A credential stuffing attempt can be caught as a behavioral anomaly, if you are looking for it. The FBI flagged credential stuffing as a particular threat to the financial services industry just over a year ago, and the growth in internet traffic, data breaches and API usage has since created ideal conditions for these attacks to succeed. Here is what you need to know about how they work and how you can defend against them.
What is credential stuffing?
“Credential stuffing is a type of attack in which hackers use automation and lists of compromised usernames and passwords to defeat authentication and authorization mechanisms, with the end goal of account takeover (ATO) and/or data exfiltration.” In other words, attackers collect lists of breached username and password pairs and replay them against the login endpoints they are interested in until some of the pairs work. They then use those accounts to abuse whatever permissions they carry, to siphon out data, or both.
Why is it so prevalent now?
It is now easier and cheaper than ever to obtain lists of compromised credentials (many are posted for free on hacker forums) and to run low-sophistication credential stuffing attacks with them. On the tooling side, attackers use the same automation that defenders rely on: scripting and automation frameworks, APIs, and traffic throttling, which keeps the attempt rate low enough that the automated login traffic looks like ordinary users rather than a brute-force attack.
The massive push to remote work, XaaS technologies and the convenience of apps has also left companies relying heavily on APIs that are often underprotected. Because APIs are not customer-facing, their protection tends to lag behind that of the login pages users see. “Out of sight, out of mind” does not apply to cybercriminals, however, and the login API behind an app is frequently the easier target. Finally, password hygiene remains poor, with many usernames and passwords reused across multiple websites. That reuse is the premise on which credential stuffing rests: a stolen pair is only useful elsewhere if its owner recycled it, and you cannot access an account with recycled credentials if there are none.
How credential stuffing attacks work
Here are several steps an attacker could take to implement a successful credential stuffing campaign:
How to stop credential stuffing attacks
Here are some primary methods for preventing credential stuffing attacks:
Secondary methods include:
According to OWASP, a nonprofit dedicated to making software safe, “In isolation none of these [secondary measures] are as effective as MFA, however if multiple defenses are implemented in a layered approach, they can provide a reasonable degree of protection.” To avoid disrupting the user experience, these secondary checks can be applied only to login attempts that look suspicious, such as an unfamiliar device or location or a source with an unusually high failure rate, rather than to every login.
Credential stuffing is a systemic problem with a simple solution in principle: if every user stopped reusing passwords tonight, the issue would be gone by morning. Failing that, the best practices above can be put in place and do work. MFA, CAPTCHA and rate limits on your login and API endpoints go a long way toward discouraging attackers and securing access. The most effective proactive defense, however, is to track login traffic over time. Patterns that are invisible in any single minute, such as a source that stays just under a per-minute rate limit for hours while trying a different username each time, stand out over a longer window and point to an attempted attack even when the other controls fail to catch it.
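The two ideas above, tracking login traffic over time and applying step-up checks only to suspicious attempts, are shown below as an added example. It is not the article's own code or any vendor's product. The log line format, the thresholds, the IP addresses and the sample traffic are all assumptions constructed for illustration; in production you would key on a device fingerprint or ASN as well as the client IP.

```python
"""Spot credential stuffing in login logs by tracking per-source behaviour over time.

Added example for this article; it is not the author's or any vendor's code.
The log format, the thresholds and the sample traffic are assumptions chosen
for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Attempt:
    ts: int       # unix seconds
    ip: str       # client address (or a device fingerprint, in practice)
    user: str
    ok: bool


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

    @property
    def fail_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(text: str) -> list[Attempt]:
    """Assumed line format: '<unix_ts> <ip> <username> <ok|fail>'."""
    out = []
    for line in text.strip().splitlines():
        ts, ip, user, result = line.split()
        out.append(Attempt(int(ts), ip, user, result == "ok"))
    return out


def stats_by_ip(attempts, now: int, window: int) -> dict[str, SourceStats]:
    """Aggregate attempts per source IP over the last `window` seconds."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for a in attempts:
        if 0 <= now - a.ts <= window:
            s = stats[a.ip]
            s.attempts += 1
            s.failures += (not a.ok)
            s.users.add(a.user)
    return stats


def classify(s: SourceStats, min_attempts=20, min_fail_rate=0.8, min_users=10) -> str:
    """Label one source as 'normal', 'brute_force' (one account, many passwords)
    or 'stuffing' (many accounts, about one password each)."""
    if s.attempts < min_attempts or s.fail_rate < min_fail_rate:
        return "normal"
    if len(s.users) >= min_users and s.attempts / len(s.users) <= 2:
        return "stuffing"
    return "brute_force"


def login_policy(ip: str, stats) -> str:
    """Step-up decision for a new attempt from `ip`: ordinary traffic is
    allowed; only sources that look automated get a CAPTCHA/MFA challenge."""
    return "allow" if classify(stats.get(ip, SourceStats())) == "normal" else "challenge"


def suspected_takeovers(attempts, stats) -> list[str]:
    """Accounts that logged in successfully from a source flagged as stuffing:
    the stolen pairs that were still valid, i.e. the actual ATO victims."""
    bad = {ip for ip, s in stats.items() if classify(s) == "stuffing"}
    return sorted({a.user for a in attempts if a.ok and a.ip in bad})


def constructed_log(now: int = 1_700_000_000) -> str:
    """Constructed sample traffic (not real data) ending at `now`."""
    lines = []
    # Legitimate users: a typo, then success, from their usual addresses.
    for i, (user, ip) in enumerate([("alice", "198.51.100.10"), ("bob", "198.51.100.11")]):
        lines.append(f"{now - 3000 - i * 7} {ip} {user} fail")
        lines.append(f"{now - 2990 - i * 7} {ip} {user} ok")
    # Brute force: one account, thirty passwords in thirty seconds.
    for i in range(30):
        lines.append(f"{now - 50 + i} 203.0.113.7 dave fail")
    # Credential stuffing, throttled to one attempt every 20 s for an hour
    # (3/min, under a naive 10/min rate limit); one pair in sixty still works.
    for i in range(180):
        result = "ok" if i % 60 == 0 else "fail"
        lines.append(f"{now - 3600 + i * 20} 192.0.2.44 user{i:03d} {result}")
    return "\n".join(lines)


if __name__ == "__main__":
    NOW = 1_700_000_000
    log = parse_log(constructed_log(NOW))
    for window in (60, 3600):
        stats = stats_by_ip(log, NOW, window)
        print(f"window={window}s:", {ip: classify(s) for ip, s in stats.items()})
    hour = stats_by_ip(log, NOW, 3600)
    print("policy for 192.0.2.44:", login_policy("192.0.2.44", hour))
    print("accounts to reset:", suspected_takeovers(log, hour))
```

Run with a sixty-second window, the throttled source 192.0.2.44 has only three attempts and is classified as normal, so a per-minute rate limit alone would let it through; over an hour the same source shows 180 distinct usernames with a 98% failure rate and is classified as stuffing, while 203.0.113.7 (thirty failures against one account) is classified as brute force and the legitimate users stay normal. The policy function then challenges only the flagged source, and the three accounts that logged in successfully from it are the ones to force a password reset on.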
About the Author: An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.
(SecurityAffairs – hacking, credential stuffing)