Credential Stuffing – Are You Doing Enough?

Credentials stuffing attacks are nothing new, and are in fact one of the simplest attacks for hackers to launch. For script kiddies it can be one of the first things that they try for the thrill of seeing that they can gain access to systems, while for the more experienced, the potential for credential stuffing attack is much greater. It can provide them with more information on an individual user linked to their finances, home life etc, all of which can be used for fraud, make purchases or spend credit, in the account accessed, or to build a curated file on an individual that can be sold on the dark web for others to exploit.

The problem is that it doesn’t stop there. The success of a credential stuffing attack is not always is not always measured by the hacker in the above terms. By finding a username/password combination that works, hackers will then test that combination across the world’s most popular consumer sites and services, to see whether the same credentials have been used elsewhere – and we all know how often the same password is used. The pot of gold is gaining access to a personal email account, where the hacker can lurk, read, learn and exploit.

Remember, credentials stuffing attacks are not always about gaining access. They are automated attacks where thousands of credentials might be thrown at a website and tested from multiple servers. This leads to poor performance on the website and can even take them offline, in a type of denial of service attack. Where this is the goal, no black market credentials are needed at all.

Companies that become the victim of credentials stuffing attacks can equally suffer financial and reputational damage, as well as losing the confidence of customer and investors.

The ingredients of an attack

One of the reasons credential stuffing attacks are so popular, especially with new hackers, is that they are so simple, and require barely any technical expertise or flare.

The first ingredient of an attack is having sets of credentials and these are extremely easy to find and buy online. Research earlier this year from Digital Shadows found that the number of username and password credentials openly for sale on the dark web has tripled in two years to more than 15 billion. Of course, if a hacker’s goal is to cause disruption to a site, then this ingredient is optional.

The second ingredient is having a tool that can test the credentials against a website or multiple sites. There are a range of tools available, many with their own built in scripting languages that other hackers develop configurations for and post in the hacking community. These software tools are designed to be easy to use, have very rich functionality, and countless resources and manuals to help newcomers. Arguably in some cases, they are better supported and continuously developed than commercial software.

Finally there are proxy services, which help hackers evade detection not only from the authorities, but by making logon attempts appear to come from multiple locations, in the same way normal login attempts would. Lists of proxy servers are readily available online, and tools can be configured to rotate through a provided list.

Detection and testing

From an engineering standpoint there are a number of components to detecting a credentials stuffing attack, and the perception is they are difficult to test for during development. An attacker will use multiple credentials, different User-Agent Strings (UAS), and logins will be distributed over time from a range of IP addresses through proxy servers. The toolsets themselves are even designed with technical sophistication to make sure hackers do not make obvious mistakes.

So, rather than focus on what we don’t know, the answer is to focus on what you do know about successful logins from your customers. You understand your traffic volumes and seasonality, the UAS and IP ranges (countries, languages and browsers), and the number of user accounts that you have. This paints a picture of what is normal for your site, and is key in the fight.

Mitigation doesn’t have to mean complication

The hacker toolset is pretty impressive there is no doubt about it, and for companies there are a whole host of security solutions available that will help make it harder for hackers to get what they want out of an attack, whether that is disruption, or validated credentials.

There are also some basics that you should consider to ensure that your systems are doing all they can to mitigate the risks:

  • You might think you know your website traffic, but do you understand your logon traffic? These are not the same thing, so learn about the patterns in your business.
  • Don’t make the mistake of thinking that employing a tool such as Captcha is ‘job done’. You can still attempt to login multiple times on different usernames, and that is exactly what is happening during a CS attempt.
  • Do not assume penetration testing is the answer – check how this is being addressed by your provider. It can identify some issues, but credentials stuffing as an attack falls between the cracks. It does not fit neatly into app, network or perimeter security.
  • Monitor your failed to successful login ratio in real-time from all login requests. It might be that a 2%-3% fail rate is normal for your business. So, what are you doing when it falls outside that range, and could it constitute a credentials stuffing attack?
  • Look at employing time-series analysis to identify sudden peaks in attempted login attempts. There may be seasonal elements to this, for example the start of well promoted sale of concert tickets, or retail event, but you can plan for this, and combined with the successful login analysis it can identify a sudden attack.
  • Advanced attacks can originate from cloud infrastructure. The ranges of these providers are available online and can be used to help mitigate attacks.

The attacks and tools that hackers use are getting more sophisticated all the time. In the same way that you may be considering the use of artificial intelligence and machine learning in parts of your business, the hackers are doing the same.

The reality is that you will need to fight fire with fire, and some detection methods that will be needed in the future will fall outside our own understanding; identifying those patters and developing that understanding is the role of ML.

We need to get on top of credential stuffing as an industry. Whilst we’ve only scratched the surface of what is possible, the point is that there is a lot we can do to lower the risks of an attack happening, and identifying it quickly when it does.

What’s Hot on Infosecurity Magazine?