A brute force attack occurs when cybercriminals try to guess and verify information such as passwords, credit card numbers and promo codes. Criminals can start with lists of potentially viable codes and common words, and work through different combinations of letters, numbers and symbols to break into accounts. The brute force moniker comes from the relentless, rapid attempts to pry the system open.
A determined hacker can guess just about any password or credit card number eventually, but it could take a while. To speed up the process, cybercriminals use highly distributed networks of bad bots — known as botnets — to do the dirty work. A botnet is a network of computers infected with malware that can be controlled together by the attacker without the device owners' knowledge.
Botnets can comprise thousands of devices, and using multiple computers makes the process of testing a large number of combinations even faster. Using distributed botnets enables attackers to bypass restrictions such as rate limiting. Attackers can also use the cloud and cloud services to launch brute force attacks, leveraging the computing capacity without having to make a fixed, long-term investment.
If a brute force attack is successful, cybercriminals can use the validated credentials and payment information to commit account takeover (ATO) attacks or make fraudulent purchases. If attackers gain unauthorized access to accounts, they can collect stored PII, steal gift cards and loyalty points, create fake accounts, submit fake warranty claims, and post fake reviews.
There are several variations on the basic guessing attack, each of which is worth explaining.
- Simple brute force attacks: Cybercriminals guess passwords and credit card numbers using logic and some common assumptions in simple attacks. When brute forcing credit cards or gift cards, for example, attackers will enumerate combinations that match some condition that is known on these cards, such as the number of digits. Certain tests, such as Luhn’s Algorithm, can also be used to narrow down possible combinations.
When trying to guess login credentials, a brute-force attacker can surf their target’s social media accounts for words with special meaning — such as their pet's name — to include in password guesses. Another example is common number combinations — like “123” — that many people use to create passwords that require numbers. Similarly, people most often use exclamation points for passwords that require a symbol. An attacker can also manually insert the most commonly used passwords from a published list.
- Dictionary attacks: Cybercriminals launch dictionary attacks by guessing passwords using well-known words. Dictionary attacks got their name because attackers used to scour dictionaries for words to use in password guesses.
Attackers can also use this method to work backwards, starting with a popular password and guessing common usernames until they find a valid pair. Known by several other names — including reverse brute force attacks and password spraying — this technique unlocks systems where the standard approach fails because common passwords likely work with many usernames.
- Hybrid brute force attacks: A hybrid brute force attack is the combination of a simple brute force attack and a dictionary attack. The attack starts with words in the dictionary as the basic building block, then adds letters, numbers and symbols to guess passwords. Cybercriminals often use software to generate guesses using common words and substitutions, such as “password,” “p@ssword,” and “passw0rd.”
Sites often require that people include numbers or special characters in their passwords. To keep passwords easier to remember, many users take their legacy passwords and manually add characters that make sense. The hybrid brute force attack imitates this approach to find those passwords.
- Credential stuffing: Credential stuffing bots test stolen usernames and passwords in brute force attacks on dozens to hundreds of sites and applications. Since 75% of people reuse passwords across multiple accounts, a combination that works on one site will likely work on another. Validated credential pairs can be used in an ATO attack.
Brute force attacks allow cybercriminals to break into user accounts and uncover payment methods. Once they gain access, they can commit many types of account fraud and identity theft. If a customer’s account and identity information is used fraudulently on your site, your brand reputation is at risk and you may be held liable for damages.
Brute force attacks lead to financial losses, such as refunds and chargebacks for fraudulent purchases, time spent on remediation by internal security and customer support teams — not to mention lawsuits and fines that can arise if users suffer identity theft as a result of a brute force attack against your site.
There are a few telltale signs of a brute force attack:
- An unusually high number of login or checkout attempts in a short timespan: This can indicate that a large-scale attack is taking or has taken place.
- Inhuman user behaviors: Cybercriminals often use bots to carry out brute force attacks, which navigate pages more quickly and precisely than humans do.
- Odd IP behaviors: An increase in IPs associated with multiple devices, multiple accounts, or pointing into untraceable ranges — like you might see with a Tor client — can indicate that a fraudster is manipulating IPs to launch an automated brute force attack.
- Slow application response time: The increase in web traffic during large-scale brute force attacks might overwhelm your application and slow site performance.
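The first three signs above can be checked mechanically against authentication logs. The following detector is an added example (not code from the original article or from HUMAN); it assumes a constructed log format of "timestamp, client IP, account, outcome" and flags an IP for a burst of attempts inside a short window, for cycling through many distinct accounts, and for inhuman pacing between attempts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of authentication log lines (not real data): "<ISO time> <ip> <account> <outcome>"
SAMPLE_LOG = """\
2024-03-01T02:00:00 203.0.113.7 alice FAIL
2024-03-01T02:00:00 203.0.113.7 bob FAIL
2024-03-01T02:00:01 203.0.113.7 carol FAIL
2024-03-01T02:00:01 203.0.113.7 dave FAIL
2024-03-01T02:00:02 203.0.113.7 erin FAIL
2024-03-01T02:00:02 203.0.113.7 frank FAIL
2024-03-01T02:00:03 203.0.113.7 grace OK
2024-03-01T02:10:00 198.51.100.4 alice FAIL
2024-03-01T02:11:30 198.51.100.4 alice OK
"""

def parse(log_text):
    # Each line becomes (timestamp, ip, account, outcome)
    events = []
    for line in log_text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, outcome))
    return events

def detect_brute_force(events, window=timedelta(seconds=60), max_attempts=5,
                       max_accounts=3, min_gap=timedelta(seconds=1)):
    """Return {ip: [reasons]} for source IPs matching the telltale signs."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        reasons = []
        # Sign 1: more than max_attempts inside one sliding window
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > max_attempts:
                reasons.append("burst")
                break
        # Sign 2: one IP cycling through many accounts (spraying / stuffing)
        if len({e[2] for e in evs}) > max_accounts:
            reasons.append("many_accounts")
        # Sign 3: inhuman pacing, average gap between attempts below min_gap
        if len(evs) > 1 and (evs[-1][0] - evs[0][0]) / (len(evs) - 1) < min_gap:
            reasons.append("inhuman_pace")
        if reasons:
            findings[ip] = reasons
    return findings
```

In a real deployment the thresholds would be tuned to the site's normal traffic, and the "OK" outcome following a run of failures is itself worth alerting on, since it marks the guess that succeeded.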
There are several methods to stop brute force attacks:
- Identify traffic usage anomalies: If login attempts spike suddenly, especially during what are normally off-hours, this could indicate a brute force attack. This should trigger deeper forensics and stricter challenges for questionable queries and users.
- Enforce rate limiting and volumetric detection: Limiting the rate of attacks discourages cybercriminals, who need to move quickly. Requiring a pause of a few seconds between login attempts slows attacks.
- Trick and lure bots away: Honeypots, such as hidden page elements and form fields, can trick bots into revealing themselves and lure them away from your login or checkout page. In addition, sending a fake success code when a login fails could trick a bot into thinking the password worked.
- Enable behavior-based bot management: Machine learning technology can analyze human and bot behaviors, and use predictive methods to detect bots. The algorithms update in real-time, staying one step ahead of cybercriminals.
- Decrease cybercriminals’ ROI: Some technologies, such as proof of work (PoW), make it more expensive for cybercriminals to complete their attacks. This changes their cost-benefit analysis of the attack and demotivates them from targeting your site in future brute force attacks.
- Continuously gather insights: Because attacks are so dynamic and tactics and techniques are constantly morphing, it is critical to maintain an active feed of data on cyberattacks.
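The rate limiting described in the second item above, a forced pause between login attempts plus a cap on attempts per window, can be implemented as a small per-key throttle. This is an added example, not HUMAN's product code; the class name, the default limits and the injectable clock are all assumptions made for illustration.

```python
import time
from collections import defaultdict

class LoginRateLimiter:
    """Throttle per key (account name or source IP): enforce a minimum pause
    between attempts plus a cap on attempts inside a sliding window."""

    def __init__(self, min_pause=2.0, window=60.0, max_attempts=10,
                 clock=time.monotonic):
        self.min_pause = min_pause        # seconds a client must wait between tries
        self.window = window              # sliding window length in seconds
        self.max_attempts = max_attempts  # accepted attempts allowed per window
        self.clock = clock                # injectable so the logic can be replayed
        self.history = defaultdict(list)  # key -> timestamps of accepted attempts

    def check(self, key):
        """Return (allowed, retry_after_seconds) for one new attempt under key."""
        now = self.clock()
        recent = [t for t in self.history[key] if now - t < self.window]
        self.history[key] = recent
        if recent and now - recent[-1] < self.min_pause:
            return False, self.min_pause - (now - recent[-1])
        if len(recent) >= self.max_attempts:
            # Window is full; report when the oldest attempt ages out
            return False, self.window - (now - recent[0])
        recent.append(now)
        return True, 0.0

def simulate(attempt_times, key="alice", **limits):
    """Replay attempts at the given relative times (seconds) against one key."""
    now = [0.0]
    limiter = LoginRateLimiter(clock=lambda: now[0], **limits)
    results = []
    for t in attempt_times:
        now[0] = t
        results.append(limiter.check(key))
    return results

if __name__ == "__main__":
    # A bot hammering one account every half second is mostly refused
    print(simulate([0.0, 0.5, 1.0, 1.5, 2.0], min_pause=2.0))
```

Keying on the account as well as the source IP matters because a distributed botnet spreads attempts across many IPs, as the article notes, while an account-level limit still caps the total guesses against any one user.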
The Human Defense Platform offers a suite of bot management solutions that detect and stop brute force attacks against web and mobile apps and APIs. HUMAN Account Takeover Defense fights credential stuffing and account takeover attacks, and Transaction Abuse Defense defends against carding attacks. Both solutions use 350+ machine learning algorithms that grow smarter in real-time as attackers evolve their techniques.
HUMAN leverages techniques including honeypots, proof of work (PoW) and threat intelligence to apply the appropriate mitigating action. The solution takes a low latency, out-of-band approach to preserve page load performance and optimizes security resources and infrastructure costs. This gives your team the freedom to focus on innovation and growth, instead of chasing down bad bot traffic.
By stopping brute force attacks, HUMAN protects your users’ account and identity information everywhere along their digital journey.