Speaking at BSides Leeds, security researcher Darren Martyn explored the issue of credential stuffing, calling it an “exploding problem on the internet” and the “cyber-equivalent of volume crime.”
Saying that credential stuffing is “aided by data leaks,” Martyn argued that nothing much has been done about it “as it is not cool like ransomware, but the problem exists, and it affects everyone.”
The problem is made worse by tools built to make credential stuffing much easier, and by tools which are sold purely “to engage in post-compromise monetization strategies.” He said that as little as $10 can buy dumps of passwords obtained through “low level hacking,” and that most of the tools are “idiot proof.”
He added that “kids revolutionized testing while we were writing Python scripts, and the kids write things that actually work.” As well as low level hacking efforts, you can build tools to search for data sets for you, and in his research he had stumbled across hundreds of accounts.
In terms of how this makes money, he said that he had “cosplayed as a cyber-criminal” to find more information, and said that there is a “fantastic secondary market for logins,” as people can use stored credit cards to add cash to gift cards, or to pay for in-game items in video games.
Martyn said that despite the scale of the problem, “no-one cares as it affects the consumer who cannot pay for pen testing” and they are left out of pocket, “while the criminals laugh all the way to the bank.”
In terms of protection, he recommended that consumers use a password manager and two-factor authentication to better protect their details and logins. Businesses, he said, should look to make automated login testing hard, although rate limiting, temporary IP blocks and captchas all have problems because they can be bypassed.
Asked by Infosecurity what a good first step would be to better prevent credential stuffing attacks, Martyn said that, if you are a company, start by trying to make it expensive for the attacker.
“Rate limiting, temporary IP blocks and captchas don’t prevent, they just slow down,” he said, “but actually put in logging as you will know straight away when you are getting lit up by some script kiddie with Sentry, and your application logs start showing 'gajillions' of logins. See if your API is being brute forced, as no one really checks.”
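The logging advice above, shown as an added example that is not from the talk or the article: a Python detector that reads login events and alerts when a sliding window holds many attempts, mostly failures, spread across many usernames. The log line format, the thresholds and every function name are assumptions; the signal is computed over all sources rather than per IP because the article notes that IP blocks can be bypassed.

```python
from collections import deque
from datetime import datetime, timedelta

# All thresholds are assumed values; tune them against your own baseline.
WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 20        # ignore windows with too little traffic to judge
MIN_FAIL_RATIO = 0.8     # stuffing runs fail far more often than real users
MIN_DISTINCT_USERS = 10  # many usernames, few tries each

def parse(line):
    # Assumed format: "<ISO time> login user=<name> ip=<addr> result=<ok|fail>"
    ts, _event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["ip"], kv["result"] == "ok"

def detect(lines):
    """Return one alert per burst, judged over all sources, not per IP."""
    window, alerts, alerting = deque(), [], False
    for line in lines:
        event = parse(line)
        window.append(event)
        while event[0] - window[0][0] > WINDOW:   # expire old events
            window.popleft()
        attempts = len(window)
        failures = sum(1 for e in window if not e[3])
        users = {e[1] for e in window}
        hit = (attempts >= MIN_ATTEMPTS
               and failures / attempts >= MIN_FAIL_RATIO
               and len(users) >= MIN_DISTINCT_USERS)
        if hit and not alerting:                  # alert on the rising edge only
            alerts.append({"time": event[0], "attempts": attempts,
                           "failures": failures, "distinct_users": len(users),
                           "distinct_ips": len({e[2] for e in window})})
        alerting = hit
    return alerts

def sample_log():
    """Constructed data: 10 routine logins, then 40 attempts in two minutes."""
    t0, lines = datetime(2024, 1, 1, 9, 0, 0), []
    for i in range(10):
        ts = (t0 + timedelta(minutes=3 * i)).isoformat()
        res = "fail" if i == 4 else "ok"
        lines.append(f"{ts} login user=staff{i % 3} ip=198.51.100.7 result={res}")
    for i in range(40):
        ts = (t0 + timedelta(minutes=40, seconds=3 * i)).isoformat()
        res = "ok" if i == 25 else "fail"
        lines.append(f"{ts} login user=victim{i} ip=203.0.113.{i % 20 + 1} result={res}")
    return lines
```

Calling `detect(sample_log())` raises a single alert on the twentieth attempt of the constructed burst, even though no single source address makes more than two attempts.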