Widespread Brute Force Login Attempts
Date: 16 February 2017
The purpose of this alert is to bring attention to ongoing and widespread brute force login attempt activity observed targeting retail organizations.
CCIRC has received reports from several retail sector companies concerning ongoing brute force login activity against their customer portals. The malicious actors appear to be targeting retail organizations that operate customer reward or loyalty programs, and are using customer account credentials compromised elsewhere (credential stuffing, which succeeds wherever customers reuse passwords across sites) to steal earned rewards or points. Customer rewards have a translatable cash value, as they can typically be exchanged for gift cards and/or other merchandise or services, or sold to a third party.
Malicious actors have used several tactics in this activity, including:
- using multiple credential lists harvested from past publicly disclosed compromises of third-party services and websites
- password spraying: trying a short list of commonly used passwords against many accounts drawn from public email address lists
- throttling their own login attempts to remain below detection thresholds
- using multiple malicious hosts simultaneously, so that no single source stands out
- using proxy servers and VPNs to hide the true source of the malicious traffic
Access to customer accounts and the customer data they contain could also enable the malicious actors to carry out other fraudulent activity, including phishing of the affected customers.
CCIRC recommends that organizations review the following mitigations and consider implementing them in the context of their own network environment.
- Use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) on login forms. A CAPTCHA raises the cost of automated attempts but can be outsourced to solving services, so it should complement, not replace, the controls below.
- Employ geo-blocking against website visitors from outside your typical customer area. Because the actors route traffic through proxies and VPNs, expect this to reduce noise rather than stop the activity.
- Implement multi-factor authentication.
- Review logs for any suspicious activity or traffic that may indicate brute force login attempts. CCIRC suggests investigating any non-typical network or web server activity or usage metrics, including:
  - Extended periods of high load, traffic or usage.
  - A high volume of account login failures, including failures for accounts that do not exist or that do not conform to your username and password conventions.
  - Multiple login attempts for different users from the same IP address.
  - A high volume of login attempts from outside your typical customer area.
- Disallow redemption of customer rewards for items with direct monetary value (e.g. gift cards or vouchers).
- Cross-reference customer email addresses with those in publicly known compromised credential sets, and require a password reset for any matches.
- Employ a strong password policy and disallow commonly used passwords.
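The log indicators listed above, together with the self-throttling and multi-host tactics described earlier in the alert, can be checked against ordinary web server login records. The Python script below is an added example and is not part of the CCIRC alert: the log format, the sample records, the GeoIP stand-in table, the thresholds and all function names are constructed assumptions. Its point is to aggregate attempts per source over a long window rather than per minute, which is what catches a source that deliberately stays under a per-minute limit while working through many accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not taken from the alert), one per line:
# "timestamp ip username result", where result is ok, bad_password or
# no_such_user.  198.51.100.10 is a legitimate customer who mistypes once;
# 192.0.2.55 sprays six different accounts within five seconds.
SAMPLE_LOG = """\
2017-02-14T08:00:01Z 198.51.100.10 alice@example.com bad_password
2017-02-14T08:00:09Z 198.51.100.10 alice@example.com ok
2017-02-14T08:02:00Z 192.0.2.55 ivan@example.com bad_password
2017-02-14T08:02:01Z 192.0.2.55 judy@example.com no_such_user
2017-02-14T08:02:02Z 192.0.2.55 mallory@example.com bad_password
2017-02-14T08:02:03Z 192.0.2.55 oscar@example.com no_such_user
2017-02-14T08:02:04Z 192.0.2.55 peggy@example.com no_such_user
2017-02-14T08:02:05Z 192.0.2.55 trent@example.com bad_password
2017-02-14T09:00:00Z 198.51.100.10 alice@example.com ok
"""

# A self-throttling source (constructed): one attempt every six minutes for
# four hours, each against a different account.  It never exceeds one attempt
# per minute, so a per-minute threshold alone would not notice it.
SLOW_IP = "203.0.113.7"
SLOW_EVENTS = [
    (datetime(2017, 2, 14, 8, 1) + timedelta(minutes=6 * i), SLOW_IP,
     f"user{i:02d}@example.com",
     "no_such_user" if i % 4 == 0 else "bad_password")
    for i in range(40)
]

# Stand-in for a GeoIP lookup (constructed); "ZZ" is outside the customer area.
GEO = {"198.51.100.10": "CA", "203.0.113.7": "CA", "192.0.2.55": "ZZ"}
HOME_COUNTRIES = {"CA", "US"}

# Thresholds are assumptions; tune them to your own baseline traffic.
PER_MINUTE_LIMIT = 5      # what a simple per-minute rate limiter would enforce
MAX_DISTINCT_USERS = 5    # distinct accounts one source may try in the window
MAX_UNKNOWN_ACCOUNTS = 3  # attempts against non-existent accounts per source


def parse_log(text):
    """Parse 'timestamp ip user result' lines into (datetime, ip, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, result))
    return events


def summarize_by_ip(events):
    """Aggregate per source over the whole window, not per minute, so that a
    source which throttles itself still accumulates against the thresholds."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "unknown": 0,
                                 "users": set(), "per_minute": defaultdict(int)})
    for ts, ip, user, result in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["per_minute"][ts.replace(second=0, microsecond=0)] += 1
        if result != "ok":
            s["failures"] += 1
        if result == "no_such_user":
            s["unknown"] += 1
    return stats


def flag_sources(events):
    """Return {ip: [reasons]} for sources matching the alert's indicators."""
    findings = {}
    for ip, s in summarize_by_ip(events).items():
        reasons = []
        peak = max(s["per_minute"].values())
        if len(s["users"]) >= MAX_DISTINCT_USERS:
            reasons.append("many_distinct_users")
            if peak <= PER_MINUTE_LIMIT:
                # Many accounts tried while staying under the per-minute
                # limit: the "throttle to evade thresholds" tactic.
                reasons.append("rate_limited_spray")
        if s["unknown"] >= MAX_UNKNOWN_ACCOUNTS:
            reasons.append("unknown_accounts")
        if GEO.get(ip, "??") not in HOME_COUNTRIES:
            reasons.append("outside_customer_area")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in flag_sources(parse_log(SAMPLE_LOG) + SLOW_EVENTS).items():
        print(ip, ", ".join(reasons))
```

Run as a script it prints each flagged source with its reasons; the legitimate customer who mistyped once is not reported. For the multi-host tactic, where each IP keeps its own counts small, the same counters should also be aggregated per target account and across the whole site, since a distributed run still produces an abnormal overall failure ratio and an abnormal number of attempts against accounts that do not exist.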
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118