Five worthy reads is a regular column on five noteworthy items we’ve discovered while researching trending and timeless topics. This week we explore how credential stuffing attacks are evolving and why they pose a greater threat than meets the eye.
Credential stuffing is perhaps the simplest form of cyberattack, yet it keeps making headlines despite its lack of sophistication. It has become the attack method of choice for cybercriminals mainly because of its high success rate and return on investment: even a petty cybercriminal can test up to 100,000 credentials for less than $200 on average.
Credential stuffing is as simple as taking stolen credentials, a username or email address together with its password, readily available on the dark web from past data breaches, and replaying them against other sites to gain fraudulent access to user accounts. Attackers need little more than a laptop and a residential internet connection to get started.
What makes credential stuffing so effective? People tend to use the same username and password across multiple accounts because they are easier to remember; 65 percent of people surveyed admit to reusing passwords for many or all of their accounts. With the pandemic pushing a larger share of consumers onto online platforms as a substitute for activities they previously did offline, that number is bound to rise. This gives cybercriminals the perfect opportunity to leverage credentials stolen in past data breaches. A common misconception is that credentials from old breaches are no longer valid; in practice, users often reuse the old password with only minor changes, and they may have forgotten accounts whose unchanged passwords they also use on newer accounts.
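To make the "minor changes" point concrete, here is an added example (not from the original column or any of the reads it links) of the check a defender can run when a user picks a new password: it normalizes away the edits people typically make to an old password (letter case, leetspeak substitutions, a trailing year or counter) and compares the result against passwords already known to be breached for that user. The breached passwords are constructed for the example, and `normalize` and `is_trivial_variant` are this example's own names, not a library API.

```python
import re

# Constructed for this example: passwords previously exposed for this user in
# breach dumps (hypothetical values, not taken from any real breach).
BREACHED = {"Summer2019!", "letmein1"}

# Keyboard substitutions commonly seen in "tweaked" passwords (l33t-speak).
LEET = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)

# Digits and punctuation users append when forced to change a password
# (a year, a counter, an exclamation mark).
TRAILING_DECORATION = re.compile(r"[\d!@#$%^&*._-]+$")


def normalize(pw: str) -> str:
    """Collapse the edits people typically make to an old password: letter case,
    a trailing run of digits/symbols, and leetspeak substitutions.
    Trailing decoration is stripped before the leet translation so that digits
    in a suffix ("2019") are removed rather than turned into letters."""
    core = pw.lower()
    core = TRAILING_DECORATION.sub("", core)   # "summer2020!" -> "summer"
    return core.translate(LEET)                # "l3tm3in"     -> "letmein"


def is_trivial_variant(candidate: str, breached: set) -> bool:
    """True if the candidate is a breached password or a cosmetic variant of one.
    An all-digit or all-symbol candidate normalizes to "", so only an exact match
    counts for it; otherwise every such password would collide with everything."""
    if candidate in breached:
        return True
    core = normalize(candidate)
    if not core:
        return False
    return any(core == normalize(old) for old in breached)


if __name__ == "__main__":
    for pw in ["Summer2020!", "$ummer2021", "L3tM3In2", "correct horse battery staple"]:
        verdict = "reject: variant of a breached password" if is_trivial_variant(pw, BREACHED) else "ok"
        print(f"{pw!r}: {verdict}")
```

Credential stuffing tools apply the same kind of mangling rules in the other direction, generating "Summer2020!" and "$ummer2021" from a leaked "Summer2019!", which is why a cosmetically changed password stays in play for an attacker. A production check would also consult a breached-password corpus rather than a per-user set, but the normalization step is the part this passage is about.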
Credential stuffing attacks are becoming more advanced. The prospect of high profits has attracted more sophisticated bot operators, and today's automated tools can check millions of credential combinations across multiple websites. The sheer volume of such attacks can overwhelm even well-prepared IT teams. We've selected some relevant and interesting reads to help you gear up for this evolving threat.
Cybercriminals are now launching full-scale attacks on loyalty programs, reaping large profits on the dark web by reselling account access, points, and other rewards from loyalty accounts. Fraud against travel and hospitality loyalty programs has dropped during the pandemic, but fraudsters are still harvesting personal information and aging the accounts they have taken over, building up a history of normal-looking activity so that they are hard to tell apart from legitimate users.
The FBI has warned of a rise in credential stuffing attacks launched by botnets against the financial sector, and points to password reuse and the lack of multi-factor authentication (MFA) as the main enablers of such attacks.
Credential stuffing went largely unchecked until the mid-2010s; in 2015 it was identified as the link between data breaches and account takeovers. Defenses improved in the following years, but attackers adapted their tactics to bypass them, which marked the start of imitation attacks that mimic user behavior to evade detection.
Attackers typically automate their campaigns with botnets, supplemented by point-and-click credential-testing tools and basic open-source operational tooling. Evasion techniques such as disguising where the bots' traffic originates (for instance, by routing it through proxies so that each login attempt arrives from a different address) and imitating human mouse movements help the attackers stay hidden.
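The evasion techniques above mean that a per-IP lockout or rate limit sees almost nothing: each rotated address fails only once or twice. The following added example (not from the column or any of the linked reads) shows detection logic that looks at the aggregate instead. It parses constructed login records in a hypothetical `login user=... src=... result=...` format, reports the largest failure count any single IP produced, and then flags a time window in which failures dominate the traffic and are spread across many distinct usernames and source addresses, which is the signature of a password list being replayed rather than one user mistyping a password. The log lines (RFC 5737 TEST-NET addresses), the record format, the function names, and the thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Hypothetical login-event format; field names are this example's own.
LINE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample (not real logs): a stuffing burst in which the operator
# rotates through TEST-NET addresses so no single IP fails more than twice, with
# legitimate logins (alice) mixed in and one "hit" (heidi) where a leaked
# password still worked.
STUFFING_LOG = """\
2021-01-12T10:00:00Z login user=alice src=203.0.113.5 result=OK
2021-01-12T10:00:02Z login user=bob src=198.51.100.12 result=FAIL
2021-01-12T10:00:04Z login user=carol src=198.51.100.47 result=FAIL
2021-01-12T10:00:05Z login user=dave src=203.0.113.88 result=FAIL
2021-01-12T10:00:07Z login user=erin src=192.0.2.19 result=FAIL
2021-01-12T10:00:09Z login user=frank src=198.51.100.91 result=FAIL
2021-01-12T10:00:10Z login user=grace src=192.0.2.77 result=FAIL
2021-01-12T10:00:12Z login user=heidi src=203.0.113.140 result=OK
2021-01-12T10:00:14Z login user=ivan src=192.0.2.101 result=FAIL
2021-01-12T10:00:15Z login user=judy src=198.51.100.203 result=FAIL
2021-01-12T10:00:17Z login user=mallory src=203.0.113.201 result=FAIL
2021-01-12T10:00:19Z login user=niaj src=192.0.2.150 result=FAIL
2021-01-12T10:00:21Z login user=olivia src=198.51.100.12 result=FAIL
2021-01-12T10:00:40Z login user=alice src=203.0.113.5 result=OK
"""

# Constructed sample of ordinary traffic: one user mistypes twice, then succeeds.
NORMAL_LOG = """\
2021-01-12T11:00:00Z login user=alice src=203.0.113.5 result=FAIL
2021-01-12T11:00:06Z login user=alice src=203.0.113.5 result=FAIL
2021-01-12T11:00:15Z login user=alice src=203.0.113.5 result=OK
2021-01-12T11:00:30Z login user=bob src=198.51.100.12 result=OK
"""


def parse(text):
    """Turn raw lines into event dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def max_failures_per_ip(events):
    """What a classic per-IP lockout rule sees: the busiest single source."""
    fails = Counter(e["ip"] for e in events if e["result"] == "FAIL")
    return max(fails.values(), default=0)


def stuffing_alerts(events, window_s=60, min_failures=8, min_users=6, min_fail_ratio=0.75):
    """Bucket events into fixed windows and flag a window where failures are numerous,
    make up most of the traffic, and are spread over many distinct usernames."""
    buckets = defaultdict(list)
    for e in events:
        buckets[int(e["ts"].timestamp()) // window_s].append(e)
    alerts = []
    for key in sorted(buckets):
        win = buckets[key]
        fails = [e for e in win if e["result"] == "FAIL"]
        if len(fails) < min_failures:
            continue
        users = {e["user"] for e in fails}
        if len(users) < min_users or len(fails) / len(win) < min_fail_ratio:
            continue
        alerts.append({
            "window_start": datetime.fromtimestamp(key * window_s, tz=timezone.utc).isoformat(),
            "attempts": len(win),
            "failures": len(fails),
            "distinct_users": len(users),
            "distinct_ips": len({e["ip"] for e in fails}),
            # Successful logins inside a stuffing burst may be hits on reused passwords.
            "successes_to_review": sorted({e["user"] for e in win if e["result"] == "OK"}),
        })
    return alerts


if __name__ == "__main__":
    ev = parse(STUFFING_LOG)
    print("max failures from any single IP:", max_failures_per_ip(ev))
    for alert in stuffing_alerts(ev):
        print("ALERT", alert)
    print("alerts on normal traffic:", stuffing_alerts(parse(NORMAL_LOG)))
```

In the constructed burst no IP fails more than twice, so a lockout threshold of five per address never fires, while the windowed view reports eleven failures across eleven usernames and ten addresses in one minute. The accounts that logged in successfully during that window (alice and heidi here) are the ones to review, since a stuffing hit is indistinguishable from a normal login on its own.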
Organizations in many sectors, including finance, gaming, media, and government, have been hit by large-scale credential stuffing attacks in the recent past. The most alarming recent development is that credential stuffing tools are "being integrated into the attacker workflow," which streamlines the trial-and-error process for attackers. Users can reduce their exposure by maintaining good password hygiene, using a unique password for every account, and enabling MFA.
Credential stuffing is dangerous because organizations that have never suffered a data breach themselves can still be victimized when their users' credentials are compromised somewhere else. If an employee uses the same credentials for their corporate account and for Facebook, and Facebook is breached, the attacker can replay those credentials across many sites with large-scale bots and specialist automation tools, ultimately gaining access to the corporate network. The increased dependence on online services during the global pandemic has only intensified the problem. It is high time that businesses and individuals adopted the recommended measures to thwart such attacks.