Credential Stuffing: Cracking Open Accounts with Stolen Data

Written by

As breached data continues to flood the dark web, Phil Muncaster asks what organizations can do to mitigate the impact of automated attacks

"We’re seeing credential stuffing attacks accelerate at a massive rate, so in that regard it does feel like this is just the beginning"

Data breaches have always made the headlines. From Cathay Pacific to Marriott International, Equifax to Yahoo, they are the closest thing the cyber-industry has to a good old-fashioned cops versus robbers story. However, this modern equivalent of the bricks and mortar bank robbery involves stealing data, not money. As such, the initial incident is just the beginning of a long chain of digital profiteering, with cyber-criminals cashing in at every stage. One such popular follow-up attack is credential stuffing – the use of automated tools to crack open accounts using stolen passwords. Attack campaigns are already happening on an epic scale, making headlines of their own.

To put the trend in perspective, Akamai detected nearly 28 billion credential stuffing attempts between May and December 2018 alone. The bad news is, the hackers continue to innovate and hone their techniques.

Where Did this Come From?

Credential stuffing is essentially a brute force attack which relies on the staggeringly large volumes of breached usernames/passwords flooding the dark web today. One particularly widely reported “combo list,” known as “Collection #1-5,” is said to contain over 2.2 billion unique usernames and passwords. These would be virtually useless if every employee and consumer used a password manager to keep unique passwords for each site and account, or if more businesses mandated the use of multi-factor authentication (MFA). However, they do not, so password reuse across accounts is endemic, providing an opportunity too good to miss for credential stuffing cyber-criminals.

So far in 2019, there have already been some big-name victims of credential stuffing attacks. They include brands as wide-ranging as Nest, Dunkin’ Donuts, Dailymotion and OkCupid.

Hackers are looking to crack open user accounts that share the same passwords as the ones they hold and grab any personal and financial data stored in there. Depending on the account, they may also look to sell access to credit lines, Air Miles, loyalty points and more to unscrupulous dark web buyers on the lookout for everything from free Uber rides and streaming content to heavily discounted flights. Credential stuffing also represents a major risk to corporate security. Every employee is also a consumer, so password reuse across both spheres could give hackers the opportunity to launch convincing BEC attacks or spear-phishing from inside hijacked enterprise accounts.

The success rate for credential stuffers is often no more than 1%, but with a possible trove of millions of passwords to try, it doesn’t need to be much higher. Retail is said to be the most affected vertical, with Akamai recording 10 billion attempts during May-December 2018. However, other industries also recorded high levels of activity, including streaming media services (8.1 billion), media and entertainment (3.5 billion), manufacturing (1.3 billion) and financial services (1.1 billion).

Needless to say, the impact on corporate reputation and the bottom line could be immense. Even if credential stuffing could technically be argued to be the fault of the user, consumers see it differently. A 2017 Akamai study calculated that the resulting loss in customers from a credential stuffing raid could cost firms on average $2.7m – far greater than application downtime ($1.7m), and IT overheads ($1.6m). Shape Security estimates the US consumer banking industry alone faces nearly $50m in potential daily losses due to credential stuffing.

"Some of the attacks use leaked personal information like PII to either reset passwords"

Another Arms Race

The bad news is that the black hats are just getting started, according to Troy Hunt, security expert and founder of the Have I Been Pwned? breach notification site.

“We’re seeing credential stuffing attacks accelerate at a massive rate, so in that regard it does feel like this is just the beginning. The rate is accelerating due to the prevalence of combo lists, the ease with which they’re spreading and the emergence of automated tooling,” he tells Infosecurity. “Attackers are participating in the same old game of one-upmanship we always see in this industry; defenses are built, adversaries work on circumventing them and the cycle continues.”

Aside from the breached data itself, credential stuffing campaigns rely on simulation software to automatically test the stolen log-ins, and distributed bots via which to make the log-in requests themselves. These can be hired for as little as $2 per hour.

