Recently 1,000s of attacks have been occurring involving Yahoo mail and their users, and that is just one proxy that has been recorded. Brute force attacks are being used to steal users’ credentials and access their email accounts to conduct spamming attacks. With the future of Authentication Trends showing an increase in hackers, and phishing attacks, it is no wonder this is a recent hot topic. Attacks need access to happen and with the growing number of access points, to get to data, it is no wonder attacks are increasing as well.
The main login page for Yahoo mail is protected against these brute force attacks, which are when hackers just keep trying to guess credentials, until they are able to steal them. Usually they implement an automated script that cycles through passwords and names, until finding the correct match. They use mechanisms such as:
· Enforce strike-out limits – the user will be prompted to enter in a CAPTCHA after they fail at entering their credentials “n” number of times.
· Incorrect credential is not specified – the error page following an incorrect login attempt, does not inform the user which part of their credentials, the username or password, was incorrect.
These mechanisms have been working to protect Yahoo mail users. Recent attacks and stealing of credentials happened through a service application, outside of Yahoo. With this API access point, hackers saw an open door.
This API is meant for ISP’s and third-party Web applications, but it does not enforce the same authentication mechanisms as Yahoo mail does, such as anti-automation defenses. There are no strike-out limits or CAPTCHAs, and the error page specifies which part of the credential you entered incorrectly. Hackers figured out quickly how to hammer this application with attacks, daily.
With further investigation it was found that hackers were trying something different in their attacks. Usually these brute force attacks are aimed at the Web interface that is highly visible, but this application was not for end-users, and just helped validating authentication credentials.
To fight these attacks the Web Application Security Consortium Distributed Open Proxy Honeypot project is being created. By getting attackers to push through the one proxy server for the project, the suspects can be monitored. It is a great idea, but with multiple phases of implementation, which started in 2007.
Yahoo has hundreds of servers, and attackers are learning to spread their attacks across a breadth of them. With current authentication mechanisms and projects, IT professionals are attempting to reduce attacks. Of course we all have to take a look at the overwhelming problem; users require multiple access points on a daily basis, and access opens the door for attacks. This will definitely be an ongoing dilemma.