
Are brute-force attacks against online accounts (gmail, facebook, instagram) something that really happens? I don't mean something like cracking password hashes or DDoS, but real brute-force attacks (e.g., password guessing) using a botnet or proxies.

I think most big web applications are secured against this using things like rate limits so it does not seem realistic to me but I would like to know if there are any known publications / statistics.

D.W.
Martin
  • Attacks on something that is vulnerable to session fixation are more common, 'cause it then does not have rate limiting. But then again, neither Google, Facebook nor Instagram are vulnerable to session fixation. PS: I too did think you were talking about DDoS at first, 'til I read the question a second time. – grochmal Sep 30 '16 at 16:15
  • @Martin sorry, my bad. But doesn't your ID usually get locked, or you're prompted for a Captcha or two-factor authentication if your IP address is different? All these require resources to implement, so the attacker is always looking for the absence of these. – JOW Sep 30 '16 at 16:20

3 Answers


I prefer to call them "online password guessing attacks" since "brute force" has a specific meaning that may not always apply to these attacks. But yes, they do still happen and here are a few example stats for you:

Microsoft: “we detect more than 10 million credential attacks every day across our identity systems.”

Akamai: They observed "999,980 IPs were involved in the attacks against [a financial institution] customer's login page." 427 million accounts were checked in a one-week period. They also saw 817,390 IPs making 388 million login attempts using 65 million email addresses against an entertainment industry customer. Comparing source IPs of both attacks, they found a 70% match, implying the same org was responsible for both attacks, or that they used the same botnet.

Google: “We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time. A different gang attempted sign-ins at a rate of more than 100 accounts per second.” This was reported in 2013, but I'm sure they still face similar attacks.

Taobao: Taobao was attacked via an online guessing attack over a few days in Oct 2015. The attackers used 99M credentials collected from other sites. 20.5 million credentials matched Taobao accounts, which was about 1 in 20 of their total annual active buyers. It wasn't detected until November; however, Alibaba says that at the time their security systems discovered and blocked the vast majority of log-in attempts. It still resulted in around $1 million of fraud transactions on their site.

In these cases these sites may have rate limiting or other adaptive authentication controls in place, but they aren't 100% effective in preventing all account takeover attempts.

PwdRsch
  • To piggyback: I have a dozen or so very small sites that no one visits. I get several thousand random login attempts a day. I use a combination of flood-control blacklists and captcha to protect my login and contact forms. Not only do these attacks still happen, they are more numerous every year. – danielson317 Sep 30 '16 at 18:39
  • 20.5M out of 99M is about 1 in 5, or 20%, not 1 in 20. – jpmc26 Sep 30 '16 at 19:36
  • @jpmc26 Your math is impeccable, but Taobao qualified that figure by referring only to "annual active buyers" and not affected users as a whole. Presumably the other 15% is compromised customers who they don't consider 'active buyers'. Maybe this was their way of trying to downplay the impact. – PwdRsch Sep 30 '16 at 19:45
  • Or I should pay more attention to my units. Credentials != customers. lol. Sorry. Thanks. – jpmc26 Sep 30 '16 at 19:47
  • It sounds like some of these may not be "guessing" so much as using known credentials, either directly known to be the actual password, or a password used in combination with that email from another service. – Alexander O'Mara Sep 30 '16 at 21:08
  • When attackers attempt to use leaked or stolen credentials on other sites it is called "credential stuffing". In my opinion this is still under the umbrella of guessing attacks. – PwdRsch Sep 30 '16 at 21:32

Anecdotally, yes. WordPress sites are subject to straight-up password guessing attacks all the time. WordPress does allow user-name enumeration by default, and there seem to be a few folks that use real user names to try to guess just the password, but the bulk of the attacks guess both user names and passwords.

I ran a WordPress honey pot for a couple of years, and I saw many password guessing attacks. Most were from a single IP address, but a few were from 50-60 IP addresses. I got as many as 280 thousand guesses in a day.

I don't know of any publications or even attempts at comprehensive stats, so all I've got are anecdotes.

Bruce Ediger
  • It would be nice if you could release stats or even dumps from your honeypot, not only those related to password guessing attacks. – A. Darwin Sep 30 '16 at 16:24
  • @A.Darwin - see http://stratigery.com/phparasites for a write up of the first few months. Longer term, I re-wrote the honeypot, but the results were almost exactly the same. – Bruce Ediger Sep 30 '16 at 18:42
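The two answers above describe two shapes of online guessing: one source hammering many accounts (the honeypot's single-IP attacks, WordPress name-plus-password guessing) and many sources spread thinly across one account (the 50-60 IP attacks, the Akamai botnets). The following is an added example, not code from either answer, that runs both checks over a constructed auth log so a defender can see why a per-IP limit alone misses the distributed case. Log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Assumed log line format (constructed for this example):
#   ip=<source> user=<login name tried> result=ok|fail
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


def build_sample_log():
    """Constructed sample traffic, not real data.
    Attack A: one IP guessing 40 different user names (name + password guessing).
    Attack B: 12 IPs, 3 failures each, all aimed at the account 'alice'.
    Benign: one user mistypes twice, then logs in."""
    lines = [f"ip=203.0.113.5 user=guest{i} result=fail" for i in range(40)]
    for n in range(1, 13):
        lines += [f"ip=198.51.100.{n} user=alice result=fail"] * 3
    lines += ["ip=192.0.2.9 user=bob result=fail",
              "ip=192.0.2.9 user=bob result=fail",
              "ip=192.0.2.9 user=bob result=ok"]
    return lines


def detect_guessing(lines, ip_fail_max=20, ip_user_max=10, account_ip_max=5):
    """Return IPs and accounts whose failure pattern looks like guessing.
    Thresholds are illustrative; a real deployment would also window by time."""
    fails_by_ip = defaultdict(int)      # classic per-IP rate limit view
    users_by_ip = defaultdict(set)      # one IP trying many names (enumeration/spray)
    ips_by_user = defaultdict(set)      # many IPs converging on one account
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["result"] != "fail":
            continue                    # successes and unparsable lines are ignored
        ip, user = m["ip"], m["user"]
        fails_by_ip[ip] += 1
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)
    return {
        "noisy_ips": sorted(ip for ip, n in fails_by_ip.items() if n >= ip_fail_max),
        "spraying_ips": sorted(ip for ip, us in users_by_ip.items() if len(us) >= ip_user_max),
        "targeted_accounts": sorted(u for u, ips in ips_by_user.items() if len(ips) >= account_ip_max),
    }


if __name__ == "__main__":
    print(detect_guessing(build_sample_log()))
```

Note that none of the 198.51.100.x addresses appear in `noisy_ips`: each stays under the per-IP limit, and only the per-account view exposes the distributed attack on `alice`.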

Captchas barge in the house to save the day. Not only captchas, actually. Once I was trying to make a simple Gmail PDA (Python Dictionary Attacker). It basically just reads every line from a dictionary file and tries all the words for the inputted email.

But I couldn't do it because Gmail has this new feature, a user setting, that disallows receiving or even authenticating from a "non-modern email service". And it's turned on by default. See this for more: https://support.google.com/accounts/answer/6010255?hl=en

But that doesn't mean it's not possible. It is. Of course they may not be "the thing" but they definitely are "a thing". There are a lot of young aspiring IT enthusiasts out there that are yet to reveal their talents. One of them might be the one to figure out a clever and more accurate way-around for these captchas. One of them could even be the one to hack the unhackable. And most of them have the goal of a white hat, or at least grey, and they just want you to feel a lot more secure so cheer up.

mzcoxfde
  • That feature disallows logins using clients not supporting OAuth2. Your bruteforcer failed because it was using plain IMAP, but nothing prevents you from making a bruteforcer which understands the OAuth flow and bruteforces the authorization page. – André Borie Sep 30 '16 at 18:32