Response Processors: Login Processor: Incident - Site Login User Pooling

Complexity: Low (2.0)

Default Response: None.

Cause: The login processor is designed to protect the login dialog of the website. It works by monitoring all login attempts and identifying suspicious and malicious events. This specific incident is triggered when a single client successfully logs into several different accounts. Depending on the nature of the protected site, this can be perfectly acceptable behavior; on some sites, however, this type of behavior can be harmful.

Behavior: There are two possibilities for this incident. Firstly, a single user might have signed up for multiple accounts on the protected site and is simply using those accounts. On some sites, this alone would be considered malicious, while on other sites it is considered perfectly acceptable. For example, an online e-mail provider can allow its users to sign up for multiple e-mail accounts. On the other hand, a billing website for your home utility provider would probably not expect a single household to have multiple accounts. The other possibility is that a single user has hijacked several other accounts. This can be more obvious if there is also a "Site Login User Sharing" incident for the username. This would indicate that not only is the malicious user logging into multiple accounts, but other users are also logging into those accounts. Generally, an account should be used by a single user unless the website has specific rules about allowing users to share account details.
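
Example: The following sketch is an added illustration, not the login processor's own code. It shows how the pooling condition (one client, several accounts) can be correlated with the sharing condition (one account, several clients) to separate the two possibilities described above. The event format, the client identifiers and both thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample login events: (client_id, username, login_succeeded).
# client_id stands for whatever identifier tracks a single client (assumed).
EVENTS = [
    ("client-A", "alice", True),
    ("client-A", "bob", True),
    ("client-A", "carol", True),
    ("client-A", "dave", False),  # failed attempt: not a successful login
    ("client-B", "bob", True),    # a second client on bob's account
    ("client-C", "erin", True),
    ("client-C", "erin", True),   # repeat login to the same account
]

POOLING_THRESHOLD = 3  # assumed: distinct accounts per client
SHARING_THRESHOLD = 2  # assumed: distinct clients per account


def correlate(events, pooling=POOLING_THRESHOLD, sharing=SHARING_THRESHOLD):
    """Return pooling findings per client, noting accounts that are also shared."""
    accounts_by_client = defaultdict(set)
    clients_by_account = defaultdict(set)
    for client, user, succeeded in events:
        if not succeeded:
            continue  # only successful logins count toward pooling
        accounts_by_client[client].add(user)
        clients_by_account[user].add(client)

    shared = {u for u, c in clients_by_account.items() if len(c) >= sharing}
    findings = {}
    for client, users in accounts_by_client.items():
        if len(users) < pooling:
            continue
        overlap = sorted(users & shared)
        findings[client] = {
            "accounts": sorted(users),
            "also_shared": overlap,
            # Overlap with shared accounts points to hijacking rather than
            # one person using several accounts of their own.
            "assessment": "possible hijacking" if overlap
            else "multiple own accounts: check site policy",
        }
    return findings


if __name__ == "__main__":
    for client, finding in correlate(EVENTS).items():
        print(client, finding)
```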