off the dark web, and test those stolen credentials against a site to see what accounts they can gain access to. These attacks are often automated using bots. When they find a good account, they go in, they can take it over. And what’s more is they use those good credentials, not only on that site, they move from site to site, seeing if they’ll work on other platforms.
So again, with the attacks that we’re seeing due to COVID-19, with the increase in phishing scams, increased breached credentials, personal data, that’s all going to drive more credential stuffing attacks.
There’s a number of measures that businesses can take to mitigate account takeover. I’m going to break it out by customer touch points. So let’s start at login.
You really do need to go beyond username and password to secure customer accounts. With all the breaches, all the phishing attacks, you really do need to move forward with the assumption that your consumer’s credentials have been compromised. There’s a number of options that are easy to layer onto existing authentication solutions depending on the need of your business. Things such as one-time passcodes, or OTP, multifactor authentication, captcha. At TransUnion, we recommend device-based authentication. This essentially pairs the consumer device to their account using it as a mode of authentication.
I touched on the romance scams a little earlier. This is exactly how that telecom provider shut down account takeover in their service, so they implemented device-based authentication. They were able to pair good user devices to their accounts, that way, if a fraudster came in, even with the correct credentials, they could see that that device was not authorized to access that account, so very effective for them in shutting down account takeover.
Device-based authentication also gives you a lot of risk insight that isn’t available for most other authentication methods. Things like unusual velocities, geolocation mismatches, or the use of an anonymizing proxy, so somebody’s trying to make it look like they’re coming from a mobile device when you can really see that they’re using an emulator and coming from a laptop.
The next point of risk is account management. Once fraudsters have gained access to an account, they of course want to change account details such as email or shipping address so they can take over the account.
Again, there’s a number of methods where you can protect account management. You can add verification checks such as verifying email, phone, address. Another very effective method is using push authentication. With this, you can push an authentication request to the user’s device to authenticate with, say, a thumbprint or a PIN that they did initiate that change to their account.
One of the benefits of this is that you can use it for any channel. So, if somebody is requesting changes via the web, via your application, or even via the contact center, you can push that authentication request directly to the user’s device to authenticate before proceeding with the change.
As your business starts to operate in the new normal that is COVID-19, it’s really important to think through what are your points of risk across your customer journey and how can you add protection without adding too much friction. Unfortunately, there isn’t a silver bullet for shutting down ATO because there are many points of risk across the customer journey and many different attack methods.
Businesses are really going to have to examine what are their points of risk in the customer journey, how can they protect those points of risk without adding too much friction and create the new normal in the COVID-19 era. Stay safe out there.
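Both the Riskified advice earlier on this page (look at device and network details, proxy usage and previous logins, then notify the owner or apply two-factor authentication) and the device-based authentication described in the transcript (pair known devices to the account, watch for unusual velocity, geolocation mismatches, anonymizing proxies and emulators posing as phones) come down to the same login-time decision. The following is an added example of that decision as a small rule-based scorer; it is not TransUnion’s or Riskified’s product logic, and the signals, weights and thresholds are assumptions chosen to illustrate the three outcomes, with the sample events constructed.

```python
"""Risk-based login assessment: device pairing plus network and velocity signals.

Added example, not TransUnion's or Riskified's logic. Signals, weights and
thresholds are assumptions; the decision is one of allow, notify_owner or
step_up_2fa, matching the responses described on this page.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LoginEvent:
    account: str
    device_id: str                     # fingerprint of the device presenting the login
    country: str                       # geolocation of the source network
    at: datetime
    anonymizing_proxy: bool = False    # source network is a known anonymizer
    claims_mobile: bool = False        # client reports itself as a phone or tablet
    looks_like_emulator: bool = False  # fingerprint reveals an emulator instead


@dataclass
class AccountHistory:
    trusted_devices: set[str] = field(default_factory=set)
    recent_logins: list[LoginEvent] = field(default_factory=list)  # oldest first


def assess_login(event: LoginEvent, history: AccountHistory) -> tuple[str, list[str]]:
    """Return (decision, reasons) for a login that already passed the password check."""
    score, reasons = 0, []

    if event.device_id not in history.trusted_devices:
        score += 2
        reasons.append("device not paired with this account")
    if event.anonymizing_proxy:
        score += 2
        reasons.append("login via anonymizing proxy")
    if event.claims_mobile and event.looks_like_emulator:
        score += 3
        reasons.append("claims to be a mobile device but runs in an emulator")

    seen_countries = {e.country for e in history.recent_logins}
    if seen_countries and event.country not in seen_countries:
        score += 1
        reasons.append(f"first login from {event.country}")

    # Velocity: a different country within an hour of the last login.
    if history.recent_logins:
        last = history.recent_logins[-1]
        if last.country != event.country and event.at - last.at < timedelta(hours=1):
            score += 3
            reasons.append("impossible travel since previous login")

    if score == 0:
        return "allow", reasons
    if score <= 2:          # one mild signal: let it through but tell the owner
        return "notify_owner", reasons
    return "step_up_2fa", reasons


def pair_device_after_step_up(event: LoginEvent, history: AccountHistory) -> None:
    """Once the owner passes the step-up, remember the device for next time."""
    history.trusted_devices.add(event.device_id)
    history.recent_logins.append(event)


if __name__ == "__main__":
    # Constructed history: alice normally logs in from one device in the US.
    t0 = datetime(2020, 4, 1, 9, 0)
    hist = AccountHistory({"dev-A"}, [LoginEvent("alice", "dev-A", "US", t0)])
    for ev in (
        LoginEvent("alice", "dev-A", "US", t0 + timedelta(days=1)),
        LoginEvent("alice", "dev-B", "US", t0 + timedelta(days=1)),
        LoginEvent("alice", "dev-B", "US", t0 + timedelta(days=1), anonymizing_proxy=True),
        LoginEvent("alice", "dev-A", "DE", t0 + timedelta(minutes=30)),
    ):
        print(assess_login(ev, hist))
```

The point of the split between `notify_owner` and `step_up_2fa` is the friction trade-off the Riskified survey raises: a single unfamiliar device on an otherwise normal login gets a notification rather than a challenge, while stacked signals (unfamiliar device plus proxy, or a trusted device that appears to have crossed a border in thirty minutes) earn the second factor.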
Since the start of the year, journalists and news outlets have become preferred targets of government-backed cyber attackers, Google’s Threat Analysis Group (TAG) has noticed.
“For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation. In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email,” shared Toni Gidwani, a security engineering manager at TAG.
Government-backed attackers also target foreign policy experts – for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks – as well as government officials, dissidents and activists.
Protecting Google accounts
Aside from trying to deliver malware to compromise the targets’ computer and/or smartphone, the attackers are also trying to compromise their online accounts – repeatedly.
“In 2019, one in five accounts that received a [government-backed phishing or malware attack] warning was targeted multiple times by attackers. If at first the attacker does not succeed, they’ll try again using a different lure, different account, or trying to compromise an associate of their target,” Gidwani said, and boasted about the effectiveness of Google’s protections when it comes to phishing and account hijacking.
“We’ve yet to see people successfully phished if they participate in Google’s Advanced Protection Program (APP), even if they are repeatedly targeted,” she claimed.
Google’s APP provides additional account security for those who are at an elevated risk of targeted attacks by requiring the person logging in to present a specific physical security key (in addition to the password and the second authentication factor), preventing untrusted third-party apps from accessing the account, providing added download protection, insisting on a stricter account recovery process, and so on.
The attackers haven’t failed to notice the effectiveness of the protections, Gidwani says, and have slowed down their onslaught. “In 2019, we sent almost 40,000 warnings, a nearly 25 percent drop from 2018,” she noted.
Google’s TAG also discovers attacks and tracks attackers exploiting zero-day vulnerabilities in popular software – in 2019, they discovered zero-day vulnerabilities affecting Android, Chrome, iOS, Internet Explorer and Windows.
“Last year, TAG discovered that a single threat actor was capitalizing on five zero-day vulnerabilities,” she shared.
“Finding this many zero-day exploits from the same actor in a relatively short time frame is rare. The exploits were delivered via compromised legitimate websites (e.g. watering hole attacks), links to malicious websites, and email attachments in limited spear phishing campaigns. The majority of targets we observed were from North Korea or individuals who worked on North Korea-related issues.”
There has been a spike in digital commerce since social distancing became widespread globally, according to TransUnion research.
The research found a 23% increase in global e-commerce transactions in the week following the World Health Organization declaring the novel coronavirus outbreak a pandemic on March 11th compared to the average weekly volume in 2020.
“It is clear that social distancing has changed consumer shopping behaviors globally and will continue to do so for the foreseeable future,” said Greg Pierson, senior vice president of business planning and development at TransUnion. “No doubt fraudsters will continue to follow the trends of good consumers and adjust their schemes accordingly.”
Increase in account takeover
In a recent survey of 1068 Americans 18 and older, 22% said they have been targeted by digital fraud related to COVID-19. The survey reported a 347% increase in account takeover and 391% rise in shipping fraud attempts globally against its online retail customers from 2018 to 2019.
“With so many reported data breaches, it’s not just about if your account will be hijacked, it’s about when,” said Melissa Gaddis, senior director of customer success for TransUnion Fraud & Identity Solutions.
“Once a fraudster breaks into an account, they have access to everything imaginable resulting in stolen credit card numbers and reward points, fraudulent purchases, and redirecting shipments to other addresses.”
E-commerce fraud and transaction methods
Typical methods used to take over an account include buying login details on the dark web, credential stuffing, hacking, phishing, romance scams and social engineering.
Shipping fraud is when criminals take over a customer account but don’t change the shipping address in order to avoid detection. Once the package has shipped, they intercept it at the carrier site and change the shipping address.
Besides account takeover and shipping fraud, there were also other significant e-commerce fraud and transaction trends:
- 42% decrease in promotion abuse from 2018 to 2019. Cybercriminals access accounts to drain loyalty points or create multiple new accounts to use the same promotion over and over, often against website and app terms. TransUnion believes this decrease can be attributed to fraudsters turning to more lucrative schemes such as account takeover.
- 78% of all e-commerce transactions came from mobile devices in 2019. That’s a 33% increase from 2018. E-commerce companies are scrambling to ensure a mobile-first experience for consumers not just to browse but to buy.
- 118% increase in risky transactions from mobile devices in 2019. Fraudsters have taken notice that more e-commerce transactions are coming from mobile devices and are trying to replicate that consumer behavior in order to avoid detection.
“Although the death of brick and mortar has been well documented, there is still plenty of room for e-commerce growth with one report claiming online retail only makes up 14% of all global retail sales,” said Gaddis.
“With so much room left for growth, it’s important that retailers stay ahead of the emerging transaction and retail trends to provide a friction-right experience for consumers and a fraudster-proof barrier.”
Have you secured your streaming services’ accounts? Are you sure someone else, unbeknown to you, isn’t using them as well?
As people around the world are being asked to remain in their homes due to the coronavirus pandemic, many are turning to streaming services such as Netflix, Hulu, Disney+, Spotify, and Apple Music for entertainment, Proofpoint cybersecurity strategist Adenike Cosgrove notes.
He also posits that cybercriminals, who have been compromising users’ streaming accounts for ages, will now likely step up their efforts.
How do criminals usually steal streaming credentials?
Streaming credentials are usually stolen via malware (information-stealing Trojans) or fake login/phishing pages.
Criminals are also trying out credentials leaked after data breaches. If the user has reused them for their streaming accounts, their compromise is, effectively, just a matter of time.
Finally, they sell the compromised login credentials for a fraction of the price of a legitimate subscription.
“At this point there is a very mature, operationalized market for stolen streaming credentials,” Proofpoint researchers noted. “When attackers get your streaming credentials, they sell them to others who will use them to log on and piggyback off of your streaming services, likely without you even knowing it.”
What can you do to protect your online streaming accounts?
None of the aforementioned streaming services offer a two-factor authentication option to their customers, so the security of those accounts still depends on users:
- Choosing a strong, long and unique password that they will not reuse for other accounts
- Being able to spot and avoid phishing pages
- Being able to avoid getting infected with info-stealing malware.
The researchers advised users to keep their operating system, browsers and plug-ins up to date and not click on links embedded in emails or attachments to visit a streaming site.
“It is also important to always use a unique strong password for each of your streaming sites, ideally in conjunction with a password manager,” they added.
“Additionally, many streaming services now provide an option that notifies you anytime a new device connects to your account. Selecting this option will allow you to verify that each device is authorized and take action if it is not.”
Users who, when reviewing the recent streaming activity on their account, spot an unknown device logged into it should first change the account password, then sign out all devices and, finally, sign in again with the new password. This will lock any unauthorized user out of the account.
It is worth adding that if your account has been compromised, so has the information it holds, including payment card details. Users would do well to cancel that card and be on the lookout for fraud and identity theft attempts leveraging the compromised information.
44 million Microsoft Azure AD and Microsoft Services accounts were vulnerable to account hijacking due to use of compromised passwords, Microsoft has shared.
The discovery was made in the first quarter of 2019, when the company’s identity threat research team checked billions of credentials compromised in different breaches against Microsoft consumer and enterprise account credentials.
Password reuse and efforts to prevent it
Data breaches have become a fact of life for both businesses and individuals, making password reuse across online accounts a big problem. Year after year, surveys show that convenience trumps security for too many users – even infosec professionals.
Some organizations set up stringent password rules to prevent users from choosing short, predictable and easy-to-guess passwords. To help with that Microsoft has, for example, provided Azure AD Password Protection to enterprise users.
Google has also offered Chrome users an extension that detects username/password combinations that have been compromised due to breaches and recently built the technology into Google Account’s Password Manager (and soon the Chrome browser).
Compromised passwords and Microsoft accounts
While the infosec industry would like everyone to use password managers to generate and store long, unique passwords for each online account, many users still avoid using them and opt for password reuse.
NIST advises companies to verify that passwords are not compromised before they are activated and check their status on an ongoing basis, against a dynamic database comprised of known compromised credentials.
The latter is what Microsoft did and how it made this latest discovery.
“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” the company noted and, once again, advised users to use MFA wherever possible.
“Microsoft also offers solutions to protect customers from breach replay attacks. This includes capabilities to flag users as high risk and inform the administrator to enforce a password reset,” they added.
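The NIST guidance quoted above has two halves: refuse a compromised password at the moment it is chosen, and keep sweeping existing accounts against newly leaked credentials. The following is an added example of both checks, not Microsoft’s implementation: the breach corpus and the account directory are constructed, the unsalted SHA-1 comparison is an assumption made so the demonstration runs offline (a production store keeps salted, slow hashes and verifies a leaked plaintext against each matched user’s hash instead), and the two actions mirror the responses described in the article, a forced reset for consumer accounts and an elevated risk level plus administrator alert for enterprise accounts.

```python
"""Check passwords against breached credentials at activation time and as an
ongoing 'breach replay' sweep over existing accounts.

Added example, not Microsoft's implementation. The breach corpus and the
directory are constructed; SHA-1 is used only so the demo runs offline.
"""
import hashlib
from dataclasses import dataclass


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: (username, plaintext) pairs as they would appear
# in a leaked credential dump. Real corpora hold billions of entries.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com", "Password123"),
    ("carol@contoso.example", "letmein"),
]
COMPROMISED_HASHES = {sha1_hex(pw) for _, pw in LEAKED_CREDENTIALS}


def password_is_compromised(candidate: str, corpus=COMPROMISED_HASHES) -> bool:
    """Activation-time check: refuse any password already seen in a breach."""
    return sha1_hex(candidate) in corpus


@dataclass
class StoredAccount:
    username: str
    kind: str           # "consumer" or "enterprise"
    password_hash: str  # SHA-1 here for the demo only; use a salted, slow hash in production


# Constructed directory: alice reused her leaked password, bob changed his,
# carol's enterprise account still matches the leak.
DIRECTORY = [
    StoredAccount("alice@example.com", "consumer", sha1_hex("Summer2019!")),
    StoredAccount("bob@example.com", "consumer", sha1_hex("a-completely-new-one")),
    StoredAccount("carol@contoso.example", "enterprise", sha1_hex("letmein")),
]


def breach_replay_sweep(leaked, directory) -> list[tuple[str, str]]:
    """Ongoing check: which accounts still use a leaked username/password pair,
    and what to do about each, returned as (username, action)."""
    leaked_by_user = {user.lower(): sha1_hex(pw) for user, pw in leaked}
    actions = []
    for acct in directory:
        if leaked_by_user.get(acct.username.lower()) == acct.password_hash:
            action = ("force_password_reset" if acct.kind == "consumer"
                      else "elevate_risk_alert_admin")
            actions.append((acct.username, action))
    return actions


if __name__ == "__main__":
    print("Password123 compromised:", password_is_compromised("Password123"))
    for username, action in breach_replay_sweep(LEAKED_CREDENTIALS, DIRECTORY):
        print(username, "->", action)
```

The sweep deliberately matches on username and password together: a reused password alone is a weak signal, but the exact pair from a leak is what a breach replay attack will try first, so that match is the one that justifies forcing a reset without waiting for a failed login.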