Credential Stuffing – Are You Doing Enough?


Credential stuffing attacks are nothing new and are in fact one of the easiest attacks for hackers to carry out. For script kiddies, this may be one of the first things they try to see if they can gain access to systems, while for the more experienced, the potential of credential stuffing attacks is much greater. It can provide them with more information about an individual user, related to their finances, personal life, etc., all for fraud, purchases or spending of funds on the account being accessed, or to create a curated file about an individual that can be sold on the dark web for others to exploit.

The problem is that it doesn’t stop there. The success of a credential stuffing attack is not always measured by the hacker in the terms above. When hackers find a username/password combination that works, they will then test that combination on the world’s most popular consumer sites and services to see if the same credentials have been used elsewhere, and we all know how often the same password is reused. The pot of gold is access to a personal email account, where the hacker can lurk, read, learn and exploit.

Keep in mind that credential stuffing attacks aren’t always about gaining access. These are automated attacks, potentially throwing thousands of credentials at a website and testing them from multiple servers. This degrades the performance of the website and can even take it offline in a kind of denial-of-service attack. Where that is the goal, no black market credentials are required at all.

Companies that fall victim to credential stuffing attacks can suffer financial and reputational damage as well as lose the trust of customers and investors.

The ingredients of an attack

One of the reasons credential stuffing attacks are so popular, especially among new hackers, is that they’re so simple and require very little technical know-how or flair.

The first ingredient in an attack is credentials, and these are extremely easy to find and buy online. Research earlier this year by Digital Shadows found that the number of usernames and passwords openly for sale on the Dark Web has tripled in two years to more than 15 billion. Of course, if a hacker’s goal is to disrupt a website, this ingredient is optional.

The second ingredient is a tool that can test credentials against a website or multiple websites. There are a number of tools, many with their own built-in scripting languages, for which other hackers develop configurations and post them to the hacking community. These software tools are designed to be easy to use and very feature-rich, with tons of resources and guides to help newcomers. In some cases they are arguably better supported and more continuously developed than commercial software.

Finally, there are proxy services that help hackers not only evade detection by the authorities but also make login attempts appear to come from multiple locations, just as normal login attempts would. Lists of proxy servers are readily available online, and tools can be configured to rotate through a provided list.

Detection and testing

From a technical point of view there are a number of components to detecting a credential stuffing attack, and the impression is that they are difficult to test during development. An attacker uses multiple credentials and different user agent strings (UAS), and logins are distributed over time and across a range of IP addresses through proxy servers. The toolsets themselves are even engineered to ensure hackers don’t make obvious mistakes.

So instead of focusing on what you don’t know, focus on what you do know about successful sign-ins from your customers. You know your traffic volume and seasonality, the UAS and IP ranges (countries, languages and browsers) and the number of user accounts you have. This paints a picture of what is normal for your site and is key in the fight.
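One way to turn that picture of "normal" into a concrete check, as an added example that is not from the original article: the log format, the baseline figures, the thresholds and the log lines themselves are all assumptions constructed for the demonstration.

```python
"""Added example (not from the article): baseline-driven credential-stuffing
detection over constructed auth log lines. Format and thresholds are assumed."""
from collections import defaultdict

# Constructed sample log: timestamp|source IP|username|user agent|result
SAMPLE_LOG = """\
2024-01-05T10:00:01|203.0.113.10|alice|Mozilla/5.0 (Windows NT 10.0)|fail
2024-01-05T10:00:01|203.0.113.10|bob|Mozilla/5.0 (Windows NT 10.0)|fail
2024-01-05T10:00:02|203.0.113.10|carol|python-requests/2.31|fail
2024-01-05T10:00:02|203.0.113.10|dave|python-requests/2.31|ok
2024-01-05T10:00:03|203.0.113.10|erin|Mozilla/5.0 (X11; Linux)|fail
2024-01-05T10:01:10|198.51.100.7|alice|Mozilla/5.0 (Macintosh)|ok
2024-01-05T10:02:30|192.0.2.5|grace|Mozilla/5.0 (iPhone)|fail
2024-01-05T10:02:45|192.0.2.5|grace|Mozilla/5.0 (iPhone)|ok
"""

BASELINE = {"fail_ratio": 0.05, "max_users_per_ip": 2, "max_uas_per_ip": 1}  # assumed "normal"

def profile_sources(lines):
    """Per source IP: attempts, failures, distinct usernames, distinct user agents."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "uas": set()})
    for line in lines:
        _ts, ip, user, ua, result = line.strip().split("|")
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += int(result != "ok")
        s["users"].add(user)
        s["uas"].add(ua)
    return stats

def site_fail_ratio(stats):
    """Site-wide failure ratio; a jump against the baseline is the first warning sign."""
    a = sum(s["attempts"] for s in stats.values())
    return sum(s["failures"] for s in stats.values()) / a if a else 0.0

def flag_sources(stats, baseline, min_attempts=4):
    """{ip: reasons} for sources deviating from the baseline; a user retyping a
    password (192.0.2.5 above) stays under min_attempts and is not flagged."""
    flagged = {}
    for ip, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        checks = [
            (ratio > 4 * baseline["fail_ratio"], f"failure ratio {ratio:.2f}"),
            (len(s["users"]) > baseline["max_users_per_ip"], f"{len(s['users'])} usernames"),
            (len(s["uas"]) > baseline["max_uas_per_ip"], f"{len(s['uas'])} user agents"),
        ]
        reasons = [msg for hit, msg in checks if hit]
        if s["attempts"] >= min_attempts and reasons:
            flagged[ip] = reasons
    return flagged
```

Running `flag_sources(profile_sources(SAMPLE_LOG.splitlines()), BASELINE)` reports only 203.0.113.10, with all three deviations; the per-source view catches a distributed attack only when each proxy exceeds the thresholds, which is why the site-wide ratio is tracked as well.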

Mitigation does not have to mean complication

The hacking toolset is pretty impressive, no doubt about that, and for businesses there are quite a few security solutions out there that make it difficult for hackers to get what they want out of an attack, be it disruption or validated credentials.

There are also some basics to consider to ensure your systems are doing everything they can to mitigate the risks:

The attacks and tools that hackers use are becoming more sophisticated. Just as you may be considering using artificial intelligence and machine learning in parts of your business, the hackers are doing the same.

The reality is that you must fight fire with fire, and some of the detection methods that will be needed in the future will be beyond our own comprehension; identifying these patterns and developing this understanding is the task of ML.

As an industry, we need to get a grip on credential stuffing. While we’ve only scratched the surface of what’s possible, the point is that there’s a lot we can do to reduce the risk of an attack and quickly identify it when it does happen.
