Credential Stuffing Threats Facing the eCommerce Industry This Holiday Season

Forecasts call for double-digit growth in eCommerce holiday spending. Much like in the Dr. Seuss story, there is a Grinch lurking this holiday season, trying to ruin this joyous time of year. The Grinch, in this case, is the collection of fraudsters working to perform Account Takeover (ATO) attacks.

ATO attacks continue to be a growing threat on the Web, targeting any site with a login that protects valuable information. These ATO attacks are a consequence of the ever-growing list of companies that have been breached, giving attackers access to user credentials that users unfortunately often re-use on multiple sites. The first phase of these ATO attacks is known as Credential Stuffing: the mass-scale automated testing of username/password combinations across multiple websites. When successful matches are discovered, attackers use these logins to take over the account for fraud.

Scale of ATO Attacks in Commerce

We recently reviewed the data of attacks directed at Akamai’s ~5,000 customers for the 7-day period including Black Friday and Cyber Monday. Of the 100 most attacked sites, more than 66% are eCommerce sites. We’ve broken eCommerce down into Retail and Travel & Hospitality. While more retailers than travel sites are attacked in this data set, the travel sites that were attacked saw on average 8 times more Credential Stuffing attempts over the 7-day period than retailers. The intensity of attacks on Travel & Hospitality sites reflects their attractiveness to attackers. During this 7-day period, Akamai observed approximately 1 billion malicious login requests directed toward the top-100 targets.


Attacker Methodology

Like so many attacks these days, there are freely available tools for Credential Stuffing, complete with training. Sentry MBA is a popular framework for attackers getting started, whereas more sophisticated attackers build their own tools. These frameworks are the engine fraudsters use to run these attacks.

If Sentry MBA is the engine for these attacks, the never-ending list of breached companies makes up the fuel. With each “spill” of user credentials, attackers have fresh fuel for their search for re-used credentials. Unfortunately, there doesn’t appear to be any slowdown in these types of breaches, so we should assume attackers will continue to have plenty of fuel for their attacks.

Among the Web App attackers that we track, those behind these attacks are evasive and work to circumvent controls. They employ massive proxy networks composed mostly of IoT devices, and tools like Sentry MBA make it easy to configure proxy networks as an evasion technique. These proxy networks let attackers distribute their attacks across a massive collection of devices and keep the per-target request rate from any individual source below one request per minute on average. These features evade two of the most common controls a Web Application Firewall (WAF) provides: geo-blocking and rate controls. We do see significant overlap in the IP addresses used to launch these attacks, indicating that the attackers are leveraging a common proxy infrastructure. Below is a chart of the IPs attacking the top 3 most targeted retailers. More than 70% of the IPs attacking the 3rd most targeted retailer, Retailer C, are also used to attack the first and/or second most attacked retailers. The more retailers you include in the analysis, the fewer unique proxy IPs are seen. This suggests that intelligence sharing amongst retailers would be a fruitful exercise for uncovering the IPs of the proxy network, and it also highlights the value of providers with broad visibility.

[Chart: IPs attacking the top 3 most targeted retailers]
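The two detection points above, as an added example that is not part of the original post: a per-source rate limit never fires against traffic spread across a proxy pool, while the same failed logins counted per login endpoint stand out, and the overlap of source IPs across retailers reveals the shared proxy infrastructure. The retailer names, IP ranges and attempt timings are constructed for illustration.

```python
"""Constructed failed-login telemetry for three retailers; every proxy IP sends
one attempt every 4 minutes, i.e. well under one request per minute."""
from collections import Counter, defaultdict

WINDOW_MIN = 10  # observation window in minutes (constructed)

# Constructed proxy pool: SHARED is reused against several retailers,
# the ONLY_* sets are seen at a single retailer.
SHARED = [f"198.51.100.{i}" for i in range(1, 8)]
ONLY_A = [f"203.0.113.{i}" for i in range(1, 5)]
ONLY_B = [f"192.0.2.{i}" for i in range(1, 4)]
ONLY_C = ["192.0.2.50", "192.0.2.51"]

TRAFFIC = {
    "Retailer A": SHARED + ONLY_A,
    "Retailer B": SHARED[:5] + ONLY_B,
    "Retailer C": SHARED[2:] + ONLY_C,
}


def build_events():
    """Failed-login log as (retailer, source_ip, minute) tuples."""
    return [(site, ip, m) for site, ips in TRAFFIC.items()
            for ip in ips for m in range(0, WINDOW_MIN, 4)]


def max_source_rate(events):
    """Peak failed logins per minute from any single source, as a per-IP rate limit sees it."""
    counts = Counter((site, ip) for site, ip, _ in events)
    return max(counts.values()) / WINDOW_MIN


def target_rate(events, site):
    """Failed logins per minute against one login endpoint, regardless of source."""
    return sum(1 for s, _, _ in events if s == site) / WINDOW_MIN


def proxy_overlap(events, target, others):
    """Fraction of IPs attacking `target` that also attack at least one of `others`."""
    ips = defaultdict(set)
    for site, ip, _ in events:
        ips[site].add(ip)
    elsewhere = set().union(*(ips[o] for o in others))
    return len(ips[target] & elsewhere) / len(ips[target])


if __name__ == "__main__":
    ev = build_events()
    print(f"peak per-source rate: {max_source_rate(ev):.1f} req/min")   # 0.3
    for site in TRAFFIC:
        print(f"{site}: {target_rate(ev, site):.1f} failed logins/min")
    share = proxy_overlap(ev, "Retailer C", ["Retailer A", "Retailer B"])
    print(f"Retailer C IPs also seen at A or B: {share:.0%}")          # 71%
```

Per-source the traffic looks like 0.3 requests per minute, below any sane rate threshold, while Retailer A's login endpoint absorbs 3.3 failed logins per minute and 5 of Retailer C's 7 attacking IPs are already known from A or B.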

Common Defenses for Credential Stuffing

CAPTCHAs are often the first security control that comes to mind to slow the bots that launch Credential Stuffing attacks. This control was designed to be very challenging for bots to complete and quite easy for humans. It certainly hasn’t worked out that way. Tools like Sentry MBA ship with CAPTCHA evasions, including optical character recognition, and the tool’s flexibility allows attackers to extend those evasion techniques. Researchers have shown that AI-powered CAPTCHA-solving bots have higher success rates than humans. Even if CAPTCHA were a more successful security control, it is a very expensive control for a Commerce application because of its impact on user experience. Studies have shown that fractions of a second of delay impact conversion rates, and CAPTCHAs introduce significant friction for the end user.

Multi-Factor Authentication (MFA) is another popular defense for protecting login interfaces from brute-force attacks. MFA is a very effective control for protecting logins to internal applications or banking applications; however, it carries a significant level of user friction. That makes it an expensive control for business-to-consumer retail apps at a time when competitors are racing to reduce user friction with systems like 1-click purchasing.

There has been quite a bit of innovation yielding low-friction solutions to combat Credential Stuffing attacks, as Bot Management or Bot Mitigation has emerged as an industry must-have. These solutions employ techniques such as browser fingerprinting or biometric analysis of physical input from sensors such as the mouse, keyboard, and mobile phone gyroscopes and accelerometers. These advances in bot detection not only provide more effective detection, they can also be deployed in models that are end-user friendly, introducing only a few dozen milliseconds of page load delay.

The 2017 holiday season appears to be off to an active start, for both shoppers and attackers. The trend of fraudsters attempting ATO attacks continues to accelerate. Innovative vendors continue to create defenses that provide better protection from these attacks while also providing a great user experience.

This is a Security Bloggers Network syndicated blog post authored by Patrick Sullivan. Read the original post at: RSA Conference Blog