
Credential Stuffing: Examples, Detection and Impact

Credential stuffing has become one of the most common and significant threats facing organizations today and is a risk for virtually any application that has login functionality, which is to say most applications. Let’s take a closer look at what credential stuffing is, why it is a challenge to control, and what organizations can do to defend themselves.

What Is Credential Stuffing?

In a credential stuffing attack, cyber criminals attempt to reuse credentials that were compromised in a previous breach to log in to another website or application. For example, take the PayPal data breach, which impacted 35,000 accounts.

Knowing that many end users will often reuse the same password on multiple sites, attackers often take breached credentials and try them on other high-value applications, such as a bank or online shopping account. In the PayPal attack, the company has yet to detect any unauthorized transactions, so the attackers may have carried out the attack simply to figure out which logins are reused across multiple accounts so they can then sell those lucrative credentials.

Since data breaches are a relatively common occurrence, attackers have an almost never-ending trove of credentials that they can try against a virtually endless supply of targets.

In fact, one study found approximately 15 billion stolen logins stemming from around 100,000 breaches. This creates a feedback loop in which one breach fuels downstream compromises of other apps and accounts.

The Value of Compromised Accounts

Credential stuffing plays a key role in the underground hacker economy. Naturally, an attacker could seek to directly profit from a compromised account. However, more often than not, access to the account is resold to other actors on the dark web and underground forums, as is suspected in the PayPal case.

This is an example of the ongoing specialization seen in criminal ecosystems in which certain actors will specialize in gaining access, while others will specialize in using the access to commit fraud or other activities.

These attacks are so common that compromised accounts have well-established commodity prices based on the value of the account. For example, financial and payment services accounts such as banking accounts, PayPal, or Western Union accounts can fetch between $30 and $120 depending on the amount of money in the account.

A wide variety of retail accounts are also prized targets with compromised Amazon accounts going for an average of $30. Social media user accounts are likewise common targets. These accounts can be used in astroturfing campaigns or can be used to spearphish and spread malware to users in a victim’s social network. For example, Facebook accounts are typically sold for $65, Instagram accounts for $45, and Gmail accounts for $80.

What causes Credential Stuffing Attacks?

Credential stuffing attacks are fed by several different sources.

1. Data Breaches

User credentials are often targeted by cyber criminals during massive attacks on sensitive databases, so they can be used for credential stuffing attacks.

These attacks occur when attackers infiltrate a company’s network and access sensitive user data, including usernames, passwords, and personal information. Data breaches can be caused by weak security practices, insider threats, or large-scale attacks.

2. Weak and Reused Passwords

Users often choose weak or easily guessable passwords for their accounts. They may also reuse the same password across different websites and applications. This increases the risk of credential stuffing attacks, which occur when compromised login information from one data breach is used to access multiple user accounts on different platforms.

3. Phishing Attacks

Phishing is an attack in which attackers impersonate trusted entities, such as banks or social media platforms, to get users to reveal their login credentials, which are then used for credential stuffing. Phishing attacks can come in the form of emails, phone calls, text messages, or social media messages.

4. Credential Leaks

Sometimes, users or employees accidentally leak credentials by sharing them with others or storing them insecurely (e.g., in plain text files or on sticky notes). These leaked credentials can be discovered and used by cybercriminals for credential stuffing attacks. Additionally, online forums or dark web marketplaces may host databases of leaked or hacked credentials, making them easily accessible to attackers.

5. Automated Tools and Botnets

Attackers often use automated tools and botnets to carry out large-scale credential stuffing attacks. These tools allow attackers to test millions of username and password combinations in a short period of time, increasing the likelihood of successfully accessing user accounts. Botnets are networks of compromised devices that can be controlled by an attacker to distribute and amplify their attacks.
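Causes 2 and 4 above are where the raw material comes from: passwords that were breached elsewhere and reused here. One control that cuts the feed at the source is to reject any new or changed password that already appears in a breach corpus, without sending the password (or even its full hash) to the lookup service. The following is an added example, not code from the original post or from A10/ThreatX. It implements the k-anonymity range scheme used by the Have I Been Pwned "Pwned Passwords" endpoint (assumed URL shape https://api.pwnedpasswords.com/range/<prefix>), but the corpus, its counts and the local lookup function are constructed stand-ins so that it runs offline.

```python
"""Breached-password check using a k-anonymity range lookup.

The client hashes the candidate password with SHA-1, hands only the first five
hex digits of the hash to the lookup service, receives every suffix the service
knows for that prefix, and does the final comparison locally. The corpus and the
lookup below are constructed stand-ins for the real service.
"""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the key the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed corpus: passwords and breach counts are made up for this example.
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "Alpha123": 1_200,
    "qwertyuiop123": 18_000,
}


def build_range_index(corpus: Dict[str, int]) -> Dict[str, str]:
    """Index the corpus the way a range endpoint serves it: keyed by the first
    five hex digits of the hash, each value a body of '<35-hex-suffix>:<count>'
    lines."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for password, count in corpus.items():
        digest = sha1_upper(password)
        buckets[digest[:5]].append(f"{digest[5:]}:{count}")
    return {prefix: "\n".join(sorted(lines)) for prefix, lines in buckets.items()}


_RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def local_range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/<prefix> against the real service (assumed
    endpoint https://api.pwnedpasswords.com/range/<prefix>). Returns the
    response body, which is empty when no known hash shares the prefix."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly five hex digits")
    return _RANGE_INDEX.get(prefix.upper(), "")


def breach_count(password: str,
                 lookup: Callable[[str], str] = local_range_lookup) -> int:
    """How many times `password` appears in the corpus (0 if never seen).

    Only the five-character prefix is handed to `lookup`; the suffix match is
    done here, so neither the password nor its full hash is disclosed."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def acceptable_password(password: str, min_len: int = 12,
                        lookup: Callable[[str], str] = local_range_lookup) -> bool:
    """Signup / password-change policy: long enough and absent from the corpus.
    Rejecting known-breached passwords removes exactly the pairs a stuffing
    list would otherwise replay against this site."""
    if len(password) < min_len:
        return False
    return breach_count(password, lookup) == 0


if __name__ == "__main__":
    for pw in ("password", "qwertyuiop123", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times, "
              f"acceptable={acceptable_password(pw)}")
```

To use the real service, replace `local_range_lookup` with a function that performs the HTTP GET and returns the body text; the client logic is unchanged, and the only thing that ever leaves the process is the five-character prefix, which matches roughly one in a million hashes in the corpus.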

How to Detect Credential Stuffing Attacks?

Generally, standard credential stuffing attacks can be detected, and blunted, using the following key techniques:

1. Unusual Login Patterns

Monitor and analyze login patterns to identify irregularities: spikes in failed login attempts, geolocation inconsistencies, rapid changes in IP address, bot-like timing, atypical user agents, and login sources that do not match a user's history. Time-based restrictions can then be applied to sources or sessions that look anomalous.

2. Rate Limiting

Throttle login attempts: add CAPTCHAs, progressive delays and maximum request thresholds, monitor for spikes in failed logins, enforce account lockouts where they will not mainly punish legitimate owners, and adopt adaptive rate limiting that can be tuned per user and per time window. Because a distributed botnet can keep every individual IP under a per-IP threshold, limits should also exist at the aggregate (login endpoint) level.

3. Multi-factor Authentication (MFA)

Require a second verification factor, such as one-time passwords (OTPs), biometric authentication, mobile device-based authentication, hardware tokens, SMS-based codes, software-based authenticators, push notifications, email-based verification, or time-sensitive tokens. MFA is a preventive control rather than a detection technique: a stolen password alone no longer yields the account. Not all factors are equal, though; SMS and email codes can be phished or intercepted, while hardware tokens and platform authenticators based on FIDO2/WebAuthn are phishing-resistant.

4. Device Fingerprinting

Collect device-specific information by analyzing browser configurations, monitoring installed plugins, identifying unique hardware characteristics, tracking device usage patterns, creating device profiles, detecting anomalies in device attributes, leveraging machine learning techniques, cross-referencing known device fingerprints, and establishing device reputation scores.

5. Web Application Firewalls (WAFs) and Security Solutions

Deploy advanced WAFs, implement intrusion detection systems, use behavior-based security solutions, monitor server logs for suspicious activity, create custom security rules, leverage AI-driven security tools, block known malicious IPs, employ content delivery networks (CDNs) with security features, implement distributed denial of service (DDoS) protection, and use threat intelligence feeds to increase security efficacy.
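Item 2 above lists progressive delays, adaptive limits and per-user limits without saying how they fit together, and the distributed-botnet caveat is what decides the design. The following is an added example, not code from the original post or from A10/ThreatX: a login throttle with three sliding-window counters (per source IP, per username, and one global counter for the endpoint) and two constructed scenarios, a single bot address cycling through stolen pairs and a 600-address botnet that keeps every IP under its threshold. The thresholds, window length and the bot/victim identifiers are assumptions chosen for the demonstration.

```python
"""Layered login throttle with progressive delays and a global step-up trigger.

Three counters are kept over a sliding window: per source IP (a stuffing bot
from one address cycles through many different accounts), per username (kept
lenient, because a hard lockout after one failure mostly punishes the real
owner), and one global counter for the login endpoint, which is what still sees
the attack when a distributed botnet keeps every single IP under its threshold.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass
class LoginThrottle:
    window_s: float = 60.0            # sliding window length (assumed)
    ip_free_failures: int = 5         # failures per IP before delays start (assumed)
    user_free_failures: int = 3       # failures per account before delays start (assumed)
    global_fail_threshold: int = 500  # failures/window that trip site-wide step-up (assumed)
    max_delay_s: float = 30.0         # cap on the progressive delay
    _ip_fail: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _user_fail: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _global_fail: Deque[float] = field(default_factory=deque)

    def _prune(self, q: Deque[float], now: float) -> None:
        while q and now - q[0] > self.window_s:
            q.popleft()

    def _delay_for(self, excess: int) -> float:
        """Progressive delay: nothing inside the free budget, then 1, 2, 4, 8 ...
        seconds for each further failure, capped at max_delay_s."""
        return 0.0 if excess <= 0 else min(self.max_delay_s, 2.0 ** (excess - 1))

    def check(self, ip: str, username: str, now: float) -> Tuple[str, float]:
        """Decide before the password is verified. Returns (action, delay_s) with
        action in {'allow', 'delay', 'step_up'}; 'step_up' means demand a CAPTCHA
        or second factor. Apply the delay uniformly so that timing does not
        reveal whether the username exists."""
        ipq, userq = self._ip_fail[ip], self._user_fail[username.lower()]
        for q in (ipq, userq, self._global_fail):
            self._prune(q, now)
        if len(self._global_fail) >= self.global_fail_threshold:
            return "step_up", 0.0
        delay = max(self._delay_for(len(ipq) - self.ip_free_failures + 1),
                    self._delay_for(len(userq) - self.user_free_failures + 1))
        return ("delay", delay) if delay > 0 else ("allow", 0.0)

    def record(self, ip: str, username: str, success: bool, now: float) -> None:
        """Feed back the outcome of the password check."""
        if success:
            # A real login clears the account's counter; the IP history is kept so
            # a bot that lands one valid pair among many failures stays throttled.
            self._user_fail.pop(username.lower(), None)
            return
        self._ip_fail[ip].append(now)
        self._user_fail[username.lower()].append(now)
        self._global_fail.append(now)


def simulate_single_ip_stuffing(n_pairs: int = 12) -> List[Tuple[str, float]]:
    """Constructed scenario: one bot address replays n stolen pairs, one attempt
    per account, one per second. Per-account counters never exceed 1, yet the
    per-IP budget runs out after five failures and the delays escalate."""
    throttle = LoginThrottle()
    decisions = []
    for i in range(n_pairs):
        now, user = float(i), f"user{i}@example.com"
        decisions.append(throttle.check("198.51.100.7", user, now))
        throttle.record("198.51.100.7", user, success=False, now=now)
    return decisions


def simulate_botnet(n_ips: int) -> Tuple[Tuple[str, float], Tuple[str, float]]:
    """Constructed scenario: n distinct bot addresses each fail once inside the
    window, staying under every per-IP and per-account budget. Returns the
    decision for a fresh visitor during the burst and again after the window
    has expired."""
    throttle = LoginThrottle()
    now = 10.0
    for i in range(n_ips):  # "bot-<i>" stands in for n distinct source addresses
        throttle.record(f"bot-{i}", f"target{i}@example.com", success=False, now=now)
    during = throttle.check("203.0.113.9", "legit@example.com", now + 1.0)
    after = throttle.check("203.0.113.9", "legit@example.com",
                           now + 1.0 + throttle.window_s + 1.0)
    return during, after


if __name__ == "__main__":
    for i, (action, delay) in enumerate(simulate_single_ip_stuffing()):
        print(f"attempt {i:2d}: {action:7s} delay={delay:.0f}s")
    print("600-IP botnet, during burst / after window:", simulate_botnet(600))
```

In the single-address run, attempts 0 to 4 are allowed, attempt 5 is delayed one second, and the delay doubles on each further failure until it hits the cap, while every victim account has exactly one failure and a per-account lockout would never fire. In the botnet run no per-IP or per-account rule triggers at all; only the global counter crosses its threshold, and the right response there is a site-wide step-up (CAPTCHA or MFA) rather than blocking, because real users are mixed into the same burst.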

Credential Stuffing Detection Challenges

Credential stuffing can sidestep traditional WAF signatures and rate-based rules for several reasons. Most notably, it does not rely on an exploit or other overtly malicious request. Instead, it abuses the exposed functionality of the application in unexpected ways.

In this case, the attacker, usually in the form of a bot, is using the application’s login functionality in much the same way that a legitimate user does.

Additionally, since attackers have many username/password combinations to cycle through, the work is typically done by a large, distributed botnet or other form of malicious automation. This not only speeds up the work, but it allows the attacker to distribute the attack over a large number of IP addresses so that it isn’t obvious that the attack traffic is coming from a specific set of IPs.

And unlike a brute force attack, credential stuffing doesn't typically iterate through multiple passwords for a given account. It tries the stolen username/password pair once and, if that fails, moves on to the next pair. As a result, rules that lock out an account after a certain number of failures rarely trigger, because each account sees only a single failure.

All of this results in a situation where the attackers can blend in with valid users. On aggregate, it may be obvious that an application is under attack because it is inundated with login traffic. But for each login attempt, security teams often have no way to know which attempt is malicious and which is a real user.
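The practical consequence of the last three paragraphs, and of items 1 and 2 in the detection list above, is that the useful signals live in the aggregate rather than in any per-account counter. The following is an added example, not code from the original post or from A10/ThreatX: it parses a constructed login log (the line format, the addresses, the usernames and the timeline are all made up for this example), computes window-level statistics, and flags a window as credential stuffing when several aggregate signals fire even though no single account ever reaches a lockout threshold. The thresholds inside `classify` are assumptions to be tuned against a real baseline.

```python
"""Aggregate credential-stuffing detection over login logs.

Per-account failure counters stay at one failure each during stuffing, so the
signals are computed over a whole window instead: attempt volume against a
baseline, overall failure rate, share of usernames that do not exist here
(stuffing lists come from other sites' breaches), how many distinct accounts a
single IP cycles through, and whether one user agent dominates.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed (constructed) line format:
#   <ISO timestamp> ip=<addr> user=<name> result=<ok|bad_password|no_such_user> ua="<agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>\S+) ua="(?P<ua>[^"]*)"$'
)
BASE = datetime(2024, 3, 1, 9, 0, 0)  # constructed timeline


def constructed_log() -> List[str]:
    """Three ordinary logins, then a 40-attempt burst from four addresses."""
    def line(ts, ip, user, result, ua):
        return f'{ts.isoformat()} ip={ip} user={user} result={result} ua="{ua}"'

    fx = "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
    ch = "Mozilla/5.0 (Windows NT 10.0) Chrome/123.0"
    lines = [
        line(BASE, "192.0.2.10", "alice@example.com", "ok", fx),
        line(BASE + timedelta(seconds=40), "192.0.2.11", "bob@example.com", "bad_password", ch),
        line(BASE + timedelta(seconds=90), "192.0.2.11", "bob@example.com", "ok", ch),
    ]
    burst = BASE + timedelta(minutes=10)
    for i in range(4):           # four bot addresses ...
        for j in range(10):      # ... each trying ten different stolen pairs once
            n = i * 10 + j
            result = "no_such_user" if n % 3 == 0 else "bad_password"
            if n == 39:
                result = "ok"    # one reused password happens to be valid here
            lines.append(line(burst + timedelta(seconds=n), f"198.51.100.{i}",
                              f"victim{n}@example.com", result, "python-requests/2.31"))
    return lines


def parse(lines: List[str]) -> List[Dict]:
    events = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue             # skip malformed lines rather than abort the analysis
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def login_window_stats(events: List[Dict], start: datetime, window_s: int = 300) -> Dict:
    """Aggregate signals for the events in [start, start + window_s)."""
    end = start + timedelta(seconds=window_s)
    ev = [e for e in events if start <= e["ts"] < end]
    n = len(ev)
    fails = [e for e in ev if e["result"] != "ok"]
    per_account = Counter(e["user"].lower() for e in fails)
    users_per_ip = defaultdict(set)
    for e in ev:
        users_per_ip[e["ip"]].add(e["user"].lower())
    top_ua = Counter(e["ua"] for e in ev).most_common(1)
    return {
        "attempts": n,
        "failure_rate": len(fails) / n if n else 0.0,
        "unknown_user_rate": sum(e["result"] == "no_such_user" for e in ev) / n if n else 0.0,
        "max_failures_per_account": max(per_account.values(), default=0),
        "max_users_per_ip": max((len(s) for s in users_per_ip.values()), default=0),
        "top_ua_share": top_ua[0][1] / n if n else 0.0,
    }


def classify(stats: Dict, baseline_attempts: int, lockout_threshold: int = 5) -> Dict:
    """Call it credential stuffing when at least two aggregate signals fire, and
    report separately whether a per-account lockout rule would have triggered.
    All thresholds are assumptions for this example."""
    reasons = []
    if stats["attempts"] > 5 * max(baseline_attempts, 1):
        reasons.append("login volume spike")
    if stats["failure_rate"] > 0.8:
        reasons.append("high failure rate")
    if stats["unknown_user_rate"] > 0.3:
        reasons.append("many unknown usernames")
    if stats["max_users_per_ip"] >= 10:
        reasons.append("one IP cycling many accounts")
    if stats["top_ua_share"] > 0.9 and stats["attempts"] >= 20:
        reasons.append("single user agent dominates")
    return {"credential_stuffing": len(reasons) >= 2, "reasons": reasons,
            "lockouts_fired": stats["max_failures_per_account"] >= lockout_threshold}


def analyze():
    """Baseline window, attack window, and the verdict for the attack window."""
    events = parse(constructed_log())
    baseline = login_window_stats(events, BASE)
    attack = login_window_stats(events, BASE + timedelta(minutes=10))
    return baseline, attack, classify(attack, baseline_attempts=baseline["attempts"])
```

On the constructed data the attack window shows 40 attempts against a baseline of 3, a 97.5 percent failure rate, roughly a third of the usernames unknown to the application, ten distinct accounts per source address and a single automation user agent, while the highest failure count for any one account is 1. The `unknown_user_rate` signal deserves a caveat: it requires the application to distinguish a bad password from a missing account internally, and that distinction must never be reflected in the response to the client, or the login endpoint becomes a username oracle.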

Credential Stuffing vs Password Spraying

Methodology
  Credential stuffing: replays large sets of stolen username/password pairs, typically across many different sites and applications.
  Password spraying: tries a small set of common or default passwords (such as 'Alpha123') against a long list of usernames.

Automation
  Credential stuffing: almost always automated; bots or botnets submit the pairs at high volume.
  Password spraying: usually automated as well, but more targeted; the username list is typically one organization's own directory, and attempts are spaced out to stay under lockout thresholds.

Detection
  Credential stuffing: usually one attempt per account, so per-account failure counters stay low and lockouts rarely fire; the attack shows up in aggregate as a spike in login volume, a high overall failure rate, many distinct usernames (often ones that do not exist at the target) and, when the attacker is poorly distributed, a single IP cycling through many accounts.
  Password spraying: a few attempts per account spread over hours or days, which also stays under per-account thresholds; the tell is a low, steady failure count across a large fraction of the organization's accounts in the same period, often from a small set of sources.

Focus
  Credential stuffing: exploits the common practice of password reuse across accounts.
  Password spraying: exploits weak or default passwords.

Prevention
  Credential stuffing: unique passwords for every site (ideally from a password manager), multi-factor authentication, and bot mitigation in front of the login endpoint.
  Password spraying: strong password policies that ban common passwords, monitoring for anomalies in login attempts, and better password hygiene.

The Impacts of Credential Stuffing

Credential stuffing leads to a wide range of problems. Most obviously, a successful credential stuffing attack paves the way for an account takeover (ATO).

Attackers can abuse a compromised account in a variety of ways to commit fraud and pursue other malicious goals: financial accounts can be used to steal funds, retail accounts to buy goods with someone else's money, and social media accounts to sway opinions or spread malware.

The influx of traffic from a credential stuffing attack can also quickly overwhelm an application's resources, leading to a denial-of-service situation. One industry analysis estimates that, on average, 16.5 percent of traffic on a login page is tied to credential stuffing, and that figure can be a drop in the bucket when a specific group sets its sights on a particular application or industry.

For example, in a recent series of credential stuffing attacks targeting credit unions, we were able to detect that 90 percent of traffic was malicious and automatically block that traffic from ever reaching the target customers’ servers.

Figure: ThreatX blocking malicious traffic

How ThreatX Protects Against Credential Stuffing

As seen in the example above, ThreatX has considerable real-world experience in mitigating bot-based attacks, including credential stuffing. It does this by bringing together a variety of detection and analysis techniques to reliably separate the valid users from the malicious bots and botnets. While the details are naturally always changing as we adapt to stay ahead of attackers, we have highlighted some of the most important traits below:

  • Active Interrogation of Visitors: ThreatX actively challenges visitors in ways that are transparent to valid users but cause a bot to reveal itself, for example by observing how the client handles JavaScript or other code served as part of a challenge.
  • Advanced Fingerprinting: ThreatX leverages some of the most advanced fingerprinting techniques in the industry to reliably identify and track malicious entities and infrastructure over time. This allows the platform to recognize attackers even as they change IP addresses, user agents, or other identifying characteristics.
  • Automated Deception Techniques: The platform can introduce deceptive techniques such as fake fields that are readable to bots but invisible to users. Any interaction with these fields or functions can reveal that the visitor is a bot and not a human.
  • Attacker and Application Behavior Analysis: In addition to tracking complex behaviors over time, ThreatX can identify atypical behavior at the user or application level. For example, if a visitor fills a login form with abnormal speed or if applications seem to be getting overloaded with login traffic.
  • Global Correlation and Tracking: By fingerprinting attacking entities, ThreatX can track their behavior across the internet and across organizations. This allows organizations to benefit from intelligence gathered in previous attacks and preemptively block threats before the attack even gets started.

These represent just a few of the techniques and countermeasures that ThreatX uses every day against credential stuffing attacks.

*** This is a Security Bloggers Network syndicated blog from A10 Networks Blog: Cyber Security authored by A10 Networks. Read the original post at: https://www.a10networks.com/blog/credential-stuffing-examples-detection-and-impact/