Credential Stuffing Attacks vs. Brute Force Attacks
The Open Web Application Security Project
(OWASP), a non-profit that is dedicated to web application security, classifies
credential stuffing as a subset of brute force attacks. However, in practice,
the two types of cyber-attacks use very different methods to accomplish an account takeover
and fraud.
To explore how credential stuffing attacks and brute force attacks differ, we need to understand what they are and how they operate. Here is a quick summary.
What Are Brute Force Attacks?
A brute force attack is a method used by
hackers to crack the username and password of accounts through trial and error.
Bad actors can use automated software to attempt as many guesses as possible
with the goal to gain access to an account.
This is done with the hope that they will eventually find the right
combination. Brute force attacks are a numbers-game that relies on increasing
probabilities. It would be unlikely for a hacker to gain access to the account
on the first attempt, the second attempt, or even the third attempt, but with
enough attempts it just might happen. Brute force attacks are often likened to
“breaking the door down.” This is because they don’t rely on sophisticated and
complex methods or even already known compromised credentials to gain access,
but rather they try to force their way in by overwhelming the system with
guesses.
That isn’t to say that there is no
intelligence behind some brute force attack methods. Hackers will often use a
list of common passwords and use the most common combinations first. There is
some logic in this form of brute force attack, so you may see it referred to as
a hybrid brute force attack. Another common method is a systematic approach at
guessing that can be devoid of outside logic. In this scenario, hackers may just
use a list of dictionary words or dictionary word combinations. This is called
a dictionary attack.
An attacker will often know the username of
the account they are trying to get into and try to brute force the password.
However sometimes the attacker may not know the username conclusively, but have
some confidence in estimating a username. This is most commonly seen when a
hacker is attempting to breach an employee account for a company. Companies
tend to use a pattern for their email addresses. For example, Jamal Harris might be jharris@company.com,
Ines Martinez would be imartinez@company.com, and so on. With these patterns,
if the hackers know the CEO of the company is called Anika Ming, then hackers
could make a confident guess at her username.
Reverse brute force attacks are the opposite of this; instead of using a lot of passwords against 1 username, they use 1 password against lots of usernames (this is also known as password spraying, or low and spray attacks). These attacks are less common because it can be difficult to attain a large list of usernames, but websites often don’t have the same measures in place to protect against these attacks when compared to traditional brute force attacks. In March 2019, tech giant Citrix became a victim of this type of attack.
Online accounts almost always have cybersecurity measures in place to prevent brute force attacks. For example, a hacker could use brute force to get into your Gmail account because after a few wrong username and password combinations, the website will ask you to perform a CAPTCHA. Most websites will have something like this in place, if not a CAPTCHA they may impose a time restriction before another login can be attempted, and some websites will use both.
Credential Stuffing Attacks
While credential stuffing
attacks are considered a subset of brute force attacks, they actually use a
higher degree of intelligence in their method because they use bots or
automated scripts to attack. This type of attack uses compromised credentials
obtained from a data breach to attempt an account takeover (otherwise known as
ATO). In this scenario, the hacker will have a database of credentials and
personally identifiable information (PII) from a data breach. For example, a bad actor can obtain PII data
online from a data breach of a large hotel chain’s customer database and then, use
these credentials to gain access to an unrelated account such as a bank
account. In May 2019, Boost
Mobile disclosed a credential stuffing attack and if you run a google
search on credential stuffing attacks, you can find thousands of victims in the
last 3 years.
Credential stuffing attacks mainly rely on
people having the same username and password combinations across their accounts
in order to work. People will often use one email address for their accounts,
and often people will use the same password because it’s easy to remember. This
is why it is recommended that you have unique passwords for all of your
accounts.
The success rate of credential stuffing
attacks can be low, with some estimates putting it at around 0.1% to %1
depending on the security of the target organization. Like brute force attacks,
it’s a numbers game. For example, if a
credential stuffing attacks is taking place over time with 1,000,000 targets,
that can equal 10,000 vulnerable accounts. Hackers will use lists of hundreds
of thousands of credentials and an automated script in order to conduct the
account takeover and even if they only successful a few times, they can
successfully commit fraud.
The attacker will use the spilled usernames and passwords against a range of accounts, such as bank accounts, social media accounts, online marketplaces, crypto wallet accounts, and even loyalty or rewards program accounts. If they get into an account with funds, they will drain the account of funds or in the case of online marketplaces, may use your linked credit card to commit fraud. Even when an attacker only gains access to social media accounts, your data can still be highly valuable to them. Your personal information can be used in social engineering email or telephone scams in order to encourage you to give up access to your account under false pretenses, or can be used to gain access to your friends and family.
How to Handle These Types of Attacks
There are a variety of ways that organizations
are attacked and there is a broad array of security products to mitigate these
brute force and credential stuffing attacks.
No single product is 100% reliable against all of the forms of attacks
and most security experts recommend a layered approach of protection against
the attacks.
Nevertheless, the most common threat vector to
organizations are compromised user name and password combinations that get
exposed in data breaches. The
organization that has the data breach is vulnerable to nefarious activity. But
the problem becomes worse because so many online users reuse passwords, bad
actors are able to fraudulently access other accounts that use the same user
name and password.
To help reduce both brute force attacks and credential stuffing attacks, organizations can opt to screen their user accounts for compromised credentials and then take appropriate action to degrade the threat.
Enzoic Can Help with These Attacks
If your organization
is struggling with a lot of brute force attacks on your sites and systems, we
would recommend checking our Password API to make sure that the user’s password
isn’t part of a cracking dictionary. This is specifically what the NIST
Password guidelines recommend (NIST 800-63b). The screening of the username and
password combination isn’t sufficient, you also need to check against cracking
dictionaries. Just because a user name
and password combo have not been found on the dark web, doesn’t mean it safe. If the password is a common password or is
frequently seen in cracking dictionaries, it is still vulnerable to a brute
force attack. Brute force attacks are by definition offline attacks, so you
need to defend against a lot of possible passwords. And that password needs to
be checked an updated list daily, not just when the user sets it up.
If your organization
is the victim of a lot of credential stuffing attacks, we would recommend
checking our Credential API. You can get a free list of passwords online, but
the free lists are usually limited in size and will need to be updated daily.
Most teams do not have the staffing to support a daily update process. Because
credential stuffing attacks are by definition online attacks, you can defend
against them using specific compromised username and password combinations.
Restricting users from using any password from a cracking dictionary (like the
free lists) results in limiting your online users from selecting passwords that
would otherwise be safe from an online attack. The user experience can be very
frustrating if the passwords restrictions are too stringent and you risk user abandonment.
The post Credential Stuffing Attacks vs. Brute Force Attacks appeared first on Enzoic.
*** This is a Security Bloggers Network syndicated blog from Enzoic authored by Kristen Wilson. Read the original post at: https://www.enzoic.com/credential-stuffing-attacks-vs-brute-force-attacks/