The key for the attackers is to remain undetected while they test log-ins for onward sale or crack open accounts. Various techniques help the black hats stay hidden. Half of all attacks are “low and slow,” with the aim to replicate human behavior to avoid raising the alarm, according to Distil Networks. This is helped by the distributed nature of bots, with a single IP address typically used just twice per attack.

According to Shape Security director of engineering, Jarrod Overson, it’s also important to “execute an attack as rapidly as possible to get results before the company recognizes and puts in countermeasures.” However, with organizations taking on average 15 months to discover a credential breach, there’s clearly too long a window of opportunity for hackers to monetize their attacks. Overson claims that in January, his firm recorded nearly three billion log-in attempts against a single customer in just one week.

Akamai research has also revealed innovations in botnet technology. All-In-One (AIO) bots are often designed with specific retailers in mind, while others can be used to target as many as 120 different brands online – combining credential stuffing with quick purchasing capabilities in a single tool. If successful, the retailers simply believe that their products have been in high demand, unaware they’re being purchased by bots.

Similarly, SANS Technology Institute dean of research, Johannes Ullrich, argues that campaigns increasingly go beyond mere automated log-in attempts.

“Some of the attacks use leaked personal information like PII to either reset passwords, or to set up passwords with businesses that you did not establish an account with,” he explains to Infosecurity.

“For example, you may have an insurance policy, but you elected not to setup online access to the account in part because you are afraid that doing so will open you up to attacks. Instead, the bad guys will now use information about you that was leaked in other breaches to setup online access on your behalf and use it to raid your accounts.”

"The downside is, if anyone breaches this one account, they get access to everything"

Security Without Friction

The obvious question for anxious CISOs is how to mitigate the growing threat of credential stuffing. Troy Hunt articulates the challenge for security teams well.

“It’s a difficult position defenders find themselves in because we’re effectively saying ‘someone comes to your site with the correct username and password for one of your customers but it’s not actually your customer – stop them but don’t detriment the UX for real customers.’ That’s a hard problem to solve.”

MFA would certainly do the trick, but many firms are reluctant to mandate this for customers as it could introduce extra friction which causes them to abandon their accounts. Password managers are another good option for users, enabling them to store long, strong and unique credentials for each site/account. Apple will automatically suggest credentials and save them securely on the device, for example. However, it’s difficult to force customers to invest in these tools.

“A third option is using a central account with a very well-chosen password and preferably MFA to log into various services,” SANS certified instructor, Mathias Fuchs, tells Infosecurity. “Today, many services allow the user to log-in using their Google, Facebook or Microsoft credentials. The downside is, if anyone breaches this one account, they get access to everything.”

Organizations need to think not just about the log-in process, but detecting and blocking the machinery behind credential stuffing.

For Ping Identity’s chief customer information officer, Richard Bird, this means using machine learning analytics to create a baseline of normal activity which they can measure fluctuations against. “This technology can be extremely helpful in understanding a company’s API activity, flagging anomalous behavior and detecting attacks without human-written policies or signatures,” he says.

Shape Security’s Overson argues that the focus of security teams should be on “sabotaging the software development lifecycle of attackers in order to increase the cost and time burden of developing new attack tools.” Countermeasures should be rapid, limited in scope and variable, he tells Infosecurity.

“A simple example could be where an attacker is detected using headless Chrome running on Google Cloud. A potentially effective countermeasure might be delivering a computationally heavy JavaScript resource to just requests by that tool in order to raise the cloud costs of the attack,” he explains. “Generic countermeasures require a constant balance between efficacy and user experience friction which is a balance that is harder and harder to maintain.”

However, it is a balance that security bosses must continue to strive towards if they want to protect their corporate reputation and ensure the success of digitally-driven innovation efforts. If breached data continues to flood the dark web as it has been, 2019 could well be remembered with little fondness as the year credential stuffing went mainstream

What’s hot on Infosecurity Magazine?