Taobao is a Chinese online shopping website that just happens to be the biggest e-commerce site in the entire world. Owned by conglomerate giant Alibaba, it also happens to be the eighth most visited website in the world according to Alexa Rankings.
In early 2016, Taobao users reported suspicious activity that turned out to be a massive brute force attack. Some 21 million user accounts were compromised, equating to 1 out of every 20 annual active buyers on Alibaba’s China retail marketplaces.
Brute force attacks remain a popular option among hackers. So, let’s familiarize ourselves with this attack and see how Netenrich helps to rectify these issues.
What is a brute force attack?
A brute force attack is a cryptographic attack in which the attacker guesses possible combinations for a targeted password, one after another, and repeats the process until landing on the correct one. The longer the password, the more combinations must be tried.
Brute force attacks are not the most efficient approach, but some users still choose passwords such as “12345” or “password,” which makes the hacker’s job easy every now and then.
Goals of a brute force attack
A well-executed brute force attack uses a script, hacking application, or some similar process to repeatedly execute certain processes to gain information. Goals include:
- Theft of personal information such as passwords and passphrases that can be used to access online accounts and network resources
- Obtaining information to sell to third parties
- Taking over user accounts to send phishing links or spread fake content
- Using credentials to deface the company website
- Taking over a website to redirect traffic to a site containing malicious content
Brute Force #1: Dictionary Attacks
Dictionary attacks are the most common form of brute force attack. The idea behind them is simple: use a list of words from a dictionary to crack passwords. Attempts typically begin with common passwords (like “password,” “12345,” etc.) and then work through the rest of the list until the correct one is found.
Computers nowadays are so fast and powerful that they can crack an 8-character alphanumeric password in just eight hours through pure brute force tactics. The processor goes through every possible combination of every possible character to find the right combination.
Brute Force #2: Reverse Brute Force Attacks
A reverse brute force attack starts from a common password instead of a specific user: a small set of common passwords is tried against a list of possible usernames. For example, a simplistic option such as “password” may be used to find a username that goes with it.
Brute Force #3: Credential Stuffing
Most users choose the same password for all their online profiles to keep things simple. Many also log in to different websites via their Facebook or Google accounts. Here, an attacker only needs to crack one key account to gain access to several others.
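Telling these patterns apart in authentication logs is the defender's side of the problem. The following is an added example, not Netenrich's detection model or any code from the original post: it parses a constructed login-attempt log and flags the dictionary pattern (many failures against one account from one source), the reverse pattern (one source failing against many accounts) and the highest-priority case, a success immediately after a burst of failures. The log format and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (made up for this example; RFC 5737 test addresses).
# Each line: ISO timestamp, outcome (FAIL/OK), user, source IP.
SAMPLE_LOG = """\
2016-01-12T08:00:01 FAIL user=alice src=203.0.113.5
2016-01-12T08:00:03 FAIL user=alice src=203.0.113.5
2016-01-12T08:00:04 FAIL user=alice src=203.0.113.5
2016-01-12T08:00:06 FAIL user=alice src=203.0.113.5
2016-01-12T08:00:07 FAIL user=alice src=203.0.113.5
2016-01-12T08:00:09 OK   user=alice src=203.0.113.5
2016-01-12T08:01:00 FAIL user=bob   src=198.51.100.9
2016-01-12T08:01:02 FAIL user=carol src=198.51.100.9
2016-01-12T08:01:04 FAIL user=dave  src=198.51.100.9
2016-01-12T08:01:06 FAIL user=erin  src=198.51.100.9
2016-01-12T08:02:00 FAIL user=frank src=192.0.2.77
2016-01-12T08:02:30 OK   user=frank src=192.0.2.77
"""

def parse(line):
    """Split one log line into (timestamp, outcome, user, src)."""
    ts, outcome, user_kv, src_kv = line.split()
    return datetime.fromisoformat(ts), outcome, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]

def detect(log, window=timedelta(minutes=5), per_user=5, spray_users=4):
    """Return sorted (kind, src, user) alerts. Thresholds are illustrative, not tuned."""
    events = sorted(parse(l) for l in log.splitlines() if l.strip())
    fails = defaultdict(lambda: defaultdict(int))  # (src, time bucket) -> user -> failures
    streak = {}  # (src, user) -> consecutive failures, reset on success
    alerts = set()
    for ts, outcome, user, src in events:
        if outcome == "FAIL":
            bucket = (ts - datetime.min) // window  # fixed-size time buckets
            fails[(src, bucket)][user] += 1
            streak[(src, user)] = streak.get((src, user), 0) + 1
        else:
            # Success right after a burst of failures: guessing may have worked, highest priority.
            if streak.get((src, user), 0) >= per_user:
                alerts.add(("success-after-failures", src, user))
            streak[(src, user)] = 0
    for (src, _bucket), counts in fails.items():
        # Dictionary-style: many failures against one account from one source.
        alerts.update(("dictionary", src, u) for u, n in counts.items() if n >= per_user)
        # Reverse brute force: one source, failures spread across many different accounts.
        if len(counts) >= spray_users:
            alerts.add(("reverse", src, "*"))
    return sorted(alerts)
```

Credential stuffing does not show up as either pattern, because each account sees only one or two attempts; catching it needs other signals, such as the same source cycling through many accounts with a high success rate.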
The Netenrich Solution
As a part of our Secure Enterprise package, Netenrich will protect you from brute force attacks with early detection and recommendations for remediation. We have created a Brute Force Detection Model that allows us to efficiently zero in on potential attacks faster than the speed of bad.
The keyword here is “efficiently.”