This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. In our previous installment, we examined new account fraud through email manipulation. This second part focuses on account takeover scenarios via brute force attacks. The third installment will explore cross-channel fraud detection.
A few weeks ago, I spoke with a Fraud Operations Manager at a regional financial institution about their recent success in detecting and preventing a coordinated account takeover attempt. By implementing Splunk Enterprise Security along with the Splunk App for Fraud Analytics, their team successfully identified and blocked a sophisticated brute force attack targeting multiple high-value customer accounts. This case perfectly illustrates how modern analytics can detect attack patterns that might otherwise remain hidden until after significant damage occurs.
Account Takeover Fraud Landscape
Account Takeover (ATO) fraud represents a substantial and growing threat to financial institutions. The prevalence of account takeover continues to grow, with Security.org's annual report finding that 29% of people have experienced account takeover, an increase from 22% in 2021, representing approximately 77 million adults in the US (Security.org, 2025). The financial impact is equally concerning, with studies suggesting the average financial loss per victim was nearly $12,000 (Security.org, 2021).
For financial institutions, these attacks not only result in direct monetary losses but also trigger increased chargebacks, refund requests, and strain on fraud investigation teams.
The bank I spoke with had been experiencing an uptick in customer complaints about unauthorized access attempts. Despite having standard authentication controls in place, their existing tools were failing to identify coordinated attack patterns. Their legacy fraud detection systems were primarily designed to detect unusual transaction behavior after account compromise, rather than identifying attack patterns during the infiltration phase. These systems operated in isolation, examining each authentication attempt individually rather than connecting patterns across multiple accounts.
Three months before our meeting, the bank implemented Splunk Enterprise Security along with the Splunk App for Fraud Analytics, specifically configured to detect early indicators of account takeover attacks. This implementation focused on bringing together authentication data, geolocation information, and behavioral patterns that traditional systems were missing.
Brute Force Attack Pattern
The attack at the center of this case utilized a classic but increasingly sophisticated technique involving distributed brute force attacks. Rather than hammering a single account with numerous attempts, which most security systems easily detect, the attackers spread their attempts across multiple accounts while rotating through different IP addresses to evade detection.
This distributed approach makes the attacks far more difficult to spot with conventional tools. When a fraudster attempts hundreds of logins against a single account, most systems quickly flag and block the activity. However, when those same hundreds of attempts are spread across dozens of accounts and originate from multiple geographic locations, each individual account might only show a few failed attempts, typically not enough to trigger standard alerts.
The sophistication comes from the coordination. By distributing the attack across multiple targets while using IP rotation techniques, fraudsters effectively stay below traditional threshold-based detection systems. Most accounts might only see two or three failed attempts in a short period—not enough to trigger account lockouts or alerts in many systems.
What makes this approach particularly dangerous is that the attackers only need to be successful once. If dozens or hundreds of accounts are targeted, even a 1% success rate yields several compromised accounts. And with each successful compromise, fraudsters gain access to sensitive customer information and financial accounts that can lead to significant losses.
Dashboard Alert Reveals Suspicious Activity
The case began one morning when the fraud team was reviewing the "Fraud Posture" dashboard in Splunk. The system had identified a risk score of 70 for user acct_user7429, triggering a "Possible ATO" warning specifically for web traffic.
The risk score was primarily driven by three contributing scoring rules:
What immediately caught the team's attention was the combination of rules firing simultaneously. While a few failed login attempts might be normal user error, the pattern suggested a coordinated attempt targeting multiple accounts from the same sources.
Splunk dashboard alerts
Investigation Process
The investigation followed a methodical process that demonstrates the value of connected security data. After identifying the high-risk account, the analyst navigated to the “Web Traffic Analysis” dashboard to examine the authentication patterns more closely.
The dashboard immediately revealed something alarming—the account showed over 1,800 failed login attempts coming from numerous IP addresses spread across many different countries. More concerning still, the logged_in column consistently showed a value of 0, indicating that none of these attempts had yet been successful. This volume of failed attempts clearly pointed to an automated attack rather than legitimate user activity.
To determine if this was a targeted attack or part of a broader campaign, the analyst selected one suspicious IP address—203.0.113.42—and analyzed all web traffic associated with it. This crucial investigative step revealed that the same IP had attempted to log into several other customer accounts, all unsuccessfully.
"What we found wasn't just a single compromised account, but evidence of a coordinated attack targeting multiple customers," the Fraud Operations Manager explained. "Without the ability to connect activity across different accounts and view authentication attempts holistically, we would have missed the pattern entirely."
By expanding the investigation to examine all traffic from suspicious IP addresses, the team ultimately identified dozens of customer accounts being targeted by the same attack pattern. The attackers were systematically rotating through different IP addresses while attempting commonly used passwords against each account—a classic brute force methodology, but distributed to avoid detection.
With clear evidence of a coordinated attack in progress, the fraud team alerted the bank's InfoSec team, who quickly implemented IP blocks and additional account protections before any accounts could be successfully compromised.
Multi-layered Detection Capabilities
The bank's implementation of Splunk included several key technical components that enabled successful detection of this brute force attack pattern. Their approach combined multiple detection methodologies working in concert:
At the foundation of their detection strategy was a sophisticated real-time monitoring system for authentication activity. Using the Splunk search capabilities, they created queries that track failed login attempts across all digital channels. These searches identify sources making multiple failed authentication attempts against user accounts within short time windows—a classic signature of brute force attacks.
But unlike traditional systems that only track attempts against a single account, their implementation aggregated attempts across their entire customer base, allowing them to spot distributed attack patterns that might otherwise fly under the radar.
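The search below is an added example of that customer-base-wide aggregation; it is not the bank's own search or part of the Splunk App for Fraud Analytics. It assumes web login events in an index named `web` with the fields `action`, `user`, `src_ip` and `logged_in` (0 = failed), and it surfaces sources that spread a few attempts each over many accounts, which a per-account threshold would miss.

```spl
index=web action=login logged_in=0
| bucket _time span=15m
| stats count AS failed_attempts dc(user) AS targeted_accounts values(user) AS accounts BY src_ip, _time
| eval attempts_per_account = round(failed_attempts / targeted_accounts, 1)
| where targeted_accounts >= 5 AND attempts_per_account <= 5
| iplocation src_ip
| sort - targeted_accounts
| table _time src_ip Country targeted_accounts failed_attempts attempts_per_account accounts
```

The `attempts_per_account <= 5` clause deliberately keeps the low-and-slow sources, which is the distributed pattern described above; drop it to see high-volume sources as well. Any `src_ip` returned can then be pivoted on with `index=web src_ip=<address>` to review all of its traffic, as the analyst did in the case.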
Building on this foundation, they used Splunk Enterprise Security along with the Splunk App for Fraud Analytics to create searches that establish normal patterns for each customer and flag significant deviations. These searches detect when a user's login patterns deviate significantly from their historical behavior, potentially indicating account takeover following a successful brute force attack.
The system bases these determinations on each customer's unique usage patterns rather than applying a one-size-fits-all threshold, allowing for more precise detection with fewer false positives.
Perhaps the most impressive aspect was their implementation of geolocation analysis, which could identify physically impossible login patterns. These searches detect users who have successfully authenticated from multiple geographic locations within timeframes that would make physical travel between the locations impossible—a pattern that strongly indicates account takeover rather than legitimate user activity.
The system automatically calculates whether the reported locations could be reached within the given timeframe, flagging these impossible travel scenarios for immediate investigation.
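An added example of an impossible-travel search (not the bank's own implementation): it geolocates each successful login, pairs it with the same user's previous login, and computes the great-circle distance and implied speed. It assumes the same `web` index and fields as above, that `iplocation` returns `lat`, `lon` and `City`, and uses an illustrative 900 km/h ceiling with a 100 km floor to ignore geolocation jitter within one city.

```spl
index=web action=login logged_in=1
| iplocation src_ip
| where isnotnull(lat) AND isnotnull(lon)
| sort 0 user _time
| streamstats current=f window=1 last(_time) AS prev_time last(lat) AS prev_lat last(lon) AS prev_lon last(src_ip) AS prev_ip last(City) AS prev_city BY user
| where isnotnull(prev_time)
| eval hours = (_time - prev_time) / 3600
| eval to_rad = pi() / 180
| eval dist_km = 6371 * acos(min(1, cos(lat * to_rad) * cos(prev_lat * to_rad) * cos((lon - prev_lon) * to_rad) + sin(lat * to_rad) * sin(prev_lat * to_rad)))
| eval speed_kmh = if(hours > 0, dist_km / hours, 99999)
| where dist_km > 100 AND speed_kmh > 900
| table _time user prev_ip prev_city src_ip City dist_km hours speed_kmh
```

The `min(1, ...)` guard keeps floating-point rounding from pushing the `acos` argument above 1, which would otherwise silently drop the event.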
After gaining access through brute force methods, attackers typically modify account settings to maintain control. Splunk can monitor for suspicious changes with searches that identify accounts with multiple modification events occurring in rapid succession, a common pattern after successful account takeover.
These searches look for changes to email addresses, phone numbers, security questions, or password resets that occur shortly after authentication, especially when those authentications themselves showed suspicious patterns.
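An added example of a post-authentication monitoring search (not from the bank's deployment). It groups each successful login with the profile-change events that follow it within 15 minutes and flags accounts with two or more such changes; the action names `update_email`, `update_phone`, `update_security_question` and `reset_password` are assumed and should be mapped to the event types in your own data.

```spl
index=web action IN (login, update_email, update_phone, update_security_question, reset_password)
| transaction user startswith=eval(action="login" AND logged_in=1) maxspan=15m maxevents=25
| eval profile_changes = mvcount(mvfilter(match(action, "^(update_|reset_)")))
| eval distinct_src_ips = mvcount(src_ip)
| where profile_changes >= 2
| eval risk_note = if(distinct_src_ips > 1, "profile changed from a different IP than the login", "")
| table _time user src_ip action profile_changes duration risk_note
```

Because `transaction` merges the events, `action` and `src_ip` become multivalue fields, so a login from one address followed by changes from another shows up directly in `risk_note`.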
Implementing Multi-layered Defense with Risk-Based Alerting
An effective defense against brute force attacks requires a multi-layered approach using Splunk's Risk-Based Alerting framework. Here's how financial institutions can implement this protection:
The bank configured Splunk to assign risk scores to various suspicious activities and correlate them to identify potential attacks. Their implementation evaluates the frequency and severity of failed login attempts and assigns appropriate risk scores based on established thresholds. When risk scores exceed predefined levels, the system automatically triggers alerts to the security team, enabling rapid response to emerging threats.
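An added example of this kind of risk scoring, written as a single standalone search rather than as the bank's configuration: three illustrative rules each contribute points, the contributions are summed per user, and a total of 70 or more yields the "Possible ATO" message seen on the dashboard. The weights and thresholds are assumptions for illustration; in Enterprise Security each rule would normally be its own correlation search writing to the risk index.

```spl
index=web action=login earliest=-1h
| eventstats dc(user) AS accounts_hit_by_src BY src_ip
| stats count(eval(logged_in=0)) AS failed_logins dc(src_ip) AS failing_sources max(accounts_hit_by_src) AS max_accounts_hit_by_src count(eval(logged_in=1)) AS successes BY user
| eval risk_failed_volume = case(failed_logins >= 100, 40, failed_logins >= 20, 25, failed_logins >= 5, 10, true(), 0)
| eval risk_many_sources = case(failing_sources >= 10, 30, failing_sources >= 3, 15, true(), 0)
| eval risk_shared_attacker = if(max_accounts_hit_by_src >= 5, 20, 0)
| eval risk_score = risk_failed_volume + risk_many_sources + risk_shared_attacker
| eval risk_message = case(risk_score >= 70, "Possible ATO", risk_score >= 40, "Watch", true(), "Info")
| where risk_score >= 40
| sort - risk_score
| table user risk_score risk_message failed_logins failing_sources max_accounts_hit_by_src successes
```

The `risk_shared_attacker` rule is what ties the individual account back to the campaign: it scores an account higher when the sources failing against it are also hitting other customers, so a user with only a handful of failures can still cross the alert line.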
The bank integrated Splunk with threat intelligence feeds to identify known malicious IPs. This feature enhances detection by incorporating external threat intelligence to identify connections from suspicious sources. By cross-referencing authentication attempts with threat intelligence data, the system can assign higher risk scores to login attempts from known malicious sources.
When brute force patterns are detected, they implemented automatic account protection measures. Their system includes automated workflows that temporarily lock accounts showing signs of being targeted and initiate additional verification steps. These protection measures help contain potential breaches while minimizing customer impact.
The bank built a customer notification system to keep customers informed when suspicious activity is detected. This proactive communication system alerts customers to potential threats via email, SMS, or in-app notifications based on customer preferences. The system includes templates for different types of suspicious activities, ensuring clear and consistent communication.
Dashboard Visualization for Effective Monitoring
Splunk's visualization capabilities are crucial for monitoring and responding to brute force attacks effectively. Key dashboards include:
The Fraud Posture dashboard provides an overview of potential fraud incidents, helping teams quickly identify issues requiring investigation. This dashboard displays:
Splunk Fraud Posture
This dashboard allows analysts to drill down into specific user activity to identify suspicious patterns:
Splunk Web Traffic Analysis Dashboard
When investigating a specific account, this dashboard provides detailed insights into:
Immediate Response and Outcome
Once the pattern was identified, the bank's security team took swift action to contain the threat. Their first priority was implementing immediate IP blocks for all addresses involved in the attack, effectively cutting off the attackers' access. They simultaneously placed temporary additional authentication requirements on all targeted accounts, ensuring even successful credential compromises couldn't lead to account access.
Going beyond immediate containment, they conducted a thorough review of all targeted accounts to identify any that might have been compromised before detection. They found two accounts where attackers had successfully gained access but hadn't yet conducted any unauthorized transactions. For these accounts, they initiated password resets and direct customer contact to verify legitimate access.
The response extended to broader security enhancements as well. The bank implemented additional API rate limiting controls that would restrict the number of authentication attempts possible within specific timeframes, regardless of source IP. This systemic change helped address the vulnerability across their entire customer base.
"This case completely changed our approach to authentication security," the Fraud Operations Manager explained. "We realized we needed to look beyond individual account activity to see coordinated patterns across our customer base."
The financial impact of their intervention was significant. Based on analysis of similar historical cases, they estimated that a successful attack of this scale could have resulted in losses exceeding one million dollars. Their proactive detection prevented any financial loss from occurring and protected their customers from the significant disruption of account compromise.
Broader Implications and Strategic Insights
This brute force detection case transformed how the bank approaches account security and authentication monitoring. They've moved from a largely reactive posture to a proactive threat hunting methodology, regularly searching for emerging attack patterns rather than waiting for traditional alerts.
The success they had with cross-account pattern detection inspired them to apply similar techniques to other security domains. They're now connecting data across channels, allowing them to identify when attackers pivot from failed web authentication attempts to mobile or call center attacks.
What stood out most from our conversation was how this case highlighted the changing nature of modern attacks. "Fraudsters have evolved beyond targeting individual accounts," the fraud manager noted. "They're launching coordinated campaigns that exploit the blind spots in traditional systems. We needed to evolve our detection capabilities to match."
The bank now emphasizes holistic pattern recognition over individual account monitoring. By aggregating and normalizing authentication data across their entire customer base, they can identify subtle attack patterns that would remain invisible when looking at accounts in isolation.
They've also adjusted their risk modeling approach. Rather than using static thresholds, they've implemented dynamic risk scoring that adapts to emerging threats and considers the relationships between seemingly disparate events. This more sophisticated approach allows them to detect coordinated attacks even when individual components stay below traditional alert thresholds.
Perhaps most importantly, this case demonstrated the value of real-time detection over post-compromise analysis. By identifying attack patterns during the attempt phase rather than after successful compromise, they prevented financial losses before they could occur. This shift from detection to prevention represents a fundamental evolution in their security posture.
Conclusion
The distributed brute force case provides a compelling example of how modern fraud detection requires sophisticated pattern recognition across seemingly unrelated accounts. By implementing Splunk Enterprise Security along with the Splunk App for Fraud Analytics, this bank was able to detect attack patterns that would have remained invisible in traditional account monitoring systems.
As fraudsters continue to evolve their tactics from single-account attacks to coordinated campaigns, financial institutions must adapt their detection capabilities accordingly. This case demonstrates how the right combination of technology, configuration, and expertise can transform seemingly routine authentication data into clear attack patterns—ultimately protecting both the institution and its customers.
In the next and final article of this series, we will examine how Splunk aided in detecting cross-channel fraud patterns, highlighting how fraudsters increasingly exploit the gaps between different banking channels. Stay tuned for part three, coming soon.