Credential Stuffing: New Tools and Stolen Data Drive Continued Attacks
Automated credential stuffing attacks have been a boon to cybercriminals seeking to cash in on stolen login credentials. The steady stream of data breaches in which credentials are stolen has led to huge increases in automated script attacks, where fraudsters use bots to attempt many logins at the same time, maximizing the chances of success. Credential stuffing is now one of the main tools fraudsters use for cybercrime. This trend has grown continually over the past few years and is set to keep growing as we enter a new decade.
Barriers to Entry in Free Fall
Credential stuffing is an attack in which fraudsters take stolen or purchased web account credentials (usernames or email addresses paired with passwords, typically bought on the dark web) and replay them in large-scale automated requests, usually driven by bots, to gain access to user accounts in other applications. This is what we call an automated script attack: a fraudster scripts a website's own login forms (and sometimes its application or sign-up forms) to submit large numbers of stolen credentials at the same time.
Large-scale data breaches continue to drive the supply of stolen details, yet the price of account credentials on the dark web has actually increased. It's classic supply and demand: with demand exceeding supply, more fraudsters are trying their hand, and they quickly realise they need to automate their jobs just like any analytics professional.
Far too many of us reuse the same usernames and passwords across numerous accounts, which helps fuel these attacks: one valid pair from a single breach unlocks every other site where it was reused. "123456," "qwerty," and "abc123" still rank among the top 10 most commonly compromised passwords. On top of this, computer processing power has increased dramatically in the last few years, allowing for faster script attacks.
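Password reuse is what makes a stolen pair worth replaying, and the cheapest countermeasure a site can deploy is to refuse any password that already appears in a breach corpus. The following is an added example, not code from the original article or from any vendor: it implements a k-anonymity style breached-password check (the pattern used by range-lookup services, where only the first five hex characters of the SHA-1 hash ever leave the client) against a constructed, in-memory corpus. The corpus, its counts, and all function names are assumptions for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus for the example: (password, times seen).
# The counts are invented, not real breach statistics.
CORPUS = [("123456", 2_300_000), ("qwerty", 390_000),
          ("abc123", 280_000), ("password1", 150_000)]


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: 35-hex-char suffixes grouped under a 5-hex-char
    (20-bit) SHA-1 prefix, the shape of a k-anonymity range lookup."""
    index = defaultdict(list)
    for password, count in corpus:
        digest = sha1_hex(password)
        index[digest[:5]].append((digest[5:], count))
    return index


INDEX = build_range_index(CORPUS)


def range_query(prefix):
    """Server side: all it ever learns about the candidate is the prefix,
    and it answers with every suffix sharing that prefix."""
    return list(INDEX.get(prefix, []))


def breach_count(candidate, lookup=range_query):
    """Client side: hash locally, send only the prefix, match the suffix
    at home. Returns how often the password appeared in the corpus."""
    digest = sha1_hex(candidate)
    prefix, suffix = digest[:5], digest[5:]
    for seen_suffix, count in lookup(prefix):
        if seen_suffix == suffix:
            return count
    return 0


def password_acceptable(candidate, min_len=12, lookup=range_query):
    """Reject anything already in the corpus: a stuffing list will contain
    it. The length check stands in for the rest of a password policy."""
    return len(candidate) >= min_len and breach_count(candidate, lookup) == 0


if __name__ == "__main__":
    for pw in ("123456", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times, "
              f"acceptable={password_acceptable(pw)}")
```

The split between `range_query` and `breach_count` is the point: the server never sees the full hash, so a screening service cannot itself become a source of credentials, while the client still learns whether its exact password is in the corpus.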
Cybercriminals validate these credentials through small credential-testing attacks before launching a major offensive against their ultimate target.
Hackers rapidly evolve their attack methodologies. More advanced credential-stuffing bots take a "low and slow" approach, spacing attempts out and spreading them across many sources to mimic legitimate customer behavior and slip just beneath the velocity thresholds that rate-based defenses rely on. This makes them far harder to detect.
However, tech-savvy crime syndicates are also doing something far more unsettling: selling user data (account credentials, cookies, browser user agents and more) belonging to malware-infected web users whose account passwords and full browser details have been recorded. One way of collecting this is a keylogger trojan, malware that records the user's keystrokes and so captures the passwords and credentials used for different websites.
The haul includes browser user-agent strings, WebGL signatures, HTML5 canvas fingerprints, user profiles and login credentials for banking, file-sharing and social media services, together with the session cookies associated with those accounts. Bot attacks that replay this user data may appear nearly indistinguishable from legitimate traffic, because the device fingerprint and cookie presented to the site are the victim's own.
Others use AI-enabled autonomous agents that emulate human behavior in order to evade detection. Cybercriminals also increasingly route bot traffic through residential IP addresses so that it appears to originate from innocuous, low-risk sources rather than from data centers.
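To make the "low and slow" point concrete, here is an added example (not code from the original article, and not any vendor's product logic) that runs a classic per-IP velocity check and two aggregate signals over constructed auth-log lines. The log format, the thresholds, the IP ranges and the known-pair history are all assumptions for illustration. It covers both the low-and-slow pacing and the residential-IP spread described above: each attacking IP makes only two attempts, minutes apart, so no single IP ever exceeds a per-minute limit, yet the site-wide failure ratio and the number of failures from never-before-seen (account, source) pairs both jump.

```python
# Added example with constructed data; not code from the original article.
# Assumed log format: '<iso-timestamp> <client-ip> <username> <OK|FAIL>'.
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 3, 1, 10, 0, 0)

# Constructed login history: (username, ip) pairs with a prior successful
# login. A real deployment would key this on a device fingerprint as well.
KNOWN_PAIRS = {("alice", "198.51.100.5"), ("bob", "198.51.100.7"),
               ("carol", "198.51.100.9")}


def constructed_log():
    """Legitimate users plus a stuffing run spread over 20 'residential'
    IPs: each IP tries two stolen pairs five minutes apart, each against
    a different account, and roughly one stolen pair in ten still works."""
    events = [
        (T0 + timedelta(seconds=5), "198.51.100.5", "alice", True),
        (T0 + timedelta(seconds=40), "198.51.100.7", "bob", False),  # typo
        (T0 + timedelta(seconds=52), "198.51.100.7", "bob", True),
        (T0 + timedelta(seconds=300), "198.51.100.9", "carol", True),
        (T0 + timedelta(seconds=500), "198.51.100.5", "alice", True),
    ]
    for i in range(20):
        for k in range(2):
            n = i * 2 + k
            t = T0 + timedelta(seconds=i * 30 + k * 300 + 7)
            events.append((t, f"203.0.113.{i + 1}", f"user{n:03d}", n % 10 == 0))
    events.sort()
    return [f"{t.isoformat()} {ip} {u} {'OK' if ok else 'FAIL'}"
            for t, ip, u, ok in events]


def noisy_burst(ip="192.0.2.99", n=30):
    """The older, noisy style: n attempts from one IP inside a minute."""
    return [f"{(T0 + timedelta(seconds=i)).isoformat()} {ip} user{i:03d} FAIL"
            for i in range(n)]


def parse(lines):
    events = []
    for line in lines:
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def per_ip_velocity_alerts(events, window=timedelta(minutes=1), limit=10):
    """Classic rate limit: flag any IP with more than `limit` attempts in
    a sliding `window`. Catches the noisy burst, misses the slow run."""
    by_ip = defaultdict(list)
    for t, ip, _, _ in events:
        by_ip[ip].append(t)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged


def failure_ratio(events):
    """Site-wide share of failed logins; most stolen pairs do not work."""
    if not events:
        return 0.0
    return sum(1 for _, _, _, ok in events if not ok) / len(events)


def new_pair_failures(events, known_pairs):
    """Failures from a (user, ip) pair with no successful history. Real
    users mostly mistype from a source they have used before; a stuffing
    run is almost entirely first-time pairs."""
    return sum(1 for _, ip, u, ok in events
               if not ok and (u, ip) not in known_pairs)


def assess(lines, known_pairs=KNOWN_PAIRS):
    ev = parse(lines)
    return {
        "per_ip_alerts": per_ip_velocity_alerts(ev),
        "failure_ratio": round(failure_ratio(ev), 3),
        "accounts_hit": len({u for _, _, u, _ in ev}),
        "distinct_ips": len({ip for _, ip, _, _ in ev}),
        "new_pair_failures": new_pair_failures(ev, known_pairs),
    }


if __name__ == "__main__":
    print("noisy burst :", assess(noisy_burst()))
    print("low and slow:", assess(constructed_log()))
```

Run it and compare the two summaries: the noisy burst trips the per-IP limit, while the distributed run produces no per-IP alert at all yet pushes the failure ratio above 80% and touches 43 accounts from 23 sources. In production the known-pair history would be keyed on a device fingerprint rather than a raw IP, which is exactly why the stolen fingerprints and cookies described above are worth money to attackers.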
The Economics of ‘Stuffing’ are Irresistible
The payoff for credential stuffing can be huge. Compromised peer-to-peer payment accounts were responsible for the theft of $500 million in 2018. CSO further reports that 60% of logins at airlines and 91% of traffic at online retailers consisted of credential stuffing during peak attack times last year.
According to Verizon's 2019 Data Breach Investigations Report, one especially lucrative attack modality is leveraging stolen credentials to compromise cloud-based webmail accounts. Such attacks now account for 16% of all breaches, up from 3% just 12 months earlier. Hackers infiltrate Gmail, Office 365 or other cloud-mail accounts and then launch "chain phishing attacks" from the trusted mailbox to pull off executive impersonation scams, steal valuable IP, redirect employee paychecks and more. The recent Twitter celebrity account takeovers, used to scam people around the globe out of more than $100,000 in bitcoin, show how much damage hijacked high-profile accounts can do.
We have seen numerous publicly traded companies fall victim to attacks in which hackers hijacked supplier email accounts and sent out bogus invoices. One company unwittingly paid out $45 million to these criminals through wire transfers; two others lost $30 million.
The Answer is Identity
The truth is that no single solution can curb credential stuffing on its own. Companies will find they need a multi-layered approach to cybersecurity as credential stuffing attacks increase.
Breached credentials, AI-based behavioral emulation, stolen user web data, residential IP hijacking and other forms of identity deception lose much of their power against solutions that assess hundreds of dynamic identity attributes, which are far harder to fake or steal than a password or a cookie.
How can companies combat credential stuffing? Deploy modern, digital-identity-based user verification and assessment backed by behavioral biometrics, device recognition and online and offline identity data. Options that leverage shared, global threat intelligence are especially compelling, since a device or credential seen attacking one organization can be flagged at the next. This raises the cost for fraudsters by slowing down their processes, and they move on to easier, more lucrative targets. One retailer that deployed such solutions reports that it can now block 90% of all bot traffic and has cut bot-based login attempts by 50% without negatively affecting the user experience.
The Time to Act is Now
Some companies are making significant progress; others have yet to take the first steps toward mitigating the threat posed by credential stuffing. Given the billions in annual losses and the continuing advances in attack techniques, they have plenty of incentive to get started.