Home » Cybersecurity » CISO Suite » Why fraudsters pretend to have better credentials than they actually do

Why fraudsters pretend to have better credentials than they actually do

by NuData on December 15, 2021

The average login credential attack now has a nearly one in 10 chance of succeeding — a fivefold increase from just one year ago. But how do fraudsters do it and why does it matter? Our latest case study has all the details.

The jump in successful login credential attacks poses a growing threat to organizations’ ability to guard their users’ accounts. But it also raises the question: Are bad actors actually using better credentials at login or are they just getting better at pretending? By identifying how bad actors are sneaking past your defenses, you’ll be better prepared to mitigate future attacks.

What is the risk posed by credential success rates?

The majority of our clients’ login threats are credential stuffing attacks — when a bad actor inputs pairs of stolen usernames and passwords in an attempt to compromise user accounts. But most of the stolen credentials fraudsters use are outdated or inaccurate. This means they have to test countless credentials just to get a single hit, with a traditional correct credential rate between 0.5% and 2%.

But don’t let seemingly low rates of correct credentials fool you. A single automated attack could easily input millions of credentials, resulting in thousands of correct hits that lead to compromised accounts.

As you can imagine, the outcome worsens as the percentage of correct login credentials increases. And the percentage of successful credentials used in attacks appears to be rising quickly, with some success rates averaging even higher than 10%. In fact, we recently identified an attack that appeared to have a 40% correct credential rate.

We knew this didn’t necessarily mean the attacker used a high-quality dataset. They were likely just pretending to have lots of accurate username-and-password pairings.

Before we get to how they did it, let’s talk about the why.

Remember, it’s a big deal if the average credential success rate of an attack reaches even 2%. To compare, a legitimate user only occasionally mistypes their passwords, giving them a 70-90% success rate. This is why many companies protect their login pages with simple rules that flag login attempts with a low proportion of successful logins as potential fraudsters. It’s the security equivalent of a “you must be this tall to ride” sign at a theme park.

Bad actors who pretend to have high credential success rates can sneak past security because they look like regular users – they look tall enough for the ride. But it’s not a flawless disguise. With the right tools to identify fraud at login, spotting credential-rate fakers is as easy as spotting two kids in a trenchcoat trying to sneak into Space Mountain.

How fraudsters artificially raised the credential success rate to 40%

Yes, it happened. We saw (and mitigated) a large attack with a 40% credential success rate. Call us suspicious, but we quickly guessed this was an attempt to bypass the basic security rules based on the login success rate we just talked about. So we considered other ways the attacker could have reached this 40% number.

The signs pointed to an attack that didn’t start at login, but at account creation instead. This is one of the first steps fraudsters take to fake high-quality credentials: They create a lot of new accounts that they control. In the case study, we’ll take a deeper dive into the rest of the process, which we’ve laid out below.

Purge data, Create new accounts, Test at login, Reap the benefits

Mitigating credential stuffing with behavioral biometrics

The case study shows how the client used NuData’s behavioral biometrics technology to flag and mitigate tens of thousands of login attempts by analyzing inherent user behavior (e.g., typing cadence or the location of their device) paired with other analytics.

With the increase in attacks with correct credential, it’s important for companies to understand how they evolve to try o bypass common security tools.

Check out the full story on our case study: