15 out of 16 Visits to Your Login Page Are Intruders

The case for Two Factor Authentication is becoming stronger every day, as more and more accounts of password-related hacking attempts grab headlines in the mass media. The most recent story, and probably the highest-profile one to date, was the successful hacking of President Obama’s official social media channels. This and other similar cases are indicators of a much wider security trend of hackers who have come to view password-protected web pages as weak spots and prey on the false sense of security they provide.

To counter this trend, four months ago Incapsula launched Login Protect, which provides our customers’ websites with a flexible and easy-to-use Two Factor Authentication (2FA) option. While this feature is still in the early stages of adoption, it has already furnished us with some interesting real-world data, which underscores the magnitude of the threat. We’d like to share the highlights of these reports with you today.

Intruders on Your Doorstep

For the purpose of this report we surveyed a sample group of 1,000 websites over a 90-day period, during which we recorded over 1.4 million unauthenticated access attempts and 20,376 authenticated logins.

Login Protect: Authenticated vs. Unauthenticated Attempts

Our data shows that 2.8% of the unauthenticated attempts were made by human visitors. This suggests that most of these should be attributed to “human error” (e.g., typing the wrong password) and to the initial one-time 2FA activation process. Our numbers also show that another 1.8% of the unauthenticated visits were made by benevolent bots (e.g., search engines, legitimate crawlers, RSS readers, etc.) whose numbers would certainly be much higher, if not for the common practice of blocking the login URLs using the robots.txt file.

Login Protect: Visitor Distribution

The remaining 94.1% of the visits were made by malicious automated tools – the kinds that are used to discover and exploit password-related security holes. Simply put, this means that on average 15 of every 16 visitors to your login page have ill intentions in mind.

Right in Time for Brute Force

The seemingly high ratio of malicious visits is, in fact, only to be expected – especially considering the recent waves of large-scale Brute Force attacks and the overall increase in APT events and other password-related hacks. That connection becomes even more evident from looking at the trending reports. For example, while observing the timeline of blocked attempts, it is easy to spot a distinct correlation between the steep increase in the number of malicious access attempts and the reports about the Fort Disco attack, which surfaced throughout August and September.

Login Protect: Malicious Access Attempts

We can safely assume that the reports of these attacks motivated the owners of Incapsula-protected websites to activate their Two Factor Authentication. For example, we know that the media coverage focused on the threat Fort Disco posed to Joomla and WordPress sites. And so, not surprisingly, almost all Joomla and WordPress sites in our survey group started using Login Protect during that period.

Perhaps it was simply a case of good timing for us to have this solution ready just in time for the attack. Still, fortune does favor the prepared.

Not Just for Your Website’s Admin

It should be noted that not all the surveyed websites use Login Protect to provide Two Factor Authentication security for their websites’ admin pages. While this is clearly the most common use case, we also saw other scenarios, including:

  • Securing Partner Areas: Some clients use Login Protect to secure their partner-facing web applications: affiliate and advertising platforms, partner portals, etc. The users who access these areas are not directly employed by the organization, yet they have access to privileged information. Moreover, some of these portals provide control planes which could be exploited to cause damage to the organization and its clients.
    In such scenarios, our clients are using Login Protect to augment basic password-based security, and usually activate its bulk management option to facilitate the import and management of hundreds and even thousands of users at a time.

Login Protect: Bulk Management

  • Securing Internal Company Portals: This is very similar to the first scenario, but more sensitive, since access to internal company portals (e.g., internal forums) could be more easily exploited for phishing attacks. Hackers often try to assume the identity of a company employee to infiltrate the organization and gain persistent in-depth access to its more valuable assets. Our Two Factor Authentication gateway helps clients minimize that risk, while our bulk management option streamlines the handling of larger than “normal” user lists.
  • Securing Staging Areas: Clients and resellers conducting web development projects often have online staging areas, which serve their clients and other service providers involved in the project (e.g., web designer, SEO firm, etc.). Such staging areas may hold yet-to-be-revealed information and are also more prone to hacking attempts and DDoS attacks, which will also affect other sites on the server. For these reasons, we see Login Protect being used to provide additional security for such staging areas.
