Imperva recently detected and mitigated the largest – and most concentrated – series of brute force ATO (account takeover) attacks in its history. Over the course of 60 hours from midnight on October 28, our ATO team’s monitoring systems detected more than 44 million ATO attempts on the login page of a particular online banking service. We began blocking the attack within 15 minutes of learning of its existence.
In simple terms, ATOs involve a technique known as brute force credential stuffing, in which illicitly obtained credentials are used to gain unauthorised access to online accounts from where attackers are able to carry out malicious actions such as data theft, identity fraud or to carry out fraudulent e-commerce transactions.
Comparing the activity during the attack to a typical 24-hour period shows the sheer scale of the malicious activity.